Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 07 November 2007

List of incidents of class Unknown

Other WASC threat classifications:
Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm


There are 44 incidents of class Unknown
WHID 2007-50: Art.com says hacker accessed names, credit cards
Date: 28 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

A hacker gained access to names and encrypted credit card numbers at Art.com. While the cause is not known, the information belongs to online shoppers who made transactions from July to September, so we assume it was a web site breach.

References:

WHID 2007-48: MSU investigating hacking incident
Date: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Information including birth dates and social security numbers of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.

References:

WHID 2007-55: Malicious Code Infects Chinese Security Site
Date: 03 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Defacements are a dime a dozen these days, and are not normally reported by WHID. Even invisible defacements, in which sites are changed in order to infect their clients with malicious code, are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in light of the hot debate about China as the source of all hacking, we think that this story has value.

References:

WHID 2007-58: Internet Retailer Publisher Victim of Customer File Hack
Date: 18 September 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Vertical Web Media, publisher of Internet Retailer magazine, suffered a security breach in which credit card information of readers was stolen. The irony is that Internet Retailer magazine covers the risks of e-commerce.

While the actual technique used is not known, signs are that it was a web hack, as it was done by a distributed network of bots all over the world and the information stolen belonged to customers who paid online.

The information stolen includes names, addresses, e-mail addresses, phone numbers, credit card account numbers and card expiration dates. The number of records stolen is unknown.

References:

WHID 2007-42: Bank of India seriously compromised
Date: 02 September 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

This very serious hacking incident provides insight into many of the failures of information security in general, and web application security in particular, beyond the simple fact that the web site of the largest state-owned bank in India was invisibly defaced with Trojan-inflicting code.

Firstly, the entire discussion in the references is about the Trojan payload, with no word about the vulnerability that led to the defacement. In fact, a reviewer on the SiteAdvisor report gives the web site the green mark after the Trojan is removed, without requiring any information about the actual problem.

Secondly, most trust systems, including SiteAdvisor, completely fail to detect the breach. This makes me think about those trust models: they check that the site was not breached, while they should check that the site is not vulnerable. I guess the reason is that their primary goal is to detect intentionally malicious sites and not breaches in normative sites, but others use them to assess the level of security of the latter.

References:

WHID 2007-43: Hacker attacks the Ministry for Housing website as Spanish mortgages come under the international spotlight
Date: 29 August 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Yet another defacement, and as usual in the political arena. However, this one is worth a note as the attack is very targeted, while usually such political defacements are carried out quite randomly against sites loosely related to the opponent and usually have little to do with the actual message the attackers want to convey. In this case the defacement seems to be a direct response to the hot debate about housing prices in Spain.

References:

WHID 2007-39: Hacker sabotages Peru president's Web site
Date: 24 July 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Defacements seem to be starting to dominate this list. Alas, they are the most obvious web site hacks out there. While not every defacement is reported in the Web Hacking Incidents Database, key ones are. I included this one since the attacked web site is significant, and since it emphasizes what is becoming a major goal of attacking: politics and international affairs. As a side note, this incident is also interesting because it was repeated after it was discovered and presumably fixed, which goes a long way to show how much effort there is in protecting web sites and how difficult it can be.

References:

WHID 2007-33: THAILAND: ICT Ministry website sabotaged by hacker
Date: 20 July 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

While defacements are usually not the bread and butter of this database, when one hits an important government site, especially that of a ministry in charge of information technology, it is worth mentioning.

References:

WHID 2007-29: Teen arrested for hacking Belgian police website
Date: 22 June 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

As you may know, defacements usually do not find their way to WHID, especially if the method used is not known. However, since in this case the victim was the Belgian police, I thought it was worth including.

References:

WHID 2007-31: Hackers Make Off With Personal Info On Applicants At UC Davis
Date: 15 June 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Somebody snitched names, social security numbers and birth dates of approximately 1500 students at the vet school of UC Davis. Indications are that the web application used by the students was at fault. The school's web site described the incident as a result of "the computer attacker being able to manipulate a university computing application to accept unauthorized commands". A disgruntled cow?

References:

WHID 2007-22: Hacking of CM's website: Interpol's help sought
Date: 10 June 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

The web site of the prime minister of Kerala (an Indian state) was hacked and defaced. The local police have contacted Interpol for help in finding who is behind the web site hacking.

References:

WHID 2007-25: University of Iowa Molecular and Cellular Biology Program Security Incident
Date: 19 May 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2007-16: USDA admits data breach, thousands of social security numbers revealed
Date: 23 April 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Details about 63,000 loans granted to farmers by USDA (the US Department of Agriculture) were posted online by mistake.

References:

WHID 2007-24: Hackers access personal info on faculty members at Univ. of Virginia
Date: 19 April 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

An undisclosed vulnerability in a web application at the University of Virginia allowed hackers to access names, social security numbers and birth dates of faculty members from May 2005 until April 2007. Approximately 5700 records were stolen in 54 distinct break-ins.

References:

WHID 2007-09: Former Fruit of the Loom workers' identities compromised
Date: 23 February 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Names and social security numbers of former employees of Fruit of the Loom were available for download from the company's web site.

References:

WHID 2007-13: Hackers hit Georgia Tech and steal personal info
Date: 21 February 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised.

References:

WHID 2007-06: Hackers swipe seed company's customers' data
Date: 18 February 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

11,500 credit card numbers have been stolen from the web site of Johnny's Selected Seeds, a small ($13M in revenue per annum) online vendor of seeds in Maine. 20 of these are known to have been abused. As usual, the hack was discovered because of fraudulent use of stolen credit cards rather than through the security measures used to protect the web site.

The direct costs of the breach (informing customers, researching the incident and upgrading the protection of the web site) came to tens of thousands of dollars for the company.

References:

WHID 2007-02: Massive Security Breach Reveals Credit Card Data at TJX
Date: 18 January 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

A massive security breach, estimated to be the largest in history, has been discovered at TJX Companies, a major US retailer operating chains such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright. The extent of the breach is still unclear, but the hack may have started as early as July 2005, and the information stolen dates from as early as 2003 up until the discovery in December 2006. Apart from credit card and debit card numbers, driver license numbers were also stolen.

As of today, arrests have been made in a single case, in Florida, in which 5 people were arrested for using the stolen information to steal $8 million. The arrested people are believed to have bought the information and are probably not the hackers.

Information regarding the method used to hack TJX computers is still not available.

References:

WHID 2007-01: Credit Card Information stolen from Indiana's Web Site
Date: 03 January 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

On January 3, a hacker broke into Indiana's government web site and made off with personal information for 71,000 health care aides who obtained certifications from the state, as well as 5,600 credit card numbers from people who had paid the state through the IN.gov web site.

While officials in Indiana tried to write it off as a harmless prank played by a teenager, the U.S. Department of Justice has also been investigating the case, and they believe the same hacker is responsible for attempts on other state government web sites.

References:

WHID 2006-46: Hacker Redirects Bank Customers To Phony Site
Date: 27 November 2006
Incident Type: Security Breach
WASC Threat Classification: Unknown

A small credit union web site was hacked and the traffic redirected to a pharming site. About 180 users were redirected, out of which 12 were tricked into providing their personal information to the attackers. $500 is known to have been stolen from one of the victims.

References:

WHID 2006-43: Hackers steal AT&T customer info
Date: 29 August 2006
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2006-12: Music Web Site: Breach Exposed Accounts
Date: 16 March 2006
Incident Type: Security Breach
WASC Threat Classification: Unknown

A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige was breached and notified some customers that their credit card information may have been stolen.

References:

WHID 2006-6: Hacker breaks into Buffalo sports site
Date: 13 February 2006
Incident Type: Security Breach
WASC Threat Classification: Unknown

The site of a minor league baseball team was hacked and personal details of fans were stolen.

References:

WHID 2005-60: KU shuts down housing application Web site
Date: 27 December 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Unknown

The web site used to file online for housing at KU was shut down for lack of proper security measures to prevent visitors from viewing personal information about others.

References:

WHID 2005-57: RPG site bit by hackers
Date: 21 December 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

User data stolen from an online game web site. The hacker tried to extort RPG by threatening to publish the users' data. The news item states that the hack was a result of a flaw in custom web site software.

References:

WHID 2005-53: Charity Web Site Hacked
Date: 09 December 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A UK Church charity web site was hacked and at least 3000 credit card numbers were stolen. Credit card information is known to have been used by the hackers. While no specific details are given, the article indicates that the way site was hacked.

References:

WHID 2005-52: £30m fraud hits UK Tax Credit website
Date: 05 December 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

The web site was used for fraudulent tax claims.

References:

WHID 2005-45: Guidance software was hacked
Date: 01 November 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

Information was stolen from Guidance Software, a vendor of forensic software. At least 3,800 credit card numbers were stolen and some are known to have been abused. In one case a card was charged $20,000 for fraudulent AdWords fees. The attack happened in November but was not discovered until mid-December. Guidance Software has many top secret customers and it seems the information about them also leaked.

References:

WHID 2005-38: Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers
Date: 08 September 2005
Incident Type: Security Breach
WASC Threat Classification: Denial of Service, Unknown

A teen was convicted of threatening an ISP with a DoS attack, among other computer hacking activities.

References:

WHID 2005-37: A 12 years old hacked an online game and stole game items
Date: 07 September 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A 12-year-old guessed the login information of a woman and abused her account, stealing game items from her.

References:

WHID 2005-31: Hacker forced new planet discovery out of the closet
Date: 01 August 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-30: "Blogger Developers Network" Blog, Cracked
Date: 31 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

Official answer from Blogger: "This was not the result of a hack attempt but of a subtle bug that occurred because our Developer's Network blog is a special case [it's got two names, 'code.blogger.com' and 'code.blogspot.com']."

References:

WHID 2005-28: Phishers Steal Trust from eBay Sign In Pages
Date: 29 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-27: Phishers hack eBay
Date: 29 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A bug in an eBay site allowed phishers to redirect users to their own servers after filling in details at the genuine eBay site.

References:

WHID 2005-25: No Charges Filed Yet Against South Charlotte Computer Hacker
Date: 26 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

A man hacked into a competing web site

References:

WHID 2005-24: Firefox marketing site hacked
Date: 15 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-22: MS UK defaced in hacking attack
Date: 06 July 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

Microsoft UK site defaced due to server misconfiguration

References:

WHID 2005-18: Hacker hits Duke system
Date: 05 June 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

References:

WHID 2005-16: MSN site hacked in South Korea
Date: 03 June 2005
Incident Type: Security Breach
WASC Threat Classification: Unknown

The web site was modified to include password stealing code

References:

WHID 2005-9: Undisclosed application security issue on Cisco's site forces global passwords reset
Date: 08 March 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Unknown

An undisclosed application security issue on Cisco web site required resetting passwords for all registered users.

References:

WHID 2005-1: Gmail Bug Exposes E-mail messages of other users
Date: 12 January 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Unknown

Parameter tampering enabled exposure of sensitive information in Gmail.

References:

WHID 2003-6: Mississippi man blackmails Best Buy
Date: 01 October 2003
Incident Type: Security Breach
WASC Threat Classification: Unknown

A person was convicted of blackmailing Best Buy. He threatened to expose a breach in the company's web site if not paid $2.5 million.

References:

WHID 2002-3: Reuters accused of hacking
Date: 29 November 2002
Incident Type: Security Breach
WASC Threat Classification: Unknown

A company put its earnings report on its site before the official release, but did not link to it. Reuters found the document and published it.

References:

WHID 2000-1: Bloomberg Extortion Case
Date: 11 August 2000
Incident Type: Security Breach
WASC Threat Classification: Unknown

Kazakhstan nationals tried to extort $200,000 from financial information magnate Michael Bloomberg in exchange for not exploiting supposed security holes in his Web site.

References:




This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

© Copyright 2005, Web Application Security Consortium. All rights reserved.