List of Web Hacking Incidents

WHID 2009-45: Outcome: Death

Ofer Shezaf — Wed, 10 Jun 2009 20:32:49 +0000

Updated:

8 June 2009

This must be the worse incident reported by the Web Hacking Incident Database.

We all know that web security is highly important but neglected. We tell frightening stories but listners think they are only "FUD": fear, uncertainty and doubt, used to sell products and services. I hope that the VAServ incident will serve to warn that those are not fairytale stories. Even so, I wish this one would not have happened.

In this story, like most calamities, it seems that the laymen suffer: small entrepreneurs & upstart companies who lost everything in a hacking incident. One of them even lost his life.

Vaserv web site reporting recovery status, June 10^th:
22:19 vz47uk restored
22:21 vz46uk data loss
22:42 Please allow upto 2 hours for a ticket response as currently we have 200+ active tickets
23:02 vz67uk data loss
23:20 vz50uk data restored
23:23 vz51uk data loss
00:03 FsckVPS server26 and server27 are still being worked on, but data *appears* to be intact

It all started on Sunday, June 7^th: someone broke into the web servers of VAServ, a tiny UK based hosting company. The hackers ruined many of VAServ virtual servers. Some of them lost were for ever as the snippet from VAServ home page, serving as an emergency bulletin board, shows.

As tiny as VAServ is, probably no more than 3 people, in today's virtual and flat world they could serve tens of thousands of low cost web sites, many of them now lost for ever. Behind each one of these web sites there is a story of someone who worked hard, whether on a hobby or a small business and is now left with nothing. A comment made on one of the blog entries about the incident reads:

"yeah thanks for ruining my life for the last 2 years i had built up my site spending alot of money and giving up my job for nothing.........what am i going to tell the wife?"

Just think about tens of thousand of such stories. Daniel Voyce, a web developer using VAServ for all of his clients, told the Register:

"Since last night, I've had probably 40 phone calls from clients saying 'Why is my website down, It's making me look bad."

But this domino effect ruining so many small businesses had another even more devastating angle. Just days before the hack, someone posted on milw0rm a long list of yet unpatched vulnerabilities in Kloxo, a virtual machine management software. The list certainly looks comprehensive enough to enable anyone to penetrate a site using Kloxo, which VAServ where, leading VAServ and others to believe that LxLabs, the Bangalorian software company behind Kloxo is the culprit. Somebody claiming to be the hacker commented to the inquistir blog, claiming that weak password at VAServ where to blame for the hack, which Rus Foster from VAServ denied.

We may never know who is right and who is wrong. LxLabs, just like Vaserv, is a tiny company using the Internet to look big. However one area that suffers a lot in small companies, is their security. It is never important enough to invest resource in security in such a lean and mean operations.

But tiny giants have another weakness: it all falls on the shoulders of too few people. In the case of LxLabs, on KT Ligesh the CEO. Ligesh committed suicide just a day after the hack for which his company was blamed. While already a troubled person, one cannot escape the thought that the hacking incident was the last straw.

WHID 2009-43: Web Mail Company to Pay Prize After CEO Hacked

Ofer Shezaf — Wed, 10 Jun 2009 15:14:40 +0000

Updated:

5 June 2009

What does a challenge to break an web mail system and get $10,000, broken within minutes prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general. Probably all.

The most obvious observatoins is that offering $10,000 for anyone who can break your site and being broken within an hour shows that you don't know what you taking about. Maybe it would be a lesson to all security vendors to not believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives will show how insecure and easy to evade security products can be.

However, judging from the number and seriousness of the incidents reported on the web hacking incidents database, StrongWebmail is not alone and far stronger companies suffers severe incidents, making web applications the weakest link in an organizations information security.

Lastly, we should always remember that there is never perfect security. By making systems more secure we are just raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.

WHID 2009-42: Puerto Rico sites redirected in a DNS attack

Ofer Shezaf — Wed, 10 Jun 2009 14:31:02 +0000

Updated:

10 June 2009

Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves shows both the boldness of hackers as well as the fragility of the Internet.

While not new, DNS hijacking attacks took an important turn this year showing how much we rely on the web and now little we care for its protection. In the past DNS hijacking required complete control over the DNS server. In recent years most applications are controlled through a web interface, including DNS servers. Earlier this year attackers found an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing

But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, or country) DNS server using SQL injection, virtually defacing the Puerto Rican site of companies such as Google and Microsoft.

The amazing story unfolds in the comments to CNet story, which outlines a mischievous professor and slow authorities who let him privatize and monetize on domain registration in Puerto Rico without any control.

The question we are left with is whether other countries and geographies different? Or even other industries for that matter?

WHID 2009-41: Malware in Advertizing at Digital Spy

Ofer Shezaf — Wed, 03 Jun 2009 09:51:26 +0000

Updated:

3 June 2009

The register reports that Digital Spy, a high profile UK gossip site carried banner inflicting ads. Digital Spy has acknowledged the issue and said it promptly addressed it, however details on the source of the malicious banners is still not availalbe.

Malware distribution through ad programs is a borderline phenomenon. While there is no question that malware distribucion is malicious, and in most geographies illegal, in many cases the site owners are not technically responsible for the content of the ads they serve as the ad content comes directly from a 3^rd party. The question whether they are legally responsible is open.

Another issue is defining a malware. Many times ads are used to entice users to download and install programs that are questionable. a rootkit installed through a known browser vulnerability is a malware, however the distinction between adware and malware is many time blurred and depends on:

The ratio between benefit to the user and benefit to the software distributor,
The clarity in which the benefit to the software distributor is explained to the user, and lastly:
The legality of this benefit

WHID 2009-40: SQL injection Hits Sensitive US Army servers

Ofer Shezaf — Sun, 31 May 2009 12:22:11 +0000

Updated:

31 May 2009

Information Week reports that a well known Turkish hacker penetrated two sensitive US army servers, one at McAlester Ammunition Plant in McAlester, Okla., and the other at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va. The hacks are the currently under criminal investigation by Defense Department officials.

The breaches where not publicly disclosed and the level of exposure is therefore not known. It is known however that web site visitors where redirected to a site protesting against climate change.

Ofer Shezaf — Tue, 17 Mar 2009 13:51:54 +0000

Updated:

17 March 2009

Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the senate. If the way he manages his web site security and the crises it created are an indicator, I am not sure that he has a place there.

WHID 2009-34: Romanian Hacker Moves On To The Telegraph

Ofer Shezaf — Tue, 10 Mar 2009 11:05:03 +0000

Updated:

10 March 2009

Another week, another hack by the HackerBlog, and when it targets an important web site and the impact is severe it is worthy of WHID. This time the Romanian hacker used blind SQL injection to penetrate to the web site of the Telegraph, a leading English daily paper.

Among his findings is a table including 700,000 e-mails, which would be a gold mine for spammers.

The Telegraph response was published on their official blog.

WHID 2009-33: eBay Fraud Abuses Zero Day XSS

Ofer Shezaf — Tue, 10 Mar 2009 10:49:26 +0000

Updated:

10 March 2009

A zero day XSS vector enables hackers to include in an eBay offer an arbitrary code which is executed by both FireFox and IE. As a result they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.

WHID 2008-60: Miley Cyrus Pictures Leaked Due to a Web Hack (Updated)

Ofer Shezaf — Tue, 10 Mar 2009 10:33:57 +0000

Updated:

19 April 2009

Update (April 19th 2009) - E!News provides additional interesting details about Josh Holly, the hacker who carried out the attack providing an interesting insight into the celebs hacking phenomena.

Celebs are fast becoming a prime hacking target. Miley Cyrus already made her debut at WHID when her Twitter account was raided. But it seems that this was not her first cyber incident for her. As reported by Wired, late last year a hacker named Josh Holly published private photos of Ms. Cyrus stolen from her G-mail account.

Ofer Shezaf — Wed, 25 Feb 2009 21:18:48 +0000

Updated:

25 February 2009

SaaS is the new buzzword in the IT world. Is it secure enough? read about the latest blunder of Sage, the leading provider of accounting software in the UK, when it was about to launch a trendy small business SaaS offering.

While we have no public record of an exploit in this case, it seems that the mare discovery of vulnerabilities in sage new SaaS (software as a service) offering created so much damage to classify it as an incident.

Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However as ZDnet reports, serious security flaws were discovered in the public beta and the company has to call off the launch. Who discovered the issues? naturally the competition. Duane Jackson, the CEO of a tiny rival company reported them on his blog.

More than anything, the incident shows how difficult it is for developers to migrate from desktop software to a web based offering. This is a whole new ball game, and security is one of the more difficult issues to adjust to. On the other hand it also shows that on line services are much more exposed to scrutiny, which may result in better security down the line.

As for the technical details, the reports found that the following issues in the application:

Password displayed in clear text and sent in the request line.
Remember me is on by default on any login.
Access to management sections of the site and other users data.

WHID 2009-29: FBI & Secret Service warn of a sophisticated HSM attack

Ofer Shezaf — Wed, 25 Feb 2009 20:12:30 +0000

Updated:

25 February 2009

The FBI and US Secret Service issue an alert on attack using SQL injection to penetrate banks secret key vaults: the enigmatic HSMs. Yet, nobody hears about it. Sounds like a movie plot, can it really be?

WHID 2009-28: Serious Leakage on Mac clone Maker's site

Ofer Shezaf — Wed, 25 Feb 2009 18:53:56 +0000

Updated:

25 February 2009

The Register reports that the online shop of Psystar, a maker of Mac compatible equipment is heavily leaking technical information that can be expoited to hack the site.

Ofer Shezaf — Wed, 18 Feb 2009 20:50:18 +0000

Updated:

22 February 2009

This one is somewhat more than your average "I got infected by a malware honey" b-movie.