Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 17 February 2008
Occurred: 09 March 2005

Classifications:

Attack Method: Insufficient Anti-automation
Country: USA
Outcome: Leakage of Information
Vertical: Information Services

The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient automation measures and are adding historical incidents.

In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.

As usual in such cases there is a question of whether the attack was a criminal activity, violation of the license agreement of the information provider or plainly legal. In this regard it is interesting to note that the group arrested in the incident was also responsible for the hacking to Paris Hilton Vodafone account, which was clearly an unlawful act.

Back in 2005 this data breach was one of the first such incidents, generated a lot of media interest, and led to more regulation regarding information aggregators. Interestingly, the excuse given by the company was that the incident was that there was no security failure in the web site, but that the procedures where lacking. We accepted this story at the time, but today we believe that such automation and scraping attacks are among the most dangerous attacks.

References:

Arrests Made in '05 LexisNexis Data Breach
News Story, Washington Post, 30 June 2006
LexisNexis Data Breach Bigger Than Estimated
News Story, Washington Post, 13 April 2008
Security Breach at LexisNexis Now Appears Larger
News Story, New York Times, 13 April 2008

WHID 2007-84: Soccer league's online shoppers get kicked by security breach

Reported: 10 February 2008
Occurred: 01 August 2007

Classifications:

Attack Method: SQL Injection
Country: USA
Outcome: Leakage of Information
Vertical: Sports

It is already February, and we still add 2007 incidents. If you wonder why, it is because organizations such as MLS only now find out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents were stolen from the site.

Why New Hampshire? Because the company has to report to the authorities there about the incidents, but only specify the number of individuals from this state affected. Why only New Hampshire? Since regulations and bills requiring disclosures exist in many states, one would expect that the company would have to provide such a testimonial in many states. This incident is another good example of the size of the hidden part of the iceberg.

References:

Soccer league's online shoppers get kicked by security breach
News Story, Computer World, 08 February 2008
MLSgear.com Notification to NH DOJ
Legal Document, New Hampshire DOJ, 01 February 2008

WHID 2008-09: Hacking Stage 6

Reported: 10 February 2008
Occurred: 09 February 2008

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Entertainment

Sensitive information about people who created an account on the site leaked and was published through IRC.

References:

Stage 6 - Hacking
Reference, Wikipedia, 09 February 2008

WHID 2008-08: Hacker steals Davidson Cos. clients' data

Reported: 04 February 2008
Occurred: 04 February 2008

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Finance

A computer hacker broke into the database of D.A. Davidson, a local Montana financial services firm and stole their entire customers' database: 226,000 records including names and social security numbers. Attack method is not known, but it seems very much like a web hack.

References:

Hacker steals Davidson Cos. clients' data
News Story, Great Falls Tribune, 04 February 2008
Davidson Companies Informs Clients of Network Intrusion Resulting in Illegal Access to Personal Data
Victim's report, Davidson Companies, 30 January 2008
Davidson Co.'s security breach reminds that personal data isn't as safe as we'd like
News Follow Up, Great Falls Tribune, 11 February 2008

WHID 2007-83: More Social Security numbers leaked at Montana State University

Reported: 28 January 2008
Occurred: 07 November 2007

Classifications:

Attack Method: Administration Error
Country: USA
Outcome: Leakage of Information
Vertical: Education

Again a Microsoft Excel file was left on a University's web site for anyone to view.

References:

More Social Security numbers leaked at MSU
News Story, Montana's News Station, 07 November 2007

WHID 2008-07: Another Free MacWorld Platinum Pass? Yes in 2008!

Reported: 28 January 2008
Occurred: 14 January 2008

Classifications:

Attack Method: Brute Force
Country: USA
Outcome: Monetary Loss
Vertical: Technology

Kurt already got his free MacWorld pass last year (WHID 2007-14), but it seems that nothing changes year after year and he was able to pull a similar trick this year. As the codes that allow customers to get the passes where hashed but stored on the client browser, Kurt was able to crack them.

References:

Another Free MacWorld Platinum Pass? Yes in 2008!
Blog Entry, Kurt Grutzmacher, 14 January 2008

WHID 2008-06: Hackers Take Down Pennsylvania Government

Reported: 28 January 2008
Occurred: 06 January 2008

Classifications:

Attack Method: SQL Injection
Country: USA
Outcome: Planting of Malware
Outcome: Defacement
Vertical: Government

You dfon

References:

Hackers Take Down Pennsylvania Government
News Story, Linux Journal, 10 January 2008
Hackers Force Pa. to Shut State Web Site
News Story, AP, 04 January 2008
Pennsylvania State Disconnects from Internet Over Chinese Hacker Phearz
News Story, Geeks Are Sexy, 09 January 2008
Officials say no data was compromised by hackers
News Story, Post Gazette, 06 January 2008

WHID 2008-04: RIAA web site cleared

Reported: 22 January 2008
Occurred: 20 January 2008

Classifications:

Attack Method: Cross Site Scripting (XSS)
Attack Method: SQL Injection
Attack Method: Denial of Service
Attack Method: SQL Injection
Country: Global
Country: USA
Outcome: Defacement
Outcome: Downtime
Outcome: Defacement
Vertical: Entertainment

The web site of RIAA, the Recording Industry Association of America was attacked twice using SQL injection over the weekend. First a query that takes particularly long time was posted on a social network web site causing a distributed denial of service attack against the site. Later on hackers found and abused additional SQL injection and XSS vulnerabilities resulting in major defacement of the site.

References:

RIAA wiped off the net
News Story, The Register, 21 January 2008
This link runs a slooow SQL query on the RIAA's server. Don't click it; that would be wrong
Attack Code, Reddit, 20 January 2008
RIAA Website Wiped Clean by "Hackers"
Blog Entry, Torrent Freak, 20 January 2008

WHID 2008-03: FTC settles with a retailer for lack of reasonable security

Reported: 19 January 2008
Occurred: 19 January 2008

Classifications:

Attack Method: SQL Injection
Country: USA
Outcome: Disclosure Only
Vertical: Retail

An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".

The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the company requires the company to accept a very comprehensive and costly security procedure going forward.

References:

Online Retailer Settles Charges That It Left Consumer Data Open To Hackers
News Story, Information Week, 18 January 2008
FTC Wags Finger At Site For Weak Consumer Data Security
News Story, Storefront Backtack, 18 January 2008
n the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046
Case File, Federal Trade Commission, 17 January 2008

WHID 2008-01: Information stolen from geeks.com

Reported: 08 January 2008
Occurred: 05 January 2008

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Retail

Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).

The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they where patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment....

And don't take it lightly as a geeks site. Geeks.com is a $150M/year business.

References:

Update: 'Hacker safe' Web site gets hit by hacker
News Story, Copmuter World, 07 January 2008
'Hacker Safe' Geeks.com Hacked
News Story, Information Week, 07 January 2008
Geeks.com Website Hacked, Customer Data Stolen
News Story, Consumerist,

WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites

Reported: 01 January 2008
Occurred: 09 November 2007

Classifications:

Attack Method: SQL Injection
Country: Brazil
Country: USA
Origin: Russia
Outcome: Planting of Malware
Vertical: Government

RBN was a big story. It was a hackers group that could work relatively freely in Russia due to rumors connections in high windows. This way it could allow safe hosting for malware. For getting people to the malware they penetrated web sites around the world, and the references article mentioned SQL injection as the method they infiltrated more high profile sites such as US government sites.

References:

Infamous Russian malware gang vanishes
News Story, News.com, 09 November 2008
US Gov sites Hacked with SQL Injection
Blog Entry, Bill Pennington, 09 November 2008

WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack

Reported: 01 January 2008
Occurred: 23 September 2007

Classifications:

Attack Method: Known Vulnerability
Country: USA
Outcome: Planting of Malware
Software: cPanel
Vertical: Service Providers

Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.

References:

HostGator: cPanel Security Hole Exploited in Mass Hack
News Alert, NetCraft, 23 September 2007
Hacked HostGator Sites Distribute IE Exploit
News Alert, NetCraft, 22 September 2008

WHID 2007-76: A large web hosting firm inflicted by mass malware installation

Reported: 01 January 2008
Occurred: 23 May 2007

Classifications:

Attack Method: Known Vulnerability
Country: USA
Outcome: Planting of Malware
Software: cPanel
Vertical: Service Providers

The Washington Post ran a story about a large scale infiltration to IPower, a major hosting provider. According to the story and the following comments, it seems that the problem is plunging IPower for a long time without being resolved. Put in perspective the PlusNet incident which was serious but swiftly handled and publicly acknowledged by the company.

Actually the problem is so dominant that a recent StopBadware report lists Ipower as by far the most Malware infected hosting company. Reports mention that the problem started as early as mid 2006.

The root cause of the breach here is mentioned as being a vulnerability in either Apache, PHP or cPanel. I have selected the third as being more probably until further evidence materialize.

References:

Cyber Crooks Hijack Activities of Large Web-Hosting Firm
Blog Entry, Washington Post, 23 May 2007
StopBadware.org Identifies Companies Hosting Large Numbers of Websites That Can Infect Internet Users With Badware
Press Release, StopBadware, 04 May 2007

WHID 2007-74: Web host breach may have exposed passwords for 6,000 clients

Reported: 01 January 2008
Occurred: 17 September 2007

Classifications:

Attack Method: Known Vulnerability
Country: USA
Outcome: Leakage of Information
Software: Cerberus Helpdesk
Vertical: Service Providers

A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.

References:

Web host breach may have exposed passwords for 6,000 clients
News Story, The Register, 19 September 2007

WHID 2007-71: Hacker uses Social Security numbers from Ohio court site

Reported: 22 December 2007
Occurred: 22 December 2007

Classifications:

Attack Method: Credential/Session Prediction
Country: USA
Outcome: Monetary Loss
Outcome: Leakage of Information
Outcome: Identity Theft
Vertical: Security & Law Enforcement

The Secret Service has arrested at least 6 people in an investigation that involves information theft at an Ohio court web site, which is actively used for identity theft. At least one known identity theft case resulted in $40,000 loss to the victim.

The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belong to at least 270 people and includes the name, address, age and other information could be used to obtain credit cards and open bank accounts.

References:

Hacker uses Social Security numbers from Ohio court site
News Story, Ohio.com/AP, 22 December 2007
Feds take over municipal court Web hacking probe
News Story, Columbus Dispatch, 20 December 2007

WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection

Reported: 20 December 2007
Occurred: 20 December 2007

Classifications:

Attack Method: SQL Injection
Country: USA
Origin: Indonesia
Outcome: Defacement
Vertical: Security & Law Enforcement

Just like WHID 2007-60, this hack is probably a representative of many other incidents. The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your soul" on the Web site of the police department in Tucson, Arizona. Only unlike regular defacement, this time it is not the front page but rather the news section that was modified.

As many you know, the news section is one of the few database driven parts in many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.

References:

Indonesian hacker touches souls by bringing down police web site
News Story, The Register, 20 December 2007

WHID 2007-65: Facebook suing a porn site over automated access

Reported: 19 December 2007
Occurred: 28 June 2007

Classifications:

Attack Method: Insufficient Anti-automation
Country: USA
Country: Canada
Vertical: Internet

Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from using valuable resources, such an automated access may breach the site's usage license of public information and might also indicate unlawful activity such as using a botnet. Many times it is hard to know if such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler.

Going forward we are going to add such incidents to WHID if there is a reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a law suit implies that there is fire behind the smoke.

References:

Facebook vs. John Doe
Court Document, US District Court, San Jose, CA, 23 October 2007
Facebook sues Canadian smut firm over hacking
News Story, The Register, 17 December 2007
Facebook suing Ontario porn firm
News Story, The Star, 16 December 2007

WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked

Reported: 19 December 2007
Occurred: 26 November 2007

Classifications:

Attack Method: Known Vulnerability
Country: USA
Outcome: Link Spam
Software: WordPress
Vertical: Politics

Whether comment spam by itself is an application failure or a necessary evil for site allowing rich comments is an open question. However it is reported that in this case vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages and not just abuse comments.

References:

Another inconvenient truth: Al Gore's Web site hacked
News Story, PC World, 26 November 2007
Blog Link Spam Claims Another Victim: Al Gore
Blog Entry, Wired, 27 November 2007

WHID 2007-64: Information about Duke's Students and Applicants Stolen

Reported: 19 December 2007
Occurred: 01 December 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Education

The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one including the prospective students' data and another filled with requests for information about the school.

References:

Hacker may have stolen Duke students' data
News Story, UPI, 05 December 2007

WHID 2007-69: The Orkut XSS Worm

Reported: 19 December 2007
Occurred: 19 December 2007

Classifications:

Attack Method: Cross Site Scripting (XSS)
Country: USA
Outcome: Worm
Vertical: Internet

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

References:

The Orkut XSS Worm
Blog Entry, GNU Citizen, 19 December 2007
Orkut XSS
Blog Entry, Sounds From The Dungeon, 19 December 2007
Orkut XSS worm in the wild
Blog Entry, CGI Security, 19 December 2007
Orkut Worm Code (and why was Google so slow to respond?)
Blog Entry, TechnoSocial, 19 December 2007

WHID 2007-59: Hackers jack Monster.com, infect job hunters

Reported: 21 November 2007
Occurred: 20 November 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Planting of Malware
Vertical: Internet

A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.

References:

Hackers jack Monster.com, infect job hunters
News Story, Computer World, 20 November 2007

WHID 2005-64: Woman scammed QVC for $400,000+ in Internet glitch

Reported: 20 November 2007
Occurred: 01 March 2005

Classifications:

Attack Method: Abuse of Functionality
Country: USA
Outcome: Monetary Loss

A woman exploited a bug in QVC shopping network web site to get, without paying, more than 1800 items worth $412,000 items from the March to November 2005. The glitch enabled her to cancel orders she placed at a specific time and still get the product.

References:

Woman scammed QVC for $400,000+ in Internet glitch
News Story, TG Daily, 30 October 2007
N.C. woman admits 400G scam of QVC
News Story, Phily.com, 26 October 2007

WHID 2007-56: TJMaxx XSS Vulnerability

Reported: 07 November 2007
Occurred: 23 September 2007

Classifications:

Attack Method: Cross Site Scripting (XSS)
Country: USA
Outcome: Disclosure Only
Vertical: Retail

A small XSS vulnerably caught RSnake eyes. What makes it different, after all xssed.com lists thousands and thousands of those? What caught RSnames eyes was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.

References:

TJMaxx XSS Vulnerability
Blog Entry, RObert Hansen (Rsnake), 23 September 2007

WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack

Reported: 07 November 2007
Occurred: 18 September 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Media

Vertical Web Media, publisher of Internet Retailer magazine, suffered a security http://www.theregister.co.uk/2007/08/17/gentoo_disconnects_vulnerable_server/breach and credit card information of readers had been stolen. The Irony is that Internet Retailed magazine is covering the risks of e-commerce.

While the actual technique used is not known, signs are that it was a web hack as it was done by a distributed network of bots all over the world and since the information stolen belonged to customers who paid online.

The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The number of records stolen is unknown.

References:

Internet Retailer Publisher Victim Of Customer File Hack
News Story, NBC.com, 18 September 2007

WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection

Reported: 04 November 2007
Occurred: 30 September 2007

Classifications:

Attack Method: SQL Injection
Country: USA
Outcome: Leakage of Information
Vertical: Retail

The web servers of Scarborough & Tweed, a company that does business online selling corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.

References:

570 Scarborough & Tweed customers' personal information accessed by SQL injection
Blog Entry, PogoWasRight.Org, 03 November 2007
Scarborough & Tweed
Legal Document, State of New Hampshire, 26 October 2007

WHID 2007-49: Hackers Block Sale of Colorado Rockies World Series Tickets

Reported: 25 October 2007
Occurred: 23 October 2007

Classifications:

Attack Method: Denial of Service
Country: USA
Outcome: Loss of Sales
Vertical: Sports

The site of the Rockies was taken down by a denial of service preventing fans from buying tickets for the World Series games.

Like any DDoS attack, it is very hard to know if it was an application layer or network layer attack, but since this attack had a very significant financial impact by crippling a web site, we think it deserve a place in WHID.

References:

Hackers Block Sale of Colorado Rockies World Series Tickets
News Story, Associated Content, 24 October 2007

WHID 2007-48: MSU investigating hacking incident

Reported: 17 October 2007
Occurred: 09 October 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Education

Information including birth date and social security number of 1400 students who enrolled online to the Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online where affected points to a web site breach.

References:

MSU investigating hacking incident
News Story, Montana's News Station, 16 October 2007

WHID 2007-47: Commerce Bank, a US regional bank, hacked

Reported: 12 October 2007
Occurred: 10 October 2007

Classifications:

Attack Method: SQL Injection
Country: USA
Outcome: Leakage of Information
Vertical: Finance

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and based on further information, it might be withdrawn.

References:

US regional bank hacked
, The Register,
Customer information compromised at bank
News Story, Columbia Tribune, 10 October 2007

WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months

Reported: 11 October 2007
Occurred: 02 October 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Education

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

References:

School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
News Story, Patriot Ledger, 11 October 2007

WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out

Reported: 10 October 2007
Occurred: 06 October 2007

Classifications:

Attack Method: Insufficient Authentication
Country: USA
Outcome: Loss of Sales
Vertical: Retail

A hacker exploited a leftover admin function on eBay to block users and close sales.

References:

Hacker Breaks Into eBay Server, Locks Users Out
News Story, PC World, 08 October 2007
eBay Explains Security Hole Used by Hacker
News Story, Action Bytes, 09 October 2007

WHID 2007-40: County's Web site hacked; no data lost

Reported: 02 September 2007
Occurred: 20 August 2007

Classifications:

Attack Method: Known Vulnerability
Country: USA
Outcome: Defacement
Vertical: Government

Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem and that it is a problem mainly at government sites across the world.

References:

County's Web site hacked; no data lost
News Story, Journal Gazetter, 28 August 2007

WHID 2007-35: Data lapse involved 51,000 at a hospital

Reported: 30 July 2007
Occurred: 25 July 2007

Classifications:

Attack Method: Insufficient Authentication
Country: USA
Outcome: Leakage of Information
Vertical: Health

In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.

References:

Data lapse involved 51,000, St. Vincent says
News Story, Indy Star, 25 July 2007

WHID 2007-34: Fox News leaks secret files

Reported: 25 July 2007
Occurred: 23 July 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Media

Fox News left non public files on a directory accessible to everyone on their web server.

References:

Foxnews File Disclosure
Blog Entry, The Hacker Webzine, 23 July 2007
Fox News leaks secret files
News Story, The Inquierer, 24 July 2007

WHID 2007-28: US Embassy probes hacking of online visa appointment system

Reported: 17 June 2007
Occurred: 13 June 2007

Classifications:

Attack Method: Insufficient Authentication
Country: Jamaica
Country: USA
Outcome: Deceit
Vertical: Government

If you live in a country from which you need a Visa to get to the states, you knew this would happen. The US online Visa appointment system is very open. Indeed too open. Someone in Jamaica took advantage of this to pre-allocate appointments.

While this might be classified as a business process design flaw, isn't security also about this?

References:

US Embassy probes hacking of online visa appointment system
News Story, RJR 94FM, 13 June 2007

WHID 2007-23: Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget

Reported: 12 June 2007
Occurred: 03 June 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Security & Law Enforcement

A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of the US intelligence. Interestingly the not all the required information appears in the document, but combined with other pieces of information made available prior, the total number can be calculated.

This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.

References:

Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget
News Story, The Spy Who Billed Me, 03 June 2007

WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia

Reported: 12 June 2007
Occurred: 19 April 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Education

An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April of 2007. Approximately 5700 records where stolen in 54 distinct break-ins.

References:

Hackers access personal info on faculty members at Univ. of Virginia
News Story, Computer World, 11 June 2007
Two Universities Hit By Security Breaches
News Story, Information Week, 11 June 2007
U.Va. Faculty Names, SSN Security Breach
Victim's Report, Univ. of Va., 08 June 2007

WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident

Reported: 12 June 2007
Occurred: 19 May 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Education

Approximately 1100 students and faculty members' personal information records which includes social security numbers were exposed by a vulnerable web application at the Molecular and Cellular Biology program at the University of Iowa. The report suggests that the application was actually compromised.

References:

UI Notifies Graduate Program Students, Faculty About Security Breach
Victim's Report, Univ. Of Iowa, 19 May 2007
Two Universities Hit By Security Breaches
News Story, Information Week, 11 June 2007

WHID 2007-26: $1,000,000 CNBC stock trading contest hacked

Reported: 12 June 2007
Occurred: 11 June 2007

Classifications:

Attack Method: Insufficient Anti-automation
Attack Method: Insufficient Session Expiration
Country: USA
Outcome: Deceit
Vertical: Media

The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to by a stock before closing and issuing the transaction, at the set price, only after closing, when more information is already available.

The interesting anecdote is that the person who discovered the issue has used a different, but also questionable technique of maintaining a very large number of portfolios automatically managed by automated programs using the fact that the game allowed a user to have any number of portfolios but only the best one is counted. Kosher, but stinks.

This story remind an older story about a predictable delay in a poker game that enabled gamblers to beat the house.

References:

$1,000,000 CNBC stock trading contest hacked
Blog Entry, Jeremiah Grossman, 11 June 2007
CNBC's Easy Money
News Story, Business Week, 07 June 2007

WHID 2007-27: Files From Google On the Streets

Reported: 12 June 2007
Occurred: 30 May 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Internet

Google left some files at the wrong place at the wrong time. These files includes, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.

References:

Google left some files at the wrong place at the wrong time. These files includes, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google. Breaking News: Files From Google On the Streets
Blog Entry, The Hacker Webzine, 30 May 2007

WHID 2007-19: Hacker accessed data at University of Missouri

Reported: 09 May 2007
Occurred: 08 May 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Education

A report within the help desk system used to track the status of open service calls created a file that was a accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.

References:

Hacker accessed data at University of Missouri
News Story, MSNBC, 08 May 2007
One-at-a-time hacker grabs 22,000 IDs from Univ. of Missouri
News Story, Computerworld, 09 May 2007
May 2007 Security Incident
Victim's Report, University of Missouri, 08 May 2007

WHID 2007-18: Microsoft.com defaced

Reported: 06 May 2007
Occurred: 03 May 2005

Classifications:

Attack Method: SQL Injection
Country: USA
Origin: Saudi Arabia
Outcome: Defacement
Vertical: Technology

This incredible story from our friends at Zone-H shed light on one of those defacement attacks, which usually go unexplained. This time an infamous Saudi-Arabian hacker abused SQL injection vulnerability in Internet Explorer Administration Kit web site. And guess what type of SQL injection: A login form SQL injection!

References:

Microsoft.com defaced
News Story, zone-H, 03 May 2007

WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed

Reported: 23 April 2007
Occurred: 23 April 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Government

Details about 63,000 loans granted to farmers by USDA (The US department of agriculture) where posted online by mistake.

References:

USDA admits data breach, thousands of social security numbers revealed
News Story, Axcess News, 23 April 2007

WHID 2007-15: High School Hackers Cancel School With Fake Snow Day

Reported: 05 April 2007
Occurred: 09 February 2007

Classifications:

Attack Method: Insufficient Authentication
Country: USA
Outcome: Defacement
Vertical: Education

Two girls modified a schools home page by adding a note that school was closed due to a snow storm. The attack was probably done using a rouge admin accounts.

References:

High School Hackers Cancel School With Fake Snow Day
News Story, http://www.firstcoastnews.com/news/strange/news-article.aspx?storyid=75657, 09 February 2007

WHID 2007-14: Your Free MacWorld Expo Platinum Pass

Reported: 02 April 2007
Occurred: 11 January 2007

Classifications:

Attack Method: Credential/Session Prediction
Country: USA
Outcome: Loss of Sales
Vertical: Technology

A priority code, used to get free platinum pass to MacWorld Expo, was validated on the client and enabled anyone get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others abused the vulnerability without letting anyone know about it.

References:

Macworld crack offers VIP passes, hacker says
News Story, CNet, 12 January 2007
Your Free MacWorld Expo Platinum Pass (valued at $1,695)
Advisory, Grutz, 11 January 2007

WHID 2007-13: Hackers hit Georgia Tech and steal personal info

Reported: 02 April 2007
Occurred: 21 February 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Education

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised. The informatoin included names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers.

References:

Hackers hit Georgia Tech and steal personal info
News Story, Atlanta Business Chronicle, 21 February 2007

WHID 2007-10: Super Bowl Site Hacked with Trojan, Key logger

Reported: 30 March 2007
Occurred: 02 February 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Planting of Malware
Vertical: Sports

Hackers penetrated the Dolphins stadium web site just days before the Super Bowl was held there and modified the home page to include a Trojan inflecting script.

References:

Hacker installs malicious code on Dolphin Stadium website
News Story, CBS/AP, 02 February 2007
Malicious Website: Super Bowl XLI / Dolphin Stadium
Advisory, WebSense, 02 February 2007
Super Bowl Dolphin Stadium Website Trojan
Analysis, eSet, 02 February 2007
Chinese servers host malicious cursor attacks
News Story, Security Focus, 30 March 2007

WHID 2007-06: Hackers swipe seed company's customers' data

Reported: 29 March 2007
Occurred: 18 February 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Identity Theft
Outcome: Monetary Loss
Outcome: Leakage of Information
Vertical: Retail

11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds a small ($13M in revenue per annum) on line vendor of seeds in Main. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of stolen credit cards rather than security measures used protect the web site.

The direct cost of the breach, informing customers, researching the incident and upgrading the protection of the web site cost the company tens of thousands of dollars.

References:

Hackers swipe seed company's customers' data
News Story, Kennebec Journal, 03 March 2007
Maine Seed Company Website Hacked: Demonstrates SMB Vulnerability & Questions Hacker Safe Seals
Blog Entry, Realtime IT compliance, 03 March 2007

WHID 2007-05: Hacking John McCain

Reported: 29 March 2007
Occurred: 27 March 2007

Classifications:

Attack Method: Misconfiguration
Country: USA
Outcome: Defacement
Vertical: Politics

An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.

References:

Hacking John McCain
Blog Entry, , 27 March 2007
Oops! John McCain's MySpace page gets pranked
News Story, CNet, 27 March 2007

WHID 2007-07: Westerly Hospital data breach affects 2,000

Reported: 29 March 2007
Occurred: 02 March 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Health

Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.

The information included personal data such as social security numbers, birth dates, address, phone number, insurance numbers and in some cases the reason for the visit.

References:

Westerly Hospital data breach affects 2,000
News Story, Providence Business News, 02 March 2007
Patient Data Incident
Vistim's Report, , 05 March 2007

WHID 2007-09: Former Fruit of the Loom workers' identities compromised

Reported: 29 March 2007
Occurred: 23 February 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Retail

Names and social security numbers of former employees of Fruit of the Loom where available for download from the company's web site.

References:

Former Fruit of the Loom workers' identities compromised
News Story, The Northwest Georgian, 23 February 2007

WHID 2007-04: College glitch avails student information to public

Reported: 27 March 2007
Occurred: 10 March 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Education

A student at a community college in Sacramento who was "Googling" himself last month found his name, among 2000 others, in a file accidentally left by school staff online and picked by Google crawler.

References:

College glitch avails student information to public
News Story, The Arizona Republic, 10 March 2007

WHID 2007-01: Credit Card Information stolen from Indiana's Web Site

Reported: 26 March 2007
Occurred: 03 January 2007

Classifications:

Attack Method: Unknown
Country: USA
Outcome: Leakage of Information
Vertical: Government

On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.

While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.

References:

Hacker Suspected Of Multistate Break-In Spree
News Story, Information Week, 23 March 2007
Hacker Accesses Credit Card Info On State Web Site
News Story, The Indy Channel, 09 February 2007
State Notifies 71,000 Workers Of Web Site Breach
News Story, The Indy Channel, 21 March 2007
State: Web Site Breach May Have Been Prank
News Story, The Indy Channel, 22 March 2007

WHID 2007-03: UI put staff data on Web

Reported: 26 March 2007
Occurred: 10 March 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Education

Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused.

References:

UI put staff data on Web
News Story, Spokesman Review, 10 March 2007
Victim's report, Vandal Identity Resource Center,

WHID 1999-1: eBay downplays security hole

Reported: 04 April 2006
Occurred: 19 April 1999

Classifications:

Attack Method: Cross Site Scripting (XSS)
Country: USA
Outcome: Disclosure Only

A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.

References:

eBay downplays security hole
News Story, CNet, 19 April 1999
'EBayla' Bug Strikes eBay
News Story, Wired, 19 April 1999
The Ebayla Bug And How To Protect Yourself
Advisory, Because We Can (Miror), 21 April 1999

WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data

Reported:
Occurred: 28 September 2004

Classifications:

Attack Method: Cross Site Scripting (XSS)
Country: USA
Outcome: Phishing
Vertical: Finance

Phishing based on XSS

References:

Phishers Manipulate SunTrust Site to Steal Data
Technical Infromation, NetCraft, 28 September 2004

WHID 2000-4: Sensitive files left unprotected on Western Union's Web

Reported:
Occurred: 10 September 2000

Classifications:

Attack Method: Misconfiguration
Attack Method: Failure to Restrict URL Access
Country: USA

Sensitive files were left in a publicly accessible directory during a maintenance window

References:

Western Union Web site hacked
News Story, CNet, 10 September 2000

WHID 2000-3: Gaffe at Amazon leaves email addresses exposed

Reported:
Occurred: 06 September 2000

Classifications:

Attack Method: Abuse of Functionality
Country: USA
Outcome: Leakage of Information

E-mail addresses of other customers displayed by mistake, no hacking was required

References:

Gaffe at Amazon leaves email addresses exposed
News Story, CNet, 06 September 2000

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.