SpiderLabs Blog

Latest Web Hacking Incident Database (WHID) Entries (1)

Written by Ryan Barnett | May 9, 2011 6:09:00 AM

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project.


WHID 2011-99: FTC settles data breach charges against Lookout Services

Entry Title: WHID 2011-99: FTC settles data breach charges against Lookout Services
WHID ID: 2011-99
Date Occurred: October 1, 2009
Attack Method: Predictable Resource Location
Application Weakness: Insufficient Authorization
Outcome: Leakage of Information
Attacked Entity Field: Information Services
Attacked Entity Geography:
Incident Description: In October and December 2009, an employee of a Lookout customer was able to gain access to the product's database by typing a URL into a Web browser, the FTC said in its complaint. The intruder was able to gain access to personal information, including Social Security numbers, of about 37,000 consumers, the FTC said.
Mass Attack: No
Reference: http://news.idg.no/cw/art.cfm?id=2761F224-1A64-67EA-E41CDB96A756125A
Attack Source Geography:
Additional Link: http://ftc.gov/os/caselist/1023076/110503lookoutservicesanal.pdf


SpiderLabs Research Analysis

FTC reports usually offer some insight into the vulnerabilities that were most likely exploited against the companies cited, although it often takes years before the details are released. In this case, from 2009, forced browsing (predictable resource location) appears to have been the attack technique: the intruder reached the data simply by typing a URL into a browser, which points to the application not enforcing authorization on the resource behind that URL.
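To make the distinction between "logged in" and "authorized" concrete, here is an added example in Python; it is not code from the original post or from Lookout Services. The record store, the organisation names and the SSN values are constructed sample data, and the handler names are hypothetical. One handler only checks that the caller is logged in, so anyone who guesses a sequential record ID gets the record; the other also checks that the record belongs to the caller's organisation.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: a multi-tenant record store keyed by a sequential
# integer ID (the "predictable resource location"). The SSNs are fake.
RECORDS: Dict[int, Dict[str, str]] = {
    1001: {"org": "acme", "name": "A. Customer", "ssn": "000-00-0001"},
    1002: {"org": "acme", "name": "B. Customer", "ssn": "000-00-0002"},
    1003: {"org": "globex", "name": "C. Customer", "ssn": "000-00-0003"},
    1004: {"org": "globex", "name": "D. Customer", "ssn": "000-00-0004"},
}

# A session as the application sees it after login: who the user is and
# which customer organisation they belong to.
Session = Dict[str, str]
Response = Tuple[int, Optional[Dict[str, str]]]


def get_record_vulnerable(session: Optional[Session], record_id: int) -> Response:
    """Handles GET /records/<record_id>. Checks only that the caller is
    logged in, so any authenticated user can read any record by typing
    its URL. This is the insufficient-authorization pattern."""
    if session is None:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record


def get_record_secure(session: Optional[Session], record_id: int) -> Response:
    """Same route, but the object-level authorization check runs on the
    server for every request: the record must belong to the caller's org.
    A record that exists but is not the caller's gets the same 404 as a
    missing one, so the ID space cannot be mapped through the responses."""
    if session is None:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None or record["org"] != session["org"]:
        return 404, None
    return 200, record


def walk_id_space(handler: Callable[[Optional[Session], int], Response],
                  session: Session, start: int, stop: int) -> Dict[int, Dict[str, str]]:
    """What the intruder in the FTC complaint effectively did: iterate over
    guessable IDs and keep every record the server hands back."""
    leaked = {}
    for record_id in range(start, stop):
        status, record = handler(session, record_id)
        if status == 200 and record is not None:
            leaked[record_id] = record
    return leaked


if __name__ == "__main__":
    globex_employee = {"user": "eve", "org": "globex"}
    print("vulnerable:", sorted(walk_id_space(get_record_vulnerable, globex_employee, 1000, 1010)))
    print("secure:    ", sorted(walk_id_space(get_record_secure, globex_employee, 1000, 1010)))
```

Running it shows the first handler leaking all four records to a user from another organisation while the second returns only that organisation's two. Random, unguessable identifiers raise the cost of walking the ID space but are only defence in depth; the server-side ownership check is the fix, and a run of 404s from a single authenticated session is worth alerting on.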


WHID 2011-98: Sony Darkens Another Network As Breach Investigation Widens

Entry Title: WHID 2011-98: Sony Darkens Another Network As Breach Investigation Widens
WHID ID: 2011-98
Date Occurred: May 2, 2011
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Leakage of Information
Attacked Entity Field: Entertainment
Attacked Entity Geography: Japan
Incident Description: Sony Corp. took further steps to contain a serious data breach: temporarily shuttering the Website of Sony Online Entertainment and station.com, another of the technology company's online gaming networks, even as it signaled the slow return of its PlayStation Network to operation.
Mass Attack: No
Reference: http://threatpost.com/en_us/blogs/sony-darkens-another-network-breach-investigation-widens-050211
Attack Source Geography:


SpiderLabs Research Analysis

The Sony breach is significant for a number of reasons, not the least of which is the sheer number of customers impacted. While the attack vector(s) are still not 100% clear, a number of sources are pointing to outdated Apache software that allowed the attackers to gain a foothold on the internal network. There are also reports that the "developer network" did not have the same level of security as other parts of the network.

WHID 2011-97: Man who liveblogged Bin Laden raid was hacked

Entry Title: WHID 2011-97: Man who liveblogged Bin Laden raid was hacked
WHID ID: 2011-97
Date Occurred: May 2, 2011
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Blogs
Attacked Entity Geography: Pakistan
Incident Description: The Pakistani programmer who dubbed himself "the guy who liveblogged the Osama raid without knowing about it" is also the guy who got his website hacked without knowing about it.
Mass Attack: No
Reference: http://www.computerworld.com/s/article/9216341/Man_who_liveblogged_Bin_Laden_raid_was_hacked
Attack Source Geography:
Attacked System Technology: WordPress


SpiderLabs Research Analysis

Planting of malware is a serious problem for websites today. Many sites that previously were not in an attack target group are now viable targets because they have a large user base, and that is what is of value to malware distributors: the site is compromised in order to reach its visitors.


WHID 2011-96: Click-jacking on Facebook

Entry Title: WHID 2011-96: Click-jacking on Facebook
WHID ID: 2011-96
Date Occurred: May 2, 2011
Attack Method: Clickjacking
Application Weakness: Application Misconfiguration
Outcome: Link Spam
Attacked Entity Field: Web 2.0
Attacked Entity Geography: USA
Incident Description: WebSense analyzes a recent click-jacking attack against FaceBook users.
Mass Attack: No
Reference: http://community.websense.com/blogs/securitylabs/archive/2011/05/02/a-weekend-of-click-jacking-on-facebook.aspx
Attack Source Geography:
Attacked System Technology: Facebook


SpiderLabs Research Analysis

Click-jacking, or UI redressing, is another of those interesting attack methods that will most likely be around for quite a while, as it is difficult for a website to know that the event is happening client-side in the browser: the server only sees a request that looks like a legitimate click. With users relying on tabbed browsing and staying constantly "logged in" to so many sites, this type of attack will continue to flourish.
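The server cannot see the overlay, but it can tell browsers not to let its pages be framed at all. The following is an added example written for this post, not code from Facebook or Websense: a WSGI middleware in Python that adds the two anti-framing headers to every response. The like_page application and the run_request driver are constructed so the headers can be inspected offline.

```python
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def add_frame_protection(headers: Headers, allow_self: bool = False) -> Headers:
    """Return a copy of the response headers with anti-framing headers added.

    X-Frame-Options is the legacy header; Content-Security-Policy
    frame-ancestors is the standard one and takes precedence where both are
    understood, so both are set. An existing CSP is extended rather than
    replaced so the application's other directives survive."""
    out = list(headers)
    xfo = "SAMEORIGIN" if allow_self else "DENY"
    directive = "frame-ancestors 'self'" if allow_self else "frame-ancestors 'none'"

    if not any(k.lower() == "x-frame-options" for k, _ in out):
        out.append(("X-Frame-Options", xfo))

    for i, (k, v) in enumerate(out):
        if k.lower() == "content-security-policy":
            if "frame-ancestors" not in v.lower():
                out[i] = (k, v.rstrip().rstrip(";") + "; " + directive)
            break
    else:
        out.append(("Content-Security-Policy", directive))
    return out


def anti_clickjacking(app: Callable, allow_self: bool = False) -> Callable:
    """WSGI middleware: wraps start_response so every response the wrapped
    application emits carries the anti-framing headers."""
    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            return start_response(status, add_frame_protection(headers, allow_self), exc_info)
        return app(environ, guarded_start_response)
    return wrapped


# Constructed sample application: a page with a state-changing button that
# already sends a CSP of its own (without frame-ancestors).
def like_page(environ, start_response) -> Iterable[bytes]:
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'"),
    ])
    return [b"<form method='post' action='/like'><button>Like</button></form>"]


def run_request(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app with a minimal environ and capture what it sends,
    so the headers can be checked without a real server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run_request(anti_clickjacking(like_page))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

X-Frame-Options is the older header; Content-Security-Policy frame-ancestors is the standard one and wins where both are present, so both are sent, and the page's existing "default-src 'self'" policy comes out as "default-src 'self'; frame-ancestors 'none'". JavaScript frame-busting scripts are not a substitute, since a hostile page can neutralise them (for example with a sandboxed iframe). On current browsers, marking the session cookie SameSite=Lax or Strict further limits the damage, because the cookie is then not sent with a cross-site framed request.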


WHID 2011-95: Researchers Catch Targeted Attack On Popular Soccer Website

Entry Title: WHID 2011-95: Researchers Catch Targeted Attack On Popular Soccer Website
WHID ID: 2011-95
Date Occurred: May 2, 2011
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Planting of Malware
Attacked Entity Field: Sports
Attacked Entity Geography: Luxembourg
Incident Description: A popular sports website late last week was spotted serving up malware in what researchers say appears to be a targeted attack and not part of a mass SQL injection campaign.
Mass Attack: No
Reference: http://www.darkreading.com/advanced-threats/167901091/security/application-security/229402594/researchers-catch-targeted-attack-on-popular-soccer-website.html
Attack Source Geography:
Attacked System Technology: WordPress


SpiderLabs Research Analysis

The attack vector was most likely an issue with WordPress (or one of its plugins). Again, high-traffic sites are now squarely in the cross-hairs of malware distributors, because compromising one site is a way to infect its large base of visiting clients.


WHID 2011-94: High school hackers expose security gap in Seattle Public Schools

Entry Title: WHID 2011-94: High school hackers expose security gap in Seattle Public Schools
WHID ID: 2011-94
Date Occurred: May 1, 2011
Attack Method: Stolen Credentials
Application Weakness: Insufficient Authentication
Outcome: Disinformation
Attacked Entity Field: Education
Attacked Entity Geography: Seattle, WA
Incident Description: District officials suspect a student, or several, swiped teachers' passwords for online grade books, possibly using a key-logger device or keystroke-recording software that captures every keystroke, including IDs and passwords
Mass Attack: No
Reference: http://seattletimes.nwsource.com/html/editorials/2014914193_edit02grades.html
Attack Source Geography:


SpiderLabs Research Analysis

Insufficient authentication, where sites rely solely upon usernames and passwords, continues to be a problem, as there are so many ways in which an attacker can obtain those credentials: keystroke-logging hardware or software on the computer, phishing attacks, and so on. Multi-factor authentication options should be evaluated, since a second factor that a keylogger cannot replay makes a captured password alone insufficient.
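As an added example of what "a second factor" means in code (not code from the original post or from Seattle Public Schools), here is a TOTP check in Python following RFC 4226/6238, with a login routine that requires both the password and the current code. The user record, password and salt are constructed; the TOTP secret is the RFC test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Server-side check of one user's second factor.

    Accepts codes from the current step and `window` steps either side to
    absorb clock drift, and remembers the highest counter already used so a
    code that was captured (by a keylogger, say) cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_counter = -1  # a real system persists this with the user record

    def verify(self, code: str, unix_time: float) -> bool:
        counter = int(unix_time // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter:
                continue  # already consumed: treat as a replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self._last_counter = c
                return True
        return False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store. The salt is fixed only so the example is
# deterministic; the TOTP secret is the RFC 4226/6238 test-vector secret.
_SALT = b"constructed-fixed-salt"
RFC_SECRET = b"12345678901234567890"
USERS: Dict[str, dict] = {
    "teacher1": {
        "pw_hash": _hash_password("Gr4des!2011", _SALT),
        "totp": TotpVerifier(RFC_SECRET),
    },
}


def login(username: str, password: str, otp_code: Optional[str], unix_time: float) -> bool:
    """Both factors must pass. A stolen password alone is not enough, and a
    captured OTP stops working at the end of its step and never works twice."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(_hash_password(password, _SALT), user["pw_hash"]):
        return False
    if otp_code is None:
        return False
    return user["totp"].verify(otp_code, unix_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; real code uses time.time()
    print("password only:  ", login("teacher1", "Gr4des!2011", None, now))
    print("password + OTP: ", login("teacher1", "Gr4des!2011", totp(RFC_SECRET, now), now))
    print("replayed OTP:   ", login("teacher1", "Gr4des!2011", totp(RFC_SECRET, now), now))
```

With the RFC secret the code for Unix time 59 is 287082. A password captured by a keylogger fails on its own, a captured code expires with its 30-second step, and the verifier's replay check means a code that has already been accepted is refused even inside the drift window. TOTP still does not stop an attacker who relays the code in real time; that is where phishing-resistant factors such as FIDO2 authenticators come in.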


WHID 2011-93: Hacker posts screenshot of sex video on SPAD website

Entry Title: WHID 2011-93: Hacker posts screenshot of sex video on SPAD website
WHID ID: 2011-93
Date Occurred: May 2, 2011
Attack Method: Unknown
Application Weakness: Improper Output Handling
Outcome: Defacement
Attacked Entity Field: Government
Attacked Entity Geography: Malaysia
Incident Description: The Land Public Transport Commission (SPAD) website was hacked yesterday and a screenshot of the controversial sex video allegedly involving a top politician was posted on its main page.
Mass Attack: No
Reference: http://thestar.com.my/news/story.asp?file=/2011/5/2/nation/8591951&sec=nation
Attack Source Geography:


SpiderLabs Research Analysis

This is yet another case of hacktivism/defacement. Many organizations label defacements as a lower-priority risk outcome; however, they need to keep in mind that if an attacker was able to gain enough system access to modify content to this extent, it is a good bet that they could also have reached other systems or data. And do you have proper audit logs to prove or disprove that possibility?


WHID 2011-92: Anonymous attacks Iranian state websites

Entry Title: WHID 2011-92: Anonymous attacks Iranian state websites
WHID ID: 2011-92
Date Occurred: May 2, 2011
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Iran
Incident Description: The infamous Anonymous hacking group has crippled a string of Iranian state websites including those of the Office of the Supreme Leader, state police and the Islamic Revolutionary Guards in attacks launched yesterday.
Mass Attack: No
Reference: http://www.securecomputing.net.au/News/256057,anonymous-attacks-iranian-state-websites.aspx
Attack Source Geography: 


SpiderLabs Research Analysis

I will give it to Anonymous: they are proving that DDoS attacks have not been addressed by the vast majority of websites. Organizations need to take a serious look at how their infrastructure, and specifically their web applications, will handle high traffic volumes.


WHID 2011-91: Rabobank network floored by cyber attack

Entry Title: WHID 2011-91: Rabobank network floored by cyber attack
WHID ID: 2011-91
Date Occurred: May 2, 2011
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Finance
Attacked Entity Geography: Netherlands
Incident Description: Internet and mobile banking at the Rabobank has been badly hit by an attack on its computer network, the company reported on Monday.
The denial of service attack, in which the target computer is saturated with external communications requests, has made the network unavailable to its customers.
Mass Attack: No
Reference: http://www.dutchnews.nl/news/archives/2011/05/rabobank_network_floored_by_cy.php
Attack Source Geography:


SpiderLabs Research Analysis

Another DoS attack, and this one too appears to have been the work of hacktivists.
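The two DoS entries above (WHID 2011-92 and 2011-91) both list insufficient anti-automation as the weakness. As an added example, not code from the original post or from either target, here is a per-client token-bucket limiter in Python with an injectable clock, plus a simulation that replays constructed traffic (one source flooding, one normal user) through it.

```python
import time
from typing import Callable, Dict, Iterable, List, Tuple


class TokenBucketLimiter:
    """Per-client token bucket: each key may burst up to `burst` requests and
    then proceed at `rate` requests per second. The clock is injectable so
    the behaviour can be simulated deterministically."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


class FakeClock:
    """Lets the simulation set 'now' explicitly instead of sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate(requests: Iterable[Tuple[float, str]], rate: float, burst: int) -> Dict[str, Tuple[int, int]]:
    """Replay (timestamp, client_key) pairs through a limiter and return, per
    client, how many requests were served and how many were rejected."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate, burst, clock)
    outcome: Dict[str, List[int]] = {}
    for ts, key in sorted(requests, key=lambda r: r[0]):
        clock.now = ts
        counts = outcome.setdefault(key, [0, 0])
        if limiter.allow(key):
            counts[0] += 1
        else:
            counts[1] += 1
    return {k: (v[0], v[1]) for k, v in outcome.items()}


# Constructed traffic: one source firing 20 requests in 0.2 s (a flood) while
# a normal user makes three page loads in the same interval. Addresses are
# from the documentation ranges.
FLOOD = [(i * 0.01, "203.0.113.9") for i in range(20)]
NORMAL = [(0.05, "198.51.100.4"), (0.10, "198.51.100.4"), (0.15, "198.51.100.4")]


if __name__ == "__main__":
    print(simulate(FLOOD + NORMAL, rate=1.0, burst=5))
```

With rate=1 and burst=5 the flooding source gets its first five requests served and the next fifteen rejected, while the normal user is untouched. This protects the application tier from request floods it can still physically receive; it does nothing for a volumetric attack that saturates the upstream link, which has to be absorbed before it reaches the site (provider scrubbing or a CDN). Keying on source IP is also weak against distributed sources and unfair to users behind a shared NAT, and in a server fleet the bucket state has to live in shared storage rather than in one process.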


WHID 2011-90: DSLReports says member information stolen

Entry Title: WHID 2011-90: DSLReports says member information stolen
WHID ID: 2011-90
Date Occurred: April 28, 2011
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: News
Attacked Entity Geography: USA
Incident Description: Subscribers to ISP news and review site DSLReports.com have been notified that their e-mail addresses and passwords may have been exposed during an attack on the Web site earlier this week.
The site was targeted in an SQL injection attack yesterday and about 8 percent of the subscribers' e-mail addresses and passwords were stolen, Justin Beech, founder of DSLReports.com, wrote in an e-mail to members. That would be about 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts created during the site's 10-year history, Beech said in an e-mail to CNET today.
Mass Attack: No
Reference: http://news.cnet.com/8301-27080_3-20058471-245.html
Attack Source Geography:

SpiderLabs Research Analysis

SQL injection attacks also continue to plague a large number of websites. Organizations should ensure that their developers have reviewed the OWASP SQL Injection Prevention Cheat Sheet and updated all SQL queries to use parameterized queries (prepared statements) rather than dynamically inserting user-supplied data into query strings.
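Here is the difference in code, as an added example in Python with sqlite3; it is not code from DSLReports or the original post, and the members table and its rows are constructed. The vulnerable lookup builds the query by string formatting, the fixed one binds the value as a parameter, and the same attacker input is run through both.

```python
import hashlib
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for a members table. The password
# column holds hashes, not cleartext (a real system would use a slow,
# salted password hash rather than plain SHA-256).
MEMBERS = [
    ("alice@example.net", hashlib.sha256(b"alice-pw").hexdigest()),
    ("bob@example.net", hashlib.sha256(b"bob-pw").hexdigest()),
    ("carol@example.net", hashlib.sha256(b"carol-pw").hexdigest()),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO members (email, pw_hash) VALUES (?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Builds the query by string formatting, so the user-supplied value is
    parsed as SQL. This is the bug class behind the DSLReports breach."""
    query = "SELECT email, pw_hash FROM members WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Same query with a bound parameter: the value travels separately from
    the SQL text and can only ever match (or fail to match) an email."""
    return conn.execute("SELECT email, pw_hash FROM members WHERE email = ?", (email,)).fetchall()


# The kind of input an attacker submits in the email field. The quote closes
# the string literal and the OR clause makes the WHERE true for every row,
# so the string-built query dumps the whole table.
ATTACK_INPUT = "x' OR '1'='1"


def row_counts(email: str) -> Tuple[int, int]:
    """Rows returned by the vulnerable and the parameterized lookup for the
    same input, on a fresh in-memory database."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    print("legitimate lookup:", row_counts("alice@example.net"))
    print("injected input:   ", row_counts(ATTACK_INPUT))
```

For a legitimate address both return one row; for the injected input the string-built query returns every row in the table and the parameterized one returns none, because the value is compared as a literal rather than parsed as SQL. Parameterization is the control; escaping or validating on top of it is defence in depth, and a stored procedure or ORM layer that still concatenates strings internally is just as injectable.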