|
The Web Hacking Incidents Database
Last update:17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
Select classification:
Attack Method, Country, Location, Origin, Outcome, Software, Vertical Select criteria for classification "Country":
?, Australia, Belgium, Brazil, Canada, China, Ecuador, France, Germany, Global, Greece, India, Israel, Italy, Jamaica, Japan, Korea, Libya, Mexico, New Zealand, Peru, Spain, Sweden, Thailand, Turkey, UK, United Nations, USA
List of incidents for which Country is UK
6 incidents listed
Reported: 01 January 2008Occurred: 04 May 2007
Classifications:
- Attack Method: Misconfiguration
- Country: UK
- Outcome: Planting of Malware
- Outcome: Leakage of Information
- Vertical: Service Providers
Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user's database including all e-mails. The e-mail addresses where actively used for sending spam. Additionally the exploit was used to plant malware on some of the customers' web sites. This incident is unique since PlusNet has published a very interesting and revealing report about the incident that shed a lot of light on real world state of life application security. A must read.
References:
Reported: 30 December 2007Occurred: 15 December 2007
Classifications:
- Attack Method: Cross Site Request Forgery (CSRF)
- Country: UK
- Origin: Iran
- Outcome: Defacement
- Outcome: Blackmail
Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However the following story proves that no matter what, such vulnerabilities cannot be ignored. The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving to a long vacation. The goal was to extort money in order to return the domain. In David's case there is a happy end, as the attention he got helped him receive his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker who steal domains for living may not be as fortunate.
References:
Reported: 19 December 2007Occurred: 17 December 2007
Classifications:
- Attack Method: Known Vulnerability
- Country: UK
- Outcome: Link Spam
- Software: WordPress
- Vertical: Media
In an incident very similar to the Al Gore Hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.
References:
Reported: 19 December 2007Occurred: 27 October 2007
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Insufficient Authentication
- Attack Method: SQL Injection
- Country: UK
- Outcome: Downtime
- Software: WordPress
- Vertical: Education
This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature reach and free. It enables us access to tools available to a few only a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good
examples of very popular open source systems that require constant
attention in order to maintain secure.
I am sure that the guys at Light Blue Touchpaper have the
expertise to protect their WordPress installation, but they
don’t have the time. They made the compromise between ease of
management of their web site and its security. Actually my personal blog might be
just as vulnerable, since as I write this I am very much not paying
attention to its security.
Apart from, or actually because of the fact that the
victims are security experts, this story is noteworthy due to two
additional twists in the plot:
- Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
- The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.
References:
Reported: 07 November 2007Occurred: 17 September 2007
Classifications:
- Attack Method: Unintentional Information Disclosure
- Country: UK
- Outcome: Leakage of Information
- Vertical: Security & Law Enforcement
An Excel spreadsheet was published on containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 offices and the home addresses of 74 offices. As a result identities of 3 offices where stolen.
While the information was pulled of line after a short period of time, it remained in the cache of several major search engines.
References:
Reported: 01 July 2007Occurred: 27 June 2007
Classifications:
- Attack Method: SQL Injection
- Country: UK
- Outcome: Defacement
- Vertical: Technology
Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
|
