Re: Latest round of web hacking incidents for 2007 & Project news
We can tell Google what to crawl and what not to. If people don't tell
Google not to crawl, then it will be crawled. We can't blame Google for
that.
On 12/30/07, Memisyazici, Aras <arasm@xxxxxx> wrote:
> >>The researchers found that they can use Google to retrieve the hashed
> >>password of the hacker. Google has become so big that it actually allows
> >>efficient encrypted passwords lookup.
>
> Could you please be more specific? Do you mean, Google had crawled an entire
> MySQL DB and had access to the contents of the password field in encrypted
> form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table
> repo. to compare hashes against? Or... ?
>
>
> Sincerely,
> Aras "Russ" Memisyazici
> IT Specialist II
> Virginia Tech -- OIS
>
>
> -----Original Message-----
> From: "Ofer Shezaf" <ofers@xxxxxxxxxx>
> To: "Bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
> Sent: 12/27/07 11:01 AM
> Subject: Latest round of web hacking incidents for 2007 & Project news
>
>
> The last month was very active in the web application security field and at
> the Web Hacking Incidents Database Project we have collected numerous new
> incidents, listed below. It is very evident that both the rate of incidents
> as well the amount of information about each one is on the rise.
>
> We have also started adding more classifications to each incident. In
> addition to the attack method we now track for each incident its geography,
> the outcome of the attack and the industry sector it occurred at. We are
> going to use this information in our first annual Web Incidents summary
> report to be issued in early January.
>
> So if you know of a web hacking incident that you feel should be in the
> database and is not (or you could not find it), send me an e-mail at ofer at
> shezaf.com, so it will be there in time for the annual report.
>
> For more information and complete details of each incident refer to the Web
> Hacking Incidents Database at http://www.webappsec.org/projects/whid.
>
> Ofer Shezaf
> Work: offer at breach.com, +972-9-9560036 #212
> Personal: ofer at shezaf.com, +972-54-4431119
>
> VP Security Research, Breach Security
> Chair, OWASP Israel
> Leader, ModSecurity Core Rule Set Project
> Leader, WASC Web Hacking Incidents Database Project
>
>
> WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
> ======================================================================
> Reported: 22 December 2007, Occurred: 22 December 2007
>
> Classifications:
>
> * Attack Method: Credential/Session Prediction
> * Country: USA
> * Outcome: Identity Theft
> * Vertical: Government
>
> The Secret Service has arrested at least 6 people in an investigation that
> involves information theft at an Ohio court web site, which is actively used
> for identity theft. At least one known identity theft case resulted in
> $40,000 loss to the victim.
>
>
> WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
> =========================================================================
> Reported: 20 December 2007, Occurred: 20 December 2007
>
> Classifications:
>
> * Attack Method: SQL Injection
> * Country: USA
> * Outcome: Defacement
> * Vertical: Government
>
> The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your
> soul" on the Web site of the police department in Tucson, Arizona. Only
> unlike regular defacement, this time it is not the front page but rather the
> news section that was modified.
>
>
> WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German
> subsidiary
> =========================================================================
> Reported: 19 December 2007, Occurred: 30 September 2007
>
> Classifications:
>
> * Attack Method: Unknown
> * Country: Germany
> * Outcome: Leakage of Information
> * Vertical: e-commerce
>
> An unidentified group had stolen credit card numbers and billing addresses
> of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of
> Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
> from the Kartenhaus.de web site between October 24, 2006 and September 30,
> 2007 were affected.
>
>
> WHID 2007-60: The blog of a Cambridge University security team hacked
> =====================================================================
> Reported: 19 December 2007, Occurred: 27 October 2007
>
> Classifications:
>
> * Attack Method: Known Vulnerability
> * Attack Method: Insufficient Authentication
> * Attack Method: SQL Injection
> * Country: UK
> * Outcome: Downtime
> * Software: WordPress
> * Vertical: Education
>
> I am sure that the guys at Light Blue Touchpaper have the expertise to
> protect their WordPress installation, but they don't have the time. They
> made the compromise between ease of management of their web site and its
> security.
> Apart from, or actually because of the fact that the victims are security
> experts, this story is noteworthy due to two additional twists in the plot:
>
> * Zero day exploit in the wild - the attacker penetrated twice, once
> using a known SQL injection vulnerability, but the second time using a yet
> unknown vulnerability in WordPress, which was reverse engineered and
> published for the first time by the people at Light Blue Touchpaper.
> * The researchers found that they can use Google to retrieve the hashed
> password of the hacker. Google has become so big that it actually allows
> efficient encrypted passwords lookup.
>
>
> WHID 2007-62: A security flaw in Passport Canada's website
> ==========================================================
> Reported: 19 December 2007, Occurred: 01 December 2007
>
> Classifications:
>
> * Attack Method: Credential/Session Prediction
> * Country: Canada
> * Outcome: Disclosure Only
> * Vertical: Government
>
> The Web site of the Canadian passports authority enables users to access
> others' records by modifying the value of a parameter in the URI.
>
>
> WHID 2007-64: Information about Duke's Students and Applicants Stolen
> =====================================================================
> Reported: 19 December 2007, Occurred: 01 December 2007
>
> Classifications:
>
> * Attack Method: Unknown
> * Country: USA
> * Outcome: Leakage of Information
> * Vertical: Education
>
> The personal data of nearly 1,400 prospective Duke Law School students may
> have been stolen by a hacker from two separate databases, one including the
> prospective students' data and another filled with requests for information
> about the school.
>
>
> WHID 2007-65: Facebook suing a porn site over automated access
> ==============================================================
> Reported: 19 December 2007, Occurred: 28 June 2007
>
> Classifications:
>
> * Attack Method: Insufficient Anti-automation
> * Country: USA
> * Country: Canada
> * Vertical: Information Services
>
> Use of robots and automated software against a web site, as long as it is
> not done in order to break into the site, falls into a grey area. While hard
> to classify as an unlawful act, it is usually harmful to the site owner and
> possibly to the site users. Apart from using valuable resources, such an
> automated access may breach the site's usage license of public information
> and might also indicate unlawful activity such as using a botnet. Many times
> it is hard to know if such a blast of requests is a denial of service
> attack, brute force password cracking or just a search engine crawler.
>
> Going forward we are going to add such incidents to WHID if there is a
> reason to believe that they are not friendly, even if the actual goal of the
> attack cannot be easily classified. The Facebook case at hand is a perfect
> example: while the details are not clear, the fact that Facebook filed a law
> suit implies that there is fire behind the smoke.
>
>
> WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site
> =============================================================
> Reported: 19 December 2007, Occurred: 14 December 2007
>
> Classifications:
>
> * Attack Method: Unknown
> * Country: France
> * Country: Libya
> * Outcome: Planting of Malware
> * Vertical: Government
>
> To iframe or not to iframe, this is the question. As malware becomes more
> popular, the number of incidents, mostly insignificant, in which malware was
> planted on a hacked site is rising and WHID is not the right place to list
> all of them. We currently report such incidents if the hacked site is of
> interest or if the attack method is known.
>
>
> WHID 2007-67: The Day My Web Site Was Hacked
> ============================================
> Reported: 19 December 2007, Occurred: 17 December 2007
>
> Classifications:
>
> * Attack Method: Known Vulnerability
> * Country: UK
> * Outcome: Link Spam
> * Software: WordPress
> * Vertical: Information Services
>
> In an incident very similar to the Al Gore Hack, the personal blog of IT
> journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the
> breach and its origins.
>
>
> WHID 2007-69: The Orkut XSS Worm
> ================================
> Reported: 19 December 2007, Occurred: 19 December 2007
>
> Classifications:
>
> * Attack Method: Cross Site Scripting (XSS)
> * Country: USA
> * Outcome: Worm
> * Vertical: Information Services
>
> A vulnerability in the social networking site Orkut that allowed users to
> inject HTML and JavaScript into their profiles set the stage for a
> persistent XSS worm that appears to have affected more than 650,000 Orkut
> users.
>
>
> WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
> ===================================================================
> Reported: 19 December 2007, Occurred: 26 November 2007
>
> Classifications:
>
> * Attack Method: Known Vulnerability
> * Country: USA
> * Outcome: Link Spam
> * Software: WordPress
> * Vertical: Government
>
> Whether comment spam by itself is an application failure or a necessary evil
> for sites allowing rich comments is an open question. However, it is reported
> that in this case a vulnerability in WordPress allowed the spammers to
> actually penetrate the site and modify pages and not just abuse comments.
>
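The WHID 2007-60 entry above notes that the Light Blue Touchpaper team could recover the attacker's password simply by searching for its hash, and the reply at the top of the thread points out that robots.txt only controls what is indexed, not what a deterministic hash reveals. The following Python script is an added illustration, not code from the list posting or from WHID: it contrasts an unsalted MD5 digest (identical for every user who picks the same password, so any public index of digests answers it) with a salted PBKDF2-HMAC-SHA256 scheme whose stored value differs per user and must be recomputed to verify. The storage format `pbkdf2_sha256$iterations$salt$digest`, the sample password and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input for the demonstration (not taken from any incident).
COMMON_PASSWORD = "password123"


def legacy_hash(password: str) -> str:
    """Unsalted MD5: the same password always yields the same digest, so the
    digest can be looked up wherever it has been published or indexed.
    Included only to contrast with hash_password() below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt and a configurable work
    factor. Storage format (assumed for this example, not any project's real
    format): 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Parse the stored record, recompute with its salt and iteration count,
    and compare in constant time. Malformed records never verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_lookup_friendly(stored_a: str, stored_b: str) -> bool:
    """True when two stored values for the same password are identical, i.e.
    the scheme is deterministic and a precomputed or indexed table can
    answer it without touching the application."""
    return stored_a == stored_b


def demo() -> None:
    a, b = legacy_hash(COMMON_PASSWORD), legacy_hash(COMMON_PASSWORD)
    print("legacy digests identical:", is_lookup_friendly(a, b))
    sa, sb = hash_password(COMMON_PASSWORD), hash_password(COMMON_PASSWORD)
    print("salted records identical:", is_lookup_friendly(sa, sb))
    print("verify correct password:", verify_password(COMMON_PASSWORD, sa))
    print("verify wrong password:  ", verify_password("not-the-password", sa))


if __name__ == "__main__":
    demo()
```

Running the script shows the two legacy digests matching and the two salted records differing, while verification still succeeds only for the right password. The salt defeats shared lookup tables and the iteration count makes per-guess work expensive; neither depends on keeping the digest out of a search engine.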