<!DOCTYPE HTML><html><head>
<title>Default WHID View (2) - Google Fusion Tables</title>
<style type="text/css">
html, body {
margin: 0;
padding: 0;
height: 100%;
}
</style></head>
<body><table cellpadding="0" cellspacing="0"><tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-209: Hacker may have accessed DHH database<br>
<b>WHID ID:</b> 2010-209<br>
<b>Date Occured:</b> 9/17/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Baton Rouge, LA<br>
<b>Incident Description:</b> Department of Health and Hospitals spokeswoman Lisa Faust said Bureau of Emergency Medical Services personnel discovered the database breach. The unauthorized entry gave the hacker access to an individual's name and personal information, including Social Security numbers.
“What we don't know is whether the hacker was able to access any information,” Faust said.
A computer screen displayed the message “You have been hacked,” Faust said. “Since we don't know one way or the other we sent notices out to 56,000 people that there's a potential that the information was compromised.”
WASC WHID Note - the portal login page (https://ems.oph.dhh.la.gov/ems/login.asp) looks vulnerable to SQL Injection<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.2theadvocate.com/news/105946193.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-208: BoingBoing hacked and defaced<br>
<b>WHID ID:</b> 2010-208<br>
<b>Date Occured:</b> 10/27/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Blogs<br>
<b>Attacked Entity Geography:</b> Toronto, CA<br>
<b>Incident Description:</b> BoingBoing.net, the popular blog and "directory of wonderful things", has been hacked and its home page replaced with a message containing vulgar language and pictures.
The site was pulled down by the administrators shortly after the attack, which is suspected to have been executed via an SQL injection, TechCrunch reports.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.net-security.org/secworld.php?id=10062<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-207: MWEB gets hacked<br>
<b>WHID ID:</b> 2010-207<br>
<b>Date Occured:</b> 10/25/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Hosting Providers<br>
<b>Attacked Entity Geography:</b> Lusaka, South Africa<br>
<b>Incident Description:</b> The login details of over 2000 MWEB Business account-holders have been published online by a hacker.
The hacker published details such as usernames, passwords, line speeds and subscriber names on a mailing list archive, MyBroadband reported.
Affected companies include Bloomberg, Volvo SA, Caledon Hotel Casino, Peugeot SA and Radio 786.
UPDATE: According to MWEB's Twitter account, less than 1000 accounts have been affected. The ISP also said that the problem was with the Internet Solutions user interface.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://technology.iafrica.com/technews/682038.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-206: Tribal rights charity weathers DDoS assault<br>
<b>WHID ID:</b> 2010-206<br>
<b>Date Occured:</b> 10/28/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> The publication of footage of Indonesian soldiers torturing native Papuans appears to have provoked a denial of service attack on the websites of development charities who hosted it.
The websites of Survival International and at least five other organisations who work in West Papua were all floored by the attack, which started at around 5pm on Wednesday and increased in severity over the evening. Survival's site is currently back up even though the assault remains ongoing.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/10/28/survival_ddos_assault/<br>
<b>Attack Source Geography:</b> London, England<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-205: Hackers plant Firefox 0day on Nobel Peace Prize website<br>
<b>WHID ID:</b> 2010-205<br>
<b>Date Occured:</b> 10/27/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> Norway<br>
<b>Incident Description:</b> Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace Prize website, a Norway-based security firm said on Tuesday.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/10/26/firefox_0day_report/<br>
<b>Attack Source Geography:</b> Taiwan<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-204: How bank hackers beat Barclays<br>
<b>WHID ID:</b> 2010-204<br>
<b>Date Occured:</b> 10/25/2010<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Fraud<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> London, England<br>
<b>Incident Description:</b> The Barclays hack
The Barclays hackers used their zero-day attack (or hack) to get round the security gate timers the bank's engineers had put in its website software.
It was the hacking equivalent of sitting outside the bank in a Ford Cortina, and checking your watch every time the rent-a-cop does his rounds and the bank manager pops out for his lunch-time massage.
Barclays thought it was prepared for this sort of reconnaissance, said Romain. The bank's security team had reviewed the software behind its website payment system and got everything ship-shape.
They checked how their banking software handled internet transactions. Real people tend to fumble and faff about at their computers. It can take some old timers half a day just to enter their card number.
Yet automated software bots designed by hackers can spit out instructions as fast as the bank computer will receive them. Software like this pretends to be a bank customer, but is far too efficient to be a real person at all.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.thinq.co.uk/2010/10/25/how-bank-hackers-beat-barclays/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-203: Confessed student hacker speaks<br>
<b>WHID ID:</b> 2010-203<br>
<b>Date Occured:</b> 10/25/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> London, Ontario, CA<br>
<b>Incident Description:</b> HOW HE SAYS HE HACKED THE SYSTEM
An SQL database system is used to store information, such as passwords. Using an "SQL injection," he was able to log onto the site as an administrator. From there, he was able to upload files and to get the log-in information.
"It let me see all the files on the servers, passwords, user names. They did not make any effort to hide it," he said of the school board's IT department.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.woodstocksentinelreview.com/ArticleDisplay.aspx?e=2815263<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-202: NASA Website hacked and serving malware/spam<br>
<b>WHID ID:</b> 2010-202<br>
<b>Date Occured:</b> 10/21/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Phoenix, AZ<br>
<b>Incident Description:</b> Some sites under NASA's Jet Propulsion lab ( http://jpl.nasa.gov/ ) have been hacked and are being used on the infamous blackhat SEO Spam network. Not only that, but they are also serving malware to unsuspicious users.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/10/nasa-web-site-hacked-and-serving-malwarespam.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-201: Operation: Payback Hits SatelFilm.at with 'Drive By' DoS<br>
<b>WHID ID:</b> 2010-201<br>
<b>Date Occured:</b> 10/21/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Wien, Austria<br>
<b>Incident Description:</b> Operation: Payback apparently went on a preemptive strike, taking Satel Film by surprise and launching a 'drive by' DDoS (Distributed Denial of Service) attack. As of this writing, SatelFilm.at is offline.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> 1<br>
<b>Reference:</b> http://www.slyck.com/story2097_Operation_Payback_Hits_SatelFilmat_with_Drive_By_DoS<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-200: Wikileaks Communications Infrastructure Attacked?<br>
<b>WHID ID:</b> 2010-200<br>
<b>Date Occured:</b> 10/21/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> News<br>
<b>Attacked Entity Geography:</b> San Mateo, CA<br>
<b>Incident Description:</b> According to sources in the hacking circuit familiar with the goings-on of Wikileaks, the organization is adopting a new server cluster to replace those that have come under the denial-of-service attack. The security breaches were not connected to the site restructuring that has brought it down for about two weeks, said a Wikileaks volunteer. Because the organization's staff members operate on the policy of "security through obscurity," insiders were not clear about the magnitude of or the parties behind the attack.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://cybersecurityreport.nextgov.com/2010/10/wikileaks_communications_infrastructure_attacked.php?oref=latest_posts<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-199: Cyber Attack Strikes FreedomWorks<br>
<b>WHID ID:</b> 2010-199<br>
<b>Date Occured:</b> 10/21/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Washington, DC<br>
<b>Incident Description:</b> A mysterious cyber attack apparently struck the computer servers at the pro-tea party group FreedomWorks this morning, just as it launched a major fund-raising drive.
FreedomWorks officials are investigating, but they suspect they were attacked deliberately, perhaps by a political opponent seeking to thwart its fund-raising efforts.
The attack crippled the site at about 9:45 a.m. just when the fund-raising drive was publicized on the radio by conservative talk show host Glenn Beck. The group estimates it lost about $80,000 in potential donations as it struggled to bring its site back online.
An “autopsy” showed a highly sophisticated hacker struck at 6:55 a.m., the group said, setting the stage for the eventual meltdown. The server was wiped out, though group officials said no data was lost or stolen.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.wsj.com/washwire/2010/10/21/cyber-attack-strikes-freedomworks/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-198: Kaspersky download site hacked, redirecting users to fake AV<br>
<b>WHID ID:</b> 2010-198<br>
<b>Date Occured:</b> 10/17/2010<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> Moscow, Russia<br>
<b>Incident Description:</b> According to ITPro, the incident was first denied, then confirmed by Kaspersky. They say that they took the server offline as soon as they found out about the breach, that the compromise was caused by a vulnerability in a third party application for website administration and that customer details contained on company servers were not compromised.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.net-security.org/malware_news.php?id=1499<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-197: AmeriCorps Security Breach<br>
<b>WHID ID:</b> 2010-197<br>
<b>Date Occured:</b> 10/8/2010<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Washington, DC<br>
<b>Incident Description:</b> In order for personal data to have been exposed, someone would have had to manipulate the website address -- or know the individual's unique log-in name and use a certain technique to bypass password requirements, the letter said. The records may have shown names, addresses and social security numbers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://wiredworkplace.nextgov.com/2010/10/americorps_workers_personal_data_jeopardized-print.php<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-196: HK star Dicky Cheung's blog hacked<br>
<b>WHID ID:</b> 2010-196<br>
<b>Date Occured:</b> 10/19/2010<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> Hong Kong<br>
<b>Incident Description:</b> Even when the hoax was exposed, the hacker continued to boldly state in a post that he hacked Cheung's blog to test his skills.
He claimed that "it took only a short while to retrieve a user's login information" before apologising for the matter and vanishing.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.channelnewsasia.com/stories/entertainment/view/1087981/1/.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-195: Anonymous DDoS on Gene Simmons' websites<br>
<b>WHID ID:</b> 2010-195<br>
<b>Date Occured:</b> 10/12/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Beverly Hills, CA<br>
<b>Incident Description:</b> Gene Simmons, frontman of the band KISS, is hardly impressed with the DDoS (Distributed Denial of Service) attack on GeneSimmons.com - and indirectly - SimmonsRecords.com. In fact, according to a news post made to his site yesterday, Gene is threatening legal action against the perpetrators, along with posting their names and pictures online.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.slyck.com/story2088_Gene_Simmons_Directly_Threatens_Anonymous_With_Legal_Action_Jail_Time<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-194: Liberal Democrats website hijacked by tuition fees message<br>
<b>WHID ID:</b> 2010-194<br>
<b>Date Occured:</b> 10/18/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> The website for the Liberal Democrats was hacked at the end of last week, with the front page redirecting to a YouTube protest about tuition fees.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.scmagazineuk.com/liberal-democrats-website-hijacked-by-tuition-fees-message/article/181149/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-193: IPO.gov.uk - Less than an Hour Until Attack Begins<br>
<b>WHID ID:</b> 2010-193<br>
<b>Date Occured:</b> 10/16/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> So now the target of Anonymous is the IPO.gov.uk website - or the Intellectual Property Office. This is the first time Anonymous has targeted a government website, indicating a level of fearlessness considering the possible ramifications. As its name suggests, the IPO governs and helps protect copyrights and intellectual property in the United Kingdom.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.slyck.com/story2087_IPOgovuk_Less_than_an_Hour_Until_Attack_Begins<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-192: SQL Injection Used to Deface Copyprotected, Others Might Follow<br>
<b>WHID ID:</b> 2010-192<br>
<b>Date Occured:</b> 10/16/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> However, Sean-Paul Correll of Panda Security doesn't agree with the "DNS cache poisoning" theory. According to him, the attack vector was SQL injection.
"The original researcher assumed that the host of the hijacked site was not affiliated with the MPAA website, but we can see that the reported IP is hosting other MPAA related websites [cptwg.org, filmratings.com]," the researcher writes.
Correll even points out exactly where the exploited SQL injection weakness was located and calls the flaw "rudimentary."<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/SQL-Injection-Used-to-Deface-Copyprotected-Others-Might-Follow-161316.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-191: XSS Flaw Found on Secure American Express Site<br>
<b>WHID ID:</b> 2010-191<br>
<b>Date Occured:</b> 10/5/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Credit Card Issuer<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A cross-site scripting (XSS) vulnerability has been identified on an American Express website secured with EV SSL and can be exploited to enhance phishing attacks.
XSS weaknesses are the result of poor input validation into Web forms and allow attackers to return potentially malicious code to visitors' browsers.
Ensuring proper validation of all inputs in Web applications, in order to prevent cross-site scripting and SQL injection vulnerabilities, is actually a requirement of the Payment Card Industry Data Security Standard (PCI-DSS).<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/XSS-Flaw-Found-on-Secure-American-Express-Site-159439.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-190: PayPal and eBay XSSed Again<br>
<b>WHID ID:</b> 2010-190<br>
<b>Date Occured:</b> 10/6/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> New cross-site scripting (XSS) vulnerabilities, that can be leveraged to create very credible phishing attacks, have been identified on PayPal and eBay.
The PayPal XSS weakness was discovered by a Romanian security enthusiast using the online handle of d3v1l, who disclosed it on his blog.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/eBay-and-PayPal-XSSed-Again-159733.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://blogs.forbes.com/firewall/2010/10/06/hackable-bug-found-on-paypal-com/?partner=yahootix
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-189: Copyright holder floored by DDoS flood<br>
<b>WHID ID:</b> 2010-189<br>
<b>Date Occured:</b> 10/7/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> Spain<br>
<b>Incident Description:</b> Spain's copyright society (SGAE) came under attack by hacktivists from Anonymous on Thursday as part of the latest phase of a high-profile campaign against organisations that hassle file-sharers.
A distributed denial of service attack, officially launched at midnight (Central European Time) on 7 October, crashed the organisation's website on Wednesday before it even officially began. The assault is a repeat of tactics previously used against the websites of Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA) and UK law firm ACS:Law, among others.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/10/07/anonymous_ent_biz_ddos_hits_spain/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-188: Hackers hijack internet voting system in Washington DC<br>
<b>WHID ID:</b> 2010-188<br>
<b>Date Occured:</b> 10/6/2010<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The voting application was written on the Ruby on Rails framework and ran on top of the Apache web server and the MySQL database. The scientists were able to hijack the system after they discovered that they could upload ballots with almost any string they wanted. By inserting Unix commands into the file names, they were able to take “almost total control of the server software, including the ability to change votes and reveal voters' secret ballots,” Halderman said.
A file named “ballot.$(sleep 10)pdf,” for instance, caused the server to pause for 10 seconds. They used similar techniques to install a backdoor on the system that allowed them almost unfettered system access.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/10/06/net_voting_hacked/<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-187: "Operation Payback" attacks to go on until "we stop being angry"<br>
<b>WHID ID:</b> 2010-187<br>
<b>Date Occured:</b> 9/30/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> The distributed denial of service (DDoS) attacks against anti-piracy websites have gone on for a week now, with the lawyers behind the "US Copyright Group" being the latest target. And the anonymous Internet users behind "Operation Payback" aren't done acting out; in an interview yesterday with the security experts at Panda Labs, one of the organizers said that Anonymous' attacks will continue "until we stop being angry." Judging from the list of things that make him (?) angry, this could take a while.
The law firm of Dunlap, Grubb and Weaver was one of the newest targets of the attacks, organized a week ago to take down antipiracy organizations around the world. Already hit: the RIAA (US), BPI (UK), MPAA (US), AFACT (Australia), BREIN (Netherlands), Aiplex (India), and Websheriff (UK). One of the smaller sites actually yielded the biggest bounty; the UK "P2P settlement letter factory" ACS Law gave up several hundred megabytes of private e-mails after being taken offline by the attack.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://arstechnica.com/tech-policy/news/2010/09/operation-payback-attacks-continue-until-we-stop-being-angry.ars<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-186: Foursquare Hacked by TechCrunch Editor Michael Arrington<br>
<b>WHID ID:</b> 2010-186<br>
<b>Date Occured:</b> 10/1/2010<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Becoming "mayor" of a location is the most coveted status in Foursquare. To win this honor you have to check in to a location more than anyone else, and to do that you actually have to go there, since Foursquare won't let you check in remotely. But last night TechCrunch editor Michael Arrington punked Foursquare's API and made himself mayor of Facebook and Twitter headquarters, all without ever leaving his office.
"A mischievous hacker friend of mine stepped in with a small script that he wrote that will check me in to any venue at all via the Foursquare API," Arrington wrote in a post on TechCrunch. "That means I don't have to spend time finding friends already where I want to be, and since we're using the API we can easily fake out the "you're not actually there" problem."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.observer.com/print/133727<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-185: Online hackers steal $600K from city of Brigantine's bank account<br>
<b>WHID ID:</b> 2010-185<br>
<b>Date Occured:</b> 10/1/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> New Jersey, USA<br>
<b>Incident Description:</b> Computer hackers managed to steal $600,000 from a New Jersey shore town's bank account.
Officials say $200,000 still hasn't been recovered.
TD Bank notified Brigantine on Tuesday that multiple wire transfers had taken place from its account.
Police say someone was able to get a user name and password. Authorities say a virus or a fake Web page set up to mimic the bank's real one might have been used to carry out the thefts.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.nj.com/news/index.ssf/2010/10/online_hackers_steal_600k_from.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-184: Microsoft warns of in-the-wild attacks on web app flaw<br>
<b>WHID ID:</b> 2010-184<br>
<b>Date Occured:</b> 9/21/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Information Leakage<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Multiple<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering. The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests. Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system's most sensitive configuration files.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-183: Don't blame DNS for Facebook outage, experts say<br>
<b>WHID ID:</b> 2010-183<br>
<b>Date Occured:</b> 9/27/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Facebook gave little detail about the cause of the outage except to say that it was the result of a misconfiguration in one of its databases, which prompted a flood of traffic from an automated system trying to fix the error.
"We made a change to a persistent copy of a configuration value that was interpreted as invalid," explained Robert Johnson in Facebook's blog post about the incident. "This meant that every single client saw the invalid value and attempted to fix it. Because the fix involves making a query to a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries per second."
The feedback loop created so much traffic that Facebook was forced to turn off the database cluster, which meant turning off the Web site.
"Once the databases had recovered and the root cause had been fixed, we slowly allowed more people back onto the site," Johnson said. He added that "for now we've turned off the system that attempts to correct configuration values."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2010/09/27/urnidgns002570F3005978D8002577A9007EE871.DTL<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-182: Orkut Hit by XSS Worm<br>
<b>WHID ID:</b> 2010-182<br>
<b>Date Occured:</b> 9/26/2010<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> First Twitter was hacked. Then Facebook went down. Now it's Orkut's turn. Google's social networking site has been attacked by the virulent “Bom Sabado” worm. Bom Sabado means “Good Saturday” in Portuguese, the native language of Brazil where the worm is thought to have originated. Orkut is the most popular social site in Brazil, India and several other countries.
The worm replicates itself across accounts and randomly sends “Bom Sabado” messages to friends' scrapbooks — Orkut's version of Facebook's wall. Google support recently announced that the worm had been contained and they are in the process of cleaning infected accounts. However, the company recommends vigilance when accessing accounts — users should be especially wary about clicking suspicious links.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.sitepoint.com/2010/09/26/orkut-bom-sabado-xss-worm/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Orkut<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-181: Mass cyber attack paralyses Burmese media<br>
<b>WHID ID:</b> 2010-181<br>
<b>Date Occured:</b> 9/27/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Burma<br>
<b>Incident Description:</b> Websites belonging to The Irrawaddy magazine, Mizzima and DVB, all exiled media groups founded by former activists, were today attacked using DDoS, or distributed denial-of-service, which fires thousands of malformed web connections against the site.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.dvb.no/elections/mass-cyber-attack-paralyses-burmese-media/11932<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-180: Thousands of Websites Affected by Anonymous DDoS Attack Against AFACT<br>
<b>WHID ID:</b> 2010-180<br>
<b>Date Occured:</b> 9/28/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Multiple<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> The Distributed Denial of Service (DDoS) attack launched by Anonymous against the Australian Federation Against Copyright Theft (AFACT) yesterday, has ended up affecting almost 8,000 unrelated websites.
Operation Payback, the DDoS campaign led by Anonymous against anti-piracy groups and entertainment industry associations is now over a week old.
Since September 18th, when the coordinated attacks started, the group has hit websites belonging to the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), the International Federation of the Phonographic Industry (IFPI), the British Phonographic Industry (BPI) and the Dutch Bescherming Rechten Entertainment Industrie Nederland (BREIN).
Two UK-based law firms and an Indian company called Aiplex Software involved in anti-piracy efforts have also been attacked.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Thousands-of-Websites-Affected-by-Anonymous-DDoS-Attack-Against-AFACT-158431.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-179: WTF worm makes Twitterers declare goat lust<br>
<b>WHID ID:</b> 2010-179<br>
<b>Date Occured:</b> 9/27/2010<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Another malicious worm hit Twitter over the weekend, days after the micro-blogging site reached near-meltdown from a technically similar attack.
This time around the danger came from clicking links contained in micro-blogging messages beginning "WTF [URL]". Last week's more serious onMouseOver problem struck when users moved their mouse cursor over an infected tweet. These messages contained hidden JavaScript code that exploited a cross-site scripting problem - in the case of the WTF worm a CSRF (cross-site request forgery) technique is in play.
The miscreants behind the latest assault set up an attack page that exploited a CSRF vulnerability in Twitter so that victims who clicked on a link posted a crude message about their supposed fondness for sex with goats, as explained in a blog post by Sophos here.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/09/27/twitter_wtf_worm/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-178: New Mass Injection Attack Targets ASP Websites<br>
<b>WHID ID:</b> 2010-178<br>
<b>Date Occured:</b> 9/29/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Multiple<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A gang of hackers infecting predominantly ASP and ASP.NET websites with malicious code has launched a new attack that has so far affected at least 1,500 domains. "A large number of sites have been hacked again in the last few days with a malware script pointing to google-stat50.info (and google-stats50.info)," David Dede of Web integrity monitoring vendor Sucuri Security, warns. "Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few months ago," he adds. The robint.us mass injection took place at the beginning of June and got good coverage in the media because it affected the websites of the Wall Street Journal and Jerusalem Post.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Mass SQL Injection Bots<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/New-Mass-Injection-Attack-Targets-ASP-Websites-158499.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-177: Japan Suspects Chinese Hackers Attacked Its Official Websites<br>
<b>WHID ID:</b> 2010-177<br>
<b>Date Occured:</b> 9/20/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Japan<br>
<b>Incident Description:</b> Japan views Chinese hackers as main suspects for Distributed Denial of Service (DDoS) attacks that affected several of its official websites last week.
According to the Taipei Times, the Japanese government is investigating attacks directed at the Ministry of Defense and National Police Agency websites, between Wednesday and Friday.
The largest known Chinese hacking group is suspected of launching the DDoS, because it made threats in this respect, following a recent maritime incident that led to a diplomatic conflict between the two countries.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Japan-Suspects-Chinese-Hackers-Attacked-Its-Official-Websites-157142.shtml<br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-176: Cyber rally disrupts US recording industry website<br>
<b>WHID ID:</b> 2010-176<br>
<b>Date Occured:</b> 9/20/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Reference WHID 2010-164: Company Paid to Launch DoS Attacks Against Torrent Sites
Computer security researchers have said that an unprecedented mass cyber protest was triggered by efforts by film and music trade groups to close online piracy haunts.
Members of the 4chan online forum, which promotes users remaining anonymous, organized distributed denial-of-service (DDoS) attacks on websites for the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), according to the security firm PandaLabs.
DDoS attacks are efforts to overload websites with so many simultaneous requests that computer servers can't handle the load and freeze or crash.
Attacks on RIAA caused dozens of interruptions in service, taking down the group's website for a total of one hour and 37 minutes, according to PandaLabs.<br>
<b>Mass Attack:</b> Yes<br>
<b>Mass Attack Name:</b> Operation Payback<br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.google.com/hostednews/afp/article/ALeqM5h7fm6cBhM33alDYD_1n4tTVHwXMw<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-175: Persistent XSS Bug on Twitter Being Exploited<br>
<b>WHID ID:</b> 2010-175<br>
<b>Date Occured:</b> 9/21/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> There is currently a persistent cross-site scripting vulnerability on the main Twitter site and researchers say that the bug is being exploited via proof-of-concept code.
The bug appeared Tuesday morning and experts quickly noticed users taking advantage of the flaw. Details of the bug are slim right now, though experts say that mousing over a specific link will produce a pop-up window that displays the logged-in user's Twitter cookie.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://threatpost.com/en_us/blogs/persistent-xss-bug-twitter-being-exploited-092110<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-174: GOP lawmaker: My Twitter account was 'hacked by robospammers'<br>
<b>WHID ID:</b> 2010-174<br>
<b>Date Occured:</b> 9/15/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Rep. John Culberson (R-Texas) returned to Twitter after nearly a five-month break Tuesday night only to have his account hacked.
&quot;If you got a weird tweet from me ignore it &amp; do not click on the hyperlinks -they are prob viruses- my account was hacked by robospammers,&quot; he tweeted Wednesday morning. He noted later that he had &quot;fixed the account.&quot;<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://thehill.com/blogs/twitter-room/other-news/118909-gop-lawmaker-my-twitter-account-was-hacked-by-robospammers<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-173: Polish hacker gets inside US Military's Defence Logistic Agency website<br>
<b>WHID ID:</b> 2010-173<br>
<b>Date Occured:</b> 9/16/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> There is one movie every Polish person knows. It's a cult comedy from the 80s called "Miś" - meaning "Teddy Bear". Now, thanks to a hacker going by the name "Porkythepig", everyone can see it - but not on YouTube where you would expect it, but on the USA military Defence Logistics Agency website.
If you go to the site and just type "porkythepig", a fragment of a movie begins to play. It's in Polish, of course - for those not fluent in Polish the man with a guitar sings: "I'm a Happy Romek..." * It's funny but the story is much more serious.
On Seclists.org you can find a post by porkythepig about the potential vulnerability that exists on many sites, including military and government.
But apparently since March, when the details of the insecurity were published on seclists.org, nobody did anything to patch the vulnerability so porkythepig decided to prove his observations the hard way. Polish language source is here - but the vulnerability still works at time of publishing so try it yourself.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.techeye.net/security/polish-hacker-gets-inside-us-militarys-defence-logistic-agency-website<br>
<b>Attack Source Geography:</b> Poland<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://seclists.org/fulldisclosure/2010/Mar/521
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-172: Cipro steps up security after hacking<br>
<b>WHID ID:</b> 2010-172<br>
<b>Date Occured:</b> 9/17/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> South Africa<br>
<b>Incident Description:</b> The Companies and Intellectual Property Registration Office (Cipro) said on Thursday it beefed up internal security to make sure directors cannot be removed from companies without the proper processes being followed.
It emerged last week that several directors of Kalahari Resources had been removed with their names substituted.
Cipro has been under fire for several months following claims criminals were able to hack into its database.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.eyewitnessnews.co.za/articleprog.aspx?id=48673<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-171: Hackers Push Malicious Ads onto UK Celebrity Gossip Website<br>
<b>WHID ID:</b> 2010-171<br>
<b>Date Occured:</b> 9/17/2010<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> The Popbitch celebrity gossip website was blacklisted by Google after hackers managed to compromise its ad server and push malware to users. A Popbitch spokesperson has since confirmed that the website served malicious ads for a limited period of time after its ad server was compromised by hackers.
"We've got to the bottom of this problem and are just waiting for the all clear from Google," they told The Register.
"There is a vulnerability in Open Ads X, the ad server we were using. We've cut off open ads from Popbitch and are upgrading to OpenAds 2.8.7," they added.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Hackers-Push-Malicious-Ads-onto-UK-Celebrity-Gossip-Website-156768.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> OpenX<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-170: OpenX Vulnerability Exploited to Compromise Multiple Ad Servers<br>
<b>WHID ID:</b> 2010-170<br>
<b>Date Occured:</b> 9/15/2010<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A vulnerability in a component of the OpenX advertising platform has been exploited by hackers to tamper with ad serving on multiple websites including The Pirate Bay, eSarcasm and AfterDawn.
The affected component, called Open Flash Chart 2, is developed by a third party, but has been included by default in OpenX since last December.
The module allows visitor statistics to be displayed as graphic charts and the vulnerability is located in the ofc_upload_image.php script, which fails to properly validate uploaded files or the users uploading them.
According to Heise Media, the flaw was originally discovered a year ago by another open source project, which uses the same component, but it escaped the OpenX developers when deciding to integrate it.
As a result, hackers can leverage the bug to upload executable scripts and gain complete control of the servers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Unpatched-OpenX-Vulnerability-Exploited-to-Compromise-Multiple-Ad-Servers-156402.shtml<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> OpenX<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-169: TechCrunch Europe hacked to spread malware like a poison ivy infection<br>
<b>WHID ID:</b> 2010-169<br>
<b>Date Occured:</b> 9/7/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Europe<br>
<b>Incident Description:</b> Graham Cluley, Senior Technology Consultant at Sophos, blogged, "A closer examination of TechCrunch Europe's site reveals that the offending code - which uses a malicious iFrame - is found in a JavaScript file, used by the site as part of its WordPress infrastructure. This attempts to serve up a malicious PDF file, exploiting a vulnerability that brings to your computer a nasty infection from the ZBot (also known as Zeus) malware family."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.computerworld.com/16888/techcrunch_europe_hacked_to_spread_malware_like_a_poison_ivy_infection<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-168: Symantec secures its vulnerable "Hack is Wack" site<br>
<b>WHID ID:</b> 2010-168<br>
<b>Date Occured:</b> 9/7/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Security giant Symantec said it has secured its “Hack is Wack” contest website after researchers discovered it was riddled with vulnerabilities.
Last week, Symantec, with the help of famed rapper Snoop Dogg, began promoting its new “Hack is Wack” marketing campaign for its Norton anti-virus products. As part of the effort, budding rappers are invited to post a video about cybercrime for a chance to win Snoop concert tickets and to hang out with his management team.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.scmagazineus.com/symantec-secures-its-vulnerable-hack-is-wack-site/article/178388/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-167: Facebook closes hole that let spammers auto-post to walls, friends<br>
<b>WHID ID:</b> 2010-167<br>
<b>Date Occured:</b> 9/7/2010<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Facebook has closed a hole that was being used by spammers to automatically post wall messages and direct messages to friends, the company said on Tuesday.
Just clicking on the link to one of the applications that were taking advantage of the bug would allow the auto-posting to happen, Facebook said. The apps, which appeared to be sending people to a survey Web site, were disabled on Monday, the company said.
"Earlier this week, we discovered a bug that made it possible for an application to bypass our normal CSRF (cross-site request forgery) protections through a complicated series of steps. We quickly worked to resolve the issue and fixed it within hours of discovering it," Facebook said in a statement. "For a short period of time before it was fixed, several applications that violated our policies were able to post content to people's profiles if those people first clicked on a link to the application."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.cnet.com/8301-27080_3-20015728-245.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-166: Twitter Patches Account Hijacking Vulnerability<br>
<b>WHID ID:</b> 2010-166<br>
<b>Date Occured:</b> 9/8/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Session Hijacking<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Twitter users faced a virulent new JavaScript-based account hijacking attack on Monday. Simply clicking on one of the malicious links involved, disguised as innocuous-looking links in Tweets, enabled attackers to hijack a user's account and post numerous Tweets.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227300371&amp;cid=RSSfeed_IWK_News<br>
<b>Attack Source Geography:</b> Brazil<br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-165: FMT under DDOS attack<br>
<b>WHID ID:</b> 2010-165<br>
<b>Date Occured:</b> 9/9/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> News<br>
<b>Attacked Entity Geography:</b> Malaysia<br>
<b>Incident Description:</b> The FreeMalaysiaToday website has come under attack, rendering the news portal inaccessible to readers since 3am this morning.
According to FMT's chief technical officer Thirun Nadason, the Distributed Denial of Service (DDOS) attack is believed to be the work of professionals.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.freemalaysiatoday.com/fmt-english/news/general/10094-fmt-under-ddos-attack<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-164: Company Paid to Launch DoS Attacks Against Torrent Sites<br>
<b>WHID ID:</b> 2010-164<br>
<b>Date Occured:</b> 9/10/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> An Indian company paid by the film industry to get copyrighted works removed from the Internet openly admits to launching Denial of Service (DoS) attacks against torrent sites that refuse to comply with takedown notices.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Company-Paid-to-Launch-DoS-Attacks-Against-Torrent-Sites-155892.shtml<br>
<b>Attack Source Geography:</b> India<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-163: Ironman websites targeted by cyberattack<br>
<b>WHID ID:</b> 2010-163<br>
<b>Date Occured:</b> 8/31/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Sports<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> According to a press release today from Ironman.com, the site was a victim of a Distributed Denial-of-Service (DDoS) attack.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.examiner.com/triathlon-in-national/ironman-websites-targeted-by-cyberattack?render=print#print<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-162: Dick's says poll was hacked<br>
<b>WHID ID:</b> 2010-162<br>
<b>Date Occured:</b> 9/1/2010<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Hospitality<br>
<b>Attacked Entity Geography:</b> Washington, USA<br>
<b>Incident Description:</b> The poll to influence where a new Dick's Drive-In location will be built has been so popular, a hacker found a way to electronically stuff the ballot box.
Monday, the company's website, www.ddir.com, listed three geographic areas where the restaurant could be built.
A hacker wrote a script that repeatedly cast votes for one of the locations.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.seattlepi.com/local/426071_dicks02.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-161: IBC Bank Online Banking Website is Down or Under DDoS Attack?<br>
<b>WHID ID:</b> 2010-161<br>
<b>Date Occured:</b> 9/2/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Texas, USA<br>
<b>Incident Description:</b> There have been a lot of online banking websites or internet-based banking services experiencing downtime for various reasons these past few weeks. Last week we reported that the Bank of America website crashed for at least 4 hours, and now the IBC Bank. Both the IBC Bank website (IBC.com) and the IBC Bank Online login site (ibcbankonline.ibc.com) are currently down.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.adi-news.com/ibc-bank-online-banking-website-is-down-or-under-ddos-attack/24357/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-160: Hackers crack e-mail server of Russian Federal Protection Service (gov.ru)<br>
<b>WHID ID:</b> 2010-160<br>
<b>Date Occured:</b> 8/23/2010<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Russia<br>
<b>Incident Description:</b> The email server of one of the Federal Protection Service (FPS) departments was attacked. As a result, for several hours any Internet user could access the FPS e-mail archive.
The attack succeeded because of available outbound access and because the administrators failed to modify default settings, including passwords for accounts used to access the system with administrative privileges.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.securitylab.ru/news/397019.php<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Dozor<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://habrahabr.ru/blogs/infosecurity/102391/
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-159: 500 000 websites hacked, including Apple<br>
<b>WHID ID:</b> 2010-159<br>
<b>Date Occured:</b> 8/17/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> As reported by The Register IT news portal, a number of smaller websites have been hacked using an SQL injection attack method that attempts to obfuscate links to malware infected pages. The hack apparently also affected two Apple websites that are used to promote its iTunes podcasts.
Other than the Apple sites, the news service says that at least 538 000 “mom-and-pop” websites have been victimized by the hack, in addition to 500 000 more that appear quite similar but lead to different domains.
The attack takes advantage of web-based application vulnerabilities, which often do not differentiate between legitimate search queries and intentional attacks via malicious code.
The Register reported that the malware-infected links have been removed from the Apple pages since Google last indexed its search page earlier this month.
The attack underlines the need for companies to go the extra mile and secure external web-facing applications, said Rob Horton, the operational director of security testing consultant NCC Group.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.infosecurity-us.com/view/11870/500-000-websites-hacked-including-apple/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://www.theregister.co.uk/2010/08/17/apple_sql_attack/
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-158: National Space Agency of the Republic of Kazakhstan was hacked<br>
<b>WHID ID:</b> 2010-158<br>
<b>Date Occured:</b> 7/18/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Kazakhstan<br>
<b>Incident Description:</b> On the 18th of July, the hack-world.org group used an SQL Injection attack to obtain access to the administration section of the National Space Agency of the Republic of Kazakhstan website. Access to the site's administration system was made easier by the administrators' use of weak passwords, which could be recovered locally from their MD5 hashes. Currently, the site is under reconstruction.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://habrahabr.ru/blogs/infosecurity/99736/<br>
<b>Attack Source Geography:</b> Russia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://hack-world.org/showthread.php?t=5133
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-157: Facebook Full Disclosure<br>
<b>WHID ID:</b> 2010-157<br>
<b>Date Occured:</b> 7/20/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Information Leakage<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> apps.facebook.com website hacked via SQL Injection.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://sla.ckers.org/forum/read.php?16,35138,35138#msg-35138<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://devteev.blogspot.com/2010/07/facebook-full-disclosure.html
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-156: The Russian Railways tickets site was hacked<br>
<b>WHID ID:</b> 2010-156<br>
<b>Date Occured:</b> 7/21/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Transport<br>
<b>Attacked Entity Geography:</b> Russia<br>
<b>Incident Description:</b> Unknown attackers hacked the official site of the "Russian Railways" company. As a result, web pages were replaced by the hackers' messages. The site was temporarily blocked; it is now back online, but some pages are still unavailable, the "Buying Train Tickets" web page among them (ticket.rzd.ru). No details about personal data leakage are available yet.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.uinc.ru/news/sn14165.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-155: S. Korean Gov't Websites Hit by Hacker Attacks<br>
<b>WHID ID:</b> 2010-155<br>
<b>Date Occured:</b> 7/7/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> South Korea<br>
<b>Incident Description:</b> Official websites of South Korean government agencies, including the presidential office and the foreign ministry, came under hacker attacks Wednesday, a national telecom regulator said.
According to the state-run Korean Communications Commission (KCC), the websites of government agencies, such as the presidential office Cheong Wa Dae, the Ministry of Foreign Affairs and Trade, and private firms, including the leading Internet search engine Naver, Nonghyup Bank and the Korean Exchange Bank, were hit by the so-called distributed denial-of-service (DDoS) attacks from around local time 6:00 p.m. (0900 GMT) Wednesday.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://english.cri.cn/6966/2010/07/07/1461s581567.htm<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-154: Justin Bieber My World Tour Contest Hacked<br>
<b>WHID ID:</b> 2010-154<br>
<b>Date Occured:</b> 7/2/2010<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> That was but a preliminary skirmish: they've come up with a much more damaging plan to send Bieber to North Korea. Foolish, foolish Bieber has started a competition for countries to vote for him to come and tour them. Called the Justin Bieber My World Tour Contest, it has now been thoroughly hijacked by Anonymous; at the time of writing, North Korea is in second place by only a few thousand votes. Unless the current leader Israel can get its act together, it should be overtaken by lunchtime.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.independent.co.uk/2010/07/02/the-plot-to-send-justin-bieber-to-north-korea/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-153: App Store, Hacked.<br>
<b>WHID ID:</b> 2010-153<br>
<b>Date Occured:</b> 7/4/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> This article began with details of one specific app developer hacking iTunes users' accounts and purchasing their own apps using those accounts, making it to the top of the iTunes charts. As the story has developed it appears to be far more widespread than just that one particular developer and his apps… the Apple App store is filled with App Farms being used to steal. We've put together a complete list of all the facts and updates to this story here, which we highly recommend you read instead of this article. Apple has also now released a statement about the matter.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://thenextweb.com/apple/2010/07/04/app-store-hacked/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-152: The Pirate Bay hacked<br>
<b>WHID ID:</b> 2010-152<br>
<b>Date Occured:</b> 7/5/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> Sweden<br>
<b>Incident Description:</b> According to an advisory posted on the web site of an Argentinian group of security researchers, they were able to obtain access to the Pirate Bay's administration panel by discovering multiple SQL injections, leading to the exposure of emails, MD5 hashes for passwords, and the IP address for any particular Pirate Bay user.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/<br>
<b>Attack Source Geography:</b> Argentina<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://insilence.biz/2010/07/multiple-sql-injections-on-the-pirate-bay/
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-151: YouTube Hacked<br>
<b>WHID ID:</b> 2010-151<br>
<b>Date Occured:</b> 7/4/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Today, members of the Internet community 4chan and other enterprising computer whizzes hacked YouTube using a vulnerability in the site's comment system. While the hack was used on a variety of videos, striking music videos featuring teen pop idol Justin Bieber was the most popular activity.
Twitter lit up with complaints about the problem, Google support got some concerned posts on its forum, and we received tips in our inbox. The event caused quite a Sunday-morning stir.
The bug allowed users to inject HTML (the code that most websites are built with) that could be executed on the site, whereas HTML within comments is supposed to be restricted. The hackers did everything from forcing pop-up messages to appear over the site declaring that it had been hacked to redirecting Bieber video pages to sites hosting pornography and malware.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.acunetix.com/blog/web-security-zone/articles/dangerous-xss-vulnerability-found-on-youtube-the-vulnerability-explained/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-150: At least four Armenian websites were attacked by Azerbaijani hackers<br>
<b>WHID ID:</b> 2010-150<br>
<b>Date Occured:</b> 7/3/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Armenia<br>
<b>Incident Description:</b> At least four Armenian websites were attacked by Azerbaijani hackers within a week.
On July 2, the websites of Henaran.am press club (Henaran.am) and Armenia's Sambo Federation (sambo.am) were hacked to place Azerbaijan's flag and references to Azerbaijani media on them. Meanwhile, the websites' operation has already been resumed.
Besides, on June 29, hackers attacked Azdagir.am site of announcements again to place the Azerbaijani flag on it, as well as information on the January 20, 1990, events in Baku. On June 30, the owner of psyarmenia.com website told PanARMENIAN.Net that the site on psychology was hacked and a poster on "Armenian terror" was placed on it. Currently, the two websites do not operate.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.panarmenian.net/eng/it_telecom/news/50897/At_least_four_Armenian_websites_were_attacked_by_Azerbaijani_hackers<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-149: Identity Stolen Through X-Box Live<br>
<b>WHID ID:</b> 2010-149<br>
<b>Date Occured:</b> 7/3/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Rosalinda Gonzalez bought the X-Box 360 console for her sons. They enjoy playing the video games and using the live service where they can connect with players from around the world.
In order to purchase the monthly live membership, Gonzalez entered her credit card information into her son's online profile. It is supposed to be kept private, but Gonzalez says her son's profile was hacked by a computer whiz.
The man changed her son's password, stole game points and started making purchases using her credit card information. She says her boys actually spoke to the hacker through X-Box live. The man admitted to stealing other people's personal information too.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.krgv.com/content/news/story/Identity-Stolen-Through-X-Box-Live/vKZIV1Rboki6lngI78Qf_w.cspx<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-148: AsSeenOnTV SQL injection into corporate web server exposed credit card information of customers<br>
<b>WHID ID:</b> 2010-148<br>
<b>Date Occured:</b> 6/29/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The AsSeenOnTV website was hacked via SQL Injection and malware was planted.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://datalossdb.org/incidents/2953<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-147: Biggest blog company Skyblog hacked 32,000,000 accounts stolen<br>
<b>WHID ID:</b> 2010-147<br>
<b>Date Occured:</b> 5/19/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Blogs<br>
<b>Attacked Entity Geography:</b> France<br>
<b>Incident Description:</b> Earlier this week, IT staff at Skyrock / Skyblog audited its servers, a routine exercise for tracing bugs and small technical malfunctions. Except this time, the "bug" seems to be much more serious. A file named "hello" and some scripts were discovered on a server. The alert was raised immediately and a more complete audit was carried out. It was then discovered that an intrusion had been orchestrated from a backdoor downloaded via a misconfigured service (Waka) "Download". From there, the attacker or attackers have certainly got their hands on more than 32 million Skyblog user accounts. It seems that the intruder will be difficult to trace: the logs were erased after the intrusion. An IP address did appear, but it led to a proxy based in England. The editorial staff of ZATAZ.COM was able to learn the exact date of the intrusion.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://datalossdb.org/incidents/2948<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-146: Hacking ring busted over test scores<br>
<b>WHID ID:</b> 2010-146<br>
<b>Date Occured:</b> 6/29/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> Police in Jinan, Shandong Province arrested several members of a ring that hacked into education websites to change test scores and forge credentials for cash.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://english.people.com.cn/90001/90776/90882/7044956.html<br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-145: Hacker tries to manipulate Maine's legislative website<br>
<b>WHID ID:</b> 2010-145<br>
<b>Date Occured:</b> 6/29/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Maine<br>
<b>Incident Description:</b> The state's online database of legislative activity has been taken offline because of an attempt by an unknown hacker to manipulate the website's coding.
On Thursday, the Legislature's information technology officials shut down the website's bill status function, which allows users to follow legislation such as roll calls, committee votes, amendments and fiscal notes.
The manipulated code inserted the addresses of extraneous websites that could have exposed users' computers to harm if they clicked on the links, said Scott Clark, director of information technology for the Legislature.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.pressherald.com/news/hacker-tries-to-manipulate-legislative-website-_2010-06-29.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-144: Hackers Steal $465,000 from Escrow Firm<br>
<b>WHID ID:</b> 2010-144<br>
<b>Date Occured:</b> 6/29/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> California<br>
<b>Incident Description:</b> A total of $465,000 was recently stolen from California-based Village View Escrow via 26 consecutive wire transfers.
"Owner Michelle Marisco said her financial institution at the time -- Professional Business Bank of Pasadena, Calif. -- normally notified her by e-mail each time a new wire was sent out of the company's escrow account," writes Krebs on Security's Brian Krebs. "But the attackers apparently disabled that feature before initiating the fraudulent wires."
"Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice," Krebs writes. "Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on Marisco's computer, and on the PC belonging to her assistant -- the second person needed to approve transfers."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.esecurityplanet.com/headlines/article.php/3890291/article.htm<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-143: Whirlpool Repeatedly Hit by DDoS Attacks<br>
<b>WHID ID:</b> 2010-143<br>
<b>Date Occured:</b> 6/29/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> Australian broadband news website Whirlpool.net.au was the target of several Distributed Denial of Service (DDoS) attacks this morning. The hosting provider moved quickly to mitigate, but attackers evaded the restrictions, causing an aggregated downtime of around ten hours.
Whirlpool.net.au is one of the most trafficked Australian websites, housing a community of over 350,000 registered users. It was started twelve years ago as a place to discuss Internet broadband services in the country, but has since evolved into a full-blown news website covering the telecommunications industry.
"Bulletproof received monitoring alerts of packet loss at 12:45 am. We identified it as a classic denial-of-service attack being targeted at Whirlpool. We immediately blocked Whirlpool IP addresses to observe it better and then we were able to track down that it was originating from Denmark and the United States," Lorenzo Modesto, chief operating officer at Bulletproof Networks, the company hosting Whirlpool, commented for ZDNet Australia.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Whirlpool-Repeatedly-Hit-by-DDoS-Attacks-145629.shtml<br>
<b>Attack Source Geography:</b> Denmark<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-142: Hackers vandalise 200 web sites, cripple 150<br>
<b>WHID ID:</b> 2010-142<br>
<b>Date Occured:</b> 6/28/2010<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Hosting Providers<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> The web sites of more than a whopping 200 Australian organisations were hijacked and vandalised in a spate of hacks last week.
In the largest single attack, a hacker gained administrative access to the Direct Admin server management system used by a hosting provider, who Computerworld Australia will not name, and suspended 159 accounts rendering their web sites inaccessible to the public.
The suspension notification page was then defaced with the hacker's moniker and religious propaganda.
The hack was launched through a flaw created after an automatic patch of the admin system failed to complete.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.computerworld.com.au/article/351360/hackers_vandalise_200_web_sites_cripple_150/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-141: Virginia Right! Under Fire Yesterday With DDOS Attack<br>
<b>WHID ID:</b> 2010-141<br>
<b>Date Occured:</b> 6/27/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Blogs<br>
<b>Attacked Entity Geography:</b> Virginia, USA<br>
<b>Incident Description:</b> Sorry for the outage yesterday between 8:00 AM and 7:00 PM. Virginia Right! was under attack with a Distributed Denial of Service. Part of the problem in resolving the issue is the fact that Virginia Right! is on a shared hosting server with many hosts using the same IP address. The first thing that has to be determined is which domain is under attack. They do this by temporarily assigning a static IP address to each site hosted on the server (as opposed to all of us sharing the same address). When they were done, everyone came back up except Virginia Right!. So the attacks were specifically directed at us!<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://beforeitsnews.com/news/87/162/Virginia_Right_Under_Fire_Yesterday_With_DDOS_Attack.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-140: Hackers fleece online poker players<br>
<b>WHID ID:</b> 2010-140<br>
<b>Date Occured:</b> 6/28/2010<br>
<b>Attack Method:</b> Malware<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> Korea<br>
<b>Incident Description:</b> Police arrested 33 hackers who used a “distribution of denial of service” program to cheat online poker players out of 55 million won ($45,265) from last November through May.
The hackers, led by 30-year-old Yu and 29-year-old Kim, were booked without detention on charges of gaining illegal profits.
The Cyber Terror Response Center in Gyeonggi said the gang used a DDOS attack to infect 11,000 computers at 700 PC rooms across the country.
Police said Yu bought the “Netbot Attacker” program from a Chinese hacker last November, then sold copies online to Kim and others. The gang broke into the administrative systems of the PC rooms and installed the virus in their computers to allow them to see the hands of poker opponents.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://joongangdaily.joins.com/article/view.asp?aid=2922391<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-139: Twitter XSS Vulnerability Possibly Exploited by Turkish Hackers<br>
<b>WHID ID:</b> 2010-139<br>
<b>Date Occured:</b> 6/28/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Dimitris Pagkalos, one of the founders of the XSSed, a project that maintains an archive of XSS flaws and raises awareness about this type of Web vulnerability, notes that Twitter's security team promptly addressed the bug. However, he suggests the vulnerability might have been used in an earlier attack that made a rogue status reading "Hacked By Turkish Hackers" appear on almost one thousand Twitter profiles.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Twitter-XSS-Vulnerability-Possibly-Exploited-by-Turkish-Hackers-145594.shtml<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-138: Personal data accessed on Blue Cross website<br>
<b>WHID ID:</b> 2010-138<br>
<b>Date Occured:</b> 6/23/2010<br>
<b>Attack Method:</b> Forceful Browsing<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> In a written statement, Anthem Blue Cross explained how the breach occurred:
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.ocregister.com/articles/information-254735-security-anthem.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-137: Persistent XSS on Twitter.com<br>
<b>WHID ID:</b> 2010-137<br>
<b>Date Occured:</b> 6/24/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability on Twitter he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes, then your browser is manipulated, finally you enter the matrix (see below), and get messages from the researcher who found the vulnerability.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-136: Hotel account hacked, card info stolen<br>
<b>WHID ID:</b> 2010-136<br>
<b>Date Occured:</b> 6/23/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Hospitality<br>
<b>Attacked Entity Geography:</b> Austin, TX<br>
<b>Incident Description:</b> Dozens of Driskill Hotel customers' credit card information has been stolen. Hackers in Europe were able to break into the hotel's parent company's website and steal the information. There are more than 700 victims nationwide.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.kxan.com/dpp/news/hotel-account-hacked,-card-info-stolen<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-135: Another round of Asprox SQL injection attacks<br>
<b>WHID ID:</b> 2010-135<br>
<b>Date Occured:</b> 6/23/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-134: Major hack of Israeli Twitter accounts<br>
<b>WHID ID:</b> 2010-134<br>
<b>Date Occured:</b> 6/22/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> Israel<br>
<b>Incident Description:</b> According to Mikko Hyppönen, chief research officer with F-Secure, more than 1000 accounts on the microblogging social networking service were hacked within the space of 12 hours, each of them broadcasting the message: "Hacked by Turkish Hackers."
In a security blog posting made last night, Hyppönen said that, although the exploit mechanism is unclear, most of the compromised accounts "seem to belong to Israeli Twitter users."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.infosecurity-magazine.com/view/10426/major-hack-of-israeli-twitter-accounts-/<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-133: Druknet websites hacked<br>
<b>WHID ID:</b> 2010-133<br>
<b>Date Occured:</b> 6/19/2010<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Hosting Providers<br>
<b>Attacked Entity Geography:</b> Bhutan<br>
<b>Incident Description:</b> Local internet service provider (ISP) Druknet is currently recovering, after 50 of its websites were hacked early yesterday.
Users trying to access certain websites hosted by the ISP were greeted with a blank home page and a message that said the website had been hacked.
Although some of the hacked websites were back online by afternoon, many websites were still down as of last night. Druknet's web server, on which the websites are stored, was also taken offline periodically throughout yesterday.
The hacker or hackers had exploited websites designed using free open-source content management systems (CMS), like WordPress, according to Druknet.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.kuenselonline.com/modules.php?name=News&amp;file=article&amp;sid=15822<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-132: Another Opposition Website Shut Down by Hackers<br>
<b>WHID ID:</b> 2010-132<br>
<b>Date Occured:</b> 6/19/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> News<br>
<b>Attacked Entity Geography:</b> Burma<br>
<b>Incident Description:</b> The popular Burmese Web site photayokeking.org, edited by a Burmese army deserter, was recently attacked, leaving it inaccessible and out of operation.
According to one of the editors, who goes by the name Photayoke, the Web site came under major attacks on May 27 and June 11, following three smaller attacks.
On June 11, the server provider sent an email to the Web site's owners stating that a major distributed denial-of-service attack (DDoS) had been focused on their data center.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.irrawaddy.org/article.php?art_id=18759<br>
<b>Attack Source Geography:</b> Burma<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-131: DoS attack stuffs Turkey's internet censors<br>
<b>WHID ID:</b> 2010-131<br>
<b>Date Occured:</b> 6/18/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Turkey<br>
<b>Incident Description:</b> Access to the internet in Turkey is becoming increasingly ragged, as growing state censorship collides with retaliation by anti-censorship hackers, leading to difficulties both in viewing sites and applying key online functions.
Since early this morning the websites of the Ministry of Transportation, the Information and Communication Technologies Authority and the Telecommunications Communication Presidency have been inaccessible. These three state bodies are responsible for internet censorship and have been the principal actors behind attempts to block access to YouTube and Google-related services in Turkey.
A number of theories abound, with the favourites being that the state authorities' websites have either been hacked or subjected to a serious denial of service attack by hackers unhappy at the censorship.
Writing for the CyberLaw UK Blog, Dr Yaman Akdeniz, Associate Professor at the Faculty of Law, Istanbul Bilgi University, now writes that it has been confirmed as a denial of service attack coordinated by a group of hackers to protest against internet censorship in Turkey, and that the attack lasted 10 hours.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/06/18/turkey_dos_attack/<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-130: Google Trends Hacked With Racial Slur (Again!)<br>
<b>WHID ID:</b> 2010-130<br>
<b>Date Occured:</b> 6/17/2010<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Search Engine<br>
<b>Attacked Entity Geography:</b> San Jose, California<br>
<b>Incident Description:</b> Google Trends is a powerful tool that many media companies (us included) rely upon for a sense of what new topics people are searching for at any given time -- at least, when it's not getting hacked with racial slurs, which is exactly what happened early this morning.
At around 9 a.m. Eastern, instead of the normal list of the hottest new search terms of the hour, visitors to the Google Trends website were greeted with the phrase "lol n------".<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.politicsdaily.com/2010/06/17/google-trends-hacked-with-racial-slur-again/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Google<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-129: Hackers Seize Top Tory's Facebook, Blog &amp; Twitter Accounts<br>
<b>WHID ID:</b> 2010-129<br>
<b>Date Occured:</b> 6/17/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> London, England<br>
<b>Incident Description:</b> Hackers have stolen the account details of Therese Coffey, Tory candidate for Suffolk Coastal (UK Parliament constituency), London Spin can exclusively reveal. The attackers bombarded social media users with sexually explicit messages and comments after gaining access to her Blog, Facebook and Twitter account details.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.londonspinonline.com/2010/06/exclusive-hackers-seize-top-torys.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-128: Microsoft Sues Alleged Spammer For Circumventing Filters<br>
<b>WHID ID:</b> 2010-128<br>
<b>Date Occured:</b> 6/16/2010<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Spam<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> Washington, USA<br>
<b>Incident Description:</b> Microsoft has sued Connecticut resident Boris Mizhen for allegedly gaming Hotmail's spam filters and sending unwanted emails to consumers. Mizhen, who previously settled a separate spam lawsuit brought by Microsoft, allegedly got around the company's anti-spam system by creating millions of new email accounts and then arranging for those accounts to classify his messages as "not spam," according to the lawsuit.
"Defendants developed and executed an elaborate scheme to circumvent Microsoft's Hotmail spam filters to disseminate a large quantity of spam email advertisements to Microsoft's Hotmail users," the company alleges in its complaint, filed last week in federal district court in Seattle.
The complaint details how Mizhen and his affiliates allegedly manipulated the statistics that Microsoft's anti-spam system relies on by creating millions of new email accounts and then moving up to 200,000 of their own messages a day from "junk" files into inboxes.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.mediapost.com/publications/?fa=Articles.showArticle&amp;art_aid=130320<br>
<b>Attack Source Geography:</b> Connecticut, USA<br>
<b>Attacked System Technology:</b> Hotmail<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-127: Israeli hacker hits IHH website<br>
<b>WHID ID:</b> 2010-127<br>
<b>Date Occured:</b> 6/17/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Turkey<br>
<b>Incident Description:</b> An Israeli hacker managed to break into the website of Turkish IHH group, which organized the Gaza flotilla, disabling the organization's fundraising mechanism for a few hours.
The 30-year-old hacker from Holon, who wished to remain anonymous, said he was concerned with Israel's poor PR efforts and decided to make a contribution of his own.
"The real war today is online. I spent an entire week exploring the site, a few hours each night, until I succeeded," he said.
The hacker added that he was surprised to learn that IHH received some 9,000 euros in donations every hour via the website. The group is planning to send a second flotilla to Gaza next month.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.ynetnews.com/articles/0,7340,L-3906872,00.html<br>
<b>Attack Source Geography:</b> Israel<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-126: Website breached by hacker through SQL injection - exposing personal information of customers<br>
<b>WHID ID:</b> 2010-126<br>
<b>Date Occured:</b> 3/24/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> New Hampshire, USA<br>
<b>Incident Description:</b> New Hampshire breach notification: HBDirect.com - Website hacked through SQL injection - exposing credit cards of customers from December 1, 2009 to February 10, 2010. 19 NH residents affected.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://datalossdb.org/primary_sources/2548<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-125: Eastern European banks under attack by next-gen crime app<br>
<b>WHID ID:</b> 2010-125<br>
<b>Date Occured:</b> 6/16/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Russia<br>
<b>Incident Description:</b> Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack.
The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks' Counter Threat Unit.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/06/16/blackenergy2_ddos_attacks/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-124: Riyad Bank Website Gets Hacked<br>
<b>WHID ID:</b> 2010-124<br>
<b>Date Occured:</b> 6/14/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Saudi Arabia<br>
<b>Incident Description:</b> Saudi bank Riyad Bank has been hacked by a group of hackers who posted a message demanding to end the service of the Mayor of Al Madina province in Saudi Arabia. Al Madina is the second holiest city in Islam, and the burial place of the Prophet Muhammad peace be upon him and it is the capital of the first Islamic state established by the Prophet and his companions after early Muslims migrated from oppression imposed by their people in Mecca around 1400 years ago.
The hacker/s only managed to hack the homepage of the site, as the internal pages seem intact. The hackers displayed a message on the bank's homepage apologizing to the bank and saying “we are hacking you to deliver a message to the king of Saudi Arabia.” They asked him to fire the Mayor.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://arabcrunch.com/2010/06/riyad-bank-website-gets-hacked.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-123: Botnet hijacks web servers for DDoS campaign<br>
<b>WHID ID:</b> 2010-123<br>
<b>Date Occured:</b> 5/13/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Botnet Participation<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> Netherlands<br>
<b>Incident Description:</b> Researchers at Imperva have discovered an 'experimental' botnet that uses around 300 hijacked web servers to launch high-bandwidth DDoS attacks.
The servers are all believed to be open to an unspecified security vulnerability that allows the attacker, who calls him or herself 'Exeman', to infect them with a tiny, 40-line PHP script. This includes a simple GUI from which the attacker can return at a later date to enter in the IP, port and duration numbers for the attack that is to be launched.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.computerworld.com.au/article/346342/botnet_hijacks_web_servers_ddos_campaign/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-122: Attack of WordPress Blogs on Rackspace<br>
<b>WHID ID:</b> 2010-122<br>
<b>Date Occured:</b> 6/15/2010<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> If you follow our blog, you probably noticed that these last few months have been specially hard for hosting companies. Lots of them got hacked, bringing down thousands of sites with them. Now we are hearing reports of a mass hack of WordPress blogs hosted on Rackspace.
What is going on?
The attackers were able to get access to Rackspace databases and infect the sites through there. They created a new admin user on many WordPress sites, giving them full access to the WordPress admin panel.
With that access they were able to inject malware, and as we saw before they used that to inject SEO spam to the sites.
One of the posts in that thread also suggests that the attack vector is a vulnerable version (2.11.3) of phpMyAdmin used by RackSpace Cloud. If this is true, hackers must have targeted an XSRF attack at one of RackSpace admins with mySql root permissions to gain access to the whole database (probably created one more admin user). At this point, RackSpace has upgraded their phpMyAdmin nodes. Hope, they also found any changes in the database done by those hackers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/06/mass-attack-of-wordpress-blogs-on-rackspace.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://blog.unmaskparasites.com/2010/06/14/attack-on-wordpress-blogs-on-rackspace/
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-121: Second round of GoDaddy sites hacked<br>
<b>WHID ID:</b> 2010-121<br>
<b>Date Occured:</b> 5/1/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> It seems that a second round of attacks is happening today at GoDaddy and infecting all kinds of sites (Joomla, WordPress, etc.). Looking at the modification dates on the files, they all happened May 1st (today) during the morning from 1 to 3/4 am.
All of them had the following javascript added to their pages:
script src= http://kdjkfjskdfjlskdjf.com/kp.php
Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/05/second-round-of-godaddy-sites-hacked.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://blog.sucuri.net/2010/05/found-code-used-to-inject-the-malware-at-godaddy.html
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-120: Colombian government sites hacked (and spreading malware)<br>
<b>WHID ID:</b> 2010-120<br>
<b>Date Occured:</b> June 2011<br>
<b>Attack Method:</b> Remote File Inclusion (RFI)<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Colombia<br>
<b>Incident Description:</b> You would expect that a security-related web site would be secure, no? What about an official web site from a Government? Should that be safe? What about a government web site about security? Shouldn't that be ultra super secure? (yes, I am joking)
That's not always the case… At Sucuri Security we have two main goals: Monitor your visible Internet presence (via DNS, site content changes, whois, blacklisting status, etc), and to also monitor what is not visible (or easily accessible). So we run multiple honey pots, we monitor IRC chats used by botnets and attackers, multiple forums, etc. All with the goal to protect our clients and notify them if we see any issue in the “underground”.
With this work, we get to see a lot of sites being exploited and attacked. Most of them are small sites, but sometimes we see big companies, .govs and many .edus in there.
One of those government web sites are from Colombia. And they are not a normal .gov site, they are about security and about cyber crimes.
They have two web sites that are currently hacked: http://www.delitosinformaticos.gov.co (related to solving cyber crimes) and
http://www.frentesdeseguridad.gov.co (related to security in general). We tried to contact them and got no replies. We would wait a little more to publish it, but since clem1 mentioned them on our post about Georgia government sites hacked, I think it is time to use full-disclosure to get them fixed.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/02/colombia-government-sites-hacked-and-spreading-malware.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-119: Georgia government sites hacked (and spreading malware)<br>
<b>WHID ID:</b> 2010-119<br>
<b>Date Occured:</b> 2/15/2010<br>
<b>Attack Method:</b> Remote File Inclusion (RFI)<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> imereti, GE<br>
<b>Incident Description:</b> *UPDATE: A few hours after this post, they removed the malware from justice.gov.ge and other sites. I am glad we had some effect.
You know, you would think that after all the attacks that Georgia suffered in 2008 they would be more careful about the security of their sites.
Well, not really. Even after I sent a bunch of emails to all their addresses that I could find and requested on twitter for contacts in the .ge government, nobody replied and they are still hacked, spreading malware and attacking other systems.
It doesn't look like it is being caused by the Russians or anything like that. And the attackers this time didn't deface their web page. They just added some malware and scripts to attack others.
How do I know? We run multiple honeypots to detect web-based attacks and malware. And guess who started attacking us?<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and-spreading-malware.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-118: Two Korean govt. websites attacked by hackers<br>
<b>WHID ID:</b> 2010-118<br>
<b>Date Occured:</b> 6/12/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> South Korea<br>
<b>Incident Description:</b> Two South Korean government Web sites were attacked again Saturday by hackers traced to China, but there was no major damage, the home ministry said.
The sites of the Ministry of Justice and the Korea Culture and Information Service were hit by a massive number of access attempts in what is known as distributed denial-of-service (DDoS) attacks from 247 China-based Internet servers, according to the Ministry of Public Administration and Security.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://english.yonhapnews.co.kr/techscience/2010/06/12/73/0601000000AEN20100612002100315F.HTML<br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-117: Turkish Hacker Hijacks .CO.IL MSN and Hotmail Domains<br>
<b>WHID ID:</b> 2010-117<br>
<b>Date Occured:</b> 6/10/2010<br>
<b>Attack Method:</b> DNS Hijacking<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A Turkish hacker has managed to hijack msn.co.il and hotmail.co.il, two domains belonging to Microsoft, and use them to post a pro-Palestinian message. The name servers and administrative email address for the domains have been changed.
Users who accessed hotmail.co.il and msn.co.il earlier today were greeted by a page displaying the image of a child wearing the Palestinian flag as a cape and a message reading, "Free Palestine. Hi to greatest [expletive] of the world (i mean all the Jews). u think one day u will own all the world eh? Lol that makes me laugh. that makes all the world laugh. u are just insects. make muslims angrier and just sit and watch what will happen to you." The attacker signs the message as TurkGuvenligi Tayfa ("from Turkey with love") and sends greetings to Pakbugs, a notorious group of hackers and defacers.
It appears that the two Microsoft domains, which normally redirect users to login.live.com and il.msn.com, respectively, had their name server information altered. The new ns1.dollar2host.com and ns2.dollar2host.com name servers, which belong to a private Web hosting company, replaced the usual ns1.msft.net and ns2.msft.net that Microsoft used for its domains.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Turkish-Hacker-Hijacks-CO-IL-MSN-and-Hotmail-Domains-144299.shtml<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-116: Hackers: Data Breach Exposed iPad Owners' Personal Info<br>
<b>WHID ID:</b> 2010-116<br>
<b>Date Occured:</b> 6/9/2010<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A security flaw in AT&amp;T&#39;s network exposed the e-mail addresses of more than 100,000 owners of Apple&#39;s 3G iPad, according to a report published by Gawker today.
Calling it the &quot;most exclusive e-mail list on the planet,&quot; Gawker said the list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics.
The security hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks, Gawker reported. Still, the group previously has uncovered flaws in browsers Firefox and Safari, Gawker said.
When contacted by ABCNews.com, a man who asked to be named as a Goatse employee confirmed Gawker&#39;s report.
&quot;It&#39;s absolutely real,&quot; he said, adding that the group gave the Gawker reporter their data set and he was able to verify the information.
The employee said someone in his organization learned that when given an iPad owners&#39; unique identification number, a program on AT&amp;T&#39;s website would return the e-mail address connected to that account.
Once the hole was uncovered, he said, the group was able to write a script that would automatically predict ID numbers and return the associated e-mail addresses.
In about six hours, he said, the group was able to scrape information for about 114,000 iPad 3G owners, but he did not say how many iPad owners could have been affected in total.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://abcnews.go.com/print?id=10871229<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-115: Mass hack plants malware on thousands of webpages<br>
<b>WHID ID:</b> 2010-115<br>
<b>Date Occured:</b> 6/9/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> More than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirected visitors to a website that attempted to install malware on their machines.
The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft's Internet Information Services using ASP.net, said David Dede, head of malware research at Sucuri, a website monitoring firm. The sites were infected using SQL injection exploits, which allow attackers to tamper with a server's database by typing commands into search boxes and other user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious javascript on that site attempted to infect end users with malware dubbed Mal/Behav-290 according to anti-virus firm Sophos.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/<br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-114: Seven held in Andhra for hacking passport software<br>
<b>WHID ID:</b> 2010-114<br>
<b>Date Occured:</b> 6/4/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> Seven people were arrested in Andhra Pradesh for hacking the online passport application software of the Hyderabad regional passport office, police said Friday.
Police Commissioner A.K. Khan told reporters that seven people, among them five passport agents, were arrested and a search was on for two other agents involved in the racket.
The passport office releases online slots for confirmed dates of appointments to the applicants for obtaining passports under 'Tatkal' scheme through its website www.passport.gov.in.
Every day these slots were visible to the users only for a few minutes till the slots released by the passport authorities were exhausted.
The accused hacked the website, blocked the online slots and were selling the same to the applicants for huge sums, police said.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://sify.com/news/seven-held-in-andhra-for-hacking-passport-software-news-national-kger4bcghcf.html<br>
<b>Attack Source Geography:</b> India<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-113: Facebook plugs email address indexing bug<br>
<b>WHID ID:</b> 2010-113<br>
<b>Date Occured:</b> 6/4/2010<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insecure Indexing<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Incident-prone social network monolith Facebook has plugged yet another security leak, this time involving the indexing by search engines of email addresses not listed on Facebook. Thousands of email addresses submitted using Facebook's "Find a friend" feature that were not tied to a Facebook account wound up getting indexed by Google, according to Blogger Cory Watilo, who was among those affected.
"One obvious problem is that spammers can easily scrape this data and add easily legitimate address to their lists, many of whom might not give their addresses to Facebook for a reason," Watilo writes. The issue sparked a lively discussion thread on Hacker News. Facebook changed its robots.txt file to prevent the search engine from indexing the relevant "opt out of emails from Facebook" page so that email address data can no longer be harvested by spammers or other miscreants.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/06/04/facebook_email_indexing_snafu/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-112: Turkish Cyber Hackers Strike at Israel<br>
<b>WHID ID:</b> 2010-112<br>
<b>Date Occured:</b> 6/2/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Israel<br>
<b>Incident Description:</b> The unofficial Likudnik website was targeted by angry Turkish hackers who were apparently less than pleased with the IDF Navy commando operation which prevented the terrorists on board from breaking the Gaza embargo on Hamas-controlled Gaza.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theyeshivaworld.com/news/Israeli+News/60651/Turkish-Cyber-Hackers-Strike-at-Israel.html<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-111: Thieves steal virtual furniture from unsuspecting Hotel Habbo players<br>
<b>WHID ID:</b> 2010-111<br>
<b>Date Occured:</b> 6/2/2010<br>
<b>Attack Method:</b> Phishing<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> Finland<br>
<b>Incident Description:</b> Finnish police are searching for thieves who stole 1,000 Euros (about $1,200 U.S.) worth of virtual furniture and other items from the virtual world Habbo Hotel. The thieves allegedly used phishing scams to capture the usernames and passwords of Habbo Hotel users, who contacted Finnish police after they noticed that their virtual goods were missing.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.gamezebo.com/news/2010/06/02/thieves-steal-virtual-furniture-unsuspecting-hotel-habbo-players<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-110: Local restaurant's computer hacked, customers' card numbers stolen<br>
<b>WHID ID:</b> 2010-110<br>
<b>Date Occured:</b> 5/22/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The computer system at a local Mexican restaurant was hacked, and investigators believe thieves made off with the credit card numbers of hundreds of customers. "They know that it was a breach, and they know that the breach came from Russia, that's for sure," explained Blanca Aldaco. "So, we are working with our I.T. guy. They're definitely looking into. Hopefully, they can figure out what the IP address is."
The U.S. Secret Service and the San Antonio Police Department's Fraud Unit are also investigating. Neither would comment, but News 4 WOAI learned they are trying to track down the overseas hacker. The restaurant's owner said they have now changed the way they do business. "We are no longer on the internet when it comes to credit card authorizations," Blanca Aldaco told News 4 WOAI.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.woai.com/news/local/story/Local-restaurants-computer-hacked-customers-card/NSwj0Mpf5keeSXLOfsGvCw.cspx<br>
<b>Attack Source Geography:</b> Russia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-109: Viral clickjacking 'Like' worm hits Facebook users<br>
<b>WHID ID:</b> 2010-109<br>
<b>Date Occured:</b> 5/31/2010<br>
<b>Attack Method:</b> Clickjacking<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-108: Cyber Thieves Rob Treasury Credit Union<br>
<b>WHID ID:</b> 2010-108<br>
<b>Date Occured:</b> 5/20/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.
According to Melgar, the perpetrators who set up the bogus transactions had previously stolen a bank employee's online login credentials after infecting the employee's Microsoft Windows computer with a Trojan horse program. Melgar said investigators have not yet determined which particular strain of malware had infected the PC, adding that the bank's installation of Symantec's Norton Antivirus failed to detect the infection prior to the unauthorized transfers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://krebsonsecurity.com/2010/05/cyber-thieves-rob-treasury-credit-union/<br>
<b>Attack Source Geography:</b> Ukraine<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-107: Hackers Take Over BP Twitter Feed<br>
<b>WHID ID:</b> 2010-107<br>
<b>Date Occured:</b> 5/27/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> BP's Twitter account looked to have fallen victim to hackers early Thursday, with a post referencing a fictional character from a popular fake BP microblog page.
Followers to the genuine account were told: "Terry is now in charge of operation Top Kill, work will recommence after we find a XXL wetsuit. #bpcares #oilspill."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.foxnews.com/scitech/2010/05/27/hackers-bp-twitter-feed/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-106: AMC website vulnerable to hackers<br>
<b>WHID ID:</b> 2010-106<br>
<b>Date Occured:</b> 5/27/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> With weak network security, the website http://www.egovamc.com has several chinks in its armour and is a ready invitation for hackers. The issue has been brought to notice of senior AMC officials and only recently they effected a few cosmetic security patch-ups for their website.
“We have reported the bugs in the website and problems with database management system and coding. We had earlier told the systems department of the AMC about a system that can be exploited with username and password as simple 0. The vulnerability has been fixed by now but there are bigger challenges,” said Sunny Vaghela, a city-based cyber crime expert.
He said that if the website is vulnerable, it means that the hacker can get access to the control panel of the site, look into the contents such as tendering details, property tax details, building plans and allocation of funds, access to which is restricted to only senior-level civic officials.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://timesofindia.indiatimes.com/articleshow/5979202.cms<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-105: Poll removed due to widespread ballot stuffing and hacking<br>
<b>WHID ID:</b> 2010-105<br>
<b>Date Occured:</b> 5/25/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Fraud<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Dear users, yesterday we began a poll about the controversial immigration bill SB 1070 asking users what was their sentiment on the bill. It spread virally and was shared on facebook over 500 times and viewed over 10,000 times.
Unfortunately all of the attention has made it the target of some unscrupulous individuals. Around 3:00pm Tuesday afternoon we noticed that an individual was voting in the poll once every 10 seconds, and did this activity for nearly 2 hours.
Upon checking the logs we realized there were multiple users engaging in this sort of behavior from multiple vectors forcing us to remove the poll entirely. In terms of a long term solution, it seems inevitable that we will adopt a system that requires a KVOA.com user account in order to vote in a poll, but that modification cannot be patched in on the fly and would require a few days work.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.kvoa.com/news/poll-removed-due-to-widespread-ballot-stuffing-and-hacking/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-104: Code Security: MidAmerican Energy's top priority after SQL injection attacks<br>
<b>WHID ID:</b> 2010-104<br>
<b>Date Occured:</b> 5/21/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Energy<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> "Last May we had an incident where one of our web pages was exploited through an SQL injection flaw," Kerber said. "It was a wake-up call that we had vulnerabilities people could find out about."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.csoonline.com/article/594613/Code_Security_MidAmerican_Energy_s_top_priority_after_SQL_injection_attacks<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-103: SEO SPAM network - Details of the wp-includes infection<br>
<b>WHID ID:</b> 2010-103<br>
<b>Date Occured:</b> 5/25/2010<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> We have been digging lately in a large SEO SPAM network which is using thousands of compromised sites to increase their page rankings and spread malware. They are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on WordPress web sites.
Attack method
All the sites infected are using the latest WordPress version and had a PHP script injected inside their wp-includes directory. The script name is random and it does two things:
1-For a search engine, it shows a bunch of keywords (cialis, viagra, movie downloads, etc)
2-For a normal user coming from Google, they are redirected to a web site with malware or to another site for more spam.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-102: Denver's website hacked twice in one week<br>
<b>WHID ID:</b> 2010-102<br>
<b>Date Occured:</b> 5/25/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The city and county of Denver website was pulled down Monday night after it was hacked, the second such attack in a week.
Eric Brown, a spokesman for the mayor's office, said he didn't know what time the site was breached and when it might be restored.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.denverpost.com/news/ci_15155519<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-101: 37 million passwords stolen on the site of Skyrock?<br>
<b>WHID ID:</b> 2010-101<br>
<b>Date Occured:</b> 5/21/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> France<br>
<b>Incident Description:</b> A hacker broke into the site's huge database, which had registered 36.7 million Internet users, raising fears of massive consequences. The Skyrock site has sent its users a message from the Skyrock team.
According to Zataz, the hacker got in through a security hole in the Waka platform, launched last week in partnership with the government. This “backdoor”, which allowed anyone to edit the content of pages, had been quickly corrected.
For its part, Skyrock believes that “at this stage, we cannot determine whether the application Waka was concerned.”
Still, the hacker could have had access to the huge Skyrock.com database, which claims “36.7 million active members in February 25”. However, the site's head of security revealed to Monde.fr that at Skyrock, passwords are stored “in plain”, that is to say they are not encrypted and protected.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://whitehatfirm.com/news/37-million-passwords-stolen-on-the-site-of-skyrock/2629.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-100: Chinaz.com compromised<br>
<b>WHID ID:</b> 2010-100<br>
<b>Date Occured:</b> 5/25/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> Websense Security Labs™ ThreatSeeker™ Network has discovered that the speed testing site of chinaz.com has been compromised.
This payload contains two parts: ap.js, and the obfuscation code in the script tag. When combined, we get the entire exploit code. After analyzing this, we noticed that it is used to target the IE vulnerability (MS10-018), which downloads an executable file named dn.exe. This has a good detection rate by most AV vendors; however dn.exe will download and execute remote files and send local information to a remote server. The process disguises itself as an AV component while at the same time suspending the AV software. At present, a bug in the malicious code fails to get the MAC address correctly and as of this alert the site is still infected.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://community.websense.com/blogs/securitylabs/archive/2010/05/25/chinaz-com-compromised.aspx<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-99: Got an iTunes account? That's music to a cyber fraudster's ears<br>
<b>WHID ID:</b> 2010-99<br>
<b>Date Occured:</b> 5/22/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Session Hijacking<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Up to 125 million people worldwide have accounts set up on the site.
But computer security experts say hackers are easily hijacking accounts by pretending they are a customer who has forgotten their password.
As with many websites, iTunes tells users to select a so-called 'security question' from a list of options when they first set up their account.
These are fairly basic and include 'what is your mother's maiden name?' and 'where did you spend your honeymoon?'.
Customers who have forgotten their passwords are prompted with the question they first selected when they set up their profile - as long as they give the correct answer, they can access the account.
Security analysts claim this is leaving the website wide open to fraud.
Hackers simply pretend they are a customer who has forgotten their password and can easily work out the answer to the personal question using information that users have posted on social-networking websites such as Facebook and Twitter.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.dailymail.co.uk/news/article-1280354/Got-iTunes-account-Thats-music-cyber-fraudsters-ears.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-98: Man charged with attacking O'Reilly, Coulter websites<br>
<b>WHID ID:</b> 2010-98<br>
<b>Date Occured:</b> 5/19/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A former college student has been charged with using the school's computer network to control a botnet and launch distributed denial-of-service (DDoS) attacks against conservative websites belonging to Bill O'Reilly, Ann Coulter and Rudy Giuliani.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.scmagazineus.com/man-charged-with-attacking-oreilly-coulter-websites/article/170524/<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-97: Microsoft files two lawsuits for "click laundering"<br>
<b>WHID ID:</b> 2010-97<br>
<b>Date Occured:</b> 5/20/2010<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Fraud<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Microsoft this week filed two lawsuits in federal court in Seattle against alleged perpetrators of a new, technologically advanced form of online advertising click fraud being dubbed "click laundering."
According to Microsoft, click fraud is an online advertising scam that occurs when a person or computer program imitates a legitimate user and clicks on an online ad for the purpose of generating a fraudulent “charge-per-click,” without having any interest in the ad.
Click laundering, meanwhile, is a more advanced form of click fraud designed to outwit fraud detection systems by hiding the origin of fake clicks.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.scmagazineus.com/microsoft-files-two-lawsuits-for-click-laundering/article/170621/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-96: Facebook scrambles to close CSRF hole exposing private data<br>
<b>WHID ID:</b> 2010-96<br>
<b>Date Occured:</b> 5/19/2010<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Facebook engineers are finishing a patch for a critical vulnerability that exposed user birthdays and other sensitive data even when they were designated as private, a security researcher said Wednesday.
At time of writing, much of the CSRF (cross-site request forgery) bug appeared to have been patched, Keith said. However, as noted earlier by IDG News, attackers still could exploit the flaw to control a user's "like" functions, which are used to endorse ads and other types of content.
The flaw involved a piece of code Facebook engineers dubbed "post_form_id," which is used to ensure that commands can be issued only by browsers that have previously logged into the website. Keith discovered a simple way to bypass the security token: by omitting it altogether, Facebook servers no longer attempted to validate browsers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/05/19/facebook_private_data_leak/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://www.itworld.com/security/108279/facebook-fixing-embarrassing-privacy-bug
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-95: Fraud Bazaar Carders.cc Hacked<br>
<b>WHID ID:</b> 2010-95<br>
<b>Date Occured:</b> 5/18/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Improper Filesystem Permissions<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Hacking<br>
<b>Attacked Entity Geography:</b> Germany<br>
<b>Incident Description:</b> Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum's users as well as countless passwords and credit card accounts swiped from unsuspecting victims.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-94: Hacker steals 22,000 e-mail address, demands Astley tune<br>
<b>WHID ID:</b> 2010-94<br>
<b>Date Occured:</b> 5/19/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Netherlands<br>
<b>Incident Description:</b> Dutch hacker Darkc0ke hijacked a radio station database containing 22,000 e-mail addresses and threatened to publish them unless the station play Rick Astley's "Never Gonna Give You Up," a variation of an Internet meme known as "rickrolling."
"It was a joke," Darkc0ke said via e-mail. "They didn't play the song. Why can't they do someone a favor, just for once?" Darkc0ke said he cracked the database using a basic SQL injection to exploit a security vulnerability. The hacker is known for breaking into databases. Last year, he stole a database containing 46,000 e-mail addresses from the Dutch magazine Autoweek.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.idg.no/cw/art.cfm?id=B143BFED-1A64-6A71-CE6E57CCCFC37786<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-93: Huge 'sexiest video ever' attack hits Facebook<br>
<b>WHID ID:</b> 2010-93<br>
<b>Date Occured:</b> 5/18/2010<br>
<b>Attack Method:</b> Rogue 3rd Party App<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A huge attack by a rogue Facebook application last weekend infected users' PCs with popup-spewing adware, a security researcher said Monday.
On Saturday, AVG Technologies received more than 300,000 reports of the malicious Facebook app, said Roger Thompson, AVG's chief research officer. AVG came up with its tally by counting the number of reports from its LinkScanner software, a free browser add-on that detects potentially poisoned pages.
"It was stunning, really, the number," said Thompson in an interview via instant message late Monday. "And stunning that it was not viral or wormy [but that] Facebook did it all by itself."
The volume of reports on Saturday's rogue Facebook software was highest during the nine-hour period between midnight and 9 a.m. Eastern, with spikes of approximately 40,000 per hour coming at 7 a.m. and noon. For the day, AVG received more than 300,000 reports, triple that of AVG's second-most-reported piece of spyware.
According to Thompson, Facebook eradicated the rogue application about 15 hours after the attack started. Facebook's only acknowledgment of the attack came on its security page, where a "Tip of the Week" Monday morning read: "Don't click on suspicious-looking links, even if they've been sent or posted by friends."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.computerworld.com/s/article/9176905/Huge_sexiest_video_ever_attack_hits_Facebook<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-92: SQL Injection attack used in breach of 168,000 Netherlands travelers<br>
<b>WHID ID:</b> 2010-92<br>
<b>Date Occured:</b> 5/18/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Netherlands<br>
<b>Incident Description:</b> An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers.
The website offered a coupon for a free trip using the OV smart card system and was set up to promote the new system which is being slowly rolled out throughout the region. According to Webwereld, a tech publication based in the Netherlands, the names, addresses and telephone numbers of individuals who signed up were publicly available as a result of the flaw.
Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw publicly available because there is no excuse for simple website mistakes. The website has since been taken offline.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://itknowledgeexchange.techtarget.com/security-bytes/sql-injection-attack-used-in-breach-of-168000-netherlands-travelers/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-91: Twitter software bug forces followers<br>
<b>WHID ID:</b> 2010-91<br>
<b>Date Occured:</b> 5/10/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Twitter users had a big shock on Monday when they checked into the micro-blogging service. Their follower and following numbers were at 0, meaning they were suddenly very unpopular or something was seriously wrong with the site.
It was the latter, of course. To kill a bug that allowed a user to force other users to follow him or her, Twitter temporarily reset all follower/following counts to zero, according to the Twitter Status blog. Everything was back to normal by 11 a.m. Pacific.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.pcworld.com/article/195962/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-90: Facebook Board Member's Account Compromised<br>
<b>WHID ID:</b> 2010-90<br>
<b>Date Occured:</b> 5/10/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A Facebook message sent out on Saturday from the account of company board member Jim Breyer to over 2,300 "friends" turns out to have been too good to be true.
The message, an invitation to an event at which attendees would be given a "Facebook phone number," was a phishing attack, designed to capture information from recipients.
The incident underscores the risk of supplying Facebook with data that might be better kept private.
Facebook's appeal to cybercriminals arises from the high level of trust that users extend to Facebook messages, which are generally presumed to come from friends.
Compromising someone's Facebook account also provides immediate access to a pool of new potential victims: the friends of the person whose account has been hacked.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.informationweek.com/news/software/showArticle.jhtml?articleID=224701441<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-89: Breaking News: WordPress Hacked with Zettapetta on DreamHost<br>
<b>WHID ID:</b> 2010-89<br>
<b>Date Occured:</b> 5/6/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Early this morning, we received reports that WordPress blogs were hacked on Linux shared-hosting at DreamHost, as well as other hosting companies. This is dangerous scareware which tries to install a virus on your visitor's computer.
WordPress, Zencart and other php-based platforms were hit. Our earliest hacked site report is of 5/6/2010 @ 9:17am.
This malware was just detected and is not showing up on website malware scanners yet. We have notified sucuri.net of this latest infection so that they can immediately update their malware detection systems.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-88: phpnuke.org has been compromised<br>
<b>WHID ID:</b> 2010-88<br>
<b>Date Occured:</b> 5/7/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Websense® Security Labs™ ThreatSeeker™ Network has discovered that the popular Web site, phpnuke.org, has been compromised.
PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks.
The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://community.websense.com/blogs/securitylabs/archive/2010/05/07/phpnuke-org-has-been-compromised.aspx<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> PHPNuke<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-87: Facebook hacker jailed after falsely accusing boyfriend of rape<br>
<b>WHID ID:</b> 2010-87<br>
<b>Date Occured:</b> 5/6/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A young mother who had accused her ex-boyfriend of rape hacked into his Facebook site to post a threat to herself to bolster her fakery.
Zoe Williams was described as "really wicked" by the judge, who jailed her for four months.
A court heard she tried to set up her ex-boyfriend after accusing him of raping her several times after the end of their five-year relationship in 2007.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.telegraph.co.uk/technology/facebook/7685381/Facebook-hacker-jailed-after-falsely-accusing-boyfriend-of-rape.html<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-86: China State News Agency Web Site Hit With Malware<br>
<b>WHID ID:</b> 2010-86<br>
<b>Date Occured:</b> 5/6/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> A section of the Web site for China's state-run Xinhua news agency was found to be distributing malware last month, according to a Google malware scanning service that is still labeling the site as potentially harmful.
The "news center" section of the Xinhua's Web site, which displays a feed of the agency's stories, was found to have one scripting exploit and one Trojan on it during a scan, according to a Google Safe Browsing diagnostic page. No suspicious content was found on the site during a scan about ten days later, but the section of Xinhua's Web site is still being labeled potentially harmful in Google search results.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.yahoo.com/s/pcworld/20100506/tc_pcworld/chinastatenewsagencywebsitehitwithmalware<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-85: Facebook flaw exposes live chats<br>
<b>WHID ID:</b> 2010-85<br>
<b>Date Occured:</b> 5/6/2010<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Facebook has again come under fire for not doing enough to protect personal information after a security flaw allowed users to eavesdrop on private chat sessions.
The flaw also allowed Facebook members to view other people's pending friend requests.
The social networking site, which has more than 400 million active users, was forced to suspend the live chat function until engineers were able to fix the problem.
The flaw was in the Facebook feature that allows users to view their own privacy settings and could be easily exploited to view others' private information, according to TechCrunch blogger Steve O'Hear, who alerted the social networking site.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.infosecurity-magazine.com/view/9245/facebook-flaw-exposes-live-chats/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-84: PHP Website XSS Defacement<br>
<b>WHID ID:</b> 2010-84<br>
<b>Date Occured:</b> 5/2/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Cross-site scripting, HTML injection and redirect on bugs.php.net and phpbuilder.com
Screenshots and proof of concept
Redirect from php site to google POC and XSS
Sample xss alert on phpbuilder.com
And now what about http://doc.php.net/phd/ar/phd/ ?<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://security-sh3ll.blogspot.com/2010/05/php-website-xss-defacement.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-83: High-profile tech blog is hacked<br>
<b>WHID ID:</b> 2010-83<br>
<b>Date Occured:</b> 1/26/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> High-profile technology blog TechCrunch has been taken offline by hackers.
A message on the site said that it had been "compromised by a security exploit" but did not specify any further details.
"We're working to identify the exploit and will bring the site back online shortly," the message read.
The site went down at around 0620 GMT and was replaced by various messages including a link to a site directing people towards adult material.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.bbc.co.uk/2/hi/technology/8480306.stm<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-82: Victorian councils, libraries taught security in hack<br>
<b>WHID ID:</b> 2010-82<br>
<b>Date Occured:</b> 5/3/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> A hacker has busted the security of eight Victorian Government websites in a string of minor attacks on Sunday.
Purportedly hailing from an Indonesian hacking group, the hacker made unobtrusive defacements by inserting a text document into the homepages of six local council sites and two libraries.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.networkworld.com/news/2010/050310-victorian-councils-libraries-taught-security.html<br>
<b>Attack Source Geography:</b> Indonesia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-81: Network Solutions customers hit by mass hack attack<br>
<b>WHID ID:</b> 2010-81<br>
<b>Date Occured:</b> 4/19/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Network Solutions' security team is battling a mysterious attack that has silently infected a "huge" number of the websites it hosts with malicious code.
The mass compromise affects sites running WordPress, Joomla, and plain-vanilla HTML, according to reports here and here from Sucuri Security and Stop Malvertising. Many of the infected sites include encoded JavaScript that secretly attempts to install malware on visitors' computers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://blog.sucuri.net/2010/04/network-solutions-hacked-again.html
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-80: Hacked US Treasury websites serve visitors malware<br>
<b>WHID ID:</b> 2010-80<br>
<b>Date Occured:</b> 5/3/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.
The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-79: Italian expert: the attack of Romanian hackers against La Stampa and Corriere newspapers was the most relevant in the last eight years<br>
<b>WHID ID:</b> 2010-79<br>
<b>Date Occured:</b> 4/30/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Italy<br>
<b>Incident Description:</b> On April 30, a group of hackers who sign as "Romanian National Security" attacked three of the most important media sites in Italy: La Stampa, Corriere della Sera and RAI. The Romanian hackers left a message inviting Italian journalists to avoid confusion between Romanians and gypsies.
The same group attacked in the last month the sites of the Daily Telegraph and Le Monde. However, unlike the British and French media, the Italian mass media did not mention the attack. Our HotNews.ro correspondent to Italy interviewed Italian Matteo Cavallini, responsible for IT security in the Commerce Ministry. He was one of the first Italians to raise awareness about the attack of the Romanian hackers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://english.hotnews.ro/stiri-regional_europe-7212366-italian-expert-the-attack-romanian-hackers-against-stampa-and-corriere-newspapers-was-the-most-relevant-the-last-eight-years.htm<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-78: Butler County Election Website Hacked<br>
<b>WHID ID:</b> 2010-78<br>
<b>Date Occured:</b> 5/5/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The Butler County Sheriff will investigate an alleged hacking incident that brought down election computers in that county last night, and slowed the reporting of votes.
The Board of Election tells our partners at the Journal News that the problem affected the reporting of vote totals, not the counting of votes itself.
The BOE says three services crashed during the incident and two unidentified sites were deliberately diverting traffic from the website. The BOE believes the attack was deliberate.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.local12.com/news/local/story/Butler-County-Election-Website-Hacked/zsQw7iXCgkuoDeMvyY3dGA.cspx<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-77: Kilpatrick's site down, spokesman suspects hackers<br>
<b>WHID ID:</b> 2010-77<br>
<b>Date Occured:</b> 5/5/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The New York City-based spokesman for Kwame Kilpatrick complained this afternoon that www.friendsofkwame.com is not working properly, and he suspects hackers.
Mike Paul said he is investigating the matter seriously and will pursue prosecution if the site he is promoting on Kwame Kilpatrick's behalf indeed has been tampered with by outsiders.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.freep.com/article/20100505/NEWS01/100505073/1322/Kilpatricks-site-down-spokesman-suspects-hackers<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-76: Website hacked, election officials say<br>
<b>WHID ID:</b> 2010-76<br>
<b>Date Occured:</b> 5/5/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Local elections officials say their website was hacked as they tried to communicate the results of the Tuesday, May 4, primary election — crashing the site several times and delaying the announcement of vote tallies.
“We have crashed three servers, and in examining those servers, there are two unidentified sites that are deliberately diverting traffic,” said Butler County Board of Elections Director Betty McGary as her frenzied staff struggled to post election results.
“Our servers are under attack, we feel,” McGary said, stressing that the problem pertained only to transmitting totals to the public, not accurately counting the votes.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.middletownjournal.com/news/election/website-hacked-election-officials-say-687529.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-75: Russian-born hacker selling 1.5m Facebook usernames<br>
<b>WHID ID:</b> 2010-75<br>
<b>Date Occured:</b> 4/24/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Session Hijacking<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A Russian-born hacker is attempting to sell Facebook IDs for as little as $25 per 100 usernames, social-media blog Mashable reports, citing researchers at VeriSign's iDefense.
The hacker, who calls himself Kirllos, has obtained 1.5 million Facebook IDs, or one for every 300 people who use the social networking website.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.news.com.au/technology/russian-born-hacker-selling-15m-facebook-usernames/story-e6frfro0-1225857706897<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-74: Another Zimbabwe news website attacked by hackers<br>
<b>WHID ID:</b> 2010-74<br>
<b>Date Occured:</b> 4/24/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Zimbabwe<br>
<b>Incident Description:</b> London (ZimEye) Another Zimbabwe news website, the ZimDiaspora, has been hacked by online criminals. As at Saturday, the website was no longer functioning and one of the editors speaking to ZimEye Saturday said that neither he nor the hosting company were able to restore the site at the moment.
Despite the hosting company's apparent desperation Saturday, ZimEye was able to trace the notorious hackers to a location in the Indonesian town of Bandung. The hackers specialise in hacking websites made by the Joomla software on which the ZimDiaspora is built. They have also declared it openly that this is their field of speciality.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.zimeye.org/?p=16521<br>
<b>Attack Source Geography:</b> Indonesia<br>
<b>Attacked System Technology:</b> Joomla<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-73: Report: Music insider site source of leaked songs<br>
<b>WHID ID:</b> 2010-73<br>
<b>Date Occured:</b> 4/23/2010<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> As if the record industry hasn't tasted enough bitter irony lately, a bunch of album leaks over the weekend apparently came from a service used by music labels to share files with radio stations, media, and other trusted insiders.
According to a post on AbsolutePunk, somebody signed up for an account with Play MPE under false pretenses, claiming to be an Australian music critic. Then this person--apparently a teenage boy--figured out how to access music he wasn't entitled to, including upcoming releases by The Black Keys, Macy Gray, Hole, The Gaslight Anthem, and many other artists.
The AbsolutePunk story referred to this kid as a hacker, but looking at his self-described exploits, that term might be a little too strong. It's not as if he did any sophisticated DRM cracking. Rather, he noticed that the URL in the Web-based download file had the characters "songid=" followed by a bunch of numbers. By changing the numbers, he was apparently able to get other song downloads that he wasn't supposed to see.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.cnet.com/8301-13526_3-20003331-27.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-72: Blippy users' credit card numbers found on Google<br>
<b>WHID ID:</b> 2010-72<br>
<b>Date Occured:</b> 4/23/2010<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insecure Indexing<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Yesterday was a big day for social-oversharing site Blippy, which lets members automatically post their purchases to the Internet. The company announced $11.2 million in funding and was profiled in The New York Times.
Overnight, at least one Internet power user figured out a way to search for Blippy members' credit card numbers on Google. A fairly obvious search for “from card” this morning returned 127 results that included full credit card numbers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://venturebeat.com/2010/04/23/blippy-credit-card-citibank/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-71: Fire Alarm Company Burned by e-Banking Fraud<br>
<b>WHID ID:</b> 2010-71<br>
<b>Date Occured:</b> 4/7/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A fire alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm's online banking credentials and drained its payroll account.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://krebsonsecurity.com/2010/04/fire-alarm-company-burned-by-e-banking-fraud/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> $110000<br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-70: Armenian websites attacked by Turkish hackers<br>
<b>WHID ID:</b> 2010-70<br>
<b>Date Occured:</b> 4/12/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Armenia<br>
<b>Incident Description:</b> Turkish hackers have attacked several Armenian websites ahead of annual commemorative remembrances of the Armenian Genocide.
On April 12th, more than 250 sites were impacted when cyber terrorists attacked a server hosting sites including www.ArmeniaChat.com and www.ArmeniaSearch.com, according to the owner of the sites (who wishes to remain anonymous), ANCA Communications Director Elizabeth Chouljian told PanARMENIAN.Net.
The attackers also took down www.armenian.com, which is the website for Armenian Directory Yellow pages. Attackers attempted to hack into a second server which hosts www.ArmGate.com but were unsuccessful. All the websites attacked were offline for a period of two days due to the damage caused by the attack.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.panarmenian.net/eng/it_telecom/news/47183/<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-69: Walmart web site hacked and hosting spam<br>
<b>WHID ID:</b> 2010-69<br>
<b>Date Occured:</b> 4/15/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> One of Walmart's official web sites, www.walmartcommunity.com (for their Community Action Network), has spam links. The attackers probably injected the spam in one of their template files. After a bit of search, we found all of them inside the footer.php.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.sucuri.net/2010/04/walmart-web-site-hacked-and-hosting.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-68: Daily Telegraph website hacked<br>
<b>WHID ID:</b> 2010-68<br>
<b>Date Occured:</b> 4/15/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> United Kingdom<br>
<b>Incident Description:</b> Part of the Daily Telegraph's website has been hacked, apparently by people in Romania who were aggrieved at its identification of "gypsies" and "Romanians".
Its "Short Breaks" and Wine And Dine sections were both hacked, with the Short Breaks site still up at 12.55pm today, with a picture of a Romanian flag claiming to be for the "Romanian National Security", some comments in Romanian and the remark in English at the bottom that "Guess what, gypsies aren't romanians, morons." It also links to a Russian site which plays an MP3 called The Lonely Shepherd.
Sunbelt Software, which first noticed the hack, said that it had alerted the Telegraph when it noticed the hack.
The method used to hack into the site is not known.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.guardian.co.uk/media/2010/apr/15/daily-telegraph-hacking<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-67: Apache.org hit by targeted XSS attack, passwords compromised<br>
<b>WHID ID:</b> 2010-67<br>
<b>Date Occured:</b> 4/9/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Session Hijacking<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:
ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]
Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.zdnet.com/security/?p=6123&amp;tag=nl.e539<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-66: Ads to blame for malware in Facebook's FarmTown?<br>
<b>WHID ID:</b> 2010-66<br>
<b>Date Occured:</b> 4/12/2010<br>
<b>Attack Method:</b> Malvertising<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The 9.6 million players of the Facebook game FarmTown are being warned about fake security warnings popping up that are designed to mislead people into paying for antivirus protection they don't need.
"We are aware and have reported to the developers that many of our players have encountered the malware/spyware while on the FarmTown Site," the moderator of a user forum for FarmTown maker SlashKey warned over the weekend. "We believe at this time that it is harmless to your computer and a result of one or more of the ads on the site, but you should NOT follow any links to any software claiming to 'clean your system.'"
Sophos' Graham Cluley said it appeared that third-party advertising displayed underneath the FarmTown playing window is to blame.
"In all likelihood, hackers have managed to poison some of the adverts that are being served to FarmTown by the outside advert provider," Cluley wrote on his blog.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.cnet.com/8301-27080_3-20002267-245.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Facebook<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-65: NewsBusters Knocked Offline<br>
<b>WHID ID:</b> 2010-65<br>
<b>Date Occured:</b> 4/9/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A deliberate brute force attack, a criminal act, knocked NewsBusters offline since late Friday morning. More information to come, but now we're back and we thank you for bearing with us as our tech team worked studiously to restore the site.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://newsbusters.org/?q=blogs/nb-staff/2010/04/10/newsbusters-back-here-s-some-what-you-ve-missed<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-64: Hundreds of Wordpress Blogs Hit by Networkads.net Hack<br>
<b>WHID ID:</b> 2010-64<br>
<b>Date Occured:</b> 4/9/2010<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Blogs<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software.
According to multiple postings on the Wordpress user forum and other blogs, the attack doesn't modify or create files, but rather appears to inject a Web address — “networkads.net/grep” — directly into the target site's database, so that any attempts to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface.
It's not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-63: Police cuff 70 eBay fraud suspects<br>
<b>WHID ID:</b> 2010-63<br>
<b>Date Occured:</b> 4/6/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Fraud<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Romanian police have arrested 70 suspected cybercrooks, thought to be members of three gangs which allegedly used compromised eBay accounts to run scams.
The alleged fraudsters obtained login credentials using phishing scams before using these trusted profiles to tout auctions for non-existent luxury goods (luxury cars, Rolex watches and even a recreational aircraft). Buyers handed over the loot but never received any goods in return.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/04/07/romania_cybercrime_bust/<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> eBay<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-62: Computer Crooks Steal $100,000 from Ill. Town<br>
<b>WHID ID:</b> 2010-62<br>
<b>Date Occured:</b> 3/11/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Illinois, USA<br>
<b>Incident Description:</b> A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town's online bank account, making off with nearly $100,000. According to Rivera, the theft took place Mar. 11, when her assistant went to log in to the town's account at Bridgeview Bank. When the assistant submitted the credentials to the bank's site, she was redirected to a page telling her that the bank's site was experiencing technical difficulties. What she couldn't have known was that the thieves were stalling her so that they could use the credentials she'd supplied to create their own interactive session with the town's bank account.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-61: How Chinese Hackers Exploit Twitter, Google and Yahoo<br>
<b>WHID ID:</b> 2010-61<br>
<b>Date Occured:</b> 4/6/2010<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A stunning new report issued last night by a team of U.S. and Canadian researchers highlights a critical development in the world of cyber crime: the use of popular services like Twitter, Google (GOOG) and Yahoo (YHOO) to camouflage and carry out infiltrations at the highest level of international government and business.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.bnet.com/business-news/?p=856<br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-60: CNN redirect exploited by scammers<br>
<b>WHID ID:</b> 2010-60<br>
<b>Date Occured:</b> 4/6/2010<br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Spammers use an open redirection vulnerability in a CNN ad site. The clever touch was providing a link that exploits redirect functionality supported by CNN's ad servers. The link is structured as follows:
http://ads.cnn.com/event.ng/Type=click&amp;Redirect=http:/bit.ly/cPXW
Clicking on the link sends a request to CNN which instructs the browser to send a second request to the redirect URL, in this case the shortened http:/bit.ly/cP—XW. The host site would not be aware of the misuse; the spammer is simply abusing legitimate ad-serving functionality.
This technique provides several advantages to the spammer:
1) The URL from cnn.com might give the impression that there was a genuine CNN-worthy story to be found
2) The reputable site name would allay fears of anything malicious lurking at the end of the click.
3) Most URL filtering solutions would not block the initial request to cnn.com (although reputable solutions would have been updated in real time about the follow-on link, which would be blocked)<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.commtouch.com/cafe/email-security-news/cnn-redirect-exploited-by-scammers/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:+CommtouchCafe+(Commtouch+Café)<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-59: Orange Regional Website Hacked<br>
<b>WHID ID:</b> 2010-59<br>
<b>Date Occured:</b> 2/9/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> Ivory Coast<br>
<b>Incident Description:</b> A Lebanese hacker claims to have hacked Orange's regional website in Cote d'Ivoire (Ivory Coast) through SQL injection. The attack allegedly gave him access to the website's administration interface and information on almost 60,000 customers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Orange-Regional-Website-Hacked-134467.shtml<br>
<b>Attack Source Geography:</b> Lebanon<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 60000<br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-58: China journalist club shuts website after attack<br>
<b>WHID ID:</b> 2010-58<br>
<b>Date Occured:</b> 4/1/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> The Foreign Correspondents Club of China said on Friday it had shut its website after a burst of hacker attacks, days after attacks on the Yahoo email accounts of some foreign journalists covering China were discovered.
"We do not know who is behind the attacks or what their motivation is," the club's board said in an emailed statement explaining it had decided to shut down temporarily the site after two days of "persistent" attacks.
The club has traced the online assault to IP addresses in both China and the U.S., but added that these machines could have been taken over by hackers in other locations.
The hacking was the latest of several recent incidents that have brought to light the Internet vulnerabilities of people or groups whose work may raise hackles in China.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.reuters.com/assets/print?aid=USTOE63101R20100402<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-57: Web security under attack from ads in prominent advertising programs<br>
<b>WHID ID:</b> 2010-57<br>
<b>Date Occured:</b> 3/31/2010<br>
<b>Attack Method:</b> Malvertising<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Advertisement programs operated by Google, Yahoo and Fox were recently found to deliver malware, according to CNET. Avast, the Czech Republic-based web security company, discovered the malware and stated that this particular strain targets holes in popular web browsers such as Firefox and Internet Explorer.
Yahoo's Yield Manager and Fox FirmServe manage nearly 50 percent of all online ads. Google's program DoubleClick was found to contain some malvertisements, but not to the extent of Yield Manager or FirmServe. Other advertising platforms like Facebook and MySpace have also experienced similar problems in recent months.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.mxlogic.com/securitynews/web-security/web-security-under-attack-from-ads-in-prominent-advertising-programs651.cfm<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-56: Facebook Flub Leaks Private E-Mail Addresses<br>
<b>WHID ID:</b> 2010-56<br>
<b>Date Occured:</b> 3/31/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Private e-mail addresses that many Facebook users wanted to keep hidden were revealed publicly last night on a multitude of Facebook profiles, Gawker reports. The glitch lasted about 30 minutes before Facebook sealed the gap.
It might be that Facebook's recently proposed changes to its privacy settings could be to blame for the hiccup. PC World writer Paul Suarez reported that "One of those changes [to Facebook's Privacy Policy and Statement of Rights and Responsibilities] would make it possible for Facebook to send your name, photo, friend list, and any public information about you and your friends to preapproved third-party Web sites." A slight tweak to broadcasting profile information could have resulted in this embarrassing flub.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.cio.com/article/589021/Facebook_Flub_Leaks_Private_E_Mail_Addresses<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-55: Drudge Report accused of serving malware, again<br>
<b>WHID ID:</b> 2010-55<br>
<b>Date Occured:</b> 3/9/2010<br>
<b>Attack Method:</b> Malvertising<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> For the second time in less than six months, visitors to the Drudge Report say they got malware in addition to the Web site's usual sensational headlines.
Matt Drudge denied that his site was infecting visitors; however, it's likely that the malware is coming from ads delivered by a third-party ad network and not the site itself.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.cnet.com/8301-27080_3-10466044-245.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-54: MyPilotStore.com hack results in false charges on customers cards<br>
<b>WHID ID:</b> 2010-54<br>
<b>Date Occured:</b> 2/18/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> On February 18, MyPlane, dba MyPilotStore.com, discovered that their database containing their customers' names, addresses, telephone numbers, e-mail addresses, and credit card information had been hacked. According to the firm, some customers received a “nominal fake charge to their credit card by a company not associated with us.”<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.databreaches.net/?p=10990<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-53: Google says Vietnam political blogs hacked<br>
<b>WHID ID:</b> 2010-53<br>
<b>Date Occured:</b> 3/31/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> Vietnam<br>
<b>Incident Description:</b> Internet giant Google says Vietnamese computer users have been spied on and political blogs hacked in attacks which a leading web security firm suspects are linked to the Vietnamese government.
The incidents recall cyber attacks in China that Google in January said had struck it and other unidentified firms in an apparent bid to hack into the email accounts of Chinese human rights activists.
"These infected machines have been used both to spy on their owners as well as participate in distributed denial of service attacks against blogs containing messages of political dissent," said Neel Mehta of Google's security team in the firm's Online Security Blog.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.yahoo.com/s/afp/20100331/tc_afp/vietnammediainternetrightsgooglemcafee&amp;a=Technology%20News&amp;x=1<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-52: 3000 Small Dog Electronics customers' credit card details compromised<br>
<b>WHID ID:</b> 2010-52<br>
<b>Date Occured:</b> 2/18/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Electronics retailer Small Dog Electronics has suffered from a systems breach that left 3000 customers' credit card details compromised.
The data theft, which left the credit card details exposed from late December to almost the end of January, used a security hole in the in-house web application that had been developed to manage Smalldog's ecommerce system.
Don Mayer, CEO of Small Dog Electronics, explained that the company is PCI compliant, and that it had been subjected to a penetration test by a third party, which he would not name. The flaw in the code has now been rectified, and Small Dog is investigating the issue with the pen tester, added Mayer, who did not know what language the ecommerce system had been written in.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.infosecurity-us.com/view/7411/3000-small-dog-electronics-customers-credit-card-details-compromised/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 3000<br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-51: Woman worms into D.C. taxpayer accounts<br>
<b>WHID ID:</b> 2010-51<br>
<b>Date Occured:</b> 2/5/2010<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Washington DC, USA<br>
<b>Incident Description:</b> A mentally ill woman exploited a loophole in D.C. tax office online systems to gain unauthorized access to taxpayer accounts, establish herself as the owner of dozens of businesses and file returns on their behalf. The FR-500 forms were not submitted for review before processing, BDO found, and no verification checks were performed. The loophole was a glitch, OTR explained. The agency's Integrated Tax System was supposed to deny ownership changes requested through the FR-500 function, but "faulty logic" allowed the updates automatically. Umansky said a fix is now in place and "that can't happen again."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.washingtonexaminer.com/local/Woman-worms-into-D_C_-taxpayer-accounts-83589257.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-50: Shared-password vulnerability may have exposed personal information in online account management system<br>
<b>WHID ID:</b> 2010-50<br>
<b>Date Occured:</b> 1/14/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.
In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says.
The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 1200000<br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-49: Hackers pluck 8,300 customer logins from bank server<br>
<b>WHID ID:</b> 2010-49<br>
<b>Date Occured:</b> 1/12/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> NY, USA<br>
<b>Incident Description:</b> Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system.
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release (PDF) issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2010/01/12/bank_server_breached/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 8300<br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-48: Hackers brute force their way into galeton.com website containing names, credit card numbers<br>
<b>WHID ID:</b> 2010-48<br>
<b>Date Occured:</b> 2/8/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Hackers used brute force to log into web accounts of users at www.galeton.com.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://datalossdb.org/incidents/2692-hackers-brute-force-their-way-into-website-containing-names-credit-card-numbers<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-47: Court papers: JC Penney was hacking victim<br>
<b>WHID ID:</b> 2010-47<br>
<b>Date Occured:</b> 10/23/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> JC Penney Co. was one of the victims of notorious computer hacker Albert Gonzalez, according to unsealed documents made available on Monday by a federal judge in Boston.
Penney, which during Gonzalez' trial had asked the U.S. District Court for the District of Massachusetts to bar the government from disclosing its identity, was revealed in the documents to be the company that had been known throughout the trial as "Company A."
ICQ chat logs confirm SQL Injection was used - http://datalossdb.org/system/jcp_attachment.pdf<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.msnbc.msn.com/id/36088614/ns/technology_and_science-security/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://datalossdb.org/incident_highlights/48
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-46: Microsoft's Larry "Major Nelson" Hryb has online account hijacked through Xbox.com as part of underground group's publicity bid.<br>
<b>WHID ID:</b> 2010-46<br>
<b>Date Occured:</b> 3/29/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Xbox Live director of programming Larry Hryb has for some time now been the face of Microsoft's online platform for the Xbox 360, thanks in large part to his Major Nelson persona. Unfortunately, Xbox Live's figurehead saw his gamertag defaced over the weekend after a hacker was able to log into Hryb's account.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.gamespot.com/news/6254330.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-45: Online Thieves Take $205,000 Bite Out of Missouri Dental Practice<br>
<b>WHID ID:</b> 2010-45<br>
<b>Date Occured:</b> 3/30/2010<br>
<b>Attack Method:</b> Banking Trojan<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Missouri, USA<br>
<b>Incident Description:</b> Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.
Smile Zone is still investigating how the thieves compromised the account. But in case after case I've reported on involving this type of fraud, the attackers hacked the victim's computer networks using a Trojan horse program known as Zeus or Zbot, which allows the criminals to tunnel back through the victim's PC in order to log into the target account without raising red flags or additional security mechanisms.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> $205000<br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-44: Baidu hacked by Iranian Cyber Army<br>
<b>WHID ID:</b> 2010-44<br>
<b>Date Occured:</b> 1/12/2010<br>
<b>Attack Method:</b> Weak Password Recovery Validation<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> The attack, which took place overnight, saw a message from the Iranian Cyber Army appear on the Baidu home page. It featured a picture of the Iranian flag, and a message written in Farsi.
Here's how Baidu alleges the hacker got access to one of the world's most popular web site's domain name account in under an hour:
1. Hacker starts online chat session with Register.com representative, claiming to be an agent of Baidu.
2. Register.com representative asks hacker to provide verification information. Hacker provides invalid information, but Register.com goes ahead and e-mails a security code to the email address it has on file for Baidu anyway.
3. The hacker doesn't have access to that e-mail address, so he/she relays a bogus security code to the Register.com representative via chat. Baidu claims the representative didn't bother to compare the code to the actual one.
4. Hacker asks Register.com representative to change email address on file to antiwahabi2008@gmail.com, and representative does.
5. Hacker now uses “forgot password” link at Register.com to request the username and password to the account. Hacker can then log in and change the name servers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.telegraph.co.uk/technology/news/6974129/Baidu-hacked-by-Iranian-Cyber-Army.html<br>
<b>Attack Source Geography:</b> Iran<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://domainnamewire.com/2010/02/24/how-baidu-got-hacked-by-the-iranian-cyber-army/
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-43: Sleuths Trace Digital Clues to Predict iPad Sales<br>
<b>WHID ID:</b> 2010-43<br>
<b>Date Occured:</b> 3/19/2010<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Entropy<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> To get the ball rolling on the iPad estimate, Mr. Tello asked participants on a private message board for Apple watchers, AAPL Sanity, to share the order number that the Apple Store assigns to each online purchase and includes on the order's email confirmation.
The first order submitted, from a user named Joe, had an eight-digit order number, 68,715,XXX (the last three digits have been excised), at 8:30 a.m. Eastern time on March 12, the first day iPad orders could be placed. Another order placed five days later, by a user named Israel, was numbered 68,937,XXX. That is a difference of about 222,000.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://online.wsj.com/article/SB10001424052748704207504575130351672451186.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-42: Frenchman Arrested After Hacking Into Obama's Twitter Accounts<br>
<b>WHID ID:</b> 2010-42<br>
<b>Date Occured:</b> 3/25/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A Frenchman will face trial after hacking into Twitter accounts, including that of U.S. President Barack Obama, a French prosecutor said.
The 24-year-old man from central France was arrested on Tuesday and could face up to two years in prison in France for fraudulent access to a computer system. The arrest followed a joint operation between the Federal Bureau of Investigation and the French police, according to French state prosecutor Jean-Yves Coquillat.
The man, whose name hasn't been released, is charged with having hacked into the Twitter Inc. social-networking accounts of famous people. He did this in April 2009 after posing as a site administrator, said Mr. Coquillat. As well as Mr. Obama's account, he hacked into that of singer Britney Spears, he said.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://online.wsj.com/article/SB10001424052748704094104575143391819054502.html<br>
<b>Attack Source Geography:</b> France<br>
<b>Attacked System Technology:</b> Twitter<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-41: NineMSN compromised<br>
<b>WHID ID:</b> 2010-41<br>
<b>Date Occured:</b> 2/17/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> Microsoft's Ninemsn, one of the most visited portals in Australia (Alexa rank 573), was compromised and injected with malicious code. The malicious code was identified to be part of the Gumblar mass injections.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.itwire.com/business-it-news/security/36912-ninemsn-compromised<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-40: TCS Website Hacked, Domain Name Up For Sale<br>
<b>WHID ID:</b> 2010-40<br>
<b>Date Occured:</b> 2/8/2010<br>
<b>Attack Method:</b> DNS Hijacking<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> Indian software giant Tata Consultancy Services Ltd. (TCS) has witnessed the hijacking of its official website www.tcs.com. The hackers not only attacked the website but also allegedly changed its domain name and put it up for sale!<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.techtree.com/India/News/TCS_Website_Hacked_Domain_Name_Up_For_Sale/551-109190-643.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-39: Tesda Website hacked again; users directed to Smartmatic<br>
<b>WHID ID:</b> 2010-39<br>
<b>Date Occured:</b> 1/11/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Philippines<br>
<b>Incident Description:</b> Even before its administrators could fix the problem, the website of the Technical Education and Skills Development Authority was hacked again early Monday, this time redirecting visitors to the website of Smartmatic, the contractor tasked to implement the automated elections this May. A check of the hacked TESDA website's homepage showed the hackers left instructions for the site to redirect to Smartmatic's website in 20 seconds.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.gmanews.tv/story/181244/tesda-website-hacked-again-users-redirected-to-smartmatic<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-38: Cross-Site Scripting through Flash in Gmail Based Services<br>
<b>WHID ID:</b> 2010-38<br>
<b>Date Occured:</b> 3/22/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> IBM Security Researcher outlines the XSS vuln he found that exploits a Flash upload file movie by passing Javascript within external parameters.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-37: ING Shareholder Data Exposed on Website<br>
<b>WHID ID:</b> 2010-37<br>
<b>Date Occured:</b> 1/25/2010<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> On January 25, an ING customer discovered that she could access client information on the ingfunds.com web site and notified her stockbroker. In investigating the situation, ING discovered that since August 2008, a file containing the names, addresses, Social Security numbers, and account numbers of 106 ING shareholders had been available on the web through a search engine. The company notified the New Hampshire Attorney General on February 3 that 17 residents of the state were affected.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://doj.nh.gov/consumer/pdf/ing.pdf<br>
<b>Attack Source Geography:</b> New Hampshire, USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-36: Durex condom orders leak on web customer (update 1)<br>
<b>WHID ID:</b> 2010-36<br>
<b>Date Occured:</b> 3/22/2010<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> Last week, this site received a lead about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers' orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the URL without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.databreaches.net/?p=10726<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-35: CISO Witnesses Hack Like No Other<br>
<b>WHID ID:</b> 2010-35<br>
<b>Date Occured:</b> 3/3/2010<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Loss of Sales<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> PA, USA<br>
<b>Incident Description:</b> Here's what Maley told attendees to an RSA Conference panel on state cybersecurity on Wednesday:
"We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know."
Authorities eventually discovered that the hacker who used a proxy server in Russia to mask his identity owned a driving school in Philadelphia, and exploited a vulnerability in the driving test scheduling system to allow the scheduling of more tests than the allotted time slots. It could take upward of six weeks to schedule a driving test in Philadelphia. Said Maley:
"What he was doing was saying (to potential customers), "You go over across the street, to John's driver training, and it's going to take you six to eight weeks to get your test. We can get you in tomorrow."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.bankinfosecurity.com/posts.php?postID=469<br>
<b>Attack Source Geography:</b> PA, USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-34: Over 120 000 Sanoma User Credentials Stolen<br>
<b>WHID ID:</b> 2010-34<br>
<b>Date Occured:</b> 3/23/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> Finland<br>
<b>Incident Description:</b> Not exactly startup news per se, but a healthy reminder to all those working with user credentials in their online services. One of the largest, if not the largest, online identity thefts has just occurred in Finland. The service to be breached was Älypää, a Sanoma-bought gaming site. The sad part is that while an identity breach of this magnitude is always bad, this has been made worse by Sanoma actually storing the passwords in plain text, making them usable anywhere.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.arcticstartup.com/2010/03/23/over-120-000-sanoma-user-credentials-stolen/?ref=rc<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-33: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss<br>
<b>WHID ID:</b> 2010-33<br>
<b>Date Occured:</b> 2/15/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> NY, USA<br>
<b>Incident Description:</b> A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.
Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.
Later, McCarthy's friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.
Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-32: Crooks Crank Up Volume of E-Banking Attacks<br>
<b>WHID ID:</b> 2010-32<br>
<b>Date Occured:</b> 2/23/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Ohio, USA<br>
<b>Incident Description:</b> Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud.
The story outlines banking Trojan activity that intercepted the one-time passcode and then redirected the real user to a fake maintenance page.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-31: Organized Crooks Hit Ark. Utility<br>
<b>WHID ID:</b> 2010-31<br>
<b>Date Occured:</b> 3/4/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Arkansas, USA<br>
<b>Incident Description:</b> In a separate incident on March 4, organized crooks stole roughly $130,000 from North Garland County Regional Water District, a public, nonprofit utility in Hot Springs, Ark. Again, thieves somehow broke into the utility's online bank account and set up unauthorized transfers to more than a dozen individuals around the country that were not affiliated with the district.
Manager Bill Reinhardt said the district is still investigating how the thieves gained access to its accounts, and that it had notified the FBI about the breach. Reinhardt said the district has so far worked with its bank to reverse about half of the fraudulent transfers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/#more-1918<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-30: Organized Crooks Hit NJ Town<br>
<b>WHID ID:</b> 2010-30<br>
<b>Date Occured:</b> 3/19/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> New Jersey, USA<br>
<b>Incident Description:</b> The Federal Bureau of Investigation and the Atlantic County Prosecutor's Office are helping Egg Harbor Township police investigate what township police said was an "outside intrusion into a municipal banking account" that was to blame for missing municipal funds.
In a statement, the township police also warned the public that computer criminals have become more sophisticated.
"Emails can appear to originate from your bank, or other legitimate location, and when opened can cause great financial damage," the department wrote. "Use extra care with your email and where you may send/enter any personal information."<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.pressofatlanticcity.com/news/top_three/article_35e425d8-32f2-11df-a24f-001cc4c03286.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://www.krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-29: Conservatives embarrassed as hackers exploit loophole on anti-union website<br>
<b>WHID ID:</b> 2010-29<br>
<b>Date Occured:</b> 3/23/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> United Kingdom<br>
<b>Incident Description:</b> It was hoped that visitors to the website - http://cash-gordon.com would use popular social networking websites such as Twitter and Facebook to spread the word about Gordon Brown's union links.
One of its features displayed any message posted on Twitter if it included the term “#cashgordon”, no matter what else it said.
By writing Twitter messages containing the “#cashgordon” and their own piece of web code, they were able to redirect visitors to any other site on the internet.
Anyone who tried to access the Cash Gordon website for more than an hour was sent elsewhere, such as to the Labour Party's site or to hardcore pornography pages.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.telegraph.co.uk/technology/twitter/7499228/Conservatives-embarrassed-as-hackers-exploit-loophole-on-anti-union-website.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-28: Bank sues victim of $800,000 cybertheft<br>
<b>WHID ID:</b> 2010-28<br>
<b>Date Occured:</b> 1/26/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> TX, USA<br>
<b>Incident Description:</b> A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-27: Poughkeepsie, N.Y., slams bank for $378,000 online theft<br>
<b>WHID ID:</b> 2010-27<br>
<b>Date Occured:</b> 2/8/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> NY, USA<br>
<b>Incident Description:</b> The theft of $378,000 from the town of Poughkeepsie, N.Y., is prompting questions about the responsibility of banks to protect customer accounts from online criminals.
In a statement last week, a Poughkeepsie town official revealed that thieves had broken into the town's TD Bank NA account and transferred $378,000 to accounts in the Ukraine.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.computerworld.com/s/article/9153598/Poughkeepsie_N.Y._slams_bank_for_378_000_online_theft<br>
<b>Attack Source Geography:</b> Ukraine<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-26: Russia Arrests Alleged Mastermind of RBS WorldPay Hack<br>
<b>WHID ID:</b> 2010-26<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Georgia, USA<br>
<b>Incident Description:</b> A fascinating story about a group of hackers who broke into the RBS WorldPay DBs through SQL Injection. Russian authorities have nabbed the man accused of masterminding a coordinated global ATM heist of $9.5 million from Atlanta-based card processing company RBS WorldPay. The hackers compromised RBS WorldPay's database encryption to raise the amount of funds available on the compromised cards, and boost their daily withdrawal limits. In some cases, the hackers raised the limits to $500,000. According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access. Pleshchuk allegedly developed the method for reverse engineering the encrypted PINs. Once the hackers raised the account limits, they provided an army of cashers with 44 cards programmed with the account details. On November 8 that year, the cashers simultaneously hit more than 2,000 ATMs, netting about $9.5 million in less than 12 hours.
The story did not specify the exact vulnerabilities exploited to manipulate the DB; however, the indictment PDF (in the reference) lists actual SQL commands sent to the DBs (pages 10-11).
If you then cross-reference this story with WHID entry 2009-51, where the Romanian hacker Unu released SQL Injection vulns in RBS WorldPay web applications, it seems most plausible that these Russian hackers used similar vulnerabilities.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.wired.com/threatlevel/2010/03/alleged-rbs-hacker-arrested<br>
<b>Attack Source Geography:</b> Russia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://www.wired.com/images_blogs/threatlevel/2009/11/rbs-worldpay-indictment.pdf
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-25: Flawed Security Exposes Vital Software to Hackers<br>
<b>WHID ID:</b> 2010-25<br>
<b>Date Occured:</b> 3/5/2010<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> McAfee, a leading maker of Internet security software, warned this week that software systems used by many companies to store and manage their intellectual property are being actively targeted by hackers and are in need of significantly increased security focus.
McAfee took issue with Perforce's implementation of access controls. For instance, using the Web interface, someone who manages to access one user account could access those of other users by manipulating the associated URL, or Web address, it said. Perforce responded that, if customers choose the system's most restrictive mode, that situation isn't possible.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://bits.blogs.nytimes.com/2010/03/05/flawed-security-exposes-vital-software-to-hackers/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://graphics8.nytimes.com/packages/pdf/technology/20100306Aurora.pdf
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-24: Singapore's biggest forum, Hardwarezone Forums, gets hacked (friendly)<br>
<b>WHID ID:</b> 2010-24<br>
<b>Date Occured:</b> 3/18/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Singapore<br>
<b>Incident Description:</b> Yesterday, at 8pm past, a member "gameboyz" discovered pretty quickly that he could inject HTML code into the Tag Board Chat, and posted a script which changed the contents of the page where the tagboard would appear, with a message below, when one accessed certain sections of the site.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://asia.cnet.com/blogs/rehashplus/post.htm?id=63017848&amp;scid=hm_bl
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-23: Beware: Malware Attacks Facebook, B-Ball &amp; Gossip Sites<br>
<b>WHID ID:</b> 2010-23<br>
<b>Date Occured:</b> 3/19/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> At a time when college basketball fans are going wild, cybercriminals are actively pursuing opportunities for scams. Basketball fans go online to fill out bracket selections, and when they do, hackers are also playing their own game of spamdexing, i.e. manipulating search results to promote sites, according to James Duldulao, a security researcher at McAfee. In this case, he explained, cybercriminals are spamdexing malware-infected sites.
This week, the top results for terms like "ncaa bracket" and "march madness predictions" were poisoned. McAfee reports that five out of the first 10 hot searches on Google Trends are being promoted by a network of legitimate sites that were hacked to serve malware. One site had an embedded Flash file that downloads malware from another site and installs it without user interaction.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.toptechnews.com/story.xhtml?story_id=11000CA733W8&amp;full_skip=1<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-22: Hackers target SDP leaders<br>
<b>WHID ID:</b> 2010-22<br>
<b>Date Occured:</b> 3/21/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Finland<br>
<b>Incident Description:</b> At least two leading figures in the opposition Social Democratic Party were attacked by computer hackers during the weekend.
On Sunday, the web pages of the party's Parliamentary group chairman Eero Heinäluoma were hacked, and on Saturday evening it was the turn of the party's chairwoman Jutta Urpilainen.
Strange pictures and text had appeared on Heinäluoma's page www.heinaluoma.net on Sunday, and shortly before 4 p.m. his web page was no longer accessible.
On Saturday evening, Urpilainen's page had been targeted with obscene messages and child pornography.
The pages crashed at about 10:00 p.m.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.hs.fi/english/article/Hackers+target+SDP+leaders+/1135254873196<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-21: Wiseguys Tickets charged with hacking into Ticketmaster, LiveNation to illegally grab best seats<br>
<b>WHID ID:</b> 2010-21<br>
<b>Date Occured:</b> 3/1/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Loss of Sales<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> This entry is related to WHID 2008-48 (http://www.xiom.com/whid-2008-48) however it expands beyond only TicketMaster to include LiveNation.
Prosecutors said the men hired a hacker in Bulgaria to program a way around the "CAPTCHA" technology that requires ticket buyers to read and retype two distorted random words to prove they are people, not a computer program. In a spectacular irony, the defendants managed to take a process meant to distinguish between a human and a machine - and automate it. The indictment said they even programmed their bots to make mistakes so they would appear to be human ticket buyers. When the bots swarmed a Web site, they were able to fill out the CAPTCHA fields in a twinkling, beating any real human buyers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.nydailynews.com/news/ny_crime/2010/03/01/2010-03-01_wiseguys_tickets_charged_with_hacking_into_ticketmaster_livenation_to_illegally_.html<br>
<b>Attack Source Geography:</b> Bulgaria<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-20: Jewish Community Assistance Group Website Hacked<br>
<b>WHID ID:</b> 2010-20<br>
<b>Date Occured:</b> 3/21/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Religious<br>
<b>Attacked Entity Geography:</b> Israel<br>
<b>Incident Description:</b> The internet website of the Keren Kehilot organization was hacked Sunday morning by a gang of Muslim hackers, apparently from Turkey.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.israelnationalnews.com/News/Flash.aspx/182976<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-19: Hacked personal data originating from China<br>
<b>WHID ID:</b> 2010-19<br>
<b>Date Occured:</b> 3/22/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Korea<br>
<b>Incident Description:</b> According to police, Chinese hackers have been targeting Web sites of Korean department stores and other frequently visited sites. The hackers offer the Korean information for sale on the Internet. Last September, a used-car trading Web site and the Internet home page for a car navigation manufacturer were victims of Chinese hackers who stole names and residential registration numbers of 910,000 online members. Hackers can use the stolen registration numbers to become members of certain Web sites that send spam messages, or sell the numbers to other hackers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://joongangdaily.joins.com/article/view.asp?aid=2918142<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-18: Hackers crash Aussie charity websites<br>
<b>WHID ID:</b> 2010-18<br>
<b>Date Occured:</b> 3/22/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> The internet services of two Australian autism support organisations have been crashed by computer hackers and a third may also have fallen victim, raising fears of a targeted attack to coincide with autism month.
Autism Spectrum Australia (ASPECT), the country's autism service provider, is losing hundreds of dollars in online donations each day after its website was hit by hackers early on Sunday.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.stuff.co.nz/technology/3486923/Hackers-crash-Aussie-charity-websites<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-17: Govt websites hacked<br>
<b>WHID ID:</b> 2010-17<br>
<b>Date Occured:</b> 3/20/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Bangladesh, India<br>
<b>Incident Description:</b> Bangladesh government websites, operating out of the Prime Minister's Office, were attacked on Saturday by hackers purporting to be "Indian".
bdnews24.com, at around 2.30am, found that 19 out of 64 district web portals had been hacked by "MIL INDIAN HACKER", threatening "cyber war" in retaliation to any terrorist attack by Pakistan on Indian soil "via Bangladesh".
Most of the sites were fixed around 16 hours later, said officials, who in some cases had first been notified of the cyber attack by bdnews24.com's online report.
The hacked portals displayed a poster on opening, which said: '28 DIFFERENT STATES, 28 DIFFERENT LANGUAGES BUT ONE WORD JAI HIND!'<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://bdnews24.com/details.php?id=156315&amp;cid=2<br>
<b>Attack Source Geography:</b> India<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-16: The Game's Email Hacked, Monthly Expenses List Leaked<br>
<b>WHID ID:</b> 2010-16<br>
<b>Date Occured:</b> 3/22/2010<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Hackers don't discriminate. The biggest targets these days seem to be celebrities. The latest is rapper The Game, whose GMAIL account was reportedly hacked into recently. According to TheBoomBox.com, the rapper didn't have too many interesting things going on in his email. At least, nothing revealed just yet.
The only thing of interest leaked was a detailed list of his monthly expenses, which total roughly $52,000.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.ballerstatus.com/2010/03/22/the-games-email-hacked-monthly-expense-list-leaked/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> GMail<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-15: Villar website 'hacked'<br>
<b>WHID ID:</b> 2010-15<br>
<b>Date Occured:</b> 3/19/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Philippines<br>
<b>Incident Description:</b> The rivalry between Senators Manny Villar and Benigno "Noynoy" Aquino has gone beyond the campaign trail as the official website of the Nacionalista Party presidential bet supposedly got hacked by an Aquino supporter Monday. At about 10 a.m., Villar's official website www.mannyvillar.co.ph contained a blog entry titled "Hacked by Kris Aquino." The entry, which was written in "swardspeak", took jabs at Villar's marketing strategy and ended up coaxing its readers to vote for Aquino instead.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.abs-cbnnews.com/lifestyle/03/22/10/villar-website-hacked<br>
<b>Attack Source Geography:</b> Philippines<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-14: Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies<br>
<b>WHID ID:</b> 2010-14<br>
<b>Date Occured:</b> 3/19/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Saudi Arabia<br>
<b>Incident Description:</b> A very interesting cyberwarfare story involving US government/military on both sides. By early 2008, top U.S. military officials had become convinced that extremists planning attacks on American forces in Iraq were making use of a Web site set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom. Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.washingtonpost.com/wp-dyn/content/article/2010/03/18/AR2010031805464.html<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-13: Australian Government websites blitzed by DDoS attack<br>
<b>WHID ID:</b> 2010-13<br>
<b>Date Occured:</b> 2/10/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> The websites of Senator Stephen Conroy and the Australian Parliament House were inaccessible this morning after the 'Anonymous' group of hackers claimed credit for a Distributed Denial of Service (DDoS) attack on Australian Government web sites.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.securecomputing.net.au/News/166860,australian-government-websites-blitzed-by-ddos-attack.aspx<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-12: Army Website Compromised Through SQL Injection<br>
<b>WHID ID:</b> 2010-12<br>
<b>Date Occured:</b> 1/9/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A Romanian grey hat hacker has disclosed an SQL injection (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/Army-Website-Compromised-Through-SQL-Injection-131649.shtml<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-11: U.S. Military Equipment Website Hacked<br>
<b>WHID ID:</b> 2010-11<br>
<b>Date Occured:</b> 1/13/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A Lebanese hacker is taking credit for a security breach on the PEO Soldier Army website. By exploiting an SQL injection vulnerability, he allegedly obtained full access to the underlying database and the information contained within.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.softpedia.com/news/U-S-Military-Equipment-Website-Hacked-131947.shtml<br>
<b>Attack Source Geography:</b> Lebanon<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-10: FBI, police ID Boulder synagogue Web site hacker<br>
<b>WHID ID:</b> 2010-10<br>
<b>Date Occured:</b> 1/2/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Religious<br>
<b>Attacked Entity Geography:</b> Boulder, CO<br>
<b>Incident Description:</b> Boulder police and the FBI announced Friday that they have identified the individual who hacked into the Web sites of two Boulder synagogues and the Boulder Rabbinic Council last week and defaced them with anti-Semitic messages.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.dailycamera.com/ci_14150610?source=most_emailed#axzz0ieLUTxxC<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-9: Pakistani cyber crime website hit by hacker who is able to access database<br>
<b>WHID ID:</b> 2010-9<br>
<b>Date Occured:</b> 1/11/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Pakistan<br>
<b>Incident Description:</b> It has been reported that a political website, the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority, was hacked: the sensitive site was hit by a hacker who managed to gain access to the email database.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.scmagazineuk.com/pakistani-cyber-crime-website-hit-by-hacker-who-is-able-to-access-database/article/160969/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-8: Cross-site scripting vulnerabilities see two political websites hacked<br>
<b>WHID ID:</b> 2010-8<br>
<b>Date Occured:</b> 1/5/2010<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Spain<br>
<b>Incident Description:</b> A report on BBC News said that visitors to Spain's EU presidency website were greeted by an image of comedy character Mr Bean instead of the Spanish Prime Minister Jose Luis Rodriguez Zapatero. The government said that the site - www.eu2010.es - had not been attacked and that a hacker had taken a screenshot of the homepage to make a photo montage using a cross-site scripting (XSS) vulnerability. Visitors found an image of Mr Bean complete with a benign smile and the words 'Hi there'.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.scmagazineuk.com/cross-site-scripting-vulnerabilities-see-two-political-websites-hacked/article/160597/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-7: Hacker attacks Ceridian; data from 27,000 at risk<br>
<b>WHID ID:</b> 2010-7<br>
<b>Date Occured:</b> 1/20/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Minnesota, USA<br>
<b>Incident Description:</b> A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. The attack was against the Powerpay payroll system.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.startribune.com/business/83505102.html?elr=KArksUUUU<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 27000<br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-6: Cyber hacker hits Paula Dockery's campaign site<br>
<b>WHID ID:</b> 2010-6<br>
<b>Date Occured:</b> 1/20/2010<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Florida, USA<br>
<b>Incident Description:</b> Attacker(s) conducted a DDoS attack against the Florida Candidate for Governor Paula Dockery's website. In essence, what is happening is someone is sending approximately 40,000 requests per second to the website/server, then immediately closing them… It is the equivalent of 2.4 million people a minute browsing to the site and closing it immediately. In essence this saturates the number of connections available to legitimate people trying to get to the server, causing them to time-out when they visit the site. In security terms it is called a Denial of Service Attack (DoS).<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://blogs.tampabay.com/buzz/2010/01/cyber-hacker-hits-paula-dockerys-campaign-site.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-5: City of Albertville's web site hacked<br>
<b>WHID ID:</b> 2010-5<br>
<b>Date Occured:</b> 3/18/2010<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Alabama, USA<br>
<b>Incident Description:</b> The website of the Mayor of Albertville, AL was defaced with profanity.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.waff.com/Global/story.asp?S=12166330<br>
<b>Attack Source Geography:</b> Alabama, USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-4: Shopping website hacked with malware<br>
<b>WHID ID:</b> 2010-4<br>
<b>Date Occured:</b> 3/19/2010<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> Australian retailer DealsDirect.com.au started serving malware to clients through a compromised partner advertising system. It seems that end users were made aware of malware due to Google Safe Browsing plugins in Google Chrome, Firefox and Internet Explorer browsers as they were alerted with the "This site may harm your computer" warning. It is a shame that web sites themselves aren't doing better at analyzing outbound data they are serving to ensure that it is not malicious.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.ninemsn.com.au/technology/1029568/shopping-website-hacked-with-malware<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-3: Feds Crack Hackers' Stock Manipulation Cybercrime<br>
<b>WHID ID:</b> 2010-3<br>
<b>Date Occured:</b> 3/16/2010<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Hackers, working for BroCo Investments (a one-trader operation based in St. Petersburg, Russia) used stolen online brokerage credentials to initiate a pump-and-dump scheme. Within minutes of making the unauthorized transactions, the SEC claims BroCo then sold shares of these same stocks held in its own account at the artificially inflated prices, netting the hackers more than $250,000 in profits.
From a defensive perspective, the online brokerage accounts should be doing more to authenticate users and validate transactions. The challenging part is that these types of defensive mechanisms may actually interfere with many of the automated bot programs that investors use to monitor and execute trades. Online trading fraud is not going to go away anytime soon.
Read More on SEC filing - http://www.wired.com/images_blogs/threatlevel/2010/03/brocosec.pdf<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.esecurityplanet.com/news/article.php/3871176/Feds-Crack-Hackers-Stock-Manipulation-Cybercrime.htm<br>
<b>Attack Source Geography:</b> St. Petersburg, Russia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> $600000<br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-2: Hacker Disables More Than 100 Cars Remotely<br>
<b>WHID ID:</b> 2010-2<br>
<b>Date Occured:</b> 3/17/2010<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Data Loss<br>
<b>Attacked Entity Field:</b> Automotive<br>
<b>Attacked Entity Geography:</b> Austin TX, USA<br>
<b>Incident Description:</b> Hundreds of cars would not start and/or had their horn honking when a former employee at Texas Auto Center used previous passwords to log into a system called Webtech Plus, which is used as an alternative to repossessing vehicles that haven't been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car's ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The hacker destroyed account records and then started to disable cars/force the horn to honk continuously.
Read More http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/#ixzz0iYvPwUVj<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/<br>
<b>Attack Source Geography:</b> Texas, USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2010-1: Hacker Breaks Into 49 House Sites, Insults Obama<br>
<b>WHID ID:</b> 2010-1<br>
<b>Date Occured:</b> 2/1/2010<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A hacker broke into 49 House Web sites of both political parties after President Obama's State of the Union address. The websites were all managed by a private vendor -- GovTrends of Alexandria, Va. The article mentions that "GovTrends let its guard down while performing an update, allowing the hacker to penetrate sites of individual members and committees overnight" which leads to WHID's Misconfiguration Attack Method designation.
Interesting note - 18 House sites managed by GovTrends were defaced last August.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.toptechnews.com/news/Hacker-Breaks-Into-49-House-Sites/story.xhtml?story_id=00100041BAO7<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-51: Hacker Hits RBS WorldPay Systems Database<br>
<b>WHID ID:</b> 2009-51<br>
<b>Date Occured:</b> 9/11/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Georgia, USA<br>
<b>Incident Description:</b> A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on RBS WorldPay's site, where he says he hit the jackpot, the company's database.
The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220000005<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-50: Iranian hacker attack: What will it cost Twitter?<br>
<b>WHID ID:</b> 2009-50<br>
<b>Date Occured:</b> 12/17/2009<br>
<b>Attack Method:</b> DNS Hijacking<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A new attack by hackers Dec. 17 redirected Twitter users to a page from a previously unknown group called the Iranian Cyber Army. Most computer attacks are relatively straightforward denial-of-service attacks, where computers overwhelm a website with data to bring it down. Thursday night's attack against Twitter was more serious because the hackers gained access to part of Twitter's network and were able to redirect users to a page with a photo of a flag with Farsi script. Near the top of the page ran a bold red headline in English: "This site has been hacked by Iranian Cyber Army."
Hackers for several days have attacked the websites of opponents of Iran's regime and posted the same image. The opponents have used social-media sites like Twitter to organize street protests this year.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter<br>
<b>Attack Source Geography:</b> Iran<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-49: RockYou Hack: From Bad To Worse<br>
<b>WHID ID:</b> 2009-49<br>
<b>Date Occured:</b> 12/14/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Earlier today news spread that social application site RockYou had suffered a data breach that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent but the details of the security breach are going from bad to worse.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-48: XSS Embedded iFrames<br>
<b>WHID ID:</b> 2009-48<br>
<b>Date Occured:</b> 12/14/2009<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Today we saw a variety of pages being advertised that have search.htm and other pages vulnerable to cross-site scripting (XSS) being used to inject an iframe to a malicious webpage redirector. An unknowing user following such an advertisement would believe that they were just visiting the intended host site, unaware that the iframe was also redirecting them to malicious content.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://research.zscaler.com/2009/12/xss-embedded-iframes.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-47: Morrison says 'new baby' story a hoax by web hacker<br>
<b>WHID ID:</b> 2009-47<br>
<b>Date Occured:</b> 12/29/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> A hoax, posted by a hacker on Van Morrison's website, falsely claimed the singer (64) had a baby with a woman called Gigi Lee.
But the reclusive singer issued a statement on New Year's Eve saying he is happily married to former model Michelle Rocca.
The earlier reports were carried by news organisations worldwide after a Los Angeles based public relations consultant, who has represented Morrison in the past, apparently confirmed the claim on Tuesday.
However, the statement issued by Van Morrison said: "I have asked my management team to carry out an immediate investigation into a hacking attack which took place on my website on December 29th last.
"This is the second occasion on which the website has been hacked into during the last three months. In this most recent incident, claims were made relating to my personal life in a "statement" purporting to come from me.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.independent.ie/national-news/morrison-says-new-baby-story-a-hoax-by-web-hacker-1996333.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-46: Clickjacking Attack Hit Facebook<br>
<b>WHID ID:</b> 2009-46<br>
<b>Date Occured:</b> 12/23/2009<br>
<b>Attack Method:</b> Clickjacking<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> The Facebook clickjacking assault appeared as a comment posted to the account of a user along with a photograph, which enticed him to hit it. Clicking the link led the user to a web page that pretended to be a CAPTCHA test. It also prompted him to hit a blue button named "Share" embedded in the Facebook web page.
But on clicking it, the victim was diverted to a YouTube video, which appeared on his Facebook account. Consequently, the victim and his contacts were infected. Krzysztof Kotowicz, a freelance security researcher, states that presently the attack is effective only in the Chrome and Firefox web browsers, as reported by Help Net Security on December 22, 2009.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.spamfighter.com/News-13684-Clickjacking-Attack-Hit-Facebook.htm<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-45: Vaserv Hacked and Owner Commits Suicide Over Data Loss<br>
<b>WHID ID:</b> 2009-45<br>
<b>Date Occured:</b> 6/10/2009<br>
<b>Attack Method:</b> Various<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Data Loss<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>This must be the worst incident reported by the Web Hacking Incident Database.</p>
<p>We all know that web security is highly important but neglected. We tell frightening stories, but listeners think they are only "FUD": fear, uncertainty and doubt, used to sell products and services. I hope that the VAServ incident will serve to warn that those are not fairytale stories. Even so, I wish this one had not happened.</p>
<p>In this story, like most calamities, it seems that the laymen suffer: small entrepreneurs &amp; upstart companies who lost everything in a hacking incident. One of them even lost his life.</p>
<table style="height:141px;width:50%" border="1" align="right">
<tbody>
<tr>
<td style="background-color:#faebd7"><strong><span style="font-size:small">Vaserv web site reporting recovery status, June 10<sup>th</sup>:</span></strong><br> <span style="font-size:xx-small">22:19 vz47uk restored<br> 22:21 vz46uk data loss<br> 22:42 Please allow upto 2 hours for a ticket response as currently we have 200+ active tickets<br> 23:02 vz67uk data loss<br> 23:20 vz50uk data restored<br> 23:23 vz51uk data loss<br>00:03 FsckVPS server26 and server27 are still being worked on, but data *appears* to be intact</span></td>
</tr>
</tbody>
</table>
<p>It all started on Sunday, June 7<sup>th</sup>: someone broke into the web servers of VAServ, a tiny UK based hosting company. The hackers ruined many of VAServ's virtual servers. Some of them were lost forever, as the snippet from the VAServ home page, serving as an emergency bulletin board, shows.</p>
<p>As tiny as VAServ is, probably no more than 3 people, in today's virtual and flat world they could serve tens of thousands of low cost web sites, many of them now lost for ever. Behind each one of these web sites there is a story of someone who worked hard, whether on a hobby or a small business and is now left with nothing. A comment made on one of the blog entries about the incident reads:</p>
<p style="padding-left:30px"><em>"yeah thanks for ruining my life for the last 2 years i had built up my site spending a lot of money and giving up my job for nothing.........what am i going to tell the wife?"</em></p>
<p>Just think about tens of thousands of such stories. Daniel Voyce, a web developer using VAServ for all of his clients, told the <a href="http://www.theregister.co.uk/2009/06/08/webhost_attack/">Register: </a></p>
<p style="padding-left:30px"><em>"Since last night, I've had probably 40 phone calls from clients saying 'Why is my website down, It's making me look bad.'"</em></p>
<p>But this domino effect ruining so many small businesses had another, even more devastating angle. Just days before the hack, someone <a href="http://www.milw0rm.com/exploits/8880">posted on milw0rm</a> a long list of as yet unpatched vulnerabilities in Kloxo, a virtual machine management software. The list certainly looks comprehensive enough to enable anyone to penetrate a site using Kloxo, which VAServ was, leading VAServ and others to believe that LxLabs, the Bangalorian software company behind Kloxo, is the culprit. Somebody claiming to be the hacker <a href="http://www.inquisitr.com/25617/update-new-information-on-the-vaserv-hack-that-wiped-100k-sites/">commented to the Inquisitr blog</a>, claiming that weak passwords at VAServ were to blame for the hack, which <a href="http://www.theregister.co.uk/2009/06/10/vaserv_follow_up/">Rus Foster from VAServ denied</a>.</p>
<p>We may never know who is right and who is wrong. LxLabs, just like Vaserv, is a tiny company using the Internet to look big. However, one area that suffers a lot in small companies is their security. It is never important enough to invest resources in security in such lean and mean operations.</p>
<p><img src="http://www.xiom.com/sites/default/files/ligesh.jpg" width="179" height="206" style="float:right">But tiny giants have another weakness: it all falls on the shoulders of too few people. In the case of LxLabs, on <a href="http://timesofindia.indiatimes.com/Bangalore/Techie-hangs-himself-in-HSR-Layout-/articleshow/4633101.cms">KT Ligesh the CEO</a>. Ligesh <a href="http://timesofindia.indiatimes.com/Bangalore/Techie-hangs-himself-in-HSR-Layout-/articleshow/4633101.cms">committed suicide</a> just a day after the hack for which his company was blamed. While already a troubled person, one cannot escape the thought that the hacking incident was the last straw.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.inquisitr.com/25617/update-new-information-on-the-vaserv-hack-that-wiped-100k-sites/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-43: Web Mail Company to Pay Prize After CEO Hacked<br>
<b>WHID ID:</b> 2009-43<br>
<b>Date Occured:</b> 6/10/2009<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> What does a challenge to break a web mail system and get $10,000, broken within minutes, prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general? Probably all.
The most obvious observation is that offering $10,000 for anyone who can break your site and being broken within an hour shows that you don't know what you are talking about. Maybe it would be a lesson to all security vendors to not believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives will show how insecure and easy to evade security products can be.
However, judging from the number and seriousness of the incidents reported on the web hacking incidents database, StrongWebmail is not alone and far stronger companies suffer severe incidents, making web applications the weakest link in an organization's information security.
Lastly, we should always remember that there is never perfect security. By making systems more secure we are just raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.strongwebmail.com/secure/email/contests/hack/tc<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-42: Puerto Rico sites redirected in a DNS attack<br>
<b>WHID ID:</b> 2009-42<br>
<b>Date Occured:</b> 4/27/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> US<br>
<b>Incident Description:</b> Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves shows both the boldness of hackers as well as the fragility of the Internet.
While not new, DNS hijacking attacks took an important turn this year, showing how much we rely on the web and how little we care for its protection. In the past DNS hijacking required complete control over the DNS server. In recent years most applications are controlled through a web interface, including DNS servers. Earlier this year attackers found an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing.
But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, or country) DNS server using SQL injection, virtually defacing the Puerto Rican sites of companies such as Google and Microsoft.
The amazing story unfolds in the comments to the CNet story, which outline a mischievous professor and slow authorities who let him privatize and monetize domain registration in Puerto Rico without any control.
The question we are left with is whether other countries and geographies are different. Or even other industries, for that matter?<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.cnet.com/8301-1009_3-10228436-83.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-41: Malware in Advertising at Digital Spy<br>
<b>WHID ID:</b> 2009-41<br>
<b>Date Occured:</b> 6/2/2009<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> The Register reports that Digital Spy, a high profile UK gossip site, carried malware-inflicting banner ads. Digital Spy has acknowledged the issue and said it promptly addressed it; however, details on the source of the malicious banners are still not available.
Malware distribution through ad programs is a borderline phenomenon. While there is no question that malware distribution is malicious, and in most geographies illegal, in many cases the site owners are not technically responsible for the content of the ads they serve, as the ad content comes directly from a 3rd party. The question whether they are legally responsible is open.
Another issue is defining malware. Many times ads are used to entice users to download and install programs that are questionable. A rootkit installed through a known browser vulnerability is malware; however, the distinction between adware and malware is many times blurred and depends on:
The ratio between benefit to the user and benefit to the software distributor,
The clarity in which the benefit to the software distributor is explained to the user, and lastly:
The legality of this benefit<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2009/06/02/digital_spy_malware/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-40: SQL injection Hits Sensitive US Army servers<br>
<b>WHID ID:</b> 2009-40<br>
<b>Date Occured:</b> 1/26/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Information Week reports that a well known Turkish hacker penetrated two sensitive US army servers, one at McAlester Ammunition Plant in McAlester, Okla., and the other at the U.S. Army Corps of Engineers' Transatlantic Center in Winchester, Va. The hacks are currently under criminal investigation by Defense Department officials.
The breaches were not publicly disclosed and the level of exposure is therefore not known. It is known, however, that web site visitors were redirected to a site protesting against climate change.
The Register speculates that the attack method was SQL injection.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.informationweek.com/news/government/federal/showArticle.jhtml?articleID=217700619<br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-39: Uno is back: 245,000 records stolen from Orange France using SQL injection<br>
<b>WHID ID:</b> 2009-39<br>
<b>Date Occured:</b> 5/26/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> France<br>
<b>Incident Description:</b> After focusing earlier this year on Anti-Virus vendors, Uno, the Romanian Hacker is now back and reports in his blog that an Orange France web site dedicated to photo management is vulnerable to SQL injection and that he was able to access 245,000 records from the web site.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.hackersblog.org/2009/05/25/orange-is-so-cool/<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 245000<br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-38: Time's Poll For Most Influential Hacked<br>
<b>WHID ID:</b> 2009-38<br>
<b>Date Occured:</b> 4/15/2009<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Polls are an easy target for automation abuse. You can usually participate anonymously and the poll operator has an interest in drawing as many participants as possible, but as <a href="http://www.xiom.com/whid-2009-3">demonstrated by previous incidents</a> such loose security enables hackers to distort the results.</p>
<p>This time <a href="http://www.theregister.co.uk/2009/04/17/time_top_100_hack/">a hacker succeeded in manipulating</a> Time's poll for most influential people in 2009.</p>
<p><a href="http://www.time.com/time/specials/packages/article/0,28804,1883644_1886141,00.html"><img src="http://www.xiom.com/sites/default/files/images/time_poll_hacked.png" alt="Top results for the hacked Time poll" width="480" height="156"></a></p>
<p>Such polls are probably always distorted by automated programs, with every stakeholder running his own robot to promote a cause. The <a href="http://www.time.com/time/specials/packages/article/0,28804,1883644_1886141,00.html">current time poll status</a> shown above includes mostly known people, though the standings do seem skewed. Is it just that our view of the world is different than others, or have Muslims around the world become avid Time readers? The top rated person, "moot", which none of you heard about until now, proves that it is all about automation.</p>
<p>This specific poll distortion <a href="http://musicmachinery.com/2009/04/15/inside-the-precision-hack/">reported by Paul Lamere</a> is unique since a group of hackers called 4chan, led by "moot", took the time to fight Time's humble attempts to mitigate automation. Among the measures and countermeasures that 4chan and Time exchanged are:</p>
<ul>
<li>4chan distributed the simple GET URL required to vote for moot through legitimate web sites and comment spamming. Such a link can easily be executed automatically by a web site user without his awareness using CSRF techniques.</li>
<li>Using a typical CSRF countermeasure, Time added a salted and hashed key to ensure that the poll was submitted from its own poll form. However, the key was authenticated on the client by Time's poll Flash application, enabling 4chan to easily find it out and overcome the issue.</li>
<li>The Time voting mechanism did not even check that the ranking in the vote was legal, so a link to vote down moot's competitors in the list was also used until Time fixed the issue. Voting down is key to winning such a poll, as 4chan's competitors are not at rest, running their own sophisticated campaigns.</li>
<li>Lastly, 4chan developed sophisticated robots to auto-vote. Those robots overcome Time's anti-automation protections: since each user is allowed to vote just once in every 13 seconds, the robots use open proxies to vote faster. Since Time only prevents voting for the same person from the same IP, the robots used the extra 12 seconds available for each source IP to vote down competitors. The system also reports to a central server, allowing monitoring of the voting rate!</li>
</ul>
<p><img src="http://www.xiom.com/sites/default/files/images/4chan_voting_rate.png" alt="Rate of voting for &quot;rain&quot; as recorded by 4chan monitoring" width="480" height="149"></p>
<p>However, this specific hack is even more interesting. At one point 4chan were bored with just running moot for presidency, so they decided to use their sophisticated machine to do more elaborate work. They decided to fix all of the first 21 nominees so that their initials would spell "Marblecake Also the Game". And as <a href="http://musicmachinery.files.wordpress.com/2009/04/kg9kl.jpg?w=450&amp;h=460">Paul Lamere's screenshot</a> proves, they made it.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.theregister.co.uk/2009/04/17/time_top_100_hack/<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-37: Twitter XSS/CSRF worm series (Updated)<br>
<b>WHID ID:</b> 2009-37<br>
<b>Date Occured:</b> 4/11/2009<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><em><strong>Update (Apr 19<sup>th</sup> 2009)</strong></em> - The initial Mooney Twitter worm has evolved into a series of 5 worms at the time of writing, each exploiting a different vulnerability in Twitter. The latest one specifically focuses on Twitter accounts that have a high number of followers, thus targeting celebrities such as Ashton Kutcher and Oprah Winfrey, <a href="http://www.sophos.com/blogs/gc/g/2009/04/17/mikeyy-worm-targets-oprah-york-times/">according to Graham Cluley</a> from Sophos.</p>
<p>The hack seems to have paid off for Mikeyy Mooney, who was <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9131737&amp;intsrc=news_ts_head">hired as a security consultant</a> following the incident.</p>
<hr>
<p>Twitter is in the spotlights again. Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, a Twitter alternative, <a href="http://www.bnonews.com/news/242.html">admitted </a>to hacking his giant competitor by implementing a worm that propagated itself through twitter making every affected user tweet about StalkDaily. Mikeyy certainly got the advertising and page views he was looking for.</p>
<p><img src="http://www.xiom.com/sites/default/files/images/Mikeyy_270x246.png" alt="Mikeyy Mooney, the Twitter worms creator" width="270" height="246" style="float:right">Mikeyy's worm is a good example of how CSRF and XSS can be combined to create a strong blended attack, in this case a propagating worm. A Web 2.0 community generated site such as Twitter is often vulnerable to stored XSS. This often implies that a user can update his own profile with malicious code and as a result others who view his content get hit. Without any other vulnerability to complicate things, you are safe as long as your friends are trustworthy.</p>
<p>However, if the site is also vulnerable to CSRF, the XSS exploit can include, in addition to the payload, the original XSS inflicting code, run under the attacked user's credentials, modifying his content and therefore hitting his own friends, who hit their own friends, and so on.</p>
<p>You can find the technical details of the attack on <a href="http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/">Damon Cortesi's blog</a>. You may also be interested in the <a href="http://gist.github.com/93782">full XSS payload</a>.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-36: Hackers steal Australian and NZ Shell customer info (Updated)<br>
<b>WHID ID:</b> 2009-36<br>
<b>Date Occured:</b> 2/17/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><em><strong>Update (Apr 19<sup>th</sup> 2009)</strong></em> - (Presumably) the hacker posted a comment to this story with some details. He says that the number of records leaked was much higher: 17,000 Aussies and 7,000 Kiwis. The rest we did not understand and hope that either he or any of you can clarify.</p>
<p></p><hr>
Leakage of information from an energy company is usually associated with gas station fraud such as installing a stealth credit card reader at the pump. However, a <a href="http://www.stuff.co.nz/national/2269256/Hackers-steal-Shell-customer-info">report</a> suggests that an incident in which information about 4500 Australians and 1400 Kiwis leaked was a result of a glitch in a web based application for applying for a Shell fuel card. The information obtained included company names, address details, email addresses and some bank account details.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.stuff.co.nz/national/2269256/Hackers-steal-Shell-customer-info<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 5900<br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-35: Former US Senator Donors Information Leaks<br>
<b>WHID ID:</b> 2009-35<br>
<b>Date Occured:</b> 3/11/2009<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the senate. If the way he manages his web site security and the crises it created are an indicator, I am not sure that he has a place there.</p>
<p>The Coleman team <a href="http://www.startribune.com/politics/state/41127537.html?elr=KArks8c7PaP3E77K_3c::D3aDhUec7PaP3E77K_0c::D3aDhUiD3aPc:_Yyc:aULPQL7PQLanchO7DiUr">called in the US Secret Service</a> to investigate the leak in which sensitive information about more than 4700 donors was published on Wikileaks, a web site devoted to such exposures. Coleman himself called the incident "an obviously an attack on my campaign".</p>
<p>However, the Minnesota Independent <a href="http://minnesotaindependent.com/28711/breaking-colemans-unsecured-donorbase-to-be-revealed-on-wikileaks">reveals </a>that the information was exposed for anyone to view on the senator's web site since at least January 28<sup>th</sup>. Hardly an attack. At the time the site was suffering performance issues, and in a debate about the cause somebody <a href="http://minnesotaindependent.com/24761/disenfranchised-voters-crash-colemans-site-unlikely-says-blogger#comment-24131">commented </a>to the Independent about an exposed database, which the Independent was fast to <a href="http://minnesotaindependent.com/24817/crashgate-reveals-unprotected-database-on-colemans-site">report </a>on. Moreover, Wikileaks took the trouble to inform the people in the list that their information leaked, while it took the Senator's team over a month to react.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://minnesotaindependent.com/28711/breaking-colemans-unsecured-donorbase-to-be-revealed-on-wikileaks<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> 4700<br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-34: Romanian Hacker Moves On To The Telegraph<br>
<b>WHID ID:</b> 2009-34<br>
<b>Date Occured:</b> 3/6/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>Another week, another hack by the <a href="http://www.hackersblog.org">HackerBlog</a>, and when it targets an important web site and the impact is severe it is worthy of WHID. This time the Romanian hacker <a href="http://www.hackersblog.org/2009/03/06/telegraphcouk-hacked-sql-injection/">used blind SQL injection to penetrate the web site of the Telegraph</a>, a leading English daily paper.</p>
<p>Among his findings is a table including 700,000 e-mails, which would be a gold mine for spammers.</p>
<p>The Telegraph <a href="http://blogs.telegraph.co.uk/shane_richmond/blog/2009/03/09/hackersblog_and_telegraphcouk">response</a> was published on their official blog.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.hackersblog.org/2009/03/06/telegraphcouk-hacked-sql-injection/<br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-33: eBay Fraud Abuses Zero Day XSS<br>
<b>WHID ID:</b> 2009-33<br>
<b>Date Occured:</b> 3/4/2009<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A zero day XSS vector enables hackers to include in an eBay offer arbitrary code which is executed by both Firefox and IE. As a result they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.</p>
<p>A very detailed technical explanation of the vulnerability is included in a <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=481558">Firefox community discussion</a> on whether the issue is a browser or a web site issue. As usual, the truth is somewhere in the middle. The Firefox team chose to correct the issue discovered in Firefox. Microsoft claimed that the issue exploited in IE, which is <a href="http://www.theregister.co.uk/2009/03/08/ebay_scam_wizardy/">reported </a>to be a CSS expression issue, is a feature and not a bug, and that the vulnerable web site should be fixed.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> https://bugzilla.mozilla.org/show_bug.cgi?id=481558<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-32: 750 Twitter Accounts Hacked<br>
<b>WHID ID:</b> 2009-32<br>
<b>Date Occured:</b> 3/10/2009<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Twitter reports in a <a href="http://blog.twitter.com/2009/03/safekeeping-twitter-accounts.html">blog entry</a> that 750 accounts were hacked. The hacker posted messages linking to a porn webcam. While Twitter did not disclose how the attack was carried out, the suggested remediation hints that the account passwords were guessed, probably using a brute force attack.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> Password<br>
<b>Number of Records:</b> 750<br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-31: Double Clickjacking Worm on Twitter<br>
<b>WHID ID:</b> 2009-31<br>
<b>Date Occured:</b> 2/12/2009<br>
<b>Attack Method:</b> Worm<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> US<br>
<b>Incident Description:</b> <p>Twitter is certainly bypassing Facebook as the most popular site out there, at least when it comes to security incidents. This time somebody decided to abuse Twitter to demonstrate <a href="http://www.sectheory.com/clickjacking.htm">Clickjacking</a>, an attack that RSnake and Jeremiah Grossman re-christened in the OWASP conference in New York in September.</p>
<p>A well placed button labeled "don't click" makes people click on it, actually sending a Twitter message. Sunlight Labs has a very interesting <a href="http://sunlightlabs.com/blog/2009/02/12/what-dont-click-business/">report</a> showing the rate of propagation of the worm.</p>
<p>Cnet <a href="http://news.cnet.com/8301-1009_3-10162812-83.html">reports </a>the worm spread on Feb 12<sup>th</sup> in two pulses. After the Twitter people closed the loophole the first time, somebody <a href="http://news.cnet.com/8301-1009_3-10163790-83.html">bypassed the patch</a> to restart the worm's spread.</p>
<p>Chris Shiflett provides a very good <a href="http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit">technical analysis</a> of the worm.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-30: Sage SaaS Withdrawn Due to Security Flaws<br>
<b>WHID ID:</b> 2009-30<br>
<b>Date Occured:</b> 1/21/2009<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>While we have no public record of an exploit in this case, it seems that the mere discovery of vulnerabilities in Sage's new SaaS (software as a service) offering created enough damage to classify it as an incident.</p>
<p>Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However, as <a href="http://blogs.zdnet.com/SAAS/?p=655">ZDnet reports</a>, serious security flaws were discovered in the public beta and the company had to call off the launch. Who discovered the issues? Naturally, the competition. Duane Jackson, the CEO of a tiny rival company, <a href="http://blog.kashflow.com/2009/01/21/sage-live-security/">reported</a> them on his blog<span class="post-author vcard"><span class="fn">.</span></span></p>
<p><span class="post-author vcard"><span class="fn">More than anything, the incident shows how difficult it is for developers to migrate from desktop software to a web based offering. This is a whole new ball game, and security is one of the more difficult issues to adjust to. On the other hand it also shows that online services are much more exposed to scrutiny, which may result in better security down the line.<br></span></span></p>
<p><span class="post-author vcard"><span class="fn">As for the technical details, the reports found the following issues in the application:</span></span></p>
<ul>
<li><span class="post-author vcard"><span class="fn">Password displayed in clear text and sent in the request line.</span></span></li>
<li><span class="post-author vcard"><span class="fn">Remember me is on by default on any login.<br></span></span></li>
<li><span class="post-author vcard"><span class="fn">Access to management sections of the site and other users' data.<br></span></span></li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Sage<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-29: FBI &amp; Secret Service warn of a sophisticated HSM attack<br>
<b>WHID ID:</b> 2009-29<br>
<b>Date Occured:</b> 2/25/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A very interesting <a href="http://usa.visa.com/download/merchants/20090212-usss_fbi_advisory.pdf">report </a>by the FBI together with the US Secret Service outlines a scheme exploiting SQL injection to steal credit card information from financial institutions. The attack involves directly attacking HSMs, the banks' key vaults in charge of verifying ATM PINs, in order to brute force PIN numbers.</p>
<p>The report is unique in describing an attack on financial services. Such attacks are known to happen but are seldom reported, certainly not with the level of detail in this report. However, the report does not indicate which incident it is based on. Is the close proximity of the report release to the Heartland incident just a coincidence?</p>
<p>Getting to this report took some effort and the only non-blogosphere copy we found is on the Visa web site. If you know anything about this incident, please help us complete the information by leaving a comment or <a href="/contact">contacting us</a>.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://usa.visa.com/download/merchants/20090212-usss_fbi_advisory.pdf
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-28: Serious Leakage on Mac clone Maker's site<br>
<b>WHID ID:</b> 2009-28<br>
<b>Date Occured:</b> 2/11/2009<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The Register <a href="http://www.theregister.co.uk/2009/02/11/psystart_website/">reports </a>that the online shop of Psystar, a maker of Mac compatible equipment, is heavily leaking technical information that can be exploited to hack the site.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-27: Panasonic Products for Cheap<br>
<b>WHID ID:</b> 2009-27<br>
<b>Date Occured:</b> 2/14/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>A <a href="http://www.zdnet.co.uk/talkback/0,1000001161,39610697-39001058c-20100458o,00.htm">report </a>suggests that the UK retail site of the electronic equipment giant Panasonic was hacked and prices of products were set to pennies. Since the incident followed a layoff of 15,000 employees, it is assumed to be a disgruntled employee's doing.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-26: F-Secure Joins The Breached AV Vendors Club<br>
<b>WHID ID:</b> 2009-26<br>
<b>Date Occured:</b> 2/11/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> Finland<br>
<b>Incident Description:</b> <p>It wasn't surprising that after attacking the <a href="/whid/2009/19/kaspersky_site_breached">Kaspersky </a>and <a href="/whid/2009/20/bitdefender_joins_kasperski_on_the_breached_side">BitDefender</a> web sites, Uno, the Romanian hacker, would continue to strike anti-virus vendors. This time he found a vulnerability in the web site of Finnish AV vendor F-Secure. Somewhat less severe than the others, the vulnerability enabled the hacker only to access virus statistics.</p>
<p>As usual, the marketing department's <a href="http://news.cnet.com/8301-1009_3-10163227-83.html">response </a>is amazing, mentioning that "<em>the problem with its site was due to a bug in a Web application and not related to an unpatched system</em>". Does that make it better?</p>
<p>Frankly, I don't envy the marketing department's role. The company, any company for that matter, is spending too little on web application security, sites are taken down daily, and the marketing people are sent to fend off the public. They must have a thick skin to survive in marketing.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-25: Zone-H defaced<br>
<b>WHID ID:</b> 2009-25<br>
<b>Date Occured:</b> 2/13/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><img alt="Zone-H Defaced" width="284" height="275" align="right">Whenever a defacement appears in WHID we need to explain why. After all, isn't Zone-H a better repository of simple defacements? Well, yes, but according to this <a href="http://www.theregister.co.uk/2009/02/13/zone_h_defaced/">report </a>by The Register this time it was Zone-H which was defaced. The defaced site, seen on the right, is available <a href="http://209.85.129.132/search?q=cache:4eY0ub7aCt4J:www.zone-h.org/+zone+h&amp;hl=pl&amp;ct=clnk&amp;cd=1&amp;gl=pl&amp;client=firefox-a">here</a>. I am sure it is just a matter of time before we add a WHID defacement to WHID...</p>
<p>The Register article is interesting from another perspective: when discussing the future of Zone-H, John Leyden writes:</p>
<p></p><table border="0">
<tbody>
<tr>
<td>But in an age where SQL injection assaults against legitimate sites are used to run drive-by download attacks without leaving any obvious signs of attack, perhaps the recording of blatant web graffiti attacks is no longer as relevant as it once was</td>
</tr>
</tbody>
</table>
<p>We at the Web Hacking Incident Database try to provide the answer for this new age. I hope we help.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-24: New Phishing Attacks Combine Wildcard DNS and XSS<br>
<b>WHID ID:</b> 2009-24<br>
<b>Date Occured:</b> 2/10/2009<br>
<b>Attack Method:</b> DNS Hijacking<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> Various<br>
<b>Incident Description:</b> <p>Netcraft, one of the leading authorities on phishing research, <a href="http://news.netcraft.com/archives/2009/02/17/new_phishing_attacks_combine_wildcard_dns_and_xss.html">reports</a> a phishing scam that involves XSS.</p>
<p>The scam exploits an XSS vulnerability in <a href="http://www.scripts24.com/iredirector/subdomain/index.php">iRedirector</a>, software used to map sub-domains into paths on the site, in order to hijack domains and use them as phishing targets. Since iRedirector enables virtually any sub-domain to be defined, the attacker can now create an endless number of combinations of domain names built to fool users and web filters alike.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> iRedirector<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-23: Miley Cyrus Twitter Account Hit By Sex-Obsessed Hacker<br>
<b>WHID ID:</b> 2009-23<br>
<b>Date Occured:</b> 2/17/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>It is Twitter again, it is a celebrity again. Why don't they keep their password to themselves? This <a href="http://www.entertainmentwise.com/news/47172/miley-cyrus-twitter-account-hit-by-sexobsessed-hacker">incident </a>is even uglier as the attacker posted obscene content on the Twitter account of the 16-year-old actress Miley Cyrus. This is not the first attack targeting Miley Cyrus. As <a href="http://www.xiom.com/whid/2008/60/miley_cyrus_myspace_gmail">reported by WHID</a>, her personal Gmail account was hacked last year and personal pictures were stolen and published online.</p>
<p>We assume that he just guessed the password. Was it a trivial one? Did he find a way to brute force it? Or was it something entirely different, like yet another Twitter CSRF bug? Time will tell.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-22: Federal Travel Booking Site Spreads Malware (Updated)<br>
<b>WHID ID:</b> 2009-22<br>
<b>Date Occured:</b> 2/11/2009<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><em><strong>Updated (Feb 22<sup>nd</sup> 2009)</strong></em> - the Washington Post <a href="http://voices.washingtonpost.com/securityfix/2009/02/travel-booking_site_for_federa.html">updates </a>that the hack exploited a problem with the default configuration of the authentication module used for authenticating remote administrators. As a result we categorized this incident under "insufficient authentication" and "misconfiguration".</p>
<hr>
<p>Whenever we include a site infected with malware in WHID we need to explain why this one is worthy of WHID, given that hundreds of thousands of web sites are planted with malware annually.</p>
<p>The <a href="http://voices.washingtonpost.com/securityfix/2009/02/travel-booking_site_for_federa.html">Washington Post</a> report about govtrip.com spreading malware is unique because this is an official US General Services Administration (GSA) web site and employees of many US federal departments are required to reserve travel through it. In addition, the site is run by a major defense contractor, Northrop Grumman, who you would think would know better. How secure are their defense projects when it comes to application security?</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-21: This Time Uno is after the Herald Tribune<br>
<b>WHID ID:</b> 2009-21<br>
<b>Date Occured:</b> 2/17/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>I must admit that Uno, the Romanian hacker behind a series of intrusions in recent days, is a bit of a cheat for the Web Hacking Incident Database. We usually do not report vulnerabilities that were not exploited. While we understand their importance, they do not fall under the <a href="/whid-faq">criteria </a>set for WHID. For now we list them in a <a href="/research-web-site-vuln">separate page</a>, waiting for a place to be filed in.</p>
<p>Uno presents a dilemma: he finds a vulnerability, exploits it to a limit and publishes the results. Therefore the incident does not have a sizable outcome and no damage is done, but nevertheless it is interesting. We are not the only ones to note that. Kaspersky stressed the point that no data was actually compromised in their <a href="http://www.kaspersky.com/news?id=207575753">response </a>to the event. So should we add it to WHID as an incident? Should we skip it as just a vulnerability? For now we put them in.</p>
<p>So what is Uno's mischief this time? <a href="http://hackersblog.org/2009/02/17/international-herald-tribune-nytimescom-sqlinjection/">This time</a> it is the International Herald Tribune Uno is after. The impact of this attack, if carried out by a malicious hacker, might have been profound, as it seems that Uno got access to user names and passwords of editors and contributors, possibly enabling a malicious hacker to publish information on their behalf in this very prestigious newspaper.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-20: BitDefender joins Kaspersky on the Breached side<br>
<b>WHID ID:</b> 2009-20<br>
<b>Date Occured:</b> 2/9/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Uno, the Romanian hacker responsible for <a href="/whid/2009/19/kaspersky_site_breached">penetrating the Kaspersky web site</a>, reported <a href="http://hackersblog.org/2009/02/09/hackedbitdefender-portugal-exposes-sensitive-customer-data/">repeating the trick</a> on the web site of the Polish distributor of BitDefender, another anti-virus software vendor.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data exposed (Updated)<br>
<b>WHID ID:</b> 2008-19<br>
<b>Date Occured:</b> 2/7/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><em><strong>Update (Feb 22<sup>nd</sup> 2009)</strong></em> - We were probably not the only ones not satisfied with Kaspersky's official press release on the subject. An interesting <a href="http://www.viruslist.com/en/weblog?discuss=208187633&amp;return=1">report </a>on Kaspersky's viruslist blog by a person on the investigating team provides answers: the data was not secured well, nor was the hacker incapable. The hacker made a mistake in his attack vector and decided to pursue it no further. The data was available to any hacker who was really after it.</p>
<p>I must take my hat off to Kaspersky for this frank analysis, which is very uncommon for companies that were breached and can really help to highlight the importance of application security.</p>
<hr>
<p><em><strong>Update (Feb 13<sup>th</sup> 2009)</strong></em> - Kaspersky hired David Litchfield, a well known database security expert, to analyze the incident. In their <a href="http://www.kaspersky.com/news?id=207575753">response, </a>Kaspersky point out that no sensitive data was actually compromised in the event. The report points out that the hacker and others following his hints did try to access sensitive data but did not succeed. The carefully worded report does leave many questions open:</p>
<p> </p>
<ul>
<li>Was the data secured well, or were the hackers who tried to access it just not capable?</li>
<li>Was no data vulnerable or just "sensitive data" and if so what is the data that was exposed?</li>
<li>Did the investigation go back to check that no one hacked the system prior to the published incident, potentially abusing it and avoiding publication?</li>
</ul>
<hr>
<p>A researcher <a href="http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/">found and exploited</a> a serious SQL injection vulnerability in the US web site of Kaspersky, an anti-virus software vendor, exposing the full customers database. Well, the full database actually, as the list of tables exposed proves. <a href="http://www.theregister.co.uk/2009/02/09/kaspersky_compromise_follow_up/">Apparently</a>, the vulnerability existed for some time and the researcher informed Kaspersky about it to no avail before making it public.</p>
<p> </p>
<p>This is another example of how fatal SQL injection is. SQL injection is considered one of the more well understood attack vectors, easy to find during a security review, and therefore easy to get rid of. However, one of its variants, blind SQL injection, can appear anywhere in the application, not just in key pages managing sensitive information, and can expose the entire database, which makes reviewing the application and ridding it of the flaw much harder.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Romania<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-18: phpBB web site hacked using LFI<br>
<b>WHID ID:</b> 2009-18<br>
<b>Date Occured:</b> 2/1/2009<br>
<b>Attack Method:</b> Local File Inclusion (LFI)<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>phpBB was known for years as one of the most insecure software packages out there. It is responsible for one of the first application layer worms, <a href="/whid-2004-14">Santy</a>, back in 2004. How ironic it is that its own web site was seriously breached due to a vulnerability in another software package used...</p>
<p>The culprit was an <a href="http://www.bugreport.ir/index_60.htm">LFI (Local File Inclusion) vulnerability in PHPlist</a>, an application for managing newsletters, which enabled the hacker to grab the phpBB users list. Another researcher <a href="http://www.suspekt.org/2009/02/06/some-facts-about-the-phplist-vulnerability-and-the-phpbbcom-hack/">claims </a>that this is not an LFI but a super-globals-overwrite, which is still used to include files.</p>
<p>However, phpBB is not entirely off the hook, as the phpBB team <a href="http://area51.phpbb.com/phpBB/viewtopic.php?f=71&amp;t=29973">admits</a>. The stolen files included only hashed passwords; however, the phpBB 2 hash was unsalted and the hackers successfully brute forced 28,000 passwords. While phpBB 3, which is used on the phpBB site, uses better password hashing, the upgrade procedure did not upgrade existing users, waiting instead for their first login to upgrade them. Anyone who had not logged in to the web site since the upgrade still had a weakly hashed password in the database.</p>
<p>A <a href="http://hackedphpbb.blogspot.com/2009/01/place-holder.html">very detailed report </a>of the incident by the hacker sheds light on how such hacks are carried out, including what the hacker went after and his exploitation techniques. The hacker found the exploit on <a href="http://www.milw0rm.com/exploits/7778">milw0rm</a>, a well known exploit repository, showing that public disclosure of vulnerabilities has its price, especially when it precedes the release of the patch.</p>
<p>A copy of the report in case the original disappears can be found <a href="http://ravenphpscripts.com/modules.php?name=News&amp;file=article&amp;sid=3540">here</a>.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> Password<br>
<b>Number of Records:</b> 28000<br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-17: Passwords are optional at SpeedDate<br>
<b>WHID ID:</b> 2009-17<br>
<b>Date Occured:</b> 2/3/2009<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>TechCrunch <a href="http://www.techcrunch.com/2009/02/03/password-optionalhuge-security-breach-hits-speeddate/">reports </a>that for a short period of time, SpeedDate, an online dating service, did not require a password. If you knew someone's user name you could log in. Talk about "lack of sufficient authentication controls..."</p>
<p> </p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-16: Primary schools hit by smut hack<br>
<b>WHID ID:</b> 2009-16<br>
<b>Date Occured:</b> 1/30/2009<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>Not all defacements are created equal. I have a second grader who has just started to use her school's web site, so this defacement of 20 primary school web sites with porn hit me deep inside. We do so much to screen our young ones from the sleazy world outside, and getting it in the school's web site is just unimaginable. Just thinking about the questions I would be asked if my daughter would get such pages.</p>
<p>The <a href="http://www.theregister.co.uk/2009/02/04/school_website_defacement/">incident</a> also highlights the total breakup of cyber security. The incident is blamed on an unpatched version of Moodle, an open source online education software. The naive way of thinking would be that schools don't have the budgets to protect their applications or even to upgrade them. However, as this incident shows, proper security is fundamental and a substantial part of the budget should be allocated to it, even if it means we spend less on the application features. We need to move slower but ensure security. After all, what is the value of an educational system that shows porn?</p>
<p>Another insight is that real time controls for protecting web applications are essential. You need a WAF. While the specific vulnerability exploited is unknown, installing <a href="/modsecurity">ModSecurity</a> would probably have prevented the exploit.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Moodle<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-15: Kanye West has been Hacked<br>
<b>WHID ID:</b> 2009-15<br>
<b>Date Occured:</b> 1/23/2009<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Hacking of celebrities' web presence is topping the 2009 incidents list, and rappers seem to lead. However, this <a href="http://network.nationalpost.com/np/blogs/theampersand/archive/2009/01/23/kanye-west-has-been-hacked.aspx">report</a> in the Ampersand, like the <a href="/WHID/2009/11/Lil_Kim_Facebook_Hacked">Lil Kim story</a> from the same week, is somewhat questionable. In both cases it seems that uncomfortable content was blamed on hacking.</p>
<p>West's story is somewhat ironic as he used his blog to remind users of the untruthfulness of his web presence.</p>
<p>When reviewing all the rappers' incidents, my conclusion is that they are more susceptible to content spoofing because it is much easier for hackers to imitate their language and style.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-14: My.BarackObama.com Infects Visitors With Trojan<br>
<b>WHID ID:</b> 2008-14<br>
<b>Date Occured:</b> 1/27/2009<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Websense <a href="http://cyberinsecure.com/my-barackobama-com-infects-visitors-with-trojan/">reports</a> that my.barackobama.com, an open blogging service which is part of <a href="https://www.barackobama.com/">Obama's campaign web site</a>, has been used to point users to malware-infecting content.</p>
<p>The scam is a good example of the dangers of Web 2.0 user generated content and mashups. There was no malicious code on Obama's site; however, allowed HTML code that looked like an embedded YouTube flick pointed to an external site which carried the malware.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-13: Wikipedia Biography Hacking<br>
<b>WHID ID:</b> 2009-13<br>
<b>Date Occured:</b> 1/27/2009<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>This incident might not have gotten into the Web Hacking Incident Database a year ago. However, a heated discussion on the <a href="http://www.webappsec.org">Web Application Security Consortium</a> <a href="http://www.webappsec.org/projects/threat/">threat classification</a> project reminded me that content spoofing is a potent attack vector by itself, actually one of the most dangerous there is.</p>
<p>Wiki is one of those platforms that by design allow content to be changed. It is its philosophy, and <a href="http://en.wikipedia.org">Wikipedia</a> is the premier wiki out there. It is not a surprise that it is a prime target for content spoofing, as shown by the <a href="http://www.abc.net.au/pm/content/2008/s2475604.htm">story</a> about the unexpected demise of two US senators during Obama's inauguration.</p>
<p>You can read more about the unique security philosophy of Wikis in my recent <a href="/research/wiki_security">article and presentation</a> about the subject.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-12: Embassy of India in Spain found serving remote malware through iFrame attack<br>
<b>WHID ID:</b> 2009-12<br>
<b>Date Occured:</b> 1/26/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Ismael Valenzuela sent us <a href="http://blog.ismaelvalenzuela.com/2009/01/26/embassy-of-india-in-spain-found-serving-remote-malware-through-iframe-attack/">a story</a> about yet another site serving malware through an iFrame. This time it is an official one, belonging to the Indian government's official branch in Spain: its embassy.</p>
<p>We can hardly include every malware serving site in WHID; after all, there are hundreds of thousands, if not millions, of those. Why pick on the Indian embassy in Spain? One good reason is that we finally got input from a reader and wanted to honor the event and include the incident. But there is another more important reason.</p>
<p>First, <a href="http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/">hacked embassy sites are becoming a major issue</a> which points to a much larger issue: cyber crime is endangering the Internet as we know it. While we come to rely on the web to provide us with all the information and services that we need, we do not have the tools to make it a safe place, and embassy web sites are a good example.</p>
<p>Practically the only way to provide sufficient security to a web site is not to have it in the first place. Instead, small organizations must rely on the services of huge brokers, such as Amazon, eBay or Google sites. However, not everyone can use these services. Embassies are a good example, as they need to be "doubly localized" for both the originating and target countries, which makes it nearly impossible to create a uniform service for them. Therefore even embassies of larger countries need to create small, home made and insecure web sites, as they need to adjust their site content, language and site look to the local community served.</p>
<p><a href="http://blog.trendmicro.com/embassy-site-attack-reveals-other-compromised-sites/">Technical analysis</a> of the planted malware was done by Trend Micro.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-11: Lil Kim Facebook Hacked<br>
<b>WHID ID:</b> 2009-11<br>
<b>Date Occured:</b> 1/26/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>I am not sure why rappers' web presence is so often hacked. They might be the first generation of artists to use the web, brightly combining great Internet skills with technophobia which leads to basic operational errors. Or it might be the underground nature of the artists that (mis)manage their web presence by themselves.</p>
<p>Lil Kim is joining Soulja Boy in being cyber abused, or so <a href="http://hiphop.popcrunch.com/lil-kim-facebook-hacked/">she claims</a>, saying that a blog entry calling Naturi Naughton, the actress who portrays her in a new film, “tasteless and talentless” is a fake.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-10: MacRumorsLive feed hack<br>
<b>WHID ID:</b> 2009-10<br>
<b>Date Occured:</b> 1/7/2009<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>It seems that the worst thing that can happen to hackers is a real accident to Apple's CEO Steve Jobs. The number of hacks devoted to informing us about his fictitious accidents is just overwhelming. In this case <a href="http://anantasec.blogspot.com/2009/01/i-was-watching-macrumors-live-feed.html">AnantaSec reports</a> a hack into the Mac Rumors feed that was possible simply because a file with the administrator password was lying around accessible to anyone due to an administration error.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-9: MetaFilter suffers an SQL injection attack<br>
<b>WHID ID:</b> 2009-9<br>
<b>Date Occured:</b> 1/24/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>MetaFilter's <a href="http://en.wikipedia.org/wiki/MetaFilter#Moderation">philosophy</a> is that social norms and peer pressure, referred to as "self-policing", will ensure the quality of the content of the site. However, it seems that this philosophy does not extend to hackers, who <a href="http://status.metafilter.com/2009/01/sql-inject-problem.html">abuse the site's software to plant malware</a> affecting MetaFilter users.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-8: Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story<br>
<b>WHID ID:</b> 2009-8<br>
<b>Date Occured:</b> 1/22/2009<br>
<b>Attack Method:</b> Content Spoofing<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>John Abell from Wired magazine often writes about the health of Apple's CEO. However, <a href="http://www.alleyinsider.com/2009/1/vandalized-wiredcom-falsely-repo">this report</a> about Jobs suffering a cardiac arrest was neither his nor true. The culprit was Wired's public image viewing utility, which lets people upload an image and then presents the image as part of the Wired web site, banner and domain included.</p>
<p>This is a wonderful example of a web application design flaw. There was nothing wrong with the code, however the design of the feature enabled it to be abused.</p>
<p>Further information:</p>
<ul>
<li><a href="http://blog.wired.com/business/2009/01/wiredcom-imagev.html">Abell's own report on the incident</a></li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-7: China&#39;s Yeepay.com Suffers Internet Payment Hacker Attack<br>
<b>WHID ID:</b> 2009-7<br>
<b>Date Occured:</b> 1/19/2009<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> <p>China Retail News <a href="http://www.chinaretailnews.com/2009/01/19/2134-chinas-yeepaycom-suffers-internet-payment-hacker-attack/">reports</a> that Yeepay, a Chinese online payments provider, suffered a major denial of service attack. The story seems to be <a href="http://64.233.183.101/translate_c?hl=en&amp;u=http://www.yeepay.com/html/gg/index.shtml&amp;usg=ALkJrhgN9F-Iyzd_zXN5TPFdGiHzFO1eww">big in China</a>, but hardly made it to the West.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-6: InfoGov switch hosting due to lack of security<br>
<b>WHID ID:</b> 2009-6<br>
<b>Date Occured:</b> 1/16/2009<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>This gem is taken out of a <a href="http://www.hostsearch.com/news/supported247_news_8191.asp">press release</a> issued by a hosting provider. According to the press release, InfoGov, a UK provider of risk management solutions, switched the hosting of its sites to a new provider because the previous one did not provide an adequate solution to an SQL injection attack that penetrated the site and inflicted malware on InfoGov customers.</p>
<p>Probably yet another fallout from the ongoing Asprox attack, this incident is interesting as it emphasises the responsibility that customers expect service providers to take in protecting from web based attacks.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-5: School data hacked, grades altered<br>
<b>WHID ID:</b> 2009-5<br>
<b>Date Occured:</b> 1/15/2009<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>This <a href="http://www.tmcnet.com/usubmit/2009/01/15/3916297.htm">story</a> about a student hacking a Pottsville, PA school online system and changing grades demonstrated again that password stealing is by far the most common method by which web sites are hacked.</p>
<p>While it is usually not considered a vulnerability in the application itself, I think that applications that expose an administrative or high-privilege interface to the web should include authentication beyond a simple password. A school grading system is one example. The Twitter administrative interface <a href="/whid-2009-2">hacked last week</a> is another example.</p>
<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-4: Twitter Personal Info CSRF<br>
<b>WHID ID:</b> 2009-4<br>
<b>Date Occured:</b> 1/7/2009<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Gareth Heyes (and others) reported an interesting vulnerability in Twitter last week. While his <a href="http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/">post</a> included proof of concept code, it does not qualify as a hack, only a vulnerability disclosure, and the Web Hacking Incident Database does not list vulnerabilities.</p>
<p>Luckily, <a href="http://maone.net/">Giorgio Maone</a> decided to create his own proof of concept, run it himself and <a href="http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/">provide us with the result</a>, enabling me to label this as a hack.</p>
<p>By exploiting a CSRF bug in Twitter (or maybe a feature?), site owners can get the Twitter profiles of their visitors. For Twitter this is the second this year, and they now comprise 50% of the web incidents for 2009. Is this going to be the year of Web 2.0 security?</p>
<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Italy<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-3: Google Trends Falls Victim to a Stunt<br>
<b>WHID ID:</b> 2009-3<br>
<b>Date Occured:</b> 1/6/2009<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Someone, and not for the first time, succeeded in manipulating <a href="http://www.google.com/trends">Google Trends</a>, a Google service listing popular search terms. In this case the New York Times <a href="http://bits.blogs.nytimes.com/2009/01/07/google-trends-falls-victim-to-disturbing-stunt/?hp">reports</a> that a symbol at presumably denoting 9/11 reached number 2 in the list of hot Trends (see picture right).</p>
<p>While this may be nothing more than a joke, the capability to create a trend can have a huge and sometimes devastating effect. After all, in recent months the future of big financial institutes was determined by the rumor mill.</p>
<p>On the technical side, insufficient anti-automation controls have been one of the more obscure and hardest to fix vulnerabilities in web applications. Starting with the <a href="/whid-2005-65">Lexis-Nexis incident (WHID 2005-65)</a>, many incidents were waved off as nothing more than an automated client. However, as the incidents pile up, it becomes clear that it is the responsibility of the site owner to mitigate such harmful automation attacks.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-2: Twitter accounts of the famous hacked (Updated)<br>
<b>WHID ID:</b> 2009-2<br>
<b>Date Occured:</b> 1/5/2009<br>
<b>Attack Method:</b> Insufficient Authentication<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><em><strong>Update (Jan 11<sup>th</sup> 2009)</strong></em> - The hacker <a href="http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html">bragged</a> about the hack and revealed that it was a brute force dictionary attack against an administrator account. Twitter does not block repetitive login failures, therefore enabling brute force attacks. We are still leaving the incident classification "insufficient authentication" in addition to brute force, as we feel an administration interface should have an additional authentication mechanism and not just a password.</p>
<hr>
<p>Twitter <a href="http://blog.twitter.com/2009/01/monday-morning-madness.html">announced</a> that a hacker broke into 33 accounts, including Obama's now inactive Twitter. The hack is a result of a flaw in a web based support tool used by Twitter, which was evidently accessible externally without proper authorization.</p>
<p>It is important to note that this incident is not related to the <a href="http://blog.twitter.com/2009/01/gone-phishing.html">Twitter phishing attack</a> which occurred on the previous weekend.</p>
<p>This incident highlights the issue of public facing administration interfaces, which often combine strong functionality with lesser attention to quality and therefore security. As organizations virtualize, those interfaces become available over the Internet, often without sufficient protection.</p>
<p>You can read some of the funny things that the hacker published in different twitters on <a href="http://www.readwriteweb.com/archives/twitter_security_collapses_oba.php">Read Write Web</a>.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://news.cnet.com/8301-13577_3-10131251-36.html">CNet</a></li>
<li><a href="http://www.mediabistro.com/webnewser/personalities/rick_sanchez_twitter_hacked_104818.asp">Media Bistro</a></li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> Administration Tool<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> Password<br>
<b>Number of Records:</b> 33<br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2009-1: Gaza conflict cyber war<br>
<b>WHID ID:</b> 2009-1<br>
<b>Date Occured:</b> 1/5/2009<br>
<b>Attack Method:</b> Various<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Update (Jan 13, 2009) - Ynet, an Israeli paper, reports that many of the sites defaced were actually DNS hijacked following a break-in to the servers of DomainTheNet, an Israeli registrar. And just like other recent DNS hijacking incidents, the fault was lack of sufficient authentication and the hackers got hold of passwords to the administration system.
Update (Jan 10, 2009) - Zone-H reports that in addition to Israeli sites, Turkish hackers are also targeting USA and NATO web sites using SQL injection.
The war in Gaza, like most modern wars, moved immediately to cyberspace. Islamic and Arab groups all over the world are using the Internet to retaliate against Israeli web sites. Some of the reported incidents are:
<a href="http://www.israelnationalnews.com/News/Flash.aspx/158570">Israeli bank site hacked by an Islamic group</a>
<a href="http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212700313">Hundreds of Israeli web sites hacked in 'Propaganda War'</a>
Like every war, this one is not one sided. Interestingly enough, since this is a war between a country and a guerrilla organization, the cyber war, which focuses mostly on conquering the minds of people, is shaped similarly. The Israeli cyber war activity is mostly funneled through legal channels rather than hacking, as described by <a href="http://blog.wired.com/defense/2008/12/israels-info-wa.html">Wired</a>.
However, unlike the physical war, which only the Israeli military is conducting, in cyberspace Israelis join the hacking war by themselves. Arutz 7, an Israeli media site, <a href="http://www.israelnationalnews.com/News/News.aspx/129223">reports</a> that a group of students released a tool that performs distributed denial of service attacks against Hamas web sites. The <a href="http://www.help-israel-win.org/index.php?lang=eng">students' site itself</a> provides news alerts about the cyber war between Israel and the Hamas.
Editor's notes: (1) As a policy, we decided to report each such conflict as a single incident, unless some hack is especially of interest. The author of this incident is Israeli.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.ynetnews.com/articles/0,7340,L-3649281,00.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-60: Miley Cyrus Pictures Leaked Due to a Web Hack (Updated)<br>
<b>WHID ID:</b> 2008-60<br>
<b>Date Occured:</b> 10/20/2008<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><span><em><strong>Update (April 19th 2009)</strong></em> - E!News provides additional interesting details about Josh Holly, the hacker who carried out the attack. They actually took the trouble to go to Holly's hometown and ask people about him, providing an interesting insight into the celebs hacking phenomenon. </span></p>
<hr>
<p>Celebs are fast becoming a prime hacking target. Miley Cyrus already made her debut at WHID when her Twitter account was raided. But it seems that this was not her first cyber incident. As <a href="http://blog.wired.com/27bstroke6/2008/10/miley-cyrus-hac.html">reported by Wired</a>, late last year a hacker named Josh Holly published private photos of Ms. Cyrus stolen from her Gmail account.</p>
<p>The hack was a relatively sophisticated one and a very good example of the risks of Web 2.0. Holly penetrated a MySpace administrator account using social engineering. Using the account, he gained access to a list of passwords which MySpace stored in an unencrypted form. Unbelievable. Since most of us use the same password for multiple services, Holly used Cyrus' MySpace password on her Gmail account, gaining access and retrieving the photographs.</p>
<p>In a related but as yet unconfirmed story, Holly claims to have used the MySpace administrative account for an advertising scam by which he gained $50,000.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-59: Spotify Streaming Music Service Hacked and Millions of Records Leaked<br>
<b>WHID ID:</b> 2008-59<br>
<b>Date Occured:</b> 12/19/2008<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Transport Layer Protection<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Sweden<br>
<b>Incident Description:</b> <p>This time we may need to remove the word "web", leaving this <a href="http://www.spotify.com/blog/archives/2009/03/04/spotify-security-notice/">incident</a> classified only as "application security". Spotify is a new radio-like music streaming service from Sweden. A weakness in <a href="http://www.spotify.com">Spotify</a> streaming protocols enables hackers to gain access to users' encrypted passwords, email address, birth date, gender, postal code and billing receipt.</p>
<p>An interesting aspect of this incident is that while the vulnerability was discovered and fixed on December 19<sup>th</sup>, the fact that it was actually exploited was discovered only in March 2009. Many times companies report that a vulnerability was found on their site, but that they are not aware of any exploit of the vulnerability. As this incident shows, even if the company is not aware, there is a chance that the vulnerability was exploited.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-58: New Orkut Worm in Brazil<br>
<b>WHID ID:</b> 2008-58<br>
<b>Date Occured:</b> 10/4/2008<br>
<b>Attack Method:</b> Worm<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>XSSed <a href="http://www.xssed.com/news/77/New_Orkut_XSS_worm_by_Brazilian_web_security_group/">reports </a>another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.</p>
<p>I have used this occasion to sort out worm reporting in WHID.</p>
<ul>
<li>A worm is now considered an Attack_Method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": itself.</li>
<li>I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Brazil<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-57: Craigslist&#39;s Battle Against Spammers<br>
<b>WHID ID:</b> 2008-57<br>
<b>Date Occured:</b> 5/22/2008<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Insufficient Anti-Automation is fast becoming the #1 threat to web sites. Since Captcha has been proved practically <a href="http://en.wikipedia.org/wiki/Captcha#Circumvention">useless</a>, especially when there is a financial gain from automating access to the site, sites are pretty much defenceless against harmful automation. <a href="http://techdirt.com/articles/20080523/0327151211.shtml">Techdirt's story</a> about Craigslist losing the battle against automation tools is a very good example of this serious problem.</p>
<p>Read the comments, they are enlightening. As usual, one of the problems when spam is involved is defining what is wrongdoing and what is a valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craigslist is the worst censor on the Internet, not letting small-time businesses work. Others argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article was published.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-56: Soulja Boy Myspace Hacked<br>
<b>WHID ID:</b> 2008-56<br>
<b>Date Occured:</b> 9/1/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>This is the first time a hacking report is a <a href="http://www.youtube.com/watch?v=iHOCC99UaKs">video flick</a>. If, like me, you find it hard to understand, you can read a written summary on this <a href="http://www.stuff.co.nz/4678287a28.html">Kiwi site</a>. I guess that their readers also needed a translation of the speech in the video to English.</p>
<p>In a nutshell, hackers defaced <a href="http://en.wikipedia.org/wiki/Soulja_Boy_Tell_%27Em">Soulja Boy's</a> MySpace page and published his e-mail and YouTube passwords on the net. They demanded $2,500 to give him his web presence back. For an artist who grew out of the Internet this presence is naturally very important; however, he is now important enough that his record label was able to contact the different sites to get him his web properties back without paying the money.</p>
<p>In this case I have decided to categorize the attacked entity as Soulja Boy and not MySpace or YouTube, as I used to do in the past. The fact that the attack was against Soulja Boy properties around the web makes him, rather than any technology platform, the attack target.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-55: Hackers hijack bitchy fashion blog<br>
<b>WHID ID:</b> 2008-55<br>
<b>Date Occured:</b> 4/23/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>It might have been a random hack, but the <a href="http://www.theaustralian.news.com.au/story/0,24897,23586843-7582,00.html">pornographic pictures splashed on an insider fashion industry blog</a> were quickly blamed on the fashion icons and magazines offended by the blog.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-54: Hacker Redirects Obama&#39;s site to Hillary Clinton&#39;s<br>
<b>WHID ID:</b> 2008-54<br>
<b>Date Occured:</b> 4/18/2008<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Netcraft <a href="http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html">reports</a> that a hacker managed to redirect traffic from Barack Obama's web site to Hillary Clinton's site during the primaries held between the two. The culprit, an XSS bug in the community blogs section of Obama's site, highlights the danger of user-contributed content to web sites.</p>
<p>An interesting side story is that Oliver Friedrichs from Symantec was <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9077198">quoted in a Computer World article</a> only a week earlier saying that presidential campaign web sites are "clueless" about security. Was this a prophecy of or the trigger for the hack?</p>
<p>Additional technical information can be found on <a href="http://xssed.com/news/65/Barack_Obamas_official_site_hacked/">XSSed</a>.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-53: 'SQL by Design' leaks Thousands of SSNs at an Oklahoma Gov site<br>
<b>WHID ID:</b> 2008-53<br>
<b>Date Occured:</b> 4/14/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Alex Papadimoulis hits <a href="http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx">again</a> with a report on leakage of information on Oklahoma's Department of Corrections web site. The detailed report is very interesting and highlights one of the worst types of SQL injection out there: remote SQL by design.</p>
<p>A unique form of SQL injection, or even just a close sibling, remote SQL by design is a vulnerability in which the web application accepts SQL statements from the client in the normal course of operation. The SQL statement might be used in a hidden field, or generated on the fly by a client side script. In any case, it is extremely difficult to prevent alteration of the SQL statement by a user in such applications, making the applications highly vulnerable.</p>
<p>To find out for yourself how common this vulnerability is, just Google for SELECT, FROM and WHERE in the URL. Amazing.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-52: The Hannaford Breach<br>
<b>WHID ID:</b> 2008-52<br>
<b>Date Occured:</b> 3/17/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>While the <a href="http://securosis.com/2008/03/18/picking-apart-the-hannaford-breach-what-might-have-happened/">Hannaford Breach</a>, which resulted in 4.2 stolen credit cards and 1800 known fraud cases, may not be a web hack, a <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Disaster+Recovery&amp;articleId=9068999&amp;taxonomyId=151&amp;pageNumber=1">Computer World article mentioned</a> that the company's web site was offline following the breach. Even if the breach itself was not a result of web site issues, such issues were probably found in the security review that followed the breach, making the incident a worthy addition to WHID.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b> http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Disaster+Recovery&amp;articleId=9068999&amp;taxonomyId=151&amp;pageNumber=1
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-51: TrendMicro web site hit<br>
<b>WHID ID:</b> 2008-51<br>
<b>Date Occured:</b> 3/15/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> Japan<br>
<b>Incident Description:</b> <p>The infamous <a href="http://www.infoworld.com/article/08/03/14/Trend-Micro-hit-by-massive-Web-hack_1.html">SQL injection bot has hit TrendMicro</a>, which is worrying considering the fact that TrendMicro is there to protect us from malware. Unfortunately it seems that web security is still underrated outside of a small group of experts, even though it is fast becoming the modern day equivalent of the now declining viruses and worms.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-50: The Indian government acknowledges hacking incidents<br>
<b>WHID ID:</b> 2008-50<br>
<b>Date Occured:</b> 2/29/2008<br>
<b>Attack Method:</b> Various<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>In an official Indian government <a href="http://pib.nic.in/release/release.asp?relid=36142">response</a> to a question in the Indian parliament, the Minister of State for Communications and Information Technology discusses hacking incidents which occurred between 2005 and 2008 in a large number of Indian government agencies. The interesting information is the list of agencies affected:</p>
<ul>
<li>Ministry of Railways, </li>
<li>Air Cargo Customs (Mumbai), </li>
<li>Forward markets Commission, </li>
<li>National Institute of Health and Family Welfare, </li>
<li>National Institute of Social Defence, </li>
<li>Department of Administrative Reforms and Public Grievances, </li>
<li>Wireless Planning &amp; Coordination Wing, </li>
<li>Bharat Sanchar Nigam Limited, </li>
<li>Telecom Regulatory Authority of India, </li>
<li>Department of Information Technology and </li>
<li>Anthropological Survey of India. </li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-49: ValueClick weak decryption and vulnerability to SQL injection<br>
<b>WHID ID:</b> 2008-49<br>
<b>Date Occured:</b> 3/17/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Marketing<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>As a side story to the FTC's indictment of ValueClick for deceptive marketing, the <a href="http://www.ftc.gov/opa/2008/03/vc.shtm">FTC investigation</a> also found SQL injection vulnerabilities and a lack of sufficient encryption of sensitive customer information. These findings contributed to the $2.9 million fine the FTC levied on ValueClick, as well as to the company <a href="http://www.theregister.co.uk/2008/03/17/ebay_dumps_valueclick/">being dumped from managing eBay's affiliate program</a>.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-48: TicketMaster Fighting Hackers Line Bypassing<br>
<b>WHID ID:</b> 2008-48<br>
<b>Date Occured:</b> 3/9/2008<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><em><strong>Update (April 19<sup>th</sup> 2009)</strong></em> - A <a href="http://www.vancouversun.com/entertainment/Hackers+foil+Ticketmaster+website+security+order+thousands+tickets+high+priced+resale/1387348/story.html">recent article in the Vancouver Sun</a> further discusses the issue. While there are no new technical details, the <a href="http://www.vancouversun.com/entertainment/Hackers+foil+Ticketmaster+website+security+order+thousands+tickets+high+priced+resale/1387348/story.html#Comments">discussion that follows</a> the article is illuminating.</p>
<hr>
<p>Insufficient anti-automation is fast becoming a major, if not the major, threat to web applications. The reason is that it can be very profitable for the hacker, and on the other hand it is far from a simple vulnerability just requiring a quick fix.</p>
<p><a href="http://www.canada.com/theprovince/news/story.html?id=a091de62-e480-4cd9-bdd3-32e660081d86&amp;k=9897">TicketMaster's ongoing combat with hackers</a> who bypass the line to buy event tickets and resell them for a high price is a very good example of the issue. In this specific example the hackers demonstrate that <a href="http://en.wikipedia.org/wiki/Captcha">Captcha</a>, a method of blocking automated programs by presenting a challenge supposedly difficult for computer software, is not sufficient.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-47: The Federal Suppliers Guide validates login credential in JavaScript<br>
<b>WHID ID:</b> 2008-47<br>
<b>Date Occured:</b> 2/29/2008<br>
<b>Attack Method:</b> Stolen Credentials<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Marketing<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Alex Papadimoulis <a href="http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx">tells in a brilliantly humorous way</a> about the lack of security of the Federal Suppliers Guide's web site. The guide is presumably limited to federal procurement agents only, but at the time of writing the credential checking was done on the client in JavaScript and for a single global user name and password.</p>
<p>Beyond making a mockery of the claim that the guide was limited to federal agents only, it also seemed to be a marketing method, as it limits the potential advertisers from checking who is in the guide. After getting in, Alex contacted some of the advertisers to find out that none of them got any value from the guide. Alex did not join, and I wonder how much Alex's report lowered the Federal Suppliers Guide's earnings.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-46: CheckFree customers redirected to fraudsters sites<br>
<b>WHID ID:</b> 2008-46<br>
<b>Date Occured:</b> 12/2/2008<br>
<b>Attack Method:</b> DNS Hijacking<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>In an attack with an alarming similarity to the COX incident (<a href="/whid-2008-45">WHID 2008-45</a>), but with a far greater potential damage, hackers changed the DNS records for CheckFree, the largest bill payment service in the USA. Customers were redirected to servers in the Ukraine, which attempted to install a password login software on their computers.</p>
<p>The change was done using correct credentials to log in to the administrative web site of Network Solutions, CheckFree's domain registrar. It is as yet unknown how the hackers got the credentials. Since <a href="http://www.icann.org/en/committees/security/sac028.pdf">Phishing attacks against domain registrars</a> including Network Solutions have started to surface recently, a good guess is that it was through a Phishing attack.</p>
<p>According to <a href="http://doj.nh.gov/consumer/pdf/fiserv.pdf">CheckFree's report to the authorities</a>, it estimates that around 160,000 customers were exposed to the attack, and informed 5 million potential victims who may have been among this group.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_checkf.html">The Washington Post's analysis of the incident</a></li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Ukraine<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-45: Comcast domain hijacked<br>
<b>WHID ID:</b> 2008-45<br>
<b>Date Occured:</b> 1/5/2009<br>
<b>Attack Method:</b> Domain Hijacking<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Recently domain names have been the focus of hacking activity. Hackers found that hijacking a domain is as effective as, if not more effective than, attacking the web site itself.</p>
<p>Is domain hacking a case of web hacking? Should it be included in WHID? In this case it seems, according to the <a href="http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html">Wired report</a>, that the hack itself involved attacking the web interface of the domain's registrar (Network Solutions).</p>
<p>However, we believe that the resulting "virtual" defacement of the web site by redirecting users to a fraudulent web site is still a web hack, even if the DNS hijacking is not web related.</p>
<p>The defaced site, as logged by <a href="http://www.theregister.co.uk/2008/05/29/comcast_domain_hijacked/">The Register</a>, was:</p>
<p><img src="http://regmedia.co.uk/2008/05/29/comcast.jpg" width="450" height="115"></p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-44: Balkan cyber wars<br>
<b>WHID ID:</b> 2008-44<br>
<b>Date Occured:</b> 4/1/2008<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The interesting <a href="http://blogs.zdnet.com/security/?p=1145">report</a> in ZDNet about the cyber war around Kosovo is unique in describing the process. According to the report, hacker groups on each side share information in order to make attacks more efficient. Some collect vulnerable web sites, while others use automatic defacement tools to attack.</p>
<p>On the positive side, the report states that at the time of writing, there is a ceasefire and parties are negotiating. Is there room for cyber peace alongside cyber war?</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-43: Russian nuclear power web sites attacked amid accident rumors<br>
<b>WHID ID:</b> 2008-43<br>
<b>Date Occured:</b> 1/5/2009<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Russia<br>
<b>Incident Description:</b> <p>Novosti, the Russian news agency, <a href="http://en.rian.ru/russia/20080523/108202288.html">reports</a> what seems to be a planned two-pronged attack to create panic by spreading a rumor about a nuclear accident near St. Petersburg.</p>
<p>At the same time that e-mails spreading the rumor were distributed, hackers blocked access to web sites enabling the public to check for themselves the status of the nuclear power plant, intensifying the panic.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-42: Chinese hackers steal 9 million items of personal information from South Koreans<br>
<b>WHID ID:</b> 2008-42<br>
<b>Date Occured:</b> 12/30/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> South Korea<br>
<b>Incident Description:</b> <p>The <a href="http://209.85.129.132/search?q=cache:B3oFg-OQmAQJ:www.thedarkvisitor.com/2008/07/chinese-hackers-steal-9-million-items-of-personal-information-from-south-koreans/+chinese-hackers-steal-9-million-items-of-personal-information-from-south-koreans/&amp;hl=en&amp;ct=clnk&amp;cd=1">Dark Visitor</a>, a Chinese hacking insider site, and the Korean <a href="http://english.chosun.com/w21data/html/news/200807/200807280013.html">Chosun</a> report that a Chinese hacker used a commercially available SQL injection tool called HDMI to penetrate a large number of South Korean sites and steal 9 million personal information items, which he then sold for approximately $15,000 to South Koreans for them to abuse.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-41: A Joomla first day exploit<br>
<b>WHID ID:</b> 2008-41<br>
<b>Date Occured:</b> 8/12/2008<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Joomla is a widely used open source content management system. Many <a href="http://theprogrammerx.wordpress.com/2008/08/23/what-the-hack-is-going-on-three-attacks-within-a-week/">administrators report</a> that <a href="http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html">a vulnerability announced August 12<sup>th</sup></a> was immediately exploited by hackers to attack Joomla based web sites. Another report shows a specific site that was defaced by exploiting the same vulnerability.</p>
<p>This incident shows the importance of timely patching, but also brings back the age old debate around publication of vulnerabilities by researchers. Does it contribute to software security or just help the hackers?</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Joomla<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-40: Olympics news sites hit with attacks<br>
<b>WHID ID:</b> 2008-40<br>
<b>Date Occured:</b> 8/12/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>Like many Asprox bot SQL injection attacks, the one on NDTV.com, a New Delhi TV station's web site, has its unique aspects.</p>
<p>First, the attack came at absolutely the wrong time: just when all eyes (and mouse clicks) were turned to the Olympic games in Beijing, the NDTV web site, which carried real time information from the games, was hacked, greatly extending the infection rate.</p>
<p>In addition, the information was syndicated from a French news agency. While apparently the agency did not have anything to do with the hack, it did catch some fire over the incident, as some experts suggested it should help its customers protect their systems.</p>
<p>More information:</p>
<ul>
<li><a href="http://www.scmagazineus.com/Olympics-news-sites-hit-with-attacks/article/113781/">SC Magazine</a>, Aug 12th 2008</li>
<li><a href="http://www.sophos.com/blogs/gc/g/2008/08/11/olympic-games-coverage-on-news-website-hit-by-sql-injection/">Graham Cluley's blog entry</a>, Aug 11th 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-39: Hacker compromises a south african political party web site<br>
<b>WHID ID:</b> 2008-39<br>
<b>Date Occured:</b> 8/7/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> South Africa<br>
<b>Incident Description:</b> <p>The South African Democratic Alliance party's web site seems like another random victim of the Asprox family of bots. This specific incident demonstrates several issues:</p>
<ul>
<li>Asprox successfully attacks organizations that should really know better.</li>
<li>While most known cases of Asprox attacks result in planting of malware on the web site, since this is easily detected by malware search services, the very brutal injection used by Asprox probably takes down more sites than it infects with malware.</li>
<li>According to one comment, the site used an outdated version of WordPress, stressing again the problem with not upgrading in a timely manner, especially open source software.</li>
</ul>
<p>More information:</p>
<ul>
<li><a href="http://www.mg.co.za/article/2008-08-15-hacker-compromises-da-website">Mail &amp; Guardian</a>, Aug 15th 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Russia<br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-38: DNSChanger Trojans v4.0<br>
<b>WHID ID:</b> 2008-38<br>
<b>Date Occured:</b> 12/4/2008<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Fraud<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The DNSChanger Trojan uses different methods to manipulate the DNS lookup of the victim. One of the most malicious techniques is using CSRF to attack the ADSL or cable router and modify its DNS tables.</p>
<p>More Information:</p>
<ul>
<li><a href="http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40">McAfee: DNSChanger Trojans v4.0</a>, Dec 4th 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-37: Pakistani hacker attacks Indian Rail site, threatens cyber war on India<br>
<b>WHID ID:</b> 2008-37<br>
<b>Date Occured:</b> 12/24/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>The web site of the Indian Eastern Railway company was hacked. The hacker planted malware on the site and added a message to the home page declaring a cyber war on Indian Cyberspace.</p>
<p>Additional Information:</p>
<ul>
<li><a href="http://www.financialexpress.com/news/pak-hacker-attacks-e-rlys-site-threatens-cyber-war-on-india/402609/0">The Financial Express</a>, Dec 25th 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Pakistan<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-36: RBS WorldPay Data Breach Hits 1.5 Million (Updated)<br>
<b>WHID ID:</b> 2008-36<br>
<b>Date Occured:</b> 11/10/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><em><strong>Update (Feb 4<sup>th</sup> 2009)</strong></em>: While RBS reported that just 100 cards were abused in the incident, news has now <a href="http://blog.wired.com/27bstroke6/2009/02/atm.html">surfaced</a> that those cards were heavily abused: the hacker managed to lift the withdrawal limit and distribute the card copies around the world, so that in total 9 million dollars were withdrawn from them in a matter of hours before they were blocked. At least, as the saying goes, losing $100 is your problem; losing a million is the bank's.</p>
<p></p><hr>
The Royal Bank of Scotland (RBS) confirmed that a hacker performed a "sophisticated cyber intrusion" on the RBS WorldPay unit web site. 1.5 million credit card numbers and 1.1 million social security numbers may have been stolen.
<p>At this time the only abuse known is a fraudulent use of about 100 reloadable cards, which are used by companies to pay their employees.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://sev.prnewswire.com/banking-financial-services/20081223/NY5456423122008-1.html">Company press release</a>, December 23rd 2008</li>
<li><a href="http://www.internetnews.com/security/article.php/3793386/RBS+WorldPay+Data+Breach+Hits+15+Million.htm">Internet News</a>, December 24th 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-35: Business Week site hit by malware<br>
<b>WHID ID:</b> 2008-35<br>
<b>Date Occured:</b> 9/15/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Business Week is the latest victim of Asprox, a botnet using SQL injection attacks to plant malware. <a href="http://www.internetnews.com/security/article.php/3779021/Adobe+Sites+Hit+by+Malware.htm">Internet News</a> reports that Sophos has <a href="http://www.sophos.com/blogs/gc/g/2008/09/15/hackers-infect-businessweek-website-via-sql-injection-attack/">discovered</a> malware on a large number of pages on the magazine’s web site. A Google safe browsing report, which checks how many pages on a web site, if any, are infected with malware, flagged 214 out of 2,157 pages on the site, just shy of 10%.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-34: Adobe hit by malware<br>
<b>WHID ID:</b> 2008-34<br>
<b>Date Occured:</b> 10/17/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Adobe joins the long list of sites hit by Asprox, a botnet using SQL injection attacks to plant malware. <a href="http://www.internetnews.com/security/article.php/3779021/Adobe+Sites+Hit+by+Malware.htm">Internet News</a> reports that Sophos has discovered malware on Adobe's “<a href="http://www.sophos.com/pressoffice/news/articles/2008/10/adobe-infection.html">Vlog it</a>” and “<a href="http://www.sophos.com/security/blog/2008/10/1863.html">Serious Magic</a>” sites.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-33: Chinese hacker jailed for false quake alarm<br>
<b>WHID ID:</b> 2008-33<br>
<b>Date Occured:</b> 5/29/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> <p>A Chinese student penetrated the Shaanxi Provincial Seismic Bureau's web site and planted a false warning of an earthquake expected the following night, reports <a href="http://www.theaustralian.news.com.au/story/0,25197,24275633-12377,00.html">The Australian</a>.<br>
The false warning created panic, especially since it was made shortly after the devastating earthquake that hit China just a few weeks earlier. The faked warning drew 767 page views within 10 minutes, and the bureau’s phones immediately became very busy.<br>
As expected in China, authorities were far from forgiving, and the student was jailed for 18 months.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-32: Yahoo HotJobs XSS<br>
<b>WHID ID:</b> 2008-32<br>
<b>Date Occured:</b> 10/26/2008<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Session Hijacking<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><a href="http://news.netcraft.com/archives/2008/10/26/ongoing_phishing_attack_exposes_yahoo_accounts.html">Netcraft</a> reported an ongoing exploit of an XSS vulnerability in the Yahoo HotJobs site. The attackers have been using obfuscated JavaScript to steal victims' session cookies, which were in turn sent to a server in the US.<br>
The stolen cookie was a Yahoo-wide cookie, so by stealing it the hackers could gain control of every service accessible to the victim within Yahoo, including Yahoo! Mail.<br>
Netcraft identified the issue by observing irregular activity by its toolbar users, and Yahoo! fixed the vulnerability shortly after, on Oct 28th.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.netcraft.com/archives/2008/10/26/ongoing_phishing_attack_exposes_yahoo_accounts.html<br>
<b>Attack Source Geography:</b> USA<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-31: Hacker takes $50,000 a few cents at a time<br>
<b>WHID ID:</b> 2008-31<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of the small payments used to verify credit cards when opening accounts.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcpro.co.uk/news/201252/hacker-takes-50000-a-few-cents-at-a-time.html">Hacker takes $50,000 a few cents at a time</a> [PC Pro, May 28 2008]</li>
<li><a href="http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html">Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'</a> [Wired, May 27 2008]</li>
<li><a href="http://blog.wired.com/27bstroke6/files/largent_affidavit.pdf">Secret Service search warrant affidavit</a> [Secret Service, May 7 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-30: Security breach hits DivShare, unauthorized access to its database<br>
<b>WHID ID:</b> 2008-30<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The popular document and media sharing service DivShare suffered a security breach that allowed a malicious user to access their database, which included user e-mail addresses and other basic profile information.
</p><p>Additional information:</p>
<ul>
<li><a href="Dancho%20Danchev">Security breach hits DivShare, unauthorized access to its database</a> [ZDNet, Jun 19 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-29: Sunwear hacks metasploit.com?<br>
<b>WHID ID:</b> 2008-29<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> ARP spoofing<br>
<b>Application Weakness:</b> Insufficient Transport Layer Protection<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I was able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-28: Confidential data on thousands of students exposed by test preparatory firm<br>
<b>WHID ID:</b> 2008-28<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> New York, NY<br>
<b>Incident Description:</b> While moving to a new hosting provider, a Princeton Review system used by students to prepare for a state assessment program exposed, due to misconfiguration, the records of approximately 34,000 students from 2nd to 10th grade. The information included names, Florida ID (which is nearly identical to the US social security number) and the students' exam report.
The information was available online from late June to early August.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.nytimes.com/2008/08/19/technology/19review.html?_r=3&amp;adxnnl=1&amp;oref=slogin&amp;adxnnlx=1221859844-4bHK03P+zrmLhJ5Ul2SlPA<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-27: U.K&#39;s Crime Reduction Portal Hosting Phishing Pages<br>
<b>WHID ID:</b> 2008-27<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>Poste Italiane seems to have relocated to a brand new location online, in this case the U.K's Crime Reduction Portal which is currently hosting a phishing page.
</p><p>Additional information:</p>
<ul>
<li><a href="">U.K's Crime Reduction Portal Hosting Phishing Pages</a> [Dancho Danchev, Jun 2 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-26: Palin&#39;s private e-mail hacked, posted to Net<br>
<b>WHID ID:</b> 2008-26<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The activist group called "anonymous," best known for its jousts with the Church of Scientology, has apparently hacked into the private Yahoo e-mail account of Alaska Gov. Sarah Palin, the Republican candidate for vice president.</p>
<p>Contents of that account, including two sample e-mails, an index of messages and Palin family photos, have been posted by the whistle blower site Wikileaks, which contends that they constitute evidence that Palin has improperly used her private e-mail to shield government business from public scrutiny, an issue that had already been raised by others.</p>
<p><span style="text-decoration:underline"><em>Update (Oct 8)<br></em></span></p>
<p>David Kernell, a 20-year-old Tennessee college student, was indicted for the hack. The most interesting aspect of the identity of the hacker is that his father, Mike Kernell, is a longtime Democratic state representative from Memphis.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked">VP contender Sarah Palin hacked</a> [Wikileaks, Sep 16 2008]</li>
<li><a href="http://www.networkworld.com/community/node/32838">Palin's private e-mail hacked, posted to 'Net</a> [Network World, Sep 17 2008]</li>
<li><a href="http://www.internetnews.com/security/article.php/3776696">Student Indicted in Palin E-Mail Hack</a> [Internet News, Oct 8 2008]</li>
<li><a href="http://www.usdoj.gov/opa/documents/indictment.pdf">Court indictment document</a>, Oct 7 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-25: BusinessWeek website attacked and hosts malware<br>
<b>WHID ID:</b> 2008-25<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Another site hit by the SQL injection bot
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.net-security.org/malware_news.php?id=990">BusinessWeek website attacked and hosts malware</a> [Net-Security, Sep 15 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-24: SQL attacks lob onto ATP Web site<br>
<b>WHID ID:</b> 2008-24<br>
<b>Date Occured:</b> 7/21/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Sports<br>
<b>Attacked Entity Geography:</b> Global<br>
<b>Incident Description:</b> <p>Not a day goes by without yet another prominent web site hacked by an SQL injection attack planting malware.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.networkworld.com/news/2008/070208-sql-attacks-lob-onto-tennis.html">SQL attacks lob onto tennis association Web site</a> [Network World, Jul 4 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-23: Sony PlayStation<br>
<b>WHID ID:</b> 2008-23<br>
<b>Date Occured:</b> 7/21/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Yet another iframe injection in a very prominent web site, proving yet again that nobody is immune.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thetechherald.com/article.php/200827/1393/Sony-PlayStation-s-site-hit-with-SQL-Injection">Sony PlayStation
</a></li></ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-22: Hacker changes news releases on sheriff&#39;s Web site<br>
<b>WHID ID:</b> 2008-22<br>
<b>Date Occured:</b> 7/21/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p> A targeted defacement that modified two specific press releases to ridicule the local government.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.dailybulletin.com/ci_9668183">Nosy hacker alters sheriff's news releases</a> [The Daily Bulletin, Jun 22 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-21: Information about organ and tissue donors open to all<br>
<b>WHID ID:</b> 2008-21<br>
<b>Date Occured:</b> 7/20/2008<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The organ and tissue donor registry database of Florida's Agency for Health Care Administration (AHCA) was open to the public due to an unspecified software glitch. Personal details of 55,000 people, including name, address, date of birth, driver license number and social security number, were exposed.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.fdhc.state.fl.us/Organ/faq.htm">AHCA Incident FAQ</a> [AHCA, ]</li>
<li><a href="http://www.fdhc.state.fl.us/Executive/Communications/Press_Releases/pdf/Organ_Tissue7708.pdf">AHCA Incident PR</a> [AHCA, Jul 7 2008]</li>
<li><a href="http://www.examiner.com/a-1476582~Breach_in_Fla__donor_registry_may_have_exposed_IDs.html">Breach in Fla. donor registry may have exposed IDs</a> [Associated Press, Jul 7 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-20: XSS Worm At Justin.tv Affects 2525 Profiles<br>
<b>WHID ID:</b> 2008-20<br>
<b>Date Occured:</b> 7/16/2008<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A proof of concept XSS worm crawled justin.tv, a popular lifecasting platform. The worm succeeded in planting self-replicating code on 2525 accounts in less than 24 hours before the vulnerability was fixed.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://cyberinsecure.com/xss-worm-at-justintv-affects-2525-profiles/">XSS Worm At Justin.tv Affects 2525 Profiles</a> [CyberInsecure, Jul 15 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-19: OSU breach raises fears of ID theft<br>
<b>WHID ID:</b> 2008-19<br>
<b>Date Occured:</b> 5/19/2008<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>At Oklahoma State University (OSU) a security breach has exposed the names, addresses and Social Security numbers of 70,000 students, faculty and staff who bought parking and transit services permits in the past six years. The university failed to report the incident to affected individuals for two months after it was detected.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.cr80news.com/news/2008/05/16/osu-breach-raises-fears-of-id-theft/">OSU breach raises fears of ID theft</a> [cr80 News, May 16 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-18: Winzipices SQL bot<br>
<b>WHID ID:</b> 2008-18<br>
<b>Date Occured:</b> 5/11/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Another member of the wave of SQL injection bots injecting malware-inflicting code into web sites.
</p><p>Additional information:</p>
<ul>
<li><a href="http://isc.sans.org/diary.html?storyid=4393">SQL Injection Worm on the Loose</a> [SANS Internet Storm Center, May 7 2008]</li>
<li><a href="http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507">New SQL Injection Attacks and New Malware: winzipices.cn</a> [ShadowServer, May 7 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-17: Hackers&#39; posts on epilepsy forum cause migraines, seizures<br>
<b>WHID ID:</b> 2008-17<br>
<b>Date Occured:</b> 5/11/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Up to now we had never registered at WHID an incident that caused physical pain to its victims. Unfortunately, there is always a first. In an attack which gives a whole new dimension to the term "malicious", hackers recently injected into the Epilepsy Foundation's Web site hundreds of pictures and links to pages with rapidly flashing images.</p>
<p>The breach caused severe migraines and near-seizure reactions in some site visitors who viewed the images. People with photosensitive epilepsy can get seizures when they're exposed to flickering images, a response also caused by some video games and cartoons.</p>
<p>The attack method is only described as an exploit of a security hole in the foundation's publishing software. However, the attack looks very much like a variation of the popular iframe injection SQL bots, used for malice rather than profit, hinting that this was an SQL injection attack.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://ap.google.com/article/ALeqM5jEG2MsrwWkzr9_q60h8dojhHsArgD90H3NV01">Hackers' posts on epilepsy forum cause migraines, seizures</a> [AP, May 7 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-16: Turkish PM supporters hack hacker&#39;s Web site<br>
<b>WHID ID:</b> 2008-16<br>
<b>Date Occured:</b> 5/11/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Turkey<br>
<b>Incident Description:</b> <p>In a twist on the classic defacement incident, supporters of the Turkish PM defaced, in retaliation, the web site of hackers who had just recently defaced the PM's web site. A disturbing question is whether this was juvenile mischief or an act planned and executed by PM supporters. Has political spin reached web site hacking?</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.turkishdailynews.com.tr/article.php?enewsid=104028">Erdogan supporters hack hacker's Web site</a> [Turkish Daily News, May 9 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-15: ValueClick to Pay $2.9 Million to Settle FTC Charges<br>
<b>WHID ID:</b> 2008-15<br>
<b>Date Occured:</b> 3/24/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Marketing<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>In this case SQL injection was not the root cause, but rather the justification. Just as Al Capone was arrested at the end of the day for tax evasion, ValueClick, which seems to have infuriated the FTC over many nasty commercial misdeeds, was caught at the end of the day for SQL injection, presumably left open against the company's written security policy.</p>
<p>The FTC settlement cost ValueClick a record $2.9 million, plus 20 years of rigorous security procedures that will probably cost as much if not more. On top of that, eBay, a major partner, left ValueClick as a result.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.ftc.gov/opa/2008/03/vc.shtm">ValueClick to Pay $2.9 Million to Settle FTC Charges</a> [Federal Trade Commission, Mar 17 2008]</li>
<li><a href="http://www.theregister.co.uk/2008/03/17/ebay_dumps_valueclick/">eBay dumps ValueClick</a> [The Register, Mar 17 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-14: Hacker takes over Dallas police Web site<br>
<b>WHID ID:</b> 2008-14<br>
<b>Date Occured:</b> 2/21/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>### Dallas say the department shut down its Internet presence after a hacker took over its Web site and filled it with anti-American rants.<br><br>The vandalized Web pages included a doctored photograph showing American troops watching over four people lined up against a wall.<br><br>Each of the four prisoners had lines leading away from their faces to individual head shots of President George W. Bush, Vice President Dick Cheney, Secretary of State Condoleezza Rice and Sen. John McCain
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.upi.com/NewsTrack/Top_News/2008/02/19/hacker_defaces_dallas_police_web_site/5990/">Hacker defaces Dallas police Web site</a> [United Press, Feb 19 2008]</li>
<li><a href="http://www.foxnews.com/story/0,2933,331201,00.html">Dallas Police Web Site Hacked, Defaced</a> [Fox (AP), Feb 19 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-13: Harvard site hacked and leaked on BitTorrent<br>
<b>WHID ID:</b> 2008-13<br>
<b>Date Occured:</b> 2/20/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://torrentfreak.com/harvard-website-hacked-080218/">Harvard Site Hacked and Leaked on BitTorrent</a> [TorrentFreak, Feb 18 2008]</li>
<li><a href="http://virtualization.sys-con.com/read/503459.htm">Harvard Web Site Hack is a Cautionary Tale</a> [Virtualization News Desk, Feb 19 2008]</li>
<li><a href="http://walkah.net/blog/walkah/harvard-joomla-site-hacked-things-learn">Harvard Joomla site hacked: things to learn?</a> [James Walker, Feb 19 2008]</li>
<li><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9063198">Harvard Web site hacked; database on file-sharing site</a> [Computer World, Feb 18 2008]</li>
<li><a href="http://www.scmagazineus.com/Harvard-grad-school-site-hacked-files-distributed-on-BitTorrent-network/article/107028/">Harvard grad school site hacked, files distributed on BitTorrent network</a> [SC Magazine, Feb 19 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Joomla<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-12: Greek ministry websites hit by hacker intrusion<br>
<b>WHID ID:</b> 2008-12<br>
<b>Date Occured:</b> 2/17/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Greece<br>
<b>Incident Description:</b> <p>This is yet another case of defacement of a governmental web site. It is amazing to note it is nearly never the large commercial and financial web sites that are defaced. It is either small mom and dad shops or government and political web sites. Don't you get the feeling the government IT is run like a mom and dad shop? Do you wonder if it is only the IT part that is run that way?
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.ekathimerini.com/4dcgi/_w_articles_politics_100018_31/01/2008_92784">Ministry websites hit by hacker intrusion</a> [Kathimerini, Jan 31 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-11: Hacker breaks into Ecuador&#39;s presidential website<br>
<b>WHID ID:</b> 2008-11<br>
<b>Date Occured:</b> 2/12/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Ecuador<br>
<b>Incident Description:</b> <p>Was it defaced or not? In this extraordinary incident, a hacker broke into the web site of the Ecuadorian president and said nice things about him. So nice, in fact, that the presidential office had to apologize in front of the opposition leader. Was it a hack or an overenthusiastic marketing person?
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thaindian.com/newsportal/uncategorized/hacker-breaks-into-ecuadors-presidential-website_10017070.html">Hacker breaks into Ecuador's presidential website</a> [Thaindian News, Feb 11 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-10: Chinese hacker steals user information on 18 Million online shoppers at Auction.co.kr<br>
<b>WHID ID:</b> 2008-10<br>
<b>Date Occured:</b> 2/12/2008<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Entropy<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Korea<br>
<b>Incident Description:</b> <p><strong><em>Update (January 5th 2009)</em></strong></p>
<p>We were informed by sources at eBay, the Korean site's parent company, that the issue was not CSRF or session hijacking. The attack method was not disclosed.</p>
<hr>
<p>A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front-page news. We don't know if it was front-page news in Korea, but it did not reach the international media.</p>
<p>The attack description is vague but can be best described as session hijacking.</p>
<p>This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers who get hacked; rather, it is we, the WHID maintainers, who speak only this language.</p>
<p>More Information:</p>
<ul>
<li><a href="http://www.thedarkvisitor.com/tag/auctioncokr-chinese-hacker-attack/">The Dark Visitor</a></li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-09: Hacking Stage 6<br>
<b>WHID ID:</b> 2008-09<br>
<b>Date Occured:</b> 2/10/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Sensitive information about people who created an account on the site leaked and was published through IRC.
</p><p>Additional information:</p>
<ul>
<li><a href="http://en.wikipedia.org/wiki/Stage6#Hacking">Stage 6 - Hacking</a> [Wikipedia, Feb 9 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-08: Hacker steals Davidson Cos. clients&#39; data<br>
<b>WHID ID:</b> 2008-08<br>
<b>Date Occured:</b> 2/4/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm, and stole its entire customer database: 226,000 records including names and social security numbers. The attack method is not known, but it seems very much like a web hack.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20080130/NEWS01/801300301">Hacker steals Davidson Cos. clients' data</a> [Great Falls Tribune, Feb 4 2008]</li>
<li><a href="http://www.davidsoncompanies.com/dc/pressreleases/pressreleasesdetail.cfm?newsid=1777378305">Davidson Companies Informs Clients of Network Intrusion Resulting in Illegal Access to Personal Data</a> [Davidson Companies, Jan 30 2008]</li>
<li><a href="http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20080210/NEWS01/802100303">Davidson Co.'s security breach reminds that personal data isn't as safe as we'd like</a> [Great Falls Tribune, Feb 11 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-07: Another Free MacWorld Platinum Pass? Yes in 2008!<br>
<b>WHID ID:</b> 2008-07<br>
<b>Date Occured:</b> 1/28/2008<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Kurt already got his free MacWorld pass last year (<a href="http://www.webappsec.org/projects/whid/byid_id_2007-14.shtml">WHID 2007-14</a>), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes were hashed but stored in the client browser, Kurt was able to crack them.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html">Another Free MacWorld Platinum Pass? Yes in 2008!</a> [Kurt Grutzmacher, Jan 14 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-06: Hackers Take Down Pennsylvania Government<br>
<b>WHID ID:</b> 2008-06<br>
<b>Date Occured:</b> 1/28/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.linuxjournal.com/node/1006060">Hackers Take Down Pennsylvania Government</a> [Linux Journal, Jan 10 2008]</li>
<li><a href="http://ap.google.com/article/ALeqM5iGKgY3SpKw7_p7A8MGHpTfSpN8mAD8TVE5SG0">Hackers Force Pa. to Shut State Web Site</a> [AP, Jan 4 2008]</li>
<li><a href="http://www.geeksaresexy.net/2008/01/09/pennsylvania-state-disconnects-from-internet-over-chinese-hacker-phearz/">Pennsylvania State Disconnects from Internet Over Chinese Hacker Phearz</a> [Geeks Are Sexy, Jan 9 2008]</li>
<li><a href="http://www.post-gazette.com/pg/08006/847083-85.stm">Officials say no data was compromised by hackers</a> [Post Gazette, Jan 6 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-05: Drive-by Pharming in the Wild<br>
<b>WHID ID:</b> 2008-05<br>
<b>Date Occured:</b> 1/28/2008<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Mexico<br>
<b>Incident Description:</b> <p>Symantec <a href="http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html">reported</a> an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to change the DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html">Drive-by Pharming in the Wild</a> [Symantec, Jan 22 2008]</li>
<li><a href="http://www.heise-security.co.uk/news/102352">Symantec reports first active attack on a DSL router</a> [Heise, Jan 24 2008]</li>
<li><a href="http://www.xiom.com/?p=12">Client Side Web Server Hacking</a> [WHID Blog, Jan 28 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> DSL Router<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-04: RIAA web site cleared<br>
<b>WHID ID:</b> 2008-04<br>
<b>Date Occured:</b> 1/22/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Entertainment<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The web site of RIAA, the Recording Industry Association of America, was attacked twice using SQL injection over the weekend. First a <a href="http://reddit.com/info/660oo/comments/">query that takes a particularly long time was posted on a social network web site</a>, causing a distributed denial of service attack against the site. Later on, hackers found and abused additional SQL injection and XSS vulnerabilities, resulting in major defacement of the site.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2008/01/21/riaa_hacktivism/">RIAA wiped off the net</a> [The Register, Jan 21 2008]</li>
<li><a href="http://reddit.com/info/660oo/comments/">This link runs a slooow SQL query on the RIAA's server. Don't click it; that would be wrong</a> [Reddit, Jan 20 2008]</li>
<li><a href="http://torrentfreak.com/riaa-website-hacked-080120/">RIAA Website Wiped Clean by "Hackers"</a> [Torrent Freak, Jan 20 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-02: Italian Bank&#39;s XSS Opportunity Seized by Fraudsters<br>
<b>WHID ID:</b> 2008-02<br>
<b>Date Occured:</b> 1/9/2008<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Italy<br>
<b>Incident Description:</b> <p>It has been a while since a phishing scam using an XSS vulnerability found its way to the Web Hacking Incidents database (<a href="http://www.webappsec.org/projects/whid/byid_id_2004-11.shtml">SunTrust, WHID 2004-11</a>). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as <a href="http://www.xssed.org/">XSSed</a>; however, most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2008/01/08/italian_banks_xss_opportunity_seized_by_fraudsters.html">Italian Bank's XSS Opportunity Seized by Fraudsters</a> [NetCraft, Jan 8 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2008-01: Information stolen from geeks.com (Updated)<br>
<b>WHID ID:</b> 2008-01<br>
<b>Date Occured:</b> 1/8/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><strong><em>Update (Feb 8<sup>th</sup> 2009)</em></strong> - The company has reached a <a href="http://www.ftc.gov/os/caselist/0823113/index.shtm">settlement</a> with the FTC. Not a breathtaking achievement in the effort to make businesses care about web application security, yet a step in this direction. The report also identifies the attack as an SQL injection attack.</p>
<hr>
<p>Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).</p>
<p>The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment....</p>
<p>And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9056004&amp;intsrc=news_ts_head">Update: 'Hacker safe' Web site gets hit by hacker</a> [Computer World, Jan 7 2008]</li>
<li><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=205600099&amp;subSection=All+Stories">'Hacker Safe' Geeks.com Hacked</a> [Information Week, Jan 7 2008]</li>
<li><a href="http://consumerist.com/341408/geekscom-website-hacked-customer-data-stolen">Geeks.com Website Hacked, Customer Data Stolen</a> [Consumerist, ]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-89: The big TJX hack<br>
<b>WHID ID:</b> 2007-89<br>
<b>Date Occured:</b> 12/29/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><em><strong>Update (January 12<sup>th</sup> 2009)</strong></em> A Ukrainian hacker who was a member of the TJX hack ring <a href="http://www.theregister.co.uk/2009/01/08/hacker_30yr_jail_stretch_turkey/">was sentenced to 30 years in jail by a Turkish court</a>. According to investigation papers, Maksym Yastremskiy made approximately 11 million dollars from the hack!</p>
<hr>
<p>The TJX breach is one of the most publicized hacking incidents in recent years. However, until now it was not part of the Web Hacking Incidents Database. And for a good reason: early reports described the hack as a war driving hack, in which the attackers drive around and find a wireless network not properly secured.</p>
<p>However, new information from the trial of the identity theft ring leader Albert Gonzalez reveals that in order to penetrate the TJX data center from the captured end points, the hackers employed different techniques including password sniffing and SQL injection. The latter justifies getting the TJX incident into WHID for the first time.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.networkworld.com/news/2008/080608-id-theft-ring-attacked-retailers.html?page=1">Network World</a>, June 8th 2008</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-88: Police Academy in India Hosting a Phishing Site<br>
<b>WHID ID:</b> 2007-88<br>
<b>Date Occured:</b> 9/20/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>The SVP National Police Academy in Hyderabad, India has had some sort of compromise on their website resulting in a Bank of America phishing site operating on one of their servers.</p><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-87: Hacker uses Insider information to gain on the stock exchange<br>
<b>WHID ID:</b> 2007-87<br>
<b>Date Occured:</b> 2/21/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>###
</p><p>Additional information:</p>
<ul>
<li><a href="http://jeremiahgrossman.blogspot.com/2008/02/it-pays-to-be-hacker.html">It pays to be a hacker</a> [Jeremiah Grossman, Feb 19 2008]</li>
<li><a href="http://www.nytimes.com/2008/02/15/business/15norris.html">Make Big Profits Illegally (and Maybe Keep Them, Too)</a> [New York Times (free subscription required), Feb 15 2008]</li>
<li><a href="http://www.theregister.co.uk/2008/02/19/insider_trading_catch22/">Hacker holds onto ill-gotten gains thanks to US courts</a> [The Register, Feb 17 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-87: Hacker uses Insider information to gain on the stock exchange<br>
<b>WHID ID:</b> 2007-87<br>
<b>Date Occured:</b> 2/21/2008<br>
<b>Attack Method:</b> <br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>###
</p><p>Additional information:</p>
<ul>
<li><a href="http://jeremiahgrossman.blogspot.com/2008/02/it-pays-to-be-hacker.html">It pays to be a hacker</a> [Jeremiah Grossman, Feb 19 2008]</li>
<li><a href="http://www.nytimes.com/2008/02/15/business/15norris.html">Make Big Profits Illegally (and Maybe Keep Them, Too)</a> [New York Times (free subscription required), Feb 15 2008]</li>
<li><a href="http://www.theregister.co.uk/2008/02/19/insider_trading_catch22/">Hacker holds onto ill-gotten gains thanks to US courts</a> [The Register, Feb 17 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Ukraine<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-87: Hacker uses Insider information to gain on the stock exchange<br>
<b>WHID ID:</b> 2007-87<br>
<b>Date Occured:</b> 2/21/2008<br>
<b>Attack Method:</b> <br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>###
</p><p>Additional information:</p>
<ul>
<li><a href="http://jeremiahgrossman.blogspot.com/2008/02/it-pays-to-be-hacker.html">It pays to be a hacker</a> [Jeremiah Grossman, Feb 19 2008]</li>
<li><a href="http://www.nytimes.com/2008/02/15/business/15norris.html">Make Big Profits Illegally (and Maybe Keep Them, Too)</a> [New York Times (free subscription required), Feb 15 2008]</li>
<li><a href="http://www.theregister.co.uk/2008/02/19/insider_trading_catch22/">Hacker holds onto ill-gotten gains thanks to US courts</a> [The Register, Feb 17 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-87: Hacker uses Insider information to gain on the stock exchange<br>
<b>WHID ID:</b> 2007-87<br>
<b>Date Occured:</b> 2/21/2008<br>
<b>Attack Method:</b> <br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>###
</p><p>Additional information:</p>
<ul>
<li><a href="http://jeremiahgrossman.blogspot.com/2008/02/it-pays-to-be-hacker.html">It pays to be a hacker</a> [Jeremiah Grossman, Feb 19 2008]</li>
<li><a href="http://www.nytimes.com/2008/02/15/business/15norris.html">Make Big Profits Illegally (and Maybe Keep Them, Too)</a> [New York Times (free subscription required), Feb 15 2008]</li>
<li><a href="http://www.theregister.co.uk/2008/02/19/insider_trading_catch22/">Hacker holds onto ill-gotten gains thanks to US courts</a> [The Register, Feb 17 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-87: 7-Eleven Hack From Russia Led to ATM Looting in New York<br>
<b>WHID ID:</b> 2007-87<br>
<b>Date Occured:</b> September 2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> In his most-recent plea agreement, filed in court Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1” and “Hacker 2” in Gonzalez's plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.
The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.'s servers through 7-Eleven's public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”
<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.wired.com/threatlevel/2009/12/seven-eleven/<br>
<b>Attack Source Geography:</b> Russia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> $2000000<br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-86: Mac Blogs defaced using XSS<br>
<b>WHID ID:</b> 2007-86<br>
<b>Date Occured:</b> 2/17/2008<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> Global<br>
<b>Incident Description:</b> <p>The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS abusing a WordPress zero day bug. Secondly, it is a targeted attack aiming to deface only Mac-related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking Apple become a political issue? Was Apple transformed into a nation overnight? Well, certainly into a cult.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://xssworm.blogvis.com/27/xssworm/mac-sites-are-being-hacked-by-blackhat-xss-hackers/">Mac sites are being hacked by blackhat XSS hackers</a> [XSSworm, Nov 23 2007]</li>
<li><a href="http://www.theregister.co.uk/2007/11/27/mac_site_defacer/">Hacker defaces temples to OS X</a> [The Register, Nov 27 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-85: IndiaTimes.com Visitors Risk High Exposure To Malware<br>
<b>WHID ID:</b> 2007-85<br>
<b>Date Occured:</b> 2/17/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>The web site of a leading Indian newspaper is swamped with malware. A recent <a href="http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/">survey by WebSense</a> cited by The Register found that of the sites hosting malware, 51% were legitimate sites that have been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally, this undermines WebSense's own web site classification technology as a security solution.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=202804433">IndiaTimes.com Visitors Risk High Exposure To Malware</a> [Information Week, Nov 9 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-84: Soccer league&#39;s online shoppers get kicked by security breach<br>
<b>WHID ID:</b> 2007-84<br>
<b>Date Occured:</b> 2/10/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Sports<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>It is already February, and we still add 2007 incidents. If you wonder why, it is because organizations such as MLS only now find out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents were stolen from the site.</p>
<p>Why New Hampshire? Because the company has to report to the authorities there about the incidents, but only specify the number of individuals from this state affected. Why only New Hampshire? Since regulations and bills requiring disclosures exist in many states, one would expect that the company would have to provide such a testimonial in many states. This incident is another good example of the size of the hidden part of the iceberg.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;articleId=9061858&amp;taxonomyId=17&amp;intsrc=kc_top">Soccer league's online shoppers get kicked by security breach</a> [Computer World, Feb 8 2008]</li>
<li><a href="http://doj.nh.gov/consumer/pdf/MLSgear.pdf">MLSgear.com Notification to NH DOJ</a> [New Hampshire DOJ, Feb 1 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-83: More Social Security numbers leaked at Montana State University<br>
<b>WHID ID:</b> 2007-83<br>
<b>Date Occured:</b> 1/28/2008<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Again a Microsoft Excel file was left on a University's web site for anyone to view.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.montanasnewsstation.com/Global/story.asp?S=7321482&amp;nav=LpDb">More Social Security numbers leaked at MSU</a> [Montana's News Station, Nov 7 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-82: An SQL injection Mass Robot<br>
<b>WHID ID:</b> 2007-82<br>
<b>Date Occured:</b> 1/8/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for the name of the Chinese sites referred to in the malicious code.</p>
<p>As a security practitioner I often see SQL injection bots, many times when I install ModSecurity, an open source application firewall, but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a <a href="http://www.securityfocus.com/bid/21799/discuss">Cacti vulnerability</a>: since it allows an OS command to be issued I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into malicious code in the hope that it will be fetched and displayed by the application to its users.</p>
<p>A byproduct of this vector is that the results are catastrophic for the site owners. While in the case of common defacement attacks restoring (or recreating) the homepage is all that is required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backed up, requires much more expertise, the overall damage of this attack is very high.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=205600157&amp;pgno=2&amp;queryText">70,000 Web Pages Hacked By Database Attack</a> [Information Week, Jan 8 2008]</li>
<li><a href="http://isc.sans.org/diary.html?date=2008-01-04">Realplayer Vulnerability</a> [SANS Internet Storm Center, Jan 4 2008]</li>
<li><a href="http://www.heise-security.co.uk/news/101488">Massive embedded exploit web site attack underway</a> [Heise, Jan 8 2008]</li>
<li><a href="http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html">SQL Injection Attack Infects Thousands of Websites</a> [Ryan Barnett, Jan 8 2008]</li>
<li><a href="http://isc.sans.org/diary.html?storyid=3823&amp;rss">Mass exploits with SQL Injection</a> [SANS, Jan 9 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> China<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-81: MSNBC Turkish site caught serving malware<br>
<b>WHID ID:</b> 2007-81<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Turkey<br>
<b>Incident Description:</b> <p>Another Malware defacement, but this time at a very prominent web site: MSNBC Turkish edition. There are indications that this is an application layer attack.
</p><p>Additional information:</p>
<ul>
<li><a href="http://blogs.zdnet.com/security/?p=641">MSNBC Turkish site caught serving malware</a> [Zdnet, Nov 7 2007]</li>
<li><a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=817">Malicious Website / Malicious Code: MSNBC's Turkish site compromise</a> [WebSense, Nov 7 2007]</li>
<li><a href="http://isc.sans.org/diary.html?storyid=3621">yl18.net mass defacement </a> [SANS ISC, Nov 6 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-80: Vodafone blocks website after hacking<br>
<b>WHID ID:</b> 2007-80<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>Yet another defacement, but this time at a very major telecommunication provider in India. These are the guys in charge of our network after all!
</p><p>Additional information:</p>
<ul>
<li><a href="http://timesofindia.indiatimes.com/Lucknow/Vodafone_blocks_website_after_hacking/articleshow/2523834.cms">Vodafone blocks website after hacking</a> [Times of India, Nov 7 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites<br>
<b>WHID ID:</b> 2007-79<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>RBN was a big story. It was a hacker group that could work relatively freely in Russia due to rumored connections in high places. This way it could allow safe hosting for malware. To get people to the malware they penetrated web sites around the world, and the referenced article mentioned SQL injection as the method by which they infiltrated more high profile sites such as US government sites.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.news.com/Infamous-Russian-malware-gang-vanishes/2100-7355_3-6217852.html?part=rss&amp;tag=2547-1_3-0-5&amp;subj=news">Infamous Russian malware gang vanishes</a> [News.com, Nov 9 2008]</li>
<li><a href="http://www.grumpysecurityguy.com/governement-sql-injection/">US Gov sites Hacked with SQL Injection</a> [Bill Pennington, Nov 9 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Russia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-78: A Brazilian banking site allows users to view receipts intended for others<br>
<b>WHID ID:</b> 2007-78<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> Forceful Browsing<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Brazil<br>
<b>Incident Description:</b> <p>IDG Now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view transaction receipts of other unrelated users by changing the "receipt ID" on the form or URL.</p>
<p>Reported by Alexandre Sieira</p>
<p>Additional information:</p>
<ul>
<li><a href="http://translate.google.com/translate?u=http%3A%2F%2Fidgnow.uol.com.br%2Fseguranca%2F2007%2F01%2F29%2Fidgnoticia.2007-01-29.8751247129%2FIDGNoticia_view&amp;langpair=pt%7Cen&amp;hl=en&amp;ie=UTF-8">Unibanco tem brecha em sistema de comprovantes de transações online</a> [IDG Now (Google Translate), Jan 29 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack<br>
<b>WHID ID:</b> 2007-77<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html">HostGator: cPanel Security Hole Exploited in Mass Hack</a> [NetCraft, Sep 23 2007]</li>
<li><a href="http://news.netcraft.com/archives/2006/09/22/hacked_hostgator_sites_distribute_ie_exploit.html">Hacked HostGator Sites Distribute IE Exploit</a> [NetCraft, Sep 22 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> cPanel<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-76: A large web hosting firm inflicted by mass malware installation<br>
<b>WHID ID:</b> 2007-76<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The Washington Post ran a story about a large scale infiltration of IPower, a major hosting provider. According to the story and the following comments, it seems that the problem has been plaguing IPower for a long time without being resolved. Put this in perspective with the <a href="byid_id_2007-75.shtml">PlusNet incident</a>, which was serious but swiftly handled and publicly acknowledged by the company.</p>
<p>Actually the problem is so dominant that a recent <a href="http://stopbadware.org">StopBadware</a> report lists IPower as by far the most malware-infected hosting company. Reports mention that the problem started as early as mid 2006.
</p><p>The root cause of the breach here is mentioned as being a vulnerability in either Apache, PHP or cPanel. I have selected the third as being more probable until further evidence materializes.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://blog.washingtonpost.com/securityfix/2007/05/cyber_crooks_hijack_activities_1.html">Cyber Crooks Hijack Activities of Large Web-Hosting Firm</a> [Washington Post, May 23 2007]</li>
<li><a href="http://stopbadware.org/home/pr_050307">StopBadware.org Identifies Companies Hosting Large Numbers of Websites That Can Infect Internet Users With Badware</a> [StopBadware, May 4 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> cPanel<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-75: PlusNet blames itself for webmail spamfest<br>
<b>WHID ID:</b> 2007-75<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database including all e-mails. The e-mail addresses were actively used for sending spam. Additionally the exploit was used to plant malware on some of the customers' web sites.</p>
<p>This incident is unique since PlusNet has published a very interesting and revealing report about the incident that sheds a lot of light on the real-life state of application security. A must read.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2007/05/24/plusnet_takes_blame/">PlusNet blames itself for webmail spamfest</a> [News Story, May 24 2007]</li>
<li><a href="http://community.plus.net/comms/2007/05/23/webmail-incident-report/">Web mail Incident Report</a> [PlusNet, May 23 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients<br>
<b>WHID ID:</b> 2007-74<br>
<b>Date Occured:</b> 1/1/2008<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2007/09/19/layered_technologies_breach_disclosure/">Web host breach may have exposed passwords for 6,000 clients</a> [The Register, Sep 19 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Cerberus Helpdesk<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-73: Brokerage Firm Fined $375,000 for Unsecured Data<br>
<b>WHID ID:</b> 2007-73<br>
<b>Date Occured:</b> 12/26/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme.
The hackers used a SQL injection attack to obtain access to the company's database on Dec. 25 and 26, 2007.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.wired.com/threatlevel/2010/04/brokerage-firm-fined<br>
<b>Attack Source Geography:</b> Latvia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> $375000<br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-72: David Airey domains hijacked<br>
<b>WHID ID:</b> 2007-72<br>
<b>Date Occured:</b> 12/30/2007<br>
<b>Attack Method:</b> Domain Hijacking<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Fraud<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p><em><span style="text-decoration:underline">Update (Dec 30th 2008)</span></em></p>
<p>It seems that the original report was not accurate and it was not a CSRF vulnerability that was exploited. The mistake is reported by the victim in an imaginary <a href="http://www.davidairey.com/google-site-links-gmail-hack-search-penalty/">discussion with Google</a> blog post (search the page for XSRF) and by <a href="http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html">Google</a>. Google hints that it was a phishing attack, but David Airey is <a href="http://www.davidairey.com/google-gmail-phishing-scam/">not convinced</a>.</p>
<hr>
<p>Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However, the following story proves that no matter what, such vulnerabilities cannot be ignored.</p>
<p>The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving for a long vacation. The goal was to extort money in order to return the domain. In David's case there is a happy ending, as the attention he got helped him get his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker, who steals domains for a living, may not be as fortunate.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://blogs.securiteam.com/index.php/archives/1054">When fixing is not enough</a> [Securiteam, Dec 28 2007]</li>
<li><a href="http://www.davidairey.co.uk/google-gmail-security-hijack/">WARNING: Google's Gmail security failure leaves my business sabotaged</a> [David Airey, Dec 24 2007]</li>
<li><a href="http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/">Google GMail E-mail Hijack Technique</a> [GNUcitizen, Sep 25 2007]</li>
<li><a href="http://www.davidairey.com/david-airey-dot-com-restored/">Collective effort restores David Airey.com</a> [David Airey, Dec 27 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Iran<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-71: Hacker uses Social Security numbers from Ohio court site<br>
<b>WHID ID:</b> 2007-71<br>
<b>Date Occured:</b> 12/22/2007<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which is actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.</p>
<p>The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belongs to at least 270 people and includes the name, address, age and other information that could be used to obtain credit cards and open bank accounts.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.ohio.com/news/12763097.html">Hacker uses Social Security numbers from Ohio court site</a> [Ohio.com/AP, Dec 22 2007]</li>
<li><a href="http://www.dispatch.com/live/content/local_news/stories/2007/12/20/clerkh.html">Feds take over municipal court Web hacking probe</a> [Columbus Dispatch, Dec 20 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection<br>
<b>WHID ID:</b> 2007-70<br>
<b>Date Occured:</b> 12/20/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Just like <a href="byid.php?id=2007-60">WHID 2007-60</a>, this hack is probably representative of many other incidents. The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your soul" on the Web site of the police department in Tucson, Arizona. Unlike a regular defacement, however, this time it is not the front page but rather the news section that was modified.</p>
<p>As many of you know, the news section is one of the few database driven parts in many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2007/12/20/tuscon_police_website_defacement/">Indonesian hacker touches souls by bringing down police web site</a> [The Register, Dec 20 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Indonesia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-69: The Orkut XSS Worm<br>
<b>WHID ID:</b> 2007-69<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.gnucitizen.org/blog/the-orkut-xss-worm">The Orkut XSS Worm</a> [GNU Citizen, Dec 19 2007]</li>
<li><a href="http://antrix.net/journal/techtalk/orkut_xss.html">Orkut XSS</a> [Sounds From The Dungeon, Dec 19 2007]</li>
<li><a href="http://www.cgisecurity.com/2007/12/17">Orkut XSS worm in the wild</a> [CGI Security, Dec 19 2007]</li>
<li><a href="http://www.marrowbones.com/commons/technosocial/2007/12/orkut_worm_code_and_why_was_go.html#more">Orkut Worm Code (and why was Google so slow to respond?)</a> [TechnoSocial, Dec 19 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-67: The Day My Web Site Was Hacked<br>
<b>WHID ID:</b> 2007-67<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>In an incident very similar to the <a href="byid.php?id=2007-61">Al Gore Hack</a>, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.itweek.co.uk/itweek/comment/2205891/day-web-site-hacked-3714596">The day my web site was hacked</a> [IT Week, Dec 17 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site<br>
<b>WHID ID:</b> 2007-66<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>To iframe or not to iframe, this is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising and WHID is not the right place to list all of them. We currently report such incidents if the hacked site is of interest or if the Attack_Method is known.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.portalit.net/fullnews_hacker-conquer-french-embassy-in-libya-webiste_712.html">Hacker Conquer French Embassy In Libya Webiste</a> [Portalit, Dec 14 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-65: Facebook suing a porn site over automated access<br>
<b>WHID ID:</b> 2007-65<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from using valuable resources, such automated access may breach the site's usage license for public information and might also indicate unlawful activity such as using a botnet. Many times it is hard to know if such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler.</p>
<p>Going forward we are going to add such incidents to WHID if there is a reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a lawsuit implies that there is fire behind the smoke.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://docs.justia.com/cases/federal/district-courts/california/candce/5:2007cv03404/193531/17/0.pdf">Facebook vs. John Doe</a> [US District Court, San Jose, CA, Oct 23 2007]</li>
<li><a href="http://www.theregister.co.uk/2007/12/17/facebook_hack_attack_lawsuit/">Facebook sues Canadian smut firm over hacking</a> [The Register, Dec 17 2007]</li>
<li><a href="http://www.thestar.com/article/286091">Facebook suing Ontario porn firm</a> [The Star, Dec 16 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-64: Information about Duke&#39;s Students and Applicants Stolen<br>
<b>WHID ID:</b> 2007-64<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.upi.com/NewsTrack/Top_News/2007/12/05/hacker_may_have_stolen_duke_students_data/2789/">Hacker may have stolen Duke students' data</a> [UPI, Dec 5 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German subsidiary<br>
<b>WHID ID:</b> 2007-63<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Germany<br>
<b>Incident Description:</b> <p>An unidentified group had stolen credit card numbers and billing addresses of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.heise.de/english/newsticker/news/96992">Theft of credit card data affects tens of thousands of Kartenhaus customers</a> [Heise, Oct 5 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-62: A security flaw in Passport Canada&#39;s website<br>
<b>WHID ID:</b> 2007-62<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Forceful Browsing<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Canada<br>
<b>Incident Description:</b> <p>The Web site of the Canadian passports authority enables users to access others' records by modifying the value of a parameter in the URI.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theglobeandmail.com/servlet/Page/document/v5/content/subscribe?user_URL=http://www.theglobeandmail.com%2Fservlet%2Fstory%2FRTGAM.20071204.wpassport1204%2FBNStory%2FNational%2Fhome&amp;ord=258556&amp;brand=theglobeandmail&amp;force_login=true">Passport applicant finds massive privacy breach</a> [The Globe and Mail, Dec 4 2007]</li>
<li><a href="http://www.cbc.ca/canada/ottawa/story/2007/12/04/passport-security.html">Passport Canada strengthens online security following breach</a> [CBC, Dec 4 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-61: Another inconvenient truth: Al Gore&#39;s Web site hacked<br>
<b>WHID ID:</b> 2007-61<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Whether comment spam by itself is an application failure or a necessary evil for sites allowing rich comments is an open question. However, it is reported that in this case a vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages and not just abuse comments.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcworld.com/article/id,139945-pg,1/article.html">Another inconvenient truth: Al Gore's Web site hacked</a> [PC World, Nov 26 2007]</li>
<li><a href="http://blog.wired.com/business/2007/11/blog-link-spam.html">Blog Link Spam Claims Another Victim: Al Gore</a> [Wired, Nov 27 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-60: The blog of a Cambridge University security team hacked<br>
<b>WHID ID:</b> 2007-60<br>
<b>Date Occured:</b> 12/19/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature rich and free. It gives us access to tools that only a couple of years ago were available to a few. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as <a href="http://www.phpbb.com">phpBB</a> and <a href="http://www.wordpress.org">WordPress</a> are good examples of very popular open source systems that require constant attention in order to remain secure.</p>
<p>I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don't have the time. They made the compromise between ease of management of their web site and its security. Actually my <a href="http://blog.shezaf.com">personal blog</a> might be just as vulnerable, since as I write this I am very much not paying attention to its security.</p>
<p>Apart from, or actually because of the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:</p>
<ul>
<li>Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using an as yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.</li>
<li>The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted password lookup.</li>
</ul>
<p>Additional information:</p>
<ul>
<li><a href="http://www.lightbluetouchpaper.org/2007/10/27/upgrade-and-new-theme/">Upgrade and new theme</a> [Light Blue Touchpaper Blog, Oct 27 2007]</li>
<li><a href="http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/">Google as a password cracker</a> [Light Blue Touchpaper Blog, Nov 16 2007]</li>
<li><a href="http://blogs.guardian.co.uk/technology/2007/11/23/forgotten_your_password_google_can_find_it_for_you_unfortunately.html">Forgotten your password? Google can find it for you. Unfortunately</a> [Technology Guardian, Nov 23 2007]</li>
<li><a href="http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/">Wordpress cookie authentication vulnerability</a> [Light Blue Touchpaper Blog, Nov 20 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-59: Hackers jack Monster.com, infect job hunters<br>
<b>WHID ID:</b> 2007-59<br>
<b>Date Occured:</b> 11/21/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9048019">Hackers jack Monster.com, infect job hunters</a> [Computer World, Nov 20 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack<br>
<b>WHID ID:</b> 2007-58<br>
<b>Date Occured:</b> 11/7/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Vertical Web Media, publisher of Internet Retailer magazine, suffered a security <a href="http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_server/breach" title="http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_server/breach">http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_se...</a> and credit card information of readers was stolen. The irony is that Internet Retailer magazine covers the risks of e-commerce.</p>
<p>While the actual technique used is not known, signs are that it was a web hack as it was done by a distributed network of bots all over the world and since the information stolen belonged to customers who paid online.</p>
<p>The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The Number_of_Records stolen is unknown.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://publications.mediapost.com/index.cfm?fuseaction=Articles.showArticleHomePage&amp;art_aid=67559">Internet Retailer Publisher Victim Of Customer File Hack</a> [NBC.com, Sep 18 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-57: New Zealand&#39;s Government Web Sites Attacked And Information Stolen<br>
<b>WHID ID:</b> 2007-57<br>
<b>Date Occured:</b> 11/7/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> New Zealand<br>
<b>Incident Description:</b> <p>An attack on New Zealand government web sites required New Zealand Prime Minister Helen Clark to comment and assure the public that no confidential information was stolen. However, official sources in New Zealand confirm that attacks were carried out by unnamed, but known, foreign governments on New Zealand government web sites and resulted in the theft of information.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.nzherald.co.nz/section/story.cfm?c_id=5&amp;objectid=10462899">No classified data lost in cyber attacks - Clark</a> [The New Zealand Herald, Sep 11 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-56: TJMaxx XSS Vulnerability<br>
<b>WHID ID:</b> 2007-56<br>
<b>Date Occured:</b> 11/7/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A small XSS vulnerability caught RSnake's eye. What makes it different? After all, xssed.com lists thousands and thousands of those. What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.
</p><p>Additional information:</p>
<ul>
<li><a href="http://ha.ckers.org/blog/20070923/tjmaxx-xss-vulnerability/">TJMaxx XSS Vulnerability</a> [Robert Hansen (RSnake), Sep 23 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-55: Malicious Code Infects Chinese Security Site<br>
<b>WHID ID:</b> 2007-55<br>
<b>Date Occured:</b> 11/7/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> China<br>
<b>Incident Description:</b> <p>Defacements are a dime a dozen these days, and are not normally reported by WHID. Even invisible defacements in which sites are changed in order to infect their clients with malicious code are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in the light of the hot debate about China as the source of all hacking, we think that this story has value.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcworld.com/article/id,138006-c,hackers/article.html">Malicious Code Infects Chinese Security Site</a> [PC World, Oct 3 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-54: Mistake Left Constables Open To ID theft<br>
<b>WHID ID:</b> 2007-54<br>
<b>Date Occured:</b> 11/7/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>An Excel spreadsheet was published on containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, identities of 3 officers were stolen.</p>
<p>While the information was pulled offline after a short period of time, it remained in the cache of several major search engines.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://nl.newsbank.com/nl-search/we/Archives?p_product=YKDB&amp;p_theme=ykdb&amp;p_action=search&amp;p_maxdocs=200&amp;s_dispstring=headline(Mistake%20left%20constables%20open%20to%20ID%20theft)%20AND%20date(2007)&amp;p_field_date-0=YMD_date&amp;p_params_date-0=date:B,E&amp;p_text_date-0=2007&amp;p_field_advanced-0=title&amp;p_text_advanced-0=(">Mistake left constables open to ID theft -- Clerk of Courts posted Social Security numbers online</a> [York Dispatch, Sep 17 2007]</li>
<li><a href="http://breachblog.com/2007/09/18/yorkcountybreach.aspx">Cache Comes Back to Bite York County Constables</a> [The Breach Blog, Sep 18 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-53: Google&#39;s Advanced Search Operators Abused by Spammers<br>
<b>WHID ID:</b> 2007-53<br>
<b>Date Occured:</b> 11/7/2007<br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Link Spam<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> Global<br>
<b>Incident Description:</b> <p>While most WHID entries are about web site breaches, sometimes a vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. They allow them to include an honest-looking URL in their e-mail, this way bypassing spam filters and observant users.</p>
<p>The Symantec response team found an actively used alternative in the best known page on the internet: Google's primary search page. By using Google's famous "I feel lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.</p>
<p>This method has another advantage over a redirection page: the final target is specified by a search string and not by a URL, bypassing smarter filters that know, or learn, that a URL as a parameter of a URL is most probably a redirection.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.symantec.com/enterprise/security_response/weblog/2007/11/googles_advanced_search_operat.html/">Google's Advanced Search Operators Abused by Spammers</a> [Symantec Response Team, Nov 2 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-52: Hacker halts Rivkin auction of 37 watches<br>
<b>WHID ID:</b> 2007-52<br>
<b>Date Occured:</b> 11/5/2007<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> <p>It seems that there is a new trend of disrupting online bidding using denial of service attacks. In this case, an auction for 37 very expensive watches was halted 20 minutes before the end as the site crashed, in what official sources describe as a hacker attack that did not result in a site compromise.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.news.com.au/heraldsun/story/0,21985,22703750-662,00.html">Hacker halts Rivkin auction of 37 watches</a> [Herald Sun, Nov 5 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-51: 570 Scarborough &amp; Tweed customers&#39; personal information accessed by SQL injection<br>
<b>WHID ID:</b> 2007-51<br>
<b>Date Occured:</b> 11/4/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The web servers of Scarborough &amp; Tweed, a company that sells corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers&#39; names, addresses, telephone numbers, account numbers, and credit card numbers.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pogowasright.org/article.php?story=20071103140620396">570 Scarborough &amp; Tweed customers&#39; personal information accessed by SQL injection</a> [PogoWasRight.Org, Nov 3 2007]</li>
<li><a href="http://doj.nh.gov/consumer/pdf/ScarboroughTweed.pdf">Scarborough &amp; Tweed</a> [State of New Hampshire, Oct 26 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-50: Art.com says hacker accessed names, credit cards<br>
<b>WHID ID:</b> 2007-50<br>
<b>Date Occured:</b> 10/29/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Global<br>
<b>Incident Description:</b> <p>A hacker gained access to names and encrypted credit card numbers held by Art.com. While the reason is not known, the information is known to belong to online shoppers who made transactions from July to September, so we assume it was a web site breach.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.marketwatch.com/news/story/artcom-inc-hacker-accessed-some/story.aspx?guid=%7BAF391148-394C-4ED4-B9A0-01C7D2451E25%7D&amp;dist=hplatest">Art.com says hacker accessed names, credit cards</a> [MarketWatch, Oct 28 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-49: Hackers Block Sale of Colorado Rockies World Series Tickets<br>
<b>WHID ID:</b> 2007-49<br>
<b>Date Occured:</b> 10/25/2007<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Loss of Sales<br>
<b>Attacked Entity Field:</b> Sports<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The site of the Rockies was taken down by a denial of service attack, preventing fans from buying tickets for the World Series games.
</p><p><br>As with any DDoS attack, it is very hard to know if it was an application layer or network layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserves a place in WHID.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.associatedcontent.com/article/424906/hackers_block_sale_of_colorado_rockies.html">Hackers Block Sale of Colorado Rockies World Series Tickets</a> [Associated Content, Oct 24 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-48: MSU investigating hacking incident<br>
<b>WHID ID:</b> 2007-48<br>
<b>Date Occured:</b> 10/17/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Information including the birth dates and social security numbers of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.montanasnewsstation.com/Global/story.asp?S=7220235&amp;nav=menu227_3">MSU investigating hacking incident</a> [Montana's News Station, Oct 16 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-47: Commerce Bank, a US regional bank, hacked<br>
<b>WHID ID:</b> 2007-47<br>
<b>Date Occured:</b> 10/12/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. The record is therefore uncertain and, based on further information, might be withdrawn.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2007/10/11/commerce_bank_hack/">US regional bank hacked</a> [The Register, ]</li>
<li><a href="http://columbiatribune.com/2007/Oct/20071010Busi001.asp">Customer information compromised at bank</a> [Columbia Tribune, Oct 10 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months<br>
<b>WHID ID:</b> 2007-46<br>
<b>Date Occured:</b> 10/11/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.patriotledger.com/articles/2007/10/09/news/news01.txt">School Web site breached? Personal info of Pembroke workers, volunteers accessible for months</a> [Patriot Ledger, Oct 11 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-45: XSS flaw makes PM say: &quot;I want to suck your blood&quot;<br>
<b>WHID ID:</b> 2007-45<br>
<b>Date Occured:</b> 10/10/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> <p>Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.builderau.com.au/news/soa/XSS-flaw-makes-PM-say-I-want-to-suck-your-blood-/0,339028227,339282682,00.htm">XSS flaw makes PM say: "I want to suck your blood"</a> [Builder.AU, Oct 9 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out<br>
<b>WHID ID:</b> 2007-44<br>
<b>Date Occured:</b> 10/10/2007<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A hacker exploited a leftover admin function on eBay to block users and close sales.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcworld.com/article/id,138193-c,hackers/article.html">Hacker Breaks Into eBay Server, Locks Users Out</a> [PC World, Oct 8 2007]</li>
<li><a href="http://www.auctionbytes.com/cab/abn/y07/m10/i09/s01">eBay Explains Security Hole Used by Hacker</a> [AuctionBytes, Oct 9 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-43: Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight<br>
<b>WHID ID:</b> 2007-43<br>
<b>Date Occured:</b> 9/3/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Spain<br>
<b>Incident Description:</b> <p>Yet another defacement, and as usual in the political arena. However, this one is worth a note as the attack is very targeted, while usually such political defacements are carried out quite randomly against sites loosely related to the opponent and usually have little to do with the actual message the attackers want to convey. In this case the defacement seems to be a direct response to the hot debate about housing prices in Spain.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.typicallyspanish.com/news/publish/article_12212.shtml">Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight</a> [Typically Spanish, Aug 30 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-42: Bank of India seriously compromised<br>
<b>WHID ID:</b> 2007-42<br>
<b>Date Occured:</b> 9/3/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>This very serious hacking incident provides insight into a lot of the failures of information security in general and web application security in particular, beyond the simple fact that the web site of the largest state-owned bank in India was invisibly defaced with Trojan-inflicting code.</p>
<p>Firstly, the entire discussion in the references is about the Trojan payload, with no word about the vulnerability that led to the defacement. Actually, a reviewer on the SiteAdvisor report gives the green mark to the web site after the Trojan is removed, without requiring any information about the actual problem.</p>
<p>Secondly, most trust systems, including SiteAdvisor, completely fail to detect the breach. This makes me think about those trust models: they check that the site was not breached, while they should check that the site is not vulnerable. I guess the reason is that their primary goal is to detect intentionally malicious sites and not breaches in normative sites, but others use them to assess the level of security of the latter.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://sunbeltblog.blogspot.com/2007/08/breaking-bank-of-india-seriously.html">Breaking: Bank of India seriously compromised</a> [Sunbelt Blog, Sep 2 2007]</li>
<li><a href="http://www.siteadvisor.com/sites/bankofindia.com">McAfee SiteAdvisor</a> [McAfee, ]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-41: Hackers hit New Zealand Herald website<br>
<b>WHID ID:</b> 2007-41<br>
<b>Date Occured:</b> 9/2/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Still defacement but this time with a twist. This was a genuine XSS rewriting attack, and was carried out by well known people as a stunt. No information is provided on how the XSS vector found its way to the victim computers.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.stuff.co.nz/stuff/4182914a28.html">Hackers hit New Zealand Herald website</a> [Stuff, Aug 29 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-40: County&#39;s Web site hacked; no data lost<br>
<b>WHID ID:</b> 2007-40<br>
<b>Date Occured:</b> 9/2/2007<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem and that it is a problem mainly at government sites across the world.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.journalgazette.net/apps/pbcs.dll/article?AID=/20070828/LOCAL/708280400/1002/LOCAL">County's Web site hacked; no data lost</a> [Journal Gazette, Aug 28 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-39: Hacker sabotages Peru president&#39;s Web site<br>
<b>WHID ID:</b> 2007-39<br>
<b>Date Occured:</b> 8/30/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> Peru<br>
<b>Incident Description:</b> <p>Defacements seem to be starting to dominate this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major goal of attacking: politics and international affairs. <br>As a side note, this incident is also interesting because it was repeated after it was discovered and presumably fixed, which goes a long way to show how much effort there is in protecting web sites and how difficult it can be.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.metimes.com/storyview.php?StoryID=20070726-053627-3518r">Hacker sabotages Peru president's Web site</a> [Middle East Times, Jul 26 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-38: Gentoo takes server offline due to security vulnerabilities<br>
<b>WHID ID:</b> 2007-38<br>
<b>Date Occured:</b> 8/30/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>This gem is very interesting since it happened on Gentoo servers. It therefore combines the transparency into the incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, exploit attempts and even people shouting at each other during the patching process. <br>What can we learn from this? That no server is secure, and that patching is hard.
</p><p>Additional information:</p>
<ul>
<li><a href="https://bugs.gentoo.org/show_bug.cgi?id=187971">Bugzilla Bug 187971 - Gentoo Website Command Injection Issue</a> [Gentoo, Aug 7 2007]</li>
<li><a href="http://www.gentoo.org/proj/en/infrastructure/nuthatch-writeup/">Analysis and Timeline of the Nuthatch exploitation attempts</a> [Gentoo, ]</li>
<li><a href="http://www.gentoo.org/proj/en/infrastructure/nuthatch-writeup/apache-log-extract.txt">Log of all usages of the exploit</a> [Gentoo, ]</li>
<li><a href="http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_server/">Gentoo cuts key parts of itself from net for its own good</a> [The Register, Aug 17 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-37: United Nations VS SQL Injections<br>
<b>WHID ID:</b> 2007-37<br>
<b>Date Occured:</b> 8/13/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> United Nations<br>
<b>Incident Description:</b> <p>Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.</p>
<p>The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique, and the referenced article has all the details.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/">United Nations VS SQL Injections</a> [Hackademix, Aug 12 2007]</li>
<li><a href="http://news.bbc.co.uk/2/hi/technology/6943385.stm">UN's website breached by hackers</a> [BBC, Aug 13 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-36: Server hacked through holes in Confixx management software<br>
<b>WHID ID:</b> 2007-36<br>
<b>Date Occured:</b> 8/12/2007<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> Service Providers<br>
<b>Attacked Entity Geography:</b> Germany<br>
<b>Incident Description:</b> <p>A command injection vulnerability at 1&amp;1, a large German hosting provider, led to denial of service and possible home page modification at 30 servers and up to 1700 web sites. </p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.heise-security.co.uk/news/93642">Server hacked through holes in Confixx management software</a> [Heise Security, Aug 1 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> Confixx<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-35: Data lapse involved 51,000 at a hospital<br>
<b>WHID ID:</b> 2007-35<br>
<b>Date Occured:</b> 7/30/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.indystar.com/apps/pbcs.dll/article?AID=2007707250428">Data lapse involved 51,000, St. Vincent says</a> [Indy Star, Jul 25 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-34: Fox News leaks secret files<br>
<b>WHID ID:</b> 2007-34<br>
<b>Date Occured:</b> 7/25/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Fox News left non-public files in a directory accessible to everyone on their web server.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.0x000000.com/?i=398">Foxnews File Disclosure</a> [The Hacker Webzine, Jul 23 2007]</li>
<li><a href="http://www.theinquirer.net/default.aspx?article=41187">Fox News leaks secret files</a> [The Inquirer, Jul 24 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-33: THAILAND: ICT Ministry website sabotaged by hacker<br>
<b>WHID ID:</b> 2007-33<br>
<b>Date Occured:</b> 7/22/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> Thailand<br>
<b>Incident Description:</b> <p>While defacements are usually not the bread and butter of this database, when one hits an important government site, especially that of a ministry in charge of information technology, it is worth mentioning.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.asiamedia.ucla.edu/article.asp?parentid=74329">THAILAND: ICT Ministry website sabotaged by hacker</a> [Bangkok Times, Jul 20 2007]</li>
<li><a href="http://64.233.183.104/search?q=cache:4emUUaBp2L8J:www.asiamedia.ucla.edu/article.asp%3Fparentid%3D74329+www.asiamedia.ucla.edu/article.asp%3Fparentid%3D74329&amp;hl=en&amp;ct=clnk&amp;cd=1&amp;client=firefox-a">Cached Version</a> [Bangkok Times (Google Cache), Jul 20 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-32: XSS vulnerability on various German online banking sites<br>
<b>WHID ID:</b> 2007-32<br>
<b>Date Occured:</b> 7/1/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> Germany<br>
<b>Incident Description:</b> <p>I seldom add disclosures anymore to WHID, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/fulldisclosure/2007/May/0274.html">XSS vulnerability on various german online banking sites</a> [Full Disclosure, May 17 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-31: Hackers Make Off With Personal Info On Applicants At UC Davis<br>
<b>WHID ID:</b> 2007-31<br>
<b>Date Occured:</b> 7/1/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Somebody snitched names, Social Security numbers and birth dates of approximately 1500 students at the vet school of UC Davis. Indications are that the web application used by the students was at fault. The school's web site described the incident as a result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.informationweek.com/industries/showArticle.jhtml?articleID=200001374">Hackers Make Off With Personal Info On Applicants At UC Davis</a> [Information Week, Jun 28 2007]</li>
<li><a href="http://www.vetmed.ucdavis.edu/computer%5Fsecurity/">UC Davis Vet School Web Site</a> [UC Davis, Jun 28 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-30: Microsoft UK site defaced<br>
<b>WHID ID:</b> 2007-30<br>
<b>Date Occured:</b> 7/1/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> UK<br>
<b>Incident Description:</b> <p>Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcworld.com/article/id,133583-c,hackers/article.html">Microsoft.co.uk Succumbs to SQL Injection Attack</a> [PC World, Jun 29 2007]</li>
<li><a href="http://www.zone-h.org/content/view/14780/31/">Microsoft Defaced, again!</a> [Zone-H, Jun 27 2007]</li>
<li><a href="http://www.unbase.com/n/5725974396">Video Recording of the Attack</a> [Hacker, Jun 27 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-29: Teen arrested for hacking Belgian police website<br>
<b>WHID ID:</b> 2007-29<br>
<b>Date Occured:</b> 6/26/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> Belgium<br>
<b>Incident Description:</b> <p>As you may know, defacements usually do not find their way to WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I thought it was worth including.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.physorg.com/news101998423.html">Teen arrested for hacking Belgian police website</a> [Physorg.org, Jun 25 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-28: US Embassy probes hacking of online visa appointment system<br>
<b>WHID ID:</b> 2007-28<br>
<b>Date Occured:</b> 6/17/2007<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>If you live in a country from which you need a visa to get to the States, you knew this would happen. The US online visa appointment system is very open. Indeed too open. Someone in Jamaica took advantage of this to pre-allocate appointments.
</p><p><br>While this might be classified as a business process design flaw, isn't security also about this?
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.rjr94fm.com/news/story.php?category=2&amp;story=36819">US Embassy probes hacking of online visa appointment system</a> [RJR 94FM, Jun 13 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-27: Files From Google On the Streets<br>
<b>WHID ID:</b> 2007-27<br>
<b>Date Occured:</b> 6/12/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Google left some files at the wrong place at the wrong time. These files include, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.0x000000.com/?i=319">Breaking News: Files From Google On the Streets</a> [The Hacker Webzine, May 30 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-26: $1,000,000 CNBC stock trading contest hacked<br>
<b>WHID ID:</b> 2007-26<br>
<b>Date Occured:</b> 6/12/2007<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Session Expiration<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to buy a stock before closing and issuing the transaction, at the set price, only after closing, when more information is already available.
</p><p><br>The interesting anecdote is that the person who discovered the issue has used a different, but also questionable technique of maintaining a very large number of portfolios automatically managed by automated programs using the fact that the game allowed a user to have any number of portfolios but only the best one is counted. Kosher, but stinks.
</p><p><br>This story recalls <a href="http://www.webappsec.org/projects/whid/list_id_2005-36.shtml">an older story</a> about a predictable delay in a poker game that enabled gamblers to beat the house.
</p><p>Additional information:</p>
<ul>
<li><a href="http://jeremiahgrossman.blogspot.com/2007/06/1000000-cnbc-stock-trading-contest.html">$1,000,000 CNBC stock trading contest hacked</a> [Jeremiah Grossman, Jun 11 2007]</li>
<li><a href="http://www.businessweek.com/bwdaily/dnflash/content/jun2007/db20070607_007145.htm">CNBC's Easy Money</a> [Business Week, Jun 7 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident<br>
<b>WHID ID:</b> 2007-25<br>
<b>Date Occured:</b> 6/12/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Personal information records of approximately 1100 students and faculty members, which include Social Security numbers, were exposed by a vulnerable web application at the Molecular and Cellular Biology program at the University of Iowa. The report suggests that the application was actually compromised.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://news-releases.uiowa.edu/2007/june/060807website-breach.html">UI Notifies Graduate Program Students, Faculty About Security Breach</a> [Univ. Of Iowa, May 19 2007]</li>
<li><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=199903218">Two Universities Hit By Security Breaches</a> [Information Week, Jun 11 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia<br>
<b>WHID ID:</b> 2007-24<br>
<b>Date Occured:</b> 6/12/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, Social Security numbers and birth dates of faculty members from May 2005 until April of 2007. Approximately 5700 records were stolen in 54 distinct break-ins.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyId=17&amp;articleId=9024279&amp;intsrc=hm_topic">Hackers access personal info on faculty members at Univ. of Virginia</a> [Computer World, Jun 11 2007]</li>
<li><a href="http://www.informationweek.com/software/showArticle.jhtml?articleID=199903218&amp;cid=RSSfeed_IWK_News">Two Universities Hit By Security Breaches</a> [Information Week, Jun 11 2007]</li>
<li><a href="http://www.virginia.edu/uvatoday/newsRelease.php?id=2217">U.Va. Faculty Names, SSN Security Breach</a> [Univ. of Va., Jun 8 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-23: Office of Nation&#39;s Top Spy Inadvertently Reveals Key to Classified National Intel Budget<br>
<b>WHID ID:</b> 2007-23<br>
<b>Date Occured:</b> 6/12/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available earlier, the total number can be calculated.
</p><p><br>This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thespywhobilledme.com/the_spy_who_billed_me/2007/06/exclusive_offic.html">Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget</a> [The Spy Who Billed Me, Jun 3 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-22: Hacking of CM&#39;s website: Interpol&#39;s help sought<br>
<b>WHID ID:</b> 2007-22<br>
<b>Date Occured:</b> 6/12/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> India<br>
<b>Incident Description:</b> <p>The web site of the chief minister of Kerala (an Indian state) was hacked and defaced. The local police have contacted Interpol for help in finding who is behind the web site hacking.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.newindpress.com/NewsItems.asp?ID=IEO20070609142217&amp;Page=O&amp;Title=Thiruvananthapuram&amp;Topic=0">Hacking of CM's website: Interpol's help sought</a> [NewindPress, Jun 10 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-21: Belgian Defense Ministry site defaced by Turks<br>
<b>WHID ID:</b> 2007-21<br>
<b>Date Occured:</b> 5/17/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Security &amp; Law Enforcement<br>
<b>Attacked Entity Geography:</b> Belgium<br>
<b>Incident Description:</b> <p>The site of the Belgian Defense Ministry was defaced by Turks protesting pro-Kurdish remarks by the Belgian government.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.armenian.ch/forum/phpBB2/viewtopic.php?=&amp;p=10536">Belgian defense ministry web site remains off line after weekend hacking</a> [Associated Press, Jan 15 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Turkey<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-20: Pirate Bay breach leaks database<br>
<b>WHID ID:</b> 2007-20<br>
<b>Date Occured:</b> 5/14/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Internet<br>
<b>Attacked Entity Geography:</b> Sweden<br>
<b>Incident Description:</b> <p>Pirate Bay is a BitTorrent information exchange blog site. Hackers used an SQL Injection vulnerability in the web site to steal 1.6 million users and passwords of the site. At least the passwords were hashed, which means that the hacker would need cracking software and only the lame passwords will be found.<br>This incident highlights the Web authentication problem. Just think how many of those users use the same username and password on many other sites.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/brief/499">Pirate Bay breach leaks database</a> [Security Focus, May 14 2007]</li>
<li><a href="http://thepiratebay.org/blog/68">User data stolen but not unsecured</a> [Pirate Bay, May 11 2007]</li>
<li><a href="http://www.theinquirer.net/default.aspx?article=39604">Pirate Bay says stolen database safe</a> [The Inquirer, May 14 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-19: Hacker accessed data at University of Missouri<br>
<b>WHID ID:</b> 2007-19<br>
<b>Date Occured:</b> 5/9/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.msnbc.msn.com/id/18561756/">Hacker accessed data at University of Missouri</a> [MSNBC, May 8 2007]</li>
<li><a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=cybercrime_and_hacking&amp;articleId=9018982&amp;taxonomyId=82&amp;intsrc=kc_top">One-at-a-time hacker grabs 22,000 IDs from Univ. of Missouri</a> [Computerworld, May 9 2007]</li>
<li><a href="http://doit.missouri.edu/computersecurity/">May 2007 Security Incident</a> [University of Missouri, May 8 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-18: Microsoft.com defaced<br>
<b>WHID ID:</b> 2007-18<br>
<b>Date Occured:</b> 5/6/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>This incredible story from our friends at Zone-H sheds light on one of those defacement attacks, which usually go unexplained. This time an infamous Saudi-Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: A login form SQL injection!
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.zone-h.org/content/view/14734/31/">Microsoft.com defaced</a> [zone-H, May 3 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Saudi Arabia<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-17: Big Brother&#39;s big bother<br>
<b>WHID ID:</b> 2007-17<br>
<b>Date Occured:</b> 4/26/2007<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Media<br>
<b>Attacked Entity Geography:</b> Australia<br>
<b>Incident Description:</b> <p>The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users since the session ID pool was exhausted. Naturally, the 2nd person to get the same session ID got to see all the details of the 1st one!
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theage.com.au/news/tv--radio/porn-privacy-glitches-hit-big-bro/2007/04/23/1177180548617.html">Porn and privacy: Big Brother's big bother</a> [The Age, Apr 23 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed<br>
<b>WHID ID:</b> 2007-16<br>
<b>Date Occured:</b> 4/23/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Details about 63,000 loans granted to farmers by the USDA (the US Department of Agriculture) were posted online by mistake.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.axcessnews.com/index.php/articles/show/id/10832">USDA admits data breach, thousands of social security numbers revealed</a> [Axcess News, Apr 23 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-15: High School Hackers Cancel School With Fake Snow Day<br>
<b>WHID ID:</b> 2007-15<br>
<b>Date Occured:</b> 4/5/2007<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Two girls modified a school's home page by adding a note that school was closed due to a snow storm. The attack was probably done using a rogue admin account.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.firstcoastnews.com/news/strange/news-article.aspx?storyid=75657">High School Hackers Cancel School With Fake Snow Day</a> [http://www.firstcoastnews.com/news/strange/news-article.aspx?storyid=75657, Feb 9 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-14: Your Free MacWorld Expo Platinum Pass<br>
<b>WHID ID:</b> 2007-14<br>
<b>Date Occured:</b> 4/2/2007<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Loss of Sales<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A priority code, used to get a free platinum pass to MacWorld Expo, was validated on the client, which enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others had abused the vulnerability without letting anyone know about it.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/2100-1002_3-6149994.html?part=rss&amp;tag=2547-1_3-0-5&amp;subj=news">Macworld crack offers VIP passes, hacker says</a> [CNet, Jan 12 2007]</li>
<li><a href="http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html">Your Free MacWorld Expo Platinum Pass (valued at $1,695)</a> [Grutz, Jan 11 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-13: Hackers hit Georgia Tech and steal personal info<br>
<b>WHID ID:</b> 2007-13<br>
<b>Date Occured:</b> 4/2/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The personal information of about 3,000 current and former Georgia Tech employees may have been compromised. The information included names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://atlanta.bizjournals.com/atlanta/stories/2007/02/19/daily20.html?t=printable">Hackers hit Georgia Tech and steal personal info</a> [Atlanta Business Chronicle, Feb 21 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-12: SQL injection at knorr.de login page<br>
<b>WHID ID:</b> 2007-12<br>
<b>Date Occured:</b> 4/2/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> Germany<br>
<b>Incident Description:</b> <p>While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities have disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they exist.
</p><p>Additional information:</p>
<ul>
<li><a href="http://blog.gjl-network.net/blog/index.php?/archives/78-Knorr.de-SQL-Injection-and-XSS-Vulnerabilities.html">Knorr.de SQL Injection and XSS Vulnerabilities</a> [Sebastian Bauer, Mar 2 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-11: Nokia defaced by XSS<br>
<b>WHID ID:</b> 2007-11<br>
<b>Date Occured:</b> 3/30/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Technology<br>
<b>Attacked Entity Geography:</b> Canada<br>
<b>Incident Description:</b> <p>Nokia's Canadian Web Site was defaced using an XSS attack.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.mad4mobilephones.com/news/383/">Nokia website hacked</a> [Mad4mobilephones, Jan 29 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-10: Super Bowl Site Hacked with Trojan, Key logger<br>
<b>WHID ID:</b> 2007-10<br>
<b>Date Occured:</b> 3/30/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> Sports<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Hackers penetrated the Dolphins stadium web site just days before the Super Bowl was held there and modified the home page to include a script that infects visitors with a Trojan.
</p><p>Additional information:</p>
<ul>
<li><a href="http://cbs.sportsline.com/nfl/story/9971314">Hacker installs malicious code on Dolphin Stadium website</a> [CBS/AP, Feb 2 2007]</li>
<li><a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733">Malicious Website: Super Bowl XLI / Dolphin Stadium</a> [WebSense, Feb 2 2007]</li>
<li><a href="http://eset.com/threat-center/blog/?p=39">Super Bowl Dolphin Stadium Website Trojan</a> [eSet, Feb 2 2007]</li>
<li><a href="http://www.securityfocus.com/brief/473">Chinese servers host malicious cursor attacks</a> [Security Focus, Mar 30 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-09: Former Fruit of the Loom workers&#39; identities compromised<br>
<b>WHID ID:</b> 2007-09<br>
<b>Date Occured:</b> 3/29/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Names and social security numbers of former employees of Fruit of the Loom were available for download from the company's web site.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thenortheastgeorgian.com/articles/2007/02/23/news/business/01business.prt">Former Fruit of the Loom workers' identities compromised</a> [The Northwest Georgian, Feb 23 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-08: WordPress Backdoor<br>
<b>WHID ID:</b> 2007-08<br>
<b>Date Occured:</b> 3/29/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A backdoor was planted in a new official release of WordPress, the most popular blogging software in the world. The release was available for download for a few days before the backdoor was located.
</p><p>Additional information:</p>
<ul>
<li><a href="http://wordpress.org/development/2007/03/upgrade-212/">WordPress dangerous, Upgrade</a> [, Mar 2 2007]</li>
<li><a href="http://news.com.com/Intruder+adds+backdoor+to+WordPress+blog+software/2100-7349_3-6164967.html">Intruder adds back door to WordPress blog software</a> [News.com, Mar 6 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> WordPress<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-07: Westerly Hospital data breach affects 2,000<br>
<b>WHID ID:</b> 2007-07<br>
<b>Date Occured:</b> 3/29/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Health<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.
</p><p><br>The information included personal data such as social security numbers, birth dates, address, phone number, insurance numbers and in some cases the reason for the visit.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pbn.com/stories/23678.html">Westerly Hospital data breach affects 2,000</a> [Providence Business News, Mar 2 2007]</li>
<li><a href="http://www.westerlyhospital.com/news_events/patient_data_incident_report.htm">Patient Data Incident</a> [, Mar 5 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-06: Hackers swipe seed company&#39;s customers&#39; data<br>
<b>WHID ID:</b> 2007-06<br>
<b>Date Occured:</b> 3/29/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds, a small ($13M in revenue per annum) online vendor of seeds in Maine. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of stolen credit cards rather than by the security measures used to protect the web site.
</p><p><br>The direct costs of the breach (informing customers, researching the incident and upgrading the protection of the web site) came to tens of thousands of dollars for the company.
</p><p>Additional information:</p>
<ul>
<li><a href="http://kennebecjournal.mainetoday.com/news/local/3676190.html">Hackers swipe seed company's customers' data</a> [Kennebec Journal, Mar 3 2007]</li>
<li><a href="http://www.realtime-itcompliance.com/privacy_incidents/2007/03/maine_seed_company_website_hac.htm">Maine Seed Company Website Hacked: Demonstrates SMB Vulnerability &amp; Questions Hacker Safe Seals</a> [Realtime IT compliance, Mar 3 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-05: Hacking John McCain<br>
<b>WHID ID:</b> 2007-05<br>
<b>Date Occured:</b> 3/29/2007<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.
</p><p>Additional information:</p>
<ul>
<li><a href="http://mike.newsvine.com/_news/2007/03/27/633799-hacking-john-mccain">Hacking John McCain</a> [, Mar 27 2007]</li>
<li><a href="http://news.com.com/2061-10796_3-6170883.html">Oops! John McCain's MySpace page gets pranked</a> [CNet, Mar 27 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-04: College glitch avails student information to public<br>
<b>WHID ID:</b> 2007-04<br>
<b>Date Occured:</b> 3/27/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A student at a community college in Sacramento who was &quot;Googling&quot; himself last month found his name, among 2000 others, in a file accidentally left online by school staff and picked up by Google's crawler.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.azcentral.com/arizonarepublic/business/articles/0310biz-googleshock0310.html">College glitch avails student information to public</a> [The Arizona Republic, Mar 10 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-03: UI put staff data on Web<br>
<b>WHID ID:</b> 2007-03<br>
<b>Date Occured:</b> 3/26/2007<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Education<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.spokesmanreview.com/tools/story_pf.asp?ID=178531">UI put staff data on Web</a> [Spokesman Review, Mar 10 2007]</li>
<li><a href="http://www.vandalidentity.net/default.aspx?pid=97037"></a> [Vandal Identity Resource Center, ]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2007-01: Credit Card Information stolen from Indiana&#39;s Web Site<br>
<b>WHID ID:</b> 2007-01<br>
<b>Date Occured:</b> 3/26/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Government<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.</p>
<p>While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=198500410">Hacker Suspected Of Multistate Break-In Spree</a> [Information Week, Mar 23 2007]</li>
<li><a href="http://www.theindychannel.com/news/10973406/detail.html">Hacker Accesses Credit Card Info On State Web Site</a> [The Indy Channel, Feb 9 2007]</li>
<li><a href="http://www.theindychannel.com/news/11315796/detail.html">State Notifies 71,000 Workers Of Web Site Breach</a> [The Indy Channel, Mar 21 2007]</li>
<li><a href="http://www.theindychannel.com/news/11334932/detail.html">State: Web Site Breach May Have Been Prank</a> [The Indy Channel, Mar 22 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-48: SQL Injection Used to Steal Information from &quot;Life is Good&quot;<br>
<b>WHID ID:</b> 2006-48<br>
<b>Date Occured:</b> 1/19/2008<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p><em><strong>Update (Jan 26<sup>th</sup> 2009) </strong></em>- an <a href="http://www.scmagazineus.com/Clothing-retailer-settles-with-FTC-over-credit-card-breach/article/109217/">SC magazine article sheds more light on the incident</a> revealing that there was actually a breach, apparently using SQL injection, which resulted in leakage of 10,000 credit card numbers</p>
<p></p><hr>
An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".
<p>The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the FTC requires it to accept a very comprehensive and costly security procedure going forward.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=205901219">Online Retailer Settles Charges That It Left Consumer Data Open To Hackers</a> [Information Week, Jan 18 2008]</li>
<li><a href="http://www.storefrontbacktalk.com/story/011808ftc">FTC Wags Finger At Site For Weak Consumer Data Security</a> [Storefront Backtalk, Jan 18 2008]</li>
<li><a href="http://www.ftc.gov/os/caselist/0723046/index.shtm">In the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046</a> [Federal Trade Commission, Jan 17 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-47: Santa brought to Zone-H a brand new defacement<br>
<b>WHID ID:</b> 2006-47<br>
<b>Date Occured:</b> 4/2/2007<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Zone-h is one of the best (well, the best, not just one of them) web sites to follow if you are interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a Hotmail XSS bug) can be used to deface another, unrelated site in a very elaborate and targeted attack.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.zone-h.org/content/view/14458/31/">Santa brought to Zone-H a brand new defacement</a> [Zone-H, Dec 22 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-46: Hacker Redirects Bank Customers To Phony Site<br>
<b>WHID ID:</b> 2006-46<br>
<b>Date Occured:</b> 3/30/2007<br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A small credit union web site was hacked and the traffic redirected to a pharming site. About 180 users were redirected, of whom 12 were tricked into providing their personal information to the attackers. $500 is known to have been stolen from one of the victims.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thekansascitychannel.com/news/10408223/detail.html">Hacker Redirects Bank Customers To Phony Site</a> [The Kansas City Channel, Nov 27 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-45: Man arrested for hacking Internet shopping malls<br>
<b>WHID ID:</b> 2006-45<br>
<b>Date Occured:</b> 3/30/2007<br>
<b>Attack Method:</b> Hidden Parameter Manipulation<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A Korean shopping system was vulnerable to hidden field manipulation, and a determined hacker purchased $6000 worth of merchandise at 45 stores for much less.
</p><p>Additional information:</p>
<ul>
<li><a href="http://english.hani.co.kr/arti/english_edition/e_national/178464.html">Man arrested for hacking Internet shopping malls</a> [The Hankyoreh, Dec 17 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-42: Netscape.com hacked<br>
<b>WHID ID:</b> 2006-42<br>
<b>Date Occured:</b> 7/27/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Most XSS vulnerabilities are benign. In many cases they are hardly exploitable. In this case Netscape's new Digg-like shared news site was hacked using a persistent XSS attack, so every viewer of the site was attacked, luckily only to show funny dialog boxes.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.f-secure.com/weblog/archives/archive-072006.html#00000927">Netscape.com hacked</a> [F-Secure, Jul 26 2006]</li>
<li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1204568,00.html">Netscape.com hit with cross-site scripting attack</a> [Search Security, Jul 26 2006]</li>
<li><a href="http://www.betanews.com/article/AOL_Fixes_Netscapecom_XSS_Hack/1153940441">AOL Fixes Netscape.com XSS Hack</a> [Beta News, Jul 26 2006]</li>
<li><a href="http://www.securitypronews.com/news/securitynews/spn-45-20060726NetscapeHackedProfessorDeniesSexinessClaims.html">Netscape Hacked, Professor Denies Sexiness Claims</a> [SecurityPro News, Jul 26 2006]</li>
<li><a href="http://www.threadwatch.org/node/7714">NetScape.com - JavaScript Exploit Embaressment</a> [Threadwatch.org, Jul 26 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-41: Making money with MySpace bulletin system!<br>
<b>WHID ID:</b> 2006-41<br>
<b>Date Occured:</b> 7/24/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A bug in MySpace allowed a single click on an incoming bulletin by a person to forward it to all his contacts, making spreading a worm (or any content for that matter) too easy.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.boogybonbon.com/2006/06/16/making-money-with-myspace-bulletin-system/">Making money with Myspace bulletin system!</a> [, Jun 16 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-40: Data Mining MySpace Bulletins<br>
<b>WHID ID:</b> 2006-40<br>
<b>Date Occured:</b> 7/24/2006<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>MySpace bulletins, presumably accessible only to the social network of the originator, can be accessed by anyone by iterating through a message id query parameter.
</p><p>Additional information:</p>
<ul>
<li><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047579.html">Data Mining Myspace Bulletins</a> [Full Disclosure Mailing List, Jun 30 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-39: Another Google XSS<br>
<b>WHID ID:</b> 2006-39<br>
<b>Date Occured:</b> 7/24/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An XSS vulnerability exists in the feature that allows adding an arbitrary RSS feed to personal web pages. Since this page resides on the main <a href="http://www.google.com" title="www.google.com">www.google.com</a> host, the executed JavaScript can access any Google resource.
</p><p>Additional information:</p>
<ul>
<li><a href="http://blog.outer-court.com/archive/2006-07-06-n81.html">Google Fixes XSS Security Problem</a> [Google Blogoscoped, Jul 6 2006]</li>
<li><a href="http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/">Cross Site Scripting Vulnerability in Google</a> [ha.ckers, Jul 4 2006]</li>
<li><a href="http://news.com.com/Google+fixes+security+flaw+in+Reader/2100-1002_3-6090974.html?part=rss&amp;tag=6090974&amp;subj=news">Google fixes security flaw in Reader</a> [News.com, Jul 5 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-38: Convenience or just bad design?<br>
<b>WHID ID:</b> 2006-38<br>
<b>Date Occured:</b> 7/24/2006<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Altiris seems to have designed their servers so that it is easy both to access their customers' uploads and to find out their e-mail addresses.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/webappsec/2006/Jul-Sep/0052.html">Convenience or just bad design?</a> [WebAppSec, Jul 12 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-37: MySpace Hack Spreading<br>
<b>WHID ID:</b> 2006-37<br>
<b>Date Occured:</b> 7/24/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>MySpace seems to be a haven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a Flash file. It is also interesting as it seems to combine the popular political defacement trend with a high-level application-layer exploit.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://chaseandsam.com/2006/07/myspace-hack-spreading-like-wildfire.html"> Myspace Hack spreading like wildfire: SPAIRLKAIFS</a> [Chase and Sam page, Jul 16 2006]</li>
<li><a href="http://kinematictheory.phpnet.us/">How the myspace SWF hack worked</a> [Unknown, Jul 16 2006]</li>
<li><a href="http://www.scmagazine.com/uk/news/article/569987/political+hacking+hits+myspace/">Political hacking hits MySpace</a> [SC Magazine, Jul 17 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-36: PayPal Flaw Gets Accidental Two-Year Reprieve?<br>
<b>WHID ID:</b> 2006-36<br>
<b>Date Occured:</b> 7/24/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by Phishers, it is exploitable for Phishing and was exploited. On top of that, it seems to have been discovered and reported to PayPal already two years ago but ignored due to a communication failure.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html">PayPal Security Flaw allows Identity Theft</a> [Netcraft, Jun 16 2006]</li>
<li><a href="http://news.netcraft.com/archives/2006/07/20/paypal_xss_exploit_available_for_two_years.html">PayPal XSS Exploit available for two years?</a> [Netcraft, Jul 20 2006]</li>
<li><a href="http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html">PayPal fixes phishing hole</a> [News.com, Jun 16 2006]</li>
<li><a href="http://computerworld.com/blogs/node/3028"> Responsible Disclosure? - Paypal vulnerable for two years</a> [Computer World, Jul 20 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-35: Yahoo mail XSS in CSS expression keyword<br>
<b>WHID ID:</b> 2006-35<br>
<b>Date Occured:</b> 5/9/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Yahoo mail does not properly filter the CSS "expression" keyword when it includes a comment that is encoded.
</p><p>Additional information:</p>
<ul>
<li><a href="http://applesoup.googlepages.com/yahoo_mail_xss.txt">Yahoo! Mail XSS Vulnerability</a> [Cheng Peng Su, Apr 21 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-34: XSS Exploit at sms.ac<br>
<b>WHID ID:</b> 2006-34<br>
<b>Date Occured:</b> 5/9/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>This community site allows scripts to be included in multiple locations, including one's personal profile, thus enabling XSS.
</p><p>Additional information:</p>
<ul>
<li><a href="http://addict3d.org/index.php?page=viewarticle&amp;type=security&amp;ID=5754&amp;title=XSS%20Exploit%20at%20sms.ac"> XSS Exploit at sms.ac</a> [Addict3D, Jan 3 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-33: Alexadex.com players.py XSS Exploit<br>
<b>WHID ID:</b> 2006-33<br>
<b>Date Occured:</b> 5/9/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Alexadex is an online investment game. There is an XSS vulnerability in the group adding functionality.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/May/0113.html">Alexadex.com players.py XSS Exploit</a> [Bugtraq, May 5 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-32: libero.it XSS vulnerability - HTML injection<br>
<b>WHID ID:</b> 2006-32<br>
<b>Date Occured:</b> 5/9/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Libero.it is a Web portal of a big Italian ISP offering dial-up, broadband and talk services. A script on its customer service pages, which enabled a connection speed test, is vulnerable to XSS.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/May/0079.html">libero.it XSS vulnerability - HTML injection</a> [Bugtraq (Posted by Davide Denicolo), May 2 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-31: URL Bug On 1ASPHost and DomainDLX Hosting Services<br>
<b>WHID ID:</b> 2006-31<br>
<b>Date Occured:</b> 5/9/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A researcher found that the login error page on these sites can be injected.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/May/0121.html">URL Bug On 1ASPHost and DomainDLX Hosting Services</a> [Bugtraq, Jun 6 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-30: National Secret Agency of Slovak Republic Hacked<br>
<b>WHID ID:</b> 2006-30<br>
<b>Date Occured:</b> 4/30/2006<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A hacker successfully abused a vulnerability in Horde to penetrate a site owned by the National Security Agency of the Slovak Republic.
</p><p>Additional information:</p>
<ul>
<li><a href="http://blackhole.sk/node/442">Narodny Bezpecnostny Urad pwn3d (Slovak with Code Snippets)</a> [Blackhole.sk, Apr 25 2006]</li>
<li><a href="http://www.securityfocus.com/archive/75/432202">National Secret Agency of Slovak Republic</a> [Incidents Mailing List, Apr 26 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-28: Tlen.PL e-mail XSS vulnerability<br>
<b>WHID ID:</b> 2006-28<br>
<b>Date Occured:</b> 4/20/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail accounts. The e-mail client is web based, with a browser embedded in the communicator software. Certain webmail servers do not validate the e-mail subject for HTML tags, allowing an attacker to inject script code.
</p><p>Additional information:</p>
<ul>
<li><a href="http://security.pass.pl/adv/160406_XSS_tlen_pl.txt">Tlen.PL e-mail XSS vulnerability</a> [<a href="http://security.pass.pl/">Tomasz Koperski</a>, ]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-27: SQL Injection in incredibleindia.org<br>
<b>WHID ID:</b> 2006-27<br>
<b>Date Occured:</b> 4/20/2006<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><a href="http://www.incredibleindia.org" title="www.incredibleindia.org">www.incredibleindia.org</a> is the official Indian government tourism website.<br><br><br>The researcher found that the parameter PageID in the page ms_Page.asp is vulnerable to SQL injection. He further verified that the SQL error messages allow standard probing methods for finding out the number of columns and their types to work.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/Apr/0408.html">SQL Injection in incredibleindia.org</a> [Susam Pal, Apr 16 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-26: Yahoo XSS used for phishing<br>
<b>WHID ID:</b> 2006-26<br>
<b>Date Occured:</b> 4/18/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00049.html">Alert - Yahoo! Webmail XSS</a> [Cesar Cerrudo, <a href="http://www.argeniss.com">Argeniss</a>, Apr 17 2006]</li>
<li><a href="http://seclists.org/lists/fulldisclosure/2006/Apr/0823.html">Alert - Yahoo! Mail XSS vulnerability</a> [Cesar Cerrudo, <a href="http://www.argeniss.com">Argeniss</a>, Apr 28 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-25: Everyone.net XSS<br>
<b>WHID ID:</b> 2006-25<br>
<b>Date Occured:</b> 4/12/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Everyone.net login script (loginuser.pl) is prone to a cross site scripting attack in the variable loginName.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.morx.org/everyoneXSS.txt">Everyone.net XSS</a> [Simo Ben Youssef, Feb 12 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-24: Hotmail XSS (2)<br>
<b>WHID ID:</b> 2006-24<br>
<b>Date Occured:</b> 4/12/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The $a variable in Hotmail's inbox is vulnerable to cross-site scripting. The exploit requires the victim to open the email message.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.morx.org/HotmailCookieXploit.txt">Hotmail Cross Site Scripting</a> [Simo Ben Youssef, Feb 20 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-23: ICQ search vulnerable to XSS<br>
<b>WHID ID:</b> 2006-23<br>
<b>Date Occured:</b> 4/12/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>ICQ.com search script (search_result.php) is vulnerable to cross-site scripting attacks. This problem is due to a failure in the application to properly sanitize user input. The input can be passed to the vulnerable script in 2 variables (gender and home_country_code).
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.morx.org/ICQ-XSS.txt">ICQ Cross Site Scripting</a> [Simo Ben Youssef, Jan 10 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-22: SQL injection in a banking application<br>
<b>WHID ID:</b> 2006-22<br>
<b>Date Occured:</b> 4/12/2006<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A CIO of a bank in Singapore reports that many application layer vulnerabilities, including SQL injection, were discovered in a banking application they purchased before it was put into production.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.cio-asia.com/ShowPage.aspx?pagetype=2&amp;articleid=3381&amp;pubid=5&amp;issueid=81">Pulled in All Directions</a> [CIO Asia, Jan 1 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-21: Sourceforge.net XSS (1)<br>
<b>WHID ID:</b> 2006-21<br>
<b>Date Occured:</b> 4/12/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Sourceforge download pages are vulnerable to XSS.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/Feb/0537.html">Sourceforge XSS</a> [Bugtraq, Feb 24 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-20: Sourceforge.net XSS (2)<br>
<b>WHID ID:</b> 2006-20<br>
<b>Date Occured:</b> 4/10/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Sourceforge forums search is vulnerable to XSS.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/vuln-dev/2006/Apr/0018.html">Sourceforge.net XSS</a> [Vulnerability Development, Apr 9 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-19: Google XSS<br>
<b>WHID ID:</b> 2006-19<br>
<b>Date Occured:</b> 4/10/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Yet another Google XSS. This time it seems to hit the Arabic variant of the main search site. It seems that the actual language selector parameter enables the attack.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/Apr/0213.html">Google XSS (1)</a> [Bugtraq, Apr 10 2006]</li>
<li><a href="http://seclists.org/lists/bugtraq/2006/Apr/0222.html">Google XSS (2)</a> [Bugtraq, Apr 10 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-18: Myspace.com - Intricate Script Injection Vulnerability<br>
<b>WHID ID:</b> 2006-18<br>
<b>Date Occured:</b> 4/10/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Forget putting &lt;script&gt; tags in an input field. This high-tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.silent-products.com/advisory4.5.06.txt">Myspace.com - Intricate Script Injection Vulnerability</a> [Justin Lavoie, Apr 5 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-17: Mass defacement using XSS at Israblog<br>
<b>WHID ID:</b> 2006-17<br>
<b>Date Occured:</b> 4/10/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers' sessions and deface their blogs. The defacement was used to inform the world that Israblog's lead developer is a bad programmer.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.nrg.co.il/online/10/ART1/070/252.html">Large Scale Breakin to Israblog</a> [NRG (Hebrew), Apr 5 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-16: AstraTel customer call records leaked<br>
<b>WHID ID:</b> 2006-16<br>
<b>Date Occured:</b> 4/10/2006<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy.
</p><p> The service redirected users to a different server and propagated the user information in a hidden field without re-authenticating.
</p><p>Additional information:</p>
<ul>
<li><a href="http://australianit.news.com.au/articles/0,7204,18665780%5E15331%5E%5Enbv%5E15306%2D15318,00.html">Privacy breach at ISP</a> [Australian IT, Mar 31 2006]</li>
<li><a href="http://forums.whirlpool.net.au/forum-replies.cfm?t=498645">AstraTel customer call records leaked</a> [Public Forum, Mar 31 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-15: eBay contains a cross-site scripting vulnerability<br>
<b>WHID ID:</b> 2006-15<br>
<b>Date Occured:</b> 4/4/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description, which creates a cross-site scripting vulnerability in the eBay website.
</p><p>Additional information:</p>
<ul>
<li><a href="http://addict3d.org/index.php?page=viewarticle&amp;type=security&amp;ID=5986&amp;title=eBay%20contains%20a%20cross-site%20scripting%20vulnerability"> eBay contains a cross-site scripting vulnerability</a> [Addict3D, Apr 4 2006]</li>
<li><a href="http://news.com.com/Phishers+set+hidden+traps+on+eBay/2100-7349_3-6056687.html">Phishers set hidden traps on eBay</a> [CNet, Mar 31 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-14: Forgotten password clues create hacker risk<br>
<b>WHID ID:</b> 2006-14<br>
<b>Date Occured:</b> 4/4/2006<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A UK Security Consulting firm reports that 54 UK sites that it has surveyed have flaws in the "forgotten password" feature.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2006/03/20/forgotten_password_security_risk/">Forgotten password clues create hacker risk</a> [The Register, Mar 20 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-13: Hackers Tap Banks&#39; Web Sites In Unique Phishing Attack<br>
<b>WHID ID:</b> 2006-13<br>
<b>Date Occured:</b> 4/4/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>In this very interesting attack, a hacker broke into the informational web sites of several smaller banks in Florida. He then changed the link on the informational pages that points to the outsourced transactional web site to point to his own phishing site.<br>While the vulnerability that enabled the hacker to penetrate the informational sites is not known, this is a very interesting example of a targeted web attack. It highlights the importance of protecting every web site and not just the core business logic.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.techweb.com/wire/security/184401079">Hackers Tap Banks' Web Sites In Unique Phishing Attack</a> [TechWeb, Mar 29 2006]</li>
<li><a href="http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060317/BUSINESS/603170343/1003">Banks pull plug on Web sites</a> [Tallahassee Democrat, Mar 17 2006]</li>
<li><a href="http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060318/BUSINESS/603180310/1003">Hackers create a new scam</a> [Tallahassee Democrat, Mar 18 2006]</li>
<li><a href="http://riskman.typepad.com/perilocity/2006/03/a_new_phishing_.html">A New Phishing Variation</a> [John S. Quarterman, Mar 24 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-12: Music Web Site: Breach Exposed Accounts<br>
<b>WHID ID:</b> 2006-12<br>
<b>Date Occured:</b> 3/22/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige was breached and notified some customers that their credit card information may have been stolen.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.yahoo.com/s/ap/20060317/ap_on_hi_te/web_site_breach">Music Web Site: Breach Exposed Accounts</a> [AP, Mar 16 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-11: Teenager claims to find code flaw in Gmail<br>
<b>WHID ID:</b> 2006-11<br>
<b>Date Occured:</b> 3/5/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A 14-year-old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed, and Google did not comment, so either the flaw was fixed pretty fast, or it did not exist.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.networkworld.com/news/2006/030206-teen-flaw-gmail.html">Teenager claims to find code flaw in Gmail</a> [Network World, Feb 3 2006]</li>
<li><a href="http://ph3rny.blogspot.com/2006/03/vulnerability-in-gmail.html"> Vulnerability in Gmail</a> [Ph3rny's Blog, ]</li>
<li><a href="http://news.zdnet.com/2100-1009_22-6045416.html">Google fixes 'minor' Gmail flaw</a> [ZDnet, Feb 2 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-10: NUJP website defacement seen not related to political crisis<br>
<b>WHID ID:</b> 2006-10<br>
<b>Date Occured:</b> 3/5/2006<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A mass defacement of a Philippine hosting service was carried out using SQL injection. It accidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.inq7.net/infotech/index.php?index=1&amp;story_id=68097">NUJP website defacement seen not related to political crisis</a> [inq7, Mar 2 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-9: EBay XSS<br>
<b>WHID ID:</b> 2006-9<br>
<b>Date Occured:</b> 3/3/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Unlike other XSS cases, this was discovered due to actual abuse on a specific auction at EBay.
</p><p>Additional information:</p>
<ul>
<li><a href="http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0730.html">Ebay XSS</a> [Full Disclosure, Feb 28 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-8: ICQmail.com - Mail2World.com XSS vulnerability<br>
<b>WHID ID:</b> 2006-8<br>
<b>Date Occured:</b> 3/5/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.nukedx.com/?viewdoc=15">Advisory: ICQmail.com &amp; Mail2World.com (ms_inbox.asp Current_folder) XSS vulnerability</a> [NukedX, Feb 25 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-7: Google Reader &quot;preview&quot; and &quot;lens&quot; script improper feed validation<br>
<b>WHID ID:</b> 2006-7<br>
<b>Date Occured:</b> 3/5/2006<br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Google Reader allows redirection, so sites can fool users into subscribing to malicious content.
</p><p>Additional information:</p>
<ul>
<li><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042439.html">Google Reader "preview" and "lens" script improper feed validation</a> [Full Disclosure, Feb 22 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-6: Hacker breaks into Buffalo sports site<br>
<b>WHID ID:</b> 2006-6<br>
<b>Date Occured:</b> 3/22/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A site of a minor league baseball team was hacked and personal details of fans were stolen.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.wstm.com/Global/story.asp?S=4633614&amp;nav=2aKD">Hacker breaks into Buffalo sports site</a> [NBC, Mar 15 2006]</li>
<li><a href="http://www.buffalonews.com/editorial/20060314/1033934.asp">Hacker gains access to Bisons fans' Web data</a> [The Buffalo News, Mar 14 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-5: Hotmail XSS (1)<br>
<b>WHID ID:</b> 2006-5<br>
<b>Date Occured:</b> 3/29/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Hotmail&#39;s filtering engine insufficiently filters JavaScript. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS. This leads to execution when the email is viewed. The JavaScript must be Unicode encoded in order to fool the filter. This encoding is recognized by IE &gt;= 6.
</p><p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/bugtraq/2006/Mar/0509.html">Microsoft MSN Hotmail : Cross-Site Scripting Vulnerability</a> [Bugtraq Archives, Mar 23 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-4: Hacker diverts traffic from city&#39;s Web page<br>
<b>WHID ID:</b> 2006-4<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A hoster was broken into by brute forcing passwords in a management interface. Sites of many clients, including three municipalities, were defaced.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.contracostatimes.com/mld/cctimes/news/local/crime_courts/13643743.htm">Hacker diverts traffic from city's Web page</a> [ContraCosta times, Jan 17 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-3: Russian hackers broke into a RI GOV website<br>
<b>WHID ID:</b> 2006-3<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies. The hackers claimed to have stolen 53,000 credit card numbers, while the hosting service provider claims the number was just 4113.<br><br>The technical reference site is in Russian; you can use <a href="http://www.appliedlanguage.com/free_translation.shtml">Applied Languages Solutions</a> for an online translation.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.fcw.com/article92132-01-27-06-Web">Hackers steal credit card info from R.I. Web site</a> [Federal Computer Week, Jan 27 2006]</li>
<li><a href="http://www.xakep.ru/post/29550/default.asp">Competition: As it was broken up ri.gov or as become the owner of the island</a> [, ]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-2: GSA takes down eOffer after finding security flaw<br>
<b>WHID ID:</b> 2006-2<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Documents uploaded to the GSA site were accessed using a predictable sequential identifier without requiring special permissions. The documents were available both for viewing and modifying. The site was in service for more than 18 months until the vulnerability was discovered.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.fcw.com/article91960-01-13-06-Web">GSA takes down eOffer after finding security flaw</a> [Federal Computing, Jan 13 2006]</li>
<li><a href="http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=25">Think Reveals Flaws in U.S. Government Security</a> [Think Computers, Jan 13 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2006-1: Google&#39;s Blogger HRS vulnerability<br>
<b>WHID ID:</b> 2006-1<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> HTTP Response Splitting<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt">Blogger.com classic HTTP response splitting vulnerability</a> [, Jan 2 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-65: LexisNexis Data Breach<br>
<b>WHID ID:</b> 2005-65<br>
<b>Date Occured:</b> 2/17/2008<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Information Services<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>The LexisNexis data breach is not new, but we have recently decided to <a>start tracking</a> abuse of insufficient automation measures and are adding historical incidents.</p>
<p>In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.</p>
<p>As usual in such cases, there is a question of whether the attack was a criminal activity, a violation of the license agreement of the information provider, or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking of the <a href="http://www.webappsec.org/projects/whid/byid_id_2005-5.shtml">Paris Hilton Vodafone account</a>, which was clearly an unlawful act.
</p><p>Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that there was no security failure in the web site, but that the procedures were lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/30/AR2006063001222.html">Arrests Made in '05 LexisNexis Data Breach</a> [Washington Post, Jun 30 2006]</li>
<li><a href="http://www.washingtonpost.com/wp-dyn/articles/A45756-2005Apr12.html">LexisNexis Data Breach Bigger Than Estimated</a> [Washington Post, Apr 13 2008]</li>
<li><a href="http://www.nytimes.com/2005/04/13/technology/13theft.html">Security Breach at LexisNexis Now Appears Larger</a> [New York Times, Apr 13 2008]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-64: Woman scammed QVC for $400,000+ in Internet glitch<br>
<b>WHID ID:</b> 2005-64<br>
<b>Date Occured:</b> 11/20/2007<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>A woman exploited a bug in the QVC shopping network web site to get, without paying, more than 1800 items worth $412,000 from March to November 2005. The glitch enabled her to cancel orders she placed at a specific time and still get the product.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.tgdaily.com/content/view/34608/113/">Woman scammed QVC for $400,000+ in Internet glitch</a> [TG Daily, Oct 30 2007]</li>
<li><a href="http://www.philly.com/dailynews/local/20071026_N_C__woman_admits_400G_scam_of_QVC.html">N.C. woman admits 400G scam of QVC</a> [Philly.com, Oct 26 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-63: Web designer sentenced for hacking competitor&#39;s site<br>
<b>WHID ID:</b> 2005-63<br>
<b>Date Occured:</b> 8/14/2007<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>While lacking in technical details, this story is certainly juicy. It demonstrates well the business use of web site hacking. The downside is that the hacker got only a minimal punishment, which, unless the incident itself is overrated in the media, is a very bad sign of how courts view computer crime.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.cnet.co.uk/software/0,39029694,49292191,00.htm">Web designer sentenced for hacking competitor's site</a> [CNet, Aug 14 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-62: Guidance Software<br>
<b>WHID ID:</b> 2005-62<br>
<b>Date Occured:</b> 4/18/2007<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>3,800 customer credit-card numbers were stolen in the attack on the Guidance Software web site. This incident is made more severe since Guidance Software is a provider of software for investigating security breaches and many of its clients are security and law enforcement agencies, some of them known to be affected.
</p><p><br>As usual in such cases, the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was the result of an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.ftc.gov/os/caselist/0623057/0623057%20-Guidance%20complaint.pdf">United States Of America Federal Trade Commission In The Matter Of Guidance Software, Inc.</a> [Federal Trade Commission, Apr 1 2007]</li>
<li><a href="http://www.internetnews.com/security/article.php/3572386">Guidance Software Investigating Stolen Data</a> [Internet News, Dec 20 2005]</li>
<li><a href="http://www.internetnews.com/security/article.php/3669561">FTC Approves Final Guidance Settlement</a> [Internet News, Apr 3 2007]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-61: Gmail session management bug<br>
<b>WHID ID:</b> 2005-61<br>
<b>Date Occured:</b> 4/12/2006<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A bug in Gmail's authentication and session management allows direct login to anybody's account without requiring any involvement of the victim.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.elhacker.net/gmailbug/english_version.htm">Gmail bug</a> [elhacker.net, Oct 18 2005]</li>
<li><a href="http://www.eweek.com/article2/0,1759,1889050,00.asp">Google Downplays Gmail Security Fix</a> [eWeek, Oct 18 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-60: KU shuts down housing application Web site<br>
<b>WHID ID:</b> 2005-60<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A web site used to file online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.kansascity.com/mld/kansascity/news/local/13495104.htm">KU shuts down housing application Web site</a> [Associated Press, Dec 27 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-59: Vote Someone Else&#39;s Shares<br>
<b>WHID ID:</b> 2005-59<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling them to vote for others.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.schneier.com/blog/archives/2005/11/vote_someone_el.html">Vote Someone Else's Shares</a> [Bruce Schneier, Nov 24 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-58: Yahoo mail Cross Site Scripting<br>
<b>WHID ID:</b> 2005-58<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An attacker can send a victim an e-mail with a malicious script, which performs its actions immediately when the e-mail is read.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.morx.org/yahoo-XSS.txt">Yahoo mail Cross Site Scripting</a> [Morx, Dec 22 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-57: RPG site bit by hackers<br>
<b>WHID ID:</b> 2005-57<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>User data stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was a result of a flaw in custom web site software.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.scmagazine.com/uk/news/article/533573/rpg-site-bit-hackers/">RPG site bit by hackers</a> [SC Magazine, Dec 21 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-56: XSS vulnerabilities in Google.com<br>
<b>WHID ID:</b> 2005-56<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.webappsec.org/lists/websecurity/archive/2005-12/msg00059.html">XSS vulnerabilities in Google.com</a> [Watchfire, Dec 21 2005]</li>
<li><a href="http://www.betanews.com/article/Google_CrossSite_Scripting_Flaw_Fixed/1135201187">Google Cross-Site Scripting Flaw Fixed</a> [Beta News, Dec 21 2005]</li>
<li><a href="http://news.com.com/Google+plugs+obscure+phishing+holes/2100-1002_3-6004471.html">Google plugs 'obscure' phishing holes</a> [CNet, Dec 21 2005]</li>
<li><a href="http://shiflett.org/archive/178">Google XSS Example</a> [Chris Shiflett, Dec 21 2005]</li>
<li><a href="http://shiflett.org/archive/177">Google's XSS Vulnerability</a> [Chris Shiflett, Dec 21 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-55: Yahoo RSS XSS Vulnerability<br>
<b>WHID ID:</b> 2005-55<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A malicious site can offer users a malformed RSS XML file to be included in Yahoo RSS aggregation, which would enable stealing Yahoo cookies.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.alljer.com/yahoorssxss.htm">Yahoo RSS XSS Vulnerability</a> [alljer.com, Dec 18 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-54: XSS vulnerability in NIST web site<br>
<b>WHID ID:</b> 2005-54<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2005/12/14/us_government_security_site_vulnerable_to_common_attack.html">US Government Security Site Vulnerable to Common Attack</a> [NetCraft, Dec 14 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-53: Charity Web Site Hacked<br>
<b>WHID ID:</b> 2005-53<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A UK Church charity web site was hacked and at least 3000 credit card numbers were stolen. Credit card information is known to have been used by the hackers. While no specific details are given, the article indicates that the way site was hacked.
</p><p>Additional information:</p>
<ul>
<li><a href="http://software.silicon.com/malware/0,3800003100,39154991,00.htm">Police investigate charity credit card data hack</a> [Silicon.com, Dec 12 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-51: Critical MySpace Vulnerabilities Leave Every Active Account Exploitable<br>
<b>WHID ID:</b> 2005-51<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An XSS when receiving notification of an incoming IM message. Additionally it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.silent-products.com/advisory12.5.05.txt">Critical Myspace Vulnerabilities Leave Every Active Account Exploitable</a> [Silent Productions, Dec 5 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-50: XSS on Yahoo Mail<br>
<b>WHID ID:</b> 2005-50<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Inserting code in an HTML attachment enables changing the user interface of Yahoo mail, which may enable fraud.
</p><p>Additional information:</p>
<ul>
<li><a href="http://archives.neohapsis.com/archives/bugtraq/2005-11/0289.html">XSS on Yahoo Mail</a> [Bugtraq, Nov 23 2005]</li>
<li><a href="http://richard.computeiro.com/yahoo_bug.jpg">XSS on Yahoo Mail</a> [Bugtraq, Nov 23 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-49: Google Base launched with security hole<br>
<b>WHID ID:</b> 2005-49<br>
<b>Date Occured:</b> 2/28/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>XSS in Google Base search function
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.pcworld.idg.com.au/index.php/id;751088708;fp;2;fpid;1">Google Base launched with security hole</a> [PC World, Nov 21 2005]</li>
<li><a href="http://jibbering.com/blog/?p=189">More Google security failures</a> [Jibbering.com, Nov 16 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-48: Insufficient authorization on Papa John&#39;s Pizza chain web site<br>
<b>WHID ID:</b> 2005-48<br>
<b>Date Occured:</b> 11/10/2005<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0156.html">Zero Day Pizza Party - Yo Noid Advisory #00001</a> ["Full Disclosure" Mailing List, Nov 7 2005]</li>
<li><a href="http://news.com.com/Pizza+chain+caught+without+fully+baked+security/2100-7349_3-5938572.html">Pizza chain caught without fully baked security</a> [Cnet, Nov 7 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-47: SEC Vs. The Estonian Spiders<br>
<b>WHID ID:</b> 2005-47<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Process Automation<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Business Wire allowed access to unpublished press releases.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.webpronews.com/topnews/topnews/wpn-60-20051102SECVsTheEstonianSpiders.html">SEC Vs. The Estonian Spiders</a> [Web Pro News, Nov 2 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-46: Teen uses SQL injection to break into a security magazine web site<br>
<b>WHID ID:</b> 2005-46<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.taipeitimes.com/News/front/archives/2006/01/22/2003290158">Teenage hacker facing court case for data theft</a> [Taipei Times, Jan 22 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-44: Xoops web site hacked<br>
<b>WHID ID:</b> 2005-44<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A configuration mistake left an unused virtual host unprotected. No details on the configuration problems were given.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.xoops.org/modules/news/article.php?storyid=2639">Xoops web site hacked</a> [Vendor Web Site, Oct 28 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-43: XSS in Yahoo&#39;s Web mail enables phishing<br>
<b>WHID ID:</b> 2005-43<br>
<b>Date Occured:</b> 11/10/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>XSS in Yahoo Mail allows phishing
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Yahoo+fixes+Web+mail+security+flaw/2100-1002_3-5907383.html">Yahoo fixes Web mail security flaw</a> [News.com, Oct 21 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-42: Default password in a common application used by schools<br>
<b>WHID ID:</b> 2005-42<br>
<b>Date Occured:</b> 11/10/2005<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The software has a default password for teachers, enabling anyone to access the system with teacher privileges.
</p><p>Additional information:</p>
<ul>
<li><a href="http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/10/21/SNAFU.TMP"> Software glitch reveals private data for thousands of state's students<br>
S.F. administrators close program to update passwords</a> [Sfgate, Oct 21 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-41: XSS on Google&#39;s AdWords enables phishing<br>
<b>WHID ID:</b> 2005-41<br>
<b>Date Occured:</b> 11/10/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Google+fixes+Web+site+security+bug/2100-1002_3-5892525.html?part=rss&amp;tag=5892525&amp;subj=news">Google fixes Web site security bug</a> [News.com, Oct 10 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-40: Defacement of several Novell websites<br>
<b>WHID ID:</b> 2005-40<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Script upload due to a known vulnerability in Scoop
</p><p>Additional information:</p>
<ul>
<li><a href="http://lists.suse.com/archive/suse-security-announce/2005-Oct/0001.html">Defacement of several Novell websites</a> [Mailing list post, Oct 4 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-39: Promotional Firefox community site hacked (again)<br>
<b>WHID ID:</b> 2005-39<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Exploited unpatched TWiki
</p><p>Additional information:</p>
<ul>
<li><a href="http://arstechnica.com/news.ars/post/20051004-5383.html">Promotional Firefox community site hacked (again)</a> [Ars Technica, Oct 4 2005]</li>
<li><a href="http://www.net-security.org/article.php?id=836">SpreadFirefox.com Community Website Hacked Once Again</a> [Ars Technica, Oct 4 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers<br>
<b>WHID ID:</b> 2005-38<br>
<b>Date Occured:</b> 9/12/2005<br>
<b>Attack Method:</b> Denial of Service<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Teen convicted of threatening an ISP with a DoS attack, among other computer hacking activities
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&amp;STORY=/www/story/09-08-2005/0004103380&amp;EDATE=">Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers </a> [Press Release, Sep 8 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-37: A 12-year-old hacked an online game and stole game items<br>
<b>WHID ID:</b> 2005-37<br>
<b>Date Occured:</b> 9/12/2005<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Information Warfare<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A 12-year-old guessed a woman's login information and abused her account, stealing game items from her.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.buslab.org/index.php/content/view/22317/2/">Boy, 12, referred to child guidance center for hacking into online game site</a> [Mainichi Daily News, Sep 7 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino<br>
<b>WHID ID:</b> 2005-36<br>
<b>Date Occured:</b> 9/4/2005<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Abuse of Functionality<br>
<b>Outcome:</b> Monetary Loss<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A player of an online game discovered that a considerable delay hinted at the cards the dealer holds.
</p><p>Additional information:</p>
<ul>
<li><a href="http://haacked.com/archive/2005/08/29/9748.aspx">Online Games Are Written By Humans</a> [Personal, Aug 29 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-35: Stanford University web sites defaced using XMLRPC bug<br>
<b>WHID ID:</b> 2005-35<br>
<b>Date Occured:</b> 8/23/2005<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Sites were defaced by exploiting an issue in an XMLRPC library used by PHP
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.zone-h.org/en/news/read/id=205962/">Brazilian defacers hack hundreds of Stanford University web sites</a> [Zone-H, Aug 21 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-34: Man logs into dabs.com misc customer account<br>
<b>WHID ID:</b> 2005-34<br>
<b>Date Occured:</b> 8/22/2005<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.channelregister.co.uk/2005/08/18/dabs_password_misdirected/">Man logs into dabs.com customer account shocker</a> [channel register, Aug 18 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-33: Insufficient authorization on Verizon&#39;s MyAccount feature<br>
<b>WHID ID:</b> 2005-33<br>
<b>Date Occured:</b> 8/22/2005<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/08/11/AR2005081102122.html">Glitch on Verizon Wireless Web Site Left Data at Risk</a> [Washington Post, Aug 12 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-32: Weak password recovery on Citrix&#39;s site<br>
<b>WHID ID:</b> 2005-32<br>
<b>Date Occured:</b> 8/8/2005<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Weak password recovery procedure at Citrix
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/archive/107/407243/30/0/threaded">Example of the worst passwd recovery interface</a> [WebAppSec mailing list, Aug 3 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-31: Hacker forced new planet discovery out of the closet<br>
<b>WHID ID:</b> 2005-31<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.theinquirer.net/?article=25031">Hacker forced new planet discovery out of the closet </a> [The Inquirer, Aug 1 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-30: Blogger Developers Network Blog Cracked<br>
<b>WHID ID:</b> 2005-30<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Administration Error<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Official answer from Blogger was that this was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com'].
</p><p>Additional information:</p>
<ul>
<li><a href="http://google-blog.dirson.com/post.new/0272/">Blogger Developers Network Blog Cracked</a> [, Jul 31 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-29: Security issues in interactive hotel TVs<br>
<b>WHID ID:</b> 2005-29<br>
<b>Date Occured:</b> 7/31/2005<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>While not strictly web security, this discussion of hotel room TV application security is a very good example of the dangers of our networked society
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.wired.com/news/privacy/0,1848,68370,00.html">A Hacker Games the Hotel </a> [Wired, Jul 30 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages<br>
<b>WHID ID:</b> 2005-28<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2005/07/29/phishers_steal_trust_from_ebay_sign_in_pages.html">Phishers Steal Trust from eBay Sign In Pages</a> [Netcraft, Jul 29 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-27: Phishers hack eBay<br>
<b>WHID ID:</b> 2005-27<br>
<b>Date Occured:</b> 8/8/2005<br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A bug in an eBay site allowed phishers to redirect users to their own servers after the users filled in details at the genuine eBay site
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.macworld.com/news/2005/08/02/phishers/index.php?lsrc=mwrss">Phishers hack eBay</a> [MacWorld, Aug 2 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-26: NISCC reveals SAP R/3 security flaw<br>
<b>WHID ID:</b> 2005-26<br>
<b>Date Occured:</b> 7/31/2005<br>
<b>Attack Method:</b> Path Traversal<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.computerweekly.com/Home/Articles/2005/07/28/211124/NISCCrevealsSAPR3securityflaw.htm">NISCC reveals SAP R/3 security flaw</a> [Computer Weekly, Jul 28 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker<br>
<b>WHID ID:</b> 2005-25<br>
<b>Date Occured:</b> 7/31/2005<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A man hacked into a competing web site
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.wsoctv.com/news/4773654/detail.html">No Charges Filed Yet Against South Charlotte Computer Hacker</a> [WSOC-TV, Jul 26 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-24: Firefox marketing site hacked<br>
<b>WHID ID:</b> 2005-24<br>
<b>Date Occured:</b> 7/15/2005<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://news.zdnet.com/2100-1009_22-5790030.html">Firefox marketing site hacked</a> [Zdnet, Jul 15 2005]</li>
<li><a href="http://news.com.com/Firefox+marketing+site+hacked/2100-7349_3-5790030.html?part=rss&amp;tag=5790030&amp;subj=news">Firefox marketing site hacked</a> [C-Net, Jul 15 2005]</li>
<li><a href="http://arstechnica.com/news.ars/post/20050715-5101.html">Promotional firefox community site hacked</a> [ars technica, Jul 15 2005]</li>
<li><a href="http://www.eweek.com/article2/0,1759,1837657,00.asp?kc=EWRSS03119TX1K0000594">SpreadFirefox Site Hacked, Data Leaked</a> [eWeek, Jul 15 2005]</li>
<li><a href="http://www.spreadfirefox.com/node/16836">Spread Firefox Downtime</a> [Spread Firefox, Jul 15 2005]</li>
<li><a href="http://www.networkworld.com/news/2005/071505-mozilla-hack.html?fsrc=rss-security">Mozilla marketing site hacked</a> [Network World, Jul 15 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-23: Chinese hacker held in Web data theft<br>
<b>WHID ID:</b> 2005-23<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. Hacking was done in order to earn money to pay for tuition.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.contentguarder.com/news/web-content-news-0009.htm">Chinese hacker held in Web data theft</a> [Asahi Shimbun, Jul 7 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-22: MS UK defaced in hacking attack<br>
<b>WHID ID:</b> 2005-22<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Misconfiguration<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Microsoft UK site defaced due to server misconfiguration
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2005/07/06/msuk_hacked/">MS UK defaced in hacking attack</a> [The Register, Jul 6 2005]</li>
<li><a href="http://www.zone-h.org/index2.php?option=com_mirrorwrp&amp;Itemid=43&amp;id=2531794">MS UK Zone-H defacements archive</a> [Zone-H, Jul 6 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants' data<br>
<b>WHID ID:</b> 2005-21<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A person who discovered an SQL injection vulnerability in a USC system and informed Security Focus about the flaw was criminally charged with breaking into the system.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/brief/191">Man charged with accessing USC student data</a> [Security Focus, Apr 20 2006]</li>
<li><a href="http://www.securityfocus.com/news/11239">Flawed USC admissions site allowed access to applicant data</a> [Security Focus, Jul 5 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-20: Security gaps found in EPA contracting system<br>
<b>WHID ID:</b> 2005-20<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Known Vulnerability<br>
<b>Application Weakness:</b> Application Misconfiguration<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel. The audit focused on lack of monitoring for known vulnerabilities on these systems.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.govexec.com/dailyfed/0206/020306p1.htm"> Security gaps found in EPA contracting system</a> [GovExec, Feb 3 2006]</li>
<li><a href="http://www.epa.gov/oig/reports/2006/20060131-2006-P-00010.pdf">Information Security Series: Security Practices - Integrated Contract Management System</a> [EPA, Jan 31 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-19: Privacy Fears due to insufficient authentication on CVS drugstore chain web site<br>
<b>WHID ID:</b> 2005-19<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.computerworld.com/securitytopics/security/story/0,10801,102773,00.html">Privacy Fears Prompt CVS To Turn Off Online Service </a> [Computer World, Jun 27 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-18: Hacker hits Duke system<br>
<b>WHID ID:</b> 2005-18<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/isn/2005/Jun/0005.html">Hacker hits Duke system</a> [The News Observer, Jun 5 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-17: Leakage of information due to XSS in Hotmail<br>
<b>WHID ID:</b> 2005-17<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.vnunet.com/vnunet/news/2137707/hotmail-hack-fixed">Microsoft fixes Hotmail hack</a> [VNUnet, Jun 9 2005]</li>
<li><a href="http://www.theregister.co.uk/2005/06/08/hotmail_hack/">Hotmail users exposed to cookie snaffling exploit</a> [The Register, Jun 8 2005]</li>
<li><a href="http://www.pcmag.com/article2/0,1759,1825250,00.asp">MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes</a> [PC Magazine, Jun 7 2005]</li>
<li><a href="http://news.com.com/MSN+flaw+put+Hotmail+accounts+at+risk/2100-1002_3-5734448.html?part=rss&amp;tag=5734448&amp;subj=news">MSN flaw put Hotmail accounts at risk</a> [CNet, Jun 6 2005]</li>
<li><a href="http://www.net-force.nl/files/articles/hotmail_xss/">Hacking hotmail, by Alex de Vries</a> [Personal Web Page, Jun 4 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-16: MSN site hacked in South Korea<br>
<b>WHID ID:</b> 2005-16<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Session Hijacking<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The web site was modified to include password stealing code
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.usatoday.com/tech/news/2005-06-02-hacked_x.htm">Microsoft admits MSN site hacked in South Korea</a> [USA Today, Jun 2 2005]</li>
<li><a href="http://abcnews.go.com/Technology/wireStory?id=817338">MSN Site Hacking Went Undetected for Days</a> [ABC News, Jun 3 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-15: Unprotected information on the University of Chicago web site<br>
<b>WHID ID:</b> 2005-15<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Files containing sensitive information left unprotected on the web server
</p><p>Additional information:</p>
<ul>
<li><a href="http://incidentresponse.uchicago.edu/">University of Chicago</a> [Victim's Site, May 30 2005]</li>
<li><a href="http://maroon.uchicago.edu/news/articles/2005/05/27/private_records_disc.php">Private records discovered on server</a> [Chicago Maroon, May 27 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-14: XSS on Microsoft Xbox site allowed phishing<br>
<b>WHID ID:</b> 2005-14<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Microsoft+plugs+phishing+hole+in+Xbox+site/2100-1029_3-5720241.html?tag=nl">Microsoft plugs phishing hole in Xbox site</a> [news.com, May 25 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-13: Hacker attacked weak point on Kakaku.com&#39;s Web Site<br>
<b>WHID ID:</b> 2005-13<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Downtime<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://seclists.org/lists/isn/2005/May/0041.html">Web sites get costly lesson in security</a> [Asahi (Japan), May 18 2005]</li>
<li><a href="http://www.cdrinfo.com/forum/tm.asp?m=110616&amp;mpage=1&amp;#110616">Hacker attacked weak point on Kakaku.com's Web Site</a> [Asahi (Japan), May 25 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-12: Insufficient authentication on Arbela mutual insurance allowed access to private data<br>
<b>WHID ID:</b> 2005-12<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Extranet system accessible to the public
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.boston.com/business/technology/articles/2005/05/05/insurers_website_error_reveals_data_on_drivers/?rss_id=Boston+Globe+">Insurer's website breach reveals data on drivers</a> [The Boston Globe, May 5 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-11: Samy XSS Worm Hits MySpace<br>
<b>WHID ID:</b> 2005-11<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Web 2.0<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>The Samy worm on MySpace is now a classic. Both a sophisticated attack and a well-documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what has happened to him since.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://ha.ckers.org/blog/20070310/my-lunch-with-samy/">My Lunch With Samy</a> [ha.ckers, Mar 10 2007]</li>
<li><a href="http://fast.info/myspace/">MySpace XSS worm writer notes</a> [bindshell, Apr 10 2005]</li>
<li><a href="http://www.bindshell.net/papers/xssv/myspace/code/">MySpace XSS worm source</a> [bindshell, Apr 10 2005]</li>
<li><a href="http://namb.la/popular/tech.html">MySpace XSS virus development</a> [bindshell, Apr 10 2005]</li>
<li><a href="http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391">Cross-Site Scripting Worm Hits MySpace</a> [Beta News, Apr 10 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-10: Indian SATs results leaking<br>
<b>WHID ID:</b> 2005-10<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://blogs.law.harvard.edu/philg/comments?u=philg&amp;p=7726&amp;link=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F2005%2F03%2F08%23a7726#a7777">Indian SATs results leaking</a> [Blog talkback, Mar 10 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-9: Undisclosed application security issue on Cisco&#39;s site forces global password reset<br>
<b>WHID ID:</b> 2005-9<br>
<b>Date Occured:</b> 4/8/2005<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insecure Indexing<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An undisclosed application security issue on Cisco's web site required resetting passwords for all registered users.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,103661,00.html?source=NLT_PM&amp;nid=103661">Cisco.com passwords reset after Web site exposure</a> [Computer World, Mar 8 2005]</li>
<li><a href="http://www.betanews.com/article/Cisco_Web_Site_Breached_by_Hackers/1123086248">Cisco Web Site Breached by Hackers</a> [Beta News, Mar 8 2005]</li>
<li><a href="http://news.com.com/Customers+warned+that+Cisco.com+was+breached/2100-7349_3-5816809.html?part=rss&amp;tag=5816809&amp;subj=news">Cisco warns customers of site breach</a> [Cnet, Mar 8 2005]</li>
<li><a href="http://taosecurity.blogspot.com/2005/08/cisco-connection-online-compromised.html">Cisco Connection Online Compromised? </a> [TaoSecurity Blog, Mar 8 2005]</li>
<li><a href="http://www.eweek.com/article2/0,1895,1843451,00.asp">Cisco Web Portal Password Security Compromised</a> [eWeek, Mar 8 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-8: eBay Redirect Becomes Phishing Tool<br>
<b>WHID ID:</b> 2005-8<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Redirection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.betanews.com/article/eBay_Redirect_Becomes_Phishing_Tool/1109886753">eBay Redirect Becomes Phishing Tool</a> [Beta News, Mar 3 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-7: Hacker Tips Off B-School Applicants<br>
<b>WHID ID:</b> 2005-7<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Parameter tampering to jump into someone else's account data
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thecrimson.com/article.aspx?ref=506140">Hacker Tips Off B-School Applicants</a> [The Crimson, Mar 3 2005]</li>
<li><a href="http://poweryogi.blogspot.com/2005/03/hbsapplyyourself-admit-status-snafu.html">HBS/ApplyYourself Admit Status snafu</a> [Personal Blog, Mar 2 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-6: Tampering with parameters allows access to others&#39; account data on PayMaxx Inc. site<br>
<b>WHID ID:</b> 2005-6<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/Payroll+site+closes+on+security+worries/2100-1029_3-5587859.html?tag=cd.hed">Payroll site closes on security worries</a> [CNet, Feb 23 2005]</li>
<li><a href="http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=18">Think Finds Flaw Revealing Up To 100,000 Social Security Numbers</a> [Vulnerability Publisher's Site, Feb 23 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-5: Paris Hilton&#39;s T-Mobile online account hacked<br>
<b>WHID ID:</b> 2005-5<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html">Paris Hilton Hack Started With Old-Fashioned Con</a> [Washington Post, May 19 2005]</li>
<li><a href="http://www.pcworld.com/news/article/0,aid,119851,00.asp">Paris Hilton: Victim of T-Mobile's Web Flaws?</a> [PCWorld, Mar 1 2005]</li>
<li><a href="http://www.wired.com/news/privacy/0,1848,66735,00.html">Known Hole Aided T-Mobile Breach</a> [Wired.com, Feb 28 2005]</li>
<li><a href="http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html">How Paris Got Hacked?</a> [O'Reilly Network, Feb 22 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-4: An Israeli debate site vulnerable to XSS<br>
<b>WHID ID:</b> 2005-4<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.nrg.co.il/online/10/ART1/049/017.html">Identity theft in Hyde Park</a> [nrg.co.il, Feb 16 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-3: Misconfiguration issues in paid wireless access and billing applications<br>
<b>WHID ID:</b> 2005-3<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Directory Indexing<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Multiple misconfiguration problems such as browsable directories, physical path disclosure and default or weak passwords
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.thinkcomputer.com/corporate/news/pressreleases.html?id=17">Think Discovers Critical Flaws in U.S. Transportation Security</a> [Vulnerability Publisher's Site, Feb 1 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-2: Froogle XSS<br>
<b>WHID ID:</b> 2005-2<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An XSS was found in Froogle
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2005/01/17/google_security_bugs/">Google plugs brace of GMail security flaws</a> [The Register, Jan 14 2005]</li>
<li><a href="http://www.eweek.com/article2/0,1759,1751689,00.asp">Google Plugs Cookie-Theft Data Leak</a> [eWeek, Jan 14 2005]</li>
<li><a href="http://packetstormsecurity.nl/0501-exploits/froogleCookie.txt">Froogle XSS</a> [Packet Storm, ]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2005-1: Gmail Bug Exposes E-mail messages of other users<br>
<b>WHID ID:</b> 2005-1<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Parameter tampering exposed sensitive information in Gmail
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.betanews.com/article/Gmail_Bug_Exposes_Emails_to_Hackers/1105561408">Gmail Bug Exposes E-mails to Hackers</a> [Beta News, Jan 12 2005]</li>
<li><a href="http://it.slashdot.org/article.pl?sid=05/01/12/1655246&amp;tid=172&amp;tid=215&amp;tid=217&amp;tid=218">Gmail Messages Are Vulnerable To Interception</a> [Slashdot, Jan 12 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-18: Security flaw exposed in Cahoot bank accounts<br>
<b>WHID ID:</b> 2004-18<br>
<b>Date Occured:</b> 10/25/2007<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL. The bug was open for 12 days before being discovered.
</p><p><br>The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.
</p><p><br>We somehow missed this story so it finds its way to WHID only now in late 2007.
</p><p>Additional information:</p>
<ul>
<li><a href="http://software.silicon.com/security/0,39024655,39125639,00.htm">Security flaw exposed in Cahoot bank accounts</a> [Silicon.com, Oct 5 2004]</li>
<li><a href="http://software.silicon.com/security/0,39024655,39125665,00.htm">Leader: Not another security scare</a> [Silicon.com, Oct 5 2004]</li>
<li><a href="http://news.bbc.co.uk/2/hi/business/3984845.stm">Cahoot hit by web security scare</a> [BBC, Oct 5 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-17: The CardSystems breach was an SQL Injection hack (Updated)<br>
<b>WHID ID:</b> 2004-17<br>
<b>Date Occured:</b> 4/20/2006<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Credit Card Leakage<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p><em><strong>Update (May 27th 2009)</strong></em> - The CardSystems incident is refusing to die. Merrick Bank is now <a href="http://www.courthousenews.com/2009/05/26/Merrick.pdf">suing Savvis</a> for certifying CardSystems as CISP compliant while its systems were wide open. CISP is a VISA program for certifying credit card processing systems which existed prior to PCI DSS.</p>
<p>The actual damage an attack causes an organization is rarely disclosed, and coverage focuses on the number of records stolen. In the court documents Merrick reveals that its own damage from the CardSystems incident was $16,000,000! The money was paid to card holders to compensate for losses and for legal fees and fines.</p>
<p>The case is also interesting as it puts to the test the liability a certifying entity (in this case Savvis) incurs from its assessment. The results may have a profound influence on the PCI QSA market and therefore on PCI itself. David Navetta posts an <a href="http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/">excellent legal analysis</a> of the potential implications of the lawsuit.</p>
<hr>
<p>This entry is a very important one. Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers and exposed 40 million more, and several million dollars in fraudulent credit and debit card purchases were made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused company shareholders, financial institutions and card holders damage of millions of dollars.</p>
<p>But since the publication of the incident a year ago the way in which the breach occurred remained a mystery.</p>
<p>Recently, new articles about the case (listed below) revealed that the attackers used SQL injection to install malicious scripts in the CardSystems web application database, which were scheduled to run every four days, extract records, zip them and export them to an FTP site.</p>
<p>This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.</p>
<p>Additional information:</p>
<ul>
<li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1180411,00.html">Cleaning up after a hack job: CardSystems' Christensen</a> [Information Security (mirror), Apr 14 2006]</li>
<li><a href="http://www.ftc.gov/os/caselist/0523148/0523148complaint.pdf">FTC complaint In the Matter of CardSystems Solutions</a> [FTC, ]</li>
<li><a href="http://wiki.midrange.com/index.php/CardSystems">Midrange CardSystems Wiki</a> [Midrange, ]</li>
<li><a href="http://www.webappsec.org/lists/websecurity/archive/2006-04/msg00051.html">CardSystems was a Web Application Hack</a> [Cesar Cerrudo, <a href="http://www.argeniss.com">Argeniss</a>, Apr 18 2006]</li>
<li><a href="http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html">CardSystems Exposes 40 Million Identities</a> [Bruce Schneier, Jun 23 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> Credit Card Number<br>
<b>Number of Records:</b> 40000000<br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-16: Lycos Free Email XSS<br>
<b>WHID ID:</b> 2004-16<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An XSS was found in Lycos Web Mail
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securiteam.com/securitynews/6A00N20C1C.html">Lycos Free Email Cross-Site Scripting Vulnerability</a> [SecuriTeam, Dec 27 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-15: New Variant of Santy Worm Spreads<br>
<b>WHID ID:</b> 2004-15<br>
<b>Date Occured:</b> 12/25/2004<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>phpBB worm</p>
<p>Additional information:</p>
<ul>
<li><a href="http://www.frsirt.com/exploits/20041225.PhpIncludeWorm.php">PHP Scripts Automated Arbitrary File Inclusion</a> [Vulnerability Publisher's Site, Dec 25 2004]</li>
<li><a href="http://www.pcworld.com/news/article/0,aid,119051,pg,1,RSS,RSS,00.asp">New Variant of Santy Worm Spreads</a> [PC World, Dec 27 2004]</li>
<li><a href="http://www.computerworld.com/securitytopics/security/holes/story/0,10801,98553,00.html">Santy.E worm poses threat to sites badly coded in PHP </a> [Computer World, Dec 27 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> phpBB<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-14: Santy worm defaces websites using PHP bug<br>
<b>WHID ID:</b> 2004-14<br>
<b>Date Occured:</b> 12/22/2004<br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> Various<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Worm used Google to locate sites vulnerable to OS</p>
<p>Additional information:</p>
<ul>
<li><a href="http://news.bbc.co.uk/1/hi/technology/4117711.stm">Santy worm makes unwelcome visit</a> [BBC, Dec 22 2004]</li>
<li><a href="http://isc.sans.org/diary.php?date=2004-12-21">Santy worm defaces websites using php bug</a> [Sans Storm Center, Dec 21 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> Various<br>
<b>Attacked System Technology:</b> phpBB<br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-13: SunTrust site XSS vulnerability exploited for phishing<br>
<b>WHID ID:</b> 2004-13<br>
<b>Date Occured:</b> 11/8/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Phishing based on XSS (the same vulnerability as, but a different attack from, the similar September 2004 attack)
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.fool.com/News/mft/2004/mft04120810.htm">Do Online Banks Facilitate Fraud?</a> [The Motley Fool, Dec 8 2004]</li>
<li><a href="http://news.netcraft.com/archives/2004/12/06/suntrust_site_exploited_by_fraudsters.html">SunTrust site exploited by fraudsters</a> [NetCraft, Dec 6 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-12: XSS in Gmail<br>
<b>WHID ID:</b> 2004-12<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>An XSS was found in Gmail
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.theregister.co.uk/2004/10/29/gmail_vuln/">Gmail accounts 'wide open to exploit' - report</a> [The Register, Oct 29 2004]</li>
<li><a href="http://net.nana.co.il/Article/?ArticleID=155025&amp;sid=10">NetLife Exclusive: Security hole found in Gmail</a> [Nana NetLife, Oct 27 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data<br>
<b>WHID ID:</b> 2004-11<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Phishing<br>
<b>Attacked Entity Field:</b> Finance<br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> <p>Phishing based on XSS
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.netcraft.com/archives/2004/09/28/phishers_manipulate_suntrust_site_to_steal_data.html">Phishers Manipulate SunTrust Site to Steal Data</a> [NetCraft, Sep 28 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-10: SQL Injection and XSS on presidential campaign web sites<br>
<b>WHID ID:</b> 2004-10<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>
</p><p>Additional information:</p>
<ul>
<li><a href="http://wired-vig.wired.com/news/infostructure/0,1377,64036,00.html?tw=wn_tophead_3">Campaign Sites Lack Security</a> [Wired, Jun 30 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site<br>
<b>WHID ID:</b> 2004-9<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A billing information system required only a phone number and zip code to pull up account details
</p><p>Additional information:</p>
<ul>
<li><a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969836,00.html">A security tale: From vulnerability discovery to disaster</a> [Search Security, Jun 14 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-8: Broadcast TV announcements changed by hacking the station's web site<br>
<b>WHID ID:</b> 2004-8<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> Insufficient Process Validation<br>
<b>Outcome:</b> Disinformation<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Previously moderated weather announcements could be changed by the user
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/8191">Pranksters bedevil TV weather announcement system</a> [Security Focus, Mar 4 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service<br>
<b>WHID ID:</b> 2004-7<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wall Street Journal (Archive Copy), Feb 2 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.cs.umass.edu/~kevinfu/news/wsj-gomes2.txt<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-6: More Scary Tales Involving Big Holes In Web-Site Security - Tiffany<br>
<b>WHID ID:</b> 2004-6<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wall Street Journal (Archive Copy), Feb 2 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway<br>
<b>WHID ID:</b> 2004-5<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wall Street Journal (Archive Copy), Feb 2 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl&#39;s<br>
<b>WHID ID:</b> 2004-4<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web-Site Security</a> [Wall Street Journal (Archive Copy), Feb 2 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega<br>
<b>WHID ID:</b> 2004-3<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes2.txt">More Scary Tales Involving Big Holes In Web</a> [Wall Street Journal (Archive Copy), Feb 2 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-2: Biggest Web Problem Isn&#39;t About Privacy, It&#39;s Sloppy Security - Saks<br>
<b>WHID ID:</b> 2004-2<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes1.txt">Biggest Web Problem Isn't About Privacy, It's Sloppy Security</a> [Wall Street Journal (Archive Copy), Jan 26 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.cs.umass.edu/~kevinfu/news/wsj-gomes1.txt<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2004-1: Biggest Web Problem Isn&#39;t About Privacy, It&#39;s Sloppy Security - OpenTable<br>
<b>WHID ID:</b> 2004-1<br>
<b>Date Occured:</b> 8/4/2005<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://snafu.fooworld.org/~fubob/pubs/wsj-gomes1.txt">Biggest Web Problem Isn't About Privacy, It's Sloppy Security</a> [Wall Street Journal (Archive Copy), Jan 26 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-9: Defenses lacking at social network sites<br>
<b>WHID ID:</b> 2003-9<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/7739">Defenses lacking at social network sites</a> [Security Focus, Dec 31 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation<br>
<b>WHID ID:</b> 2003-8<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.infoworld.com/article/04/11/17/HNpetco_1.html">Petco settles charge it left customer data exposed</a> [InfoWorld, Nov 17 2004]</li>
<li><a href="http://www.securityfocus.com/news/9957">Petco settles with FTC over cyber security gaffe</a> [Security Focus, Nov 17 2004]</li>
<li><a href="http://www.securityfocus.com/news/7581">FTC investigates PetCo.com security hole</a> [Security Focus, Dec 5 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-7: Victoria&#39;s Secret reveals far too much<br>
<b>WHID ID:</b> 2003-7<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>View other customers' orders by changing a sequential number within a URL parameter
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.cbsnews.com/stories/2003/10/22/tech/main579547.shtml">Victoria's Secret Reveals Too Much</a> [CBS News, Oct 22 2003]</li>
<li><a href="http://cooltech.iafrica.com/technews/280300.htm">Victoria's Secret reveals far too much</a> [iAfrica, Oct 24 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-6: Mississippi man blackmails Best Buy<br>
<b>WHID ID:</b> 2003-6<br>
<b>Date Occured:</b> 2/26/2006<br>
<b>Attack Method:</b> Unknown<br>
<b>Application Weakness:</b> Unknown<br>
<b>Outcome:</b> Extortion<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A person was convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.zdnet.com/2100-1009_22-5136932.html?tag=nl">Mississippi man denies Best Buy blackmail</a> [ZDNet, Jan 7 2004]</li>
<li><a href="http://news.zdnet.com/2100-1009_22-5980008.html">Police blotter: Best Buy 'hacker' loses in court</a> [ZDNet, Dec 2 2005]</li>
<li><a href="http://caselaw.lp.findlaw.com/data2/circs/8th/051655p.pdf">Appeals Court's Opinion</a> [, Nov 22 2005]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-5: Car shoppers&#39; credit details exposed in bulk<br>
<b>WHID ID:</b> 2003-5<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>User-submitted information was being stored in a publicly available location. The URL was found in the source code of a publicly available web page.
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/7067">Car shoppers' credit details exposed in bulk</a> [Security Focus, Sep 25 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry<br>
<b>WHID ID:</b> 2003-4<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.ftc.gov/opa/2003/06/guess.htm">Guess Settles FTC Security Charges</a> [FTC Web Site, Jun 18 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-3: User passwords could be stolen in Microsoft&#39;s Passport service<br>
<b>WHID ID:</b> 2003-3<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://news.zdnet.co.uk/business/0,39020645,2134469,00.htm">Microsoft faces huge fine over security</a> [ZDNet, May 9 2003]</li>
<li><a href="http://www.atnewyork.com/news/article.php/2203651">Microsoft Patches .NET Passport Hole</a> [AnyNetwork, May 8 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-2: UT Austin hack yields personal info on thousands<br>
<b>WHID ID:</b> 2003-2<br>
<b>Date Occured:</b> 4/4/2006<br>
<b>Attack Method:</b> Brute Force<br>
<b>Application Weakness:</b> Insufficient Anti-automation<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>While this is an old incident, further research into it suggests that it was a web hack. While the initial reports talk about a database break-in, a report in The Register identifies the database as txClass, which is a web-based system.<br>55,200 Social Security numbers were stolen, though the hacker claimed that he did not perform the act for profit. He was caught and sentenced to 5 years probation.
</p><p>Additional information:</p>
<ul>
<li><a href="https://www.utexas.edu/datatheft/">Data Theft Incident Response</a> [UofT, Sep 7 2005]</li>
<li><a href="http://www.theregister.co.uk/2003/03/18/student_owns_up_to_texas/">Student owns up to Texas Uni cyber-heist</a> [The Register, Mar 18 2003]</li>
<li><a href="http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79102,00.html">UT Austin hack yields personal info on thousands</a> [Computer World, Mar 6 2003]</li>
<li><a href="http://www.securityfocus.com/news/2935">Hackers steal names, Social Security numbers from University of Texas database</a> [Security Focus, Mar 6 2006]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2003-1: FTD.com hole leaks personal information<br>
<b>WHID ID:</b> 2003-1<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>View other customers' information by modifying a cookie
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/2100-1017-984585.html">FTD.com hole leaks personal information</a> [CNet, Feb 13 2003]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2002-4: Tower Records settles charges over hack attacks<br>
<b>WHID ID:</b> 2002-4<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>View other customers' orders by changing a guessable number within a URL parameter
</p><p>Additional information:</p>
<ul>
<li><a href="http://www.securityfocus.com/news/8508">Tower Records settles charges over hack attacks</a> [Security Focus, Apr 21 2004]</li>
<li><a href="http://news.com.com/2100-1017-976271.html">Tower Records site exposes data</a> [CNet, Dec 5 2002]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2002-3: Reuters accused of hacking<br>
<b>WHID ID:</b> 2002-3<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>A company put its earnings report on its site before its official release, but did not link to it. Reuters found the document and published it.
</p><p>Additional information:</p>
<ul>
<li><a href="http://news.com.com/2100-1023-963658.html">Reuters accused of hacking</a> [Cnet, Nov 29 2002]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2002-2: Advogato XSS virus account<br>
<b>WHID ID:</b> 2002-2<br>
<b>Date Occured:</b> 7/11/2005<br>
<b>Attack Method:</b> Cross Site Request Forgery (CSRF)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Worm<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Additional information:</p>
<ul>
<li><a href="http://www.bindshell.net/papers/xssv/advogato/">Advogato xss virus account</a> [Bindshell, Sep 21 2002]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2002-1: Flawed authentication at BN.com exposes personal information<br>
<b>WHID ID:</b> 2002-1<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Password Recovery<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <p>Opening an account with a discontinued e-mail address exposes all the information of the discontinued account
</p><p>Additional information:</p>
<ul>
<li><a href="http://wired-vig.wired.com/news/ebiz/0,1272,53942,00.html">BN.com: The Hole Story</a> [Wired, Jul 19 2002]</li>
<li><a href="http://www.marktaw.com/technology/HackingBarnesAndNoble.com.html">BarnesAndNoble.com Security Flaw</a> [Personal Web Page, Jul 9 2002]</li>
<li><a href="http://itmanagement.earthweb.com/secu/article.php/3347761">Barnes &amp; Noble.com Fined for Customer Data Leak</a> [Datamation, Apr 30 2004]</li>
</ul><br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> <br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2001-6: XSS at Microsoft Passport<br>
<b>WHID ID:</b> 2001-6<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> <br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.pcworld.com/news/article/0,aid,69543,00.asp<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2001-5: Privacy hole found in Verizon Wireless Web site<br>
<b>WHID ID:</b> 2001-5<br>
<b>Date Occured:</b> 9/6/2001<br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> The privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The Web site address for the feature assigns session identifications sequentially as each user logs in, which allows for forceful browsing.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2001-4: Hacked Web site damaged PCs in Japan<br>
<b>WHID ID:</b> 2001-4<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Planting of Malware<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Users who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.infoworld.com/articles/hn/xml/01/08/21/010821hnjapmal.html?&amp;_ref=1024727153<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2001-3: Persistent XSS in Hotmail<br>
<b>WHID ID:</b> 2001-3<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> Improper Output Handling<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Persistent XSS (HTML injection) inside an HTML email message sent to Hotmail<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.usatoday.com/tech/news/2001-08-31-hotmail-security.htm<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2001-2: Computer E-Retailer Exposes Credit Card Numbers<br>
<b>WHID ID:</b> 2001-2<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> View other orders by changing a sequential parameter number. Security was provided by client-side JavaScript<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.extremetech.com/article2/0,3973,103782,00.asp<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2001-1: Travelocity exposes customer information<br>
<b>WHID ID:</b> 2001-1<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Predictable Resource Location<br>
<b>Application Weakness:</b> Insufficient Authorization<br>
<b>Outcome:</b> Disclosure Only<br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Sensitive files were left in a publicly accessible directory of a new web server install<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.com.com/2100-1017-251344.html?legacy=cnet<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2000-6: Inforeading.com defacement using command injection<br>
<b>WHID ID:</b> 2000-6<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> OS Commanding<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Executing local commands using URL parameters<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://www.inforeading.com/library/infoarticles/InfoReading/logs/deface/02.txt<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2000-5: Eve.com exposes customers order information<br>
<b>WHID ID:</b> 2000-5<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Credential/Session Prediction<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> View other customers' orders by changing a sequential number within a URL parameter<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.com.com/2100-1017-245700.html?legacy=cnet<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2000-4: Sensitive files left unprotected on Western Union&#39;s Web<br>
<b>WHID ID:</b> 2000-4<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> <br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> Sensitive files were left in a publicly accessible directory during a maintenance window<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.com.com/2100-1023-245525.html?legacy=cnet<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2000-3: Gaffe at Amazon leaves email addresses exposed<br>
<b>WHID ID:</b> 2000-3<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Abuse of Functionality<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> E-mail addresses of other customers were displayed by mistake; no hacking was required<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.com.com/2100-1017-245387.html?legacy=cnet<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 2000-2: IKEA exposes customer information on catalog site<br>
<b>WHID ID:</b> 2000-2<br>
<b>Date Occured:</b> <br>
<b>Attack Method:</b> Unintentional Information Disclosure<br>
<b>Application Weakness:</b> Insufficient Authentication<br>
<b>Outcome:</b> Leakage of Information<br>
<b>Attacked Entity Field:</b> Retail<br>
<b>Attacked Entity Geography:</b> <br>
<b>Incident Description:</b> Error message revealed a database file location, which could be downloaded.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://news.com.com/2100-1017-245372.html?legacy=cnet<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td> <td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> WHID 1999-1: eBay downplays security hole<br>
<b>WHID ID:</b> 1999-1<br>
<b>Date Occured:</b> 4/4/2006<br>
<b>Attack Method:</b> Cross Site Scripting (XSS)<br>
<b>Application Weakness:</b> <br>
<b>Outcome:</b> <br>
<b>Attacked Entity Field:</b> <br>
<b>Attacked Entity Geography:</b> USA<br>
<b>Incident Description:</b> A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> <br>
<b>Reference:</b> http://packetstormsecurity.org/9904-exploits/ebayla.txt<br>
<b>Attack Source Geography:</b> <br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr> <tr><td><div class="googft-card-view" style="font-family:sans-serif;width:450px;padding:4px;border:1px solid #ccc;overflow:hidden">
<b>Entry Title:</b> Conservative party web CMS system hacked<br>
<b>WHID ID:</b> <br>
<b>Date Occured:</b> 10/16/2010<br>
<b>Attack Method:</b> SQL Injection<br>
<b>Application Weakness:</b> Improper Input Handling<br>
<b>Outcome:</b> Defacement<br>
<b>Attacked Entity Field:</b> Politics<br>
<b>Attacked Entity Geography:</b> United Kingdom<br>
<b>Incident Description:</b> A SQL injection flaw in the CMS allowed admin access to many smaller individual and regional Conservative party web sites (the main site www.conservatives.com was unaffected). The password field of the CMS login page was susceptible to a SQL injection attack, allowing access to arbitrary user accounts, including the CMS administrator account.
The CMS controlled the content of a number of sites run by the Conservative party, many of which are used by regional party groups. The websites have remained down since the attack, including:
http://www.bathconservatives.com/
http://www.newtonabbotconservatives.org.uk/
http://www.nwdurhamconservatives.com/
http://www.nwnorfolkconservatives.com/
Details of the flaw were posted on several message boards, and rapid and widespread defacement occurred, ranging from political satire to hate speech.<br>
<b>Mass Attack:</b> No<br>
<b>Mass Attack Name:</b> <br>
<b>Number of Sites Affected:</b> 20<br>
<b>Reference:</b> http://editor.conservatives.org.uk/cms/v6/cms.admin.php<br>
<b>Attack Source Geography:</b> Multiple sources<br>
<b>Attacked System Technology:</b> <br>
<b>Cost:</b> <br>
<b>Items Leaked:</b> <br>
<b>Number of Records:</b> <br>
<b>Additional Link:</b>
</div></td></tr></table></body></html>