SlideShare a Scribd company logo

Web 2.0 Hacking Incidents – 2009 Q1

Hongyang Wang
Hongyang Wang
TechnologyNews & Politics
1 of 5
Download to read offline
WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1 VULNERABILITIES, TARGETS ATT AC K METHODS AN D MAY 2009
SUMMARY An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0 Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0 Forum found that:  Q1 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most prevalent attack with 21% of the incidents.  Attack vectors exploiting Web 2.0 features such as user-contributed content nd were commonly employed in Q1: Authentication abuse was the 2 most active attack vector, accounting for 18% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 6 with 8% of the reported attacks.  Leakage of sensitive information remains the most common outcome of web nd hacks (29%), while disinformation came in 2 with 26%, mostly due to the hacking of celebrity online identities. The study is based on incidents recorded in the ‘Web Hacking Incidents Database’ for Q1 2009. More information about the database can be found at www.xiom.com/whid. WHICH ORGANIZATIONS ARE HACKED? Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites hacked. Web 2.0 organizations such as social networks, wikis and community blogging sites (which were not classified as a separate site class until now) suffered most of the hacking incidents this quarter. Naturally, such a steep rise raises questions, so the attacks were analyzed to find the underlying cause for the rise. When examining the data, it was found that a major reason for the steep rise was a series of high-profile attacks on Twitter, which is 2
rapidly becoming a popular social network/micropublishing site. Additionally, since Web 2.0 hacks spread virally, it is easier to detect these hacks. Nevertheless, considering that the most media sites on the Internet are morphing into true Web 2.0 sites, the nearly 40% of Web 2.0 hacks are impressive. Furthermore, it was noted that some attacks against non-Web 2.0 sites, still exploited Web 2.0 technologies. For example, a recent hack against Amazon.com, exploited its community rating engine to delist books. WHICH VULNERABILITIES WERE EXPLOITED? SQL Injection remains the top vulnerability exploited by hackers, only slightly losing ground since previous quarters. The other attack vectors that topped the list are as follows:  Insufficient authentication – while not a new attack vector, insufficient authentication attacks have become increasingly severe due to the proliferation of user-contributed and managed web sites. As such, it is not surprising to see more incidents this quarter.  Automation is fast becoming a major security threat to web applications. Abuse examples range from brute force password attacks, to bypassing the wait queue in reservation systems, to opinion poll skewing.  Cross-Site Request Forgery (CSRF) was recognized several years ago as a potentially potent attack vector. While it took longer than expected to appear, this year it has become a mainstream hacking tool. A rise in the exploit of CSRF vulnerabilities is in line with authentication abuse, since it essentially provides an alternative mechanism for performing actions on behalf of a victim. 3
WHAT IS THE OUTCOME? Most major categories for attack outcomes maintained their standing in Q1 2009. st However, after two years of virtually a tie for 1 place, it seems that information leakage has surpassed defacements for the top spot. Furthermore, a new entrant, “disinformation,” has jumped from the bottom of the list to the second spot. NOTABLE INCIDENTS IN Q1 2009 The online identities of several high-profile celebrities were hacked, including the Twitter accounts of Barak Obama, Britney Spears and the rapper, Kanya West. Two incidents caused particular harm to the violated celebrity. In one, a hacker broke into Twitter, stole a celebrity’s password and used the same password to log on to the celebrity’s Gmail account. The hacker then found and published embarrassing pictures of teen star Miley Cyrus. In the other incident, a hacker broke into female rapper Lil Kim’s MySpace account and used the access to besmirch a colleague. In at least two incidents, false rumors were spread about Apple CEO, Steve Jobs’ health, causing Apple’s stock to plummet. In one of the incidents, an abused user contributed images to Wired.com, while in the other, someone broke into a live Mac Rumors feed to announce Job’s death (see box below). 4
Lastly, multiple vulnerabilities have hit Twitter, causing false tweets to be sent by hundreds of famous people, and user contact information to leak, thus potentially exposing Twitter users to malware. These incidents have made Twitter acutely aware of its responsibility to address the security needs of its customer base. ABOUT THE SECURE ENTERPRISE 2.0 FORUM The Secure Enterprise 2.0 Forum is comprised of top executives at Global Fortune 500 companies that are ready to address the security challenges posed by Web 2.0 technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages, social networks and social bookmarking, which are becoming increasingly popular in the enterprise. The Forum promotes awareness, industry standards, best practices, and interoperability issues related to the introduction of consumer technology into the workplace. Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to promote the secure use of Web 2.0 to do business. For more information, visit www.secure-enterprise20.org. 5

Recommended

Sejal Magia
Sejal MagiaSejal Magia
Sejal Magiasejalmagia
 
Smart spending white paper
Smart spending white paperSmart spending white paper
Smart spending white paperYu Tang
 
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRDie elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRnews aktuell
 
Compliance With Data Security Policies
Compliance With Data Security PoliciesCompliance With Data Security Policies
Compliance With Data Security PoliciesHongyang Wang
 
JavaScript tools
JavaScript toolsJavaScript tools
JavaScript toolsHazem Saleh
 
Second Life - A Web 2.0 App
Second Life - A Web 2.0 AppSecond Life - A Web 2.0 App
Second Life - A Web 2.0 Appguest13fa63
 
"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeitnews aktuell
 
Flowers
FlowersFlowers
FlowersClyde Robinson
 

Recommended

Sejal Magia
Sejal MagiaSejal Magia
Sejal Magiasejalmagia
 
Smart spending white paper
Smart spending white paperSmart spending white paper
Smart spending white paperYu Tang
 
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRDie elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRnews aktuell
 
Compliance With Data Security Policies
Compliance With Data Security PoliciesCompliance With Data Security Policies
Compliance With Data Security PoliciesHongyang Wang
 
JavaScript tools
JavaScript toolsJavaScript tools
JavaScript toolsHazem Saleh
 
Second Life - A Web 2.0 App
Second Life - A Web 2.0 AppSecond Life - A Web 2.0 App
Second Life - A Web 2.0 Appguest13fa63
 
"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeitnews aktuell
 
Flowers
FlowersFlowers
FlowersClyde Robinson
 
Present Perfect
Present PerfectPresent Perfect
Present PerfectIsa Barbio
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Hongyang Wang
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Hongyang Wang
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Hongyang Wang
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By SysomosHongyang Wang
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Hazem Saleh
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalHongyang Wang
 
Sylfids
SylfidsSylfids
SylfidsПоліщук Іван
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Hongyang Wang
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

More Related Content

Viewers also liked

Present Perfect
Present PerfectPresent Perfect
Present PerfectIsa Barbio
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Hongyang Wang
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Hongyang Wang
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Hongyang Wang
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By SysomosHongyang Wang
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Hazem Saleh
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalHongyang Wang
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Hongyang Wang
 

Viewers also liked (9)

Present Perfect
Present PerfectPresent Perfect
Present Perfect
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
 
Sylfids
SylfidsSylfids
Sylfids
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713
 

Recently uploaded

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 

Recently uploaded (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Web 2.0 Hacking Incidents – 2009 Q1

  • 1. WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1 VULNERABILITIES, TARGETS ATT AC K METHODS AN D MAY 2009
  • 2. SUMMARY An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0 Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0 Forum found that:  Q1 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most prevalent attack with 21% of the incidents.  Attack vectors exploiting Web 2.0 features such as user-contributed content nd were commonly employed in Q1: Authentication abuse was the 2 most active attack vector, accounting for 18% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 6 with 8% of the reported attacks.  Leakage of sensitive information remains the most common outcome of web nd hacks (29%), while disinformation came in 2 with 26%, mostly due to the hacking of celebrity online identities. The study is based on incidents recorded in the ‘Web Hacking Incidents Database’ for Q1 2009. More information about the database can be found at www.xiom.com/whid. WHICH ORGANIZATIONS ARE HACKED? Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites hacked. Web 2.0 organizations such as social networks, wikis and community blogging sites (which were not classified as a separate site class until now) suffered most of the hacking incidents this quarter. Naturally, such a steep rise raises questions, so the attacks were analyzed to find the underlying cause for the rise. When examining the data, it was found that a major reason for the steep rise was a series of high-profile attacks on Twitter, which is 2
  • 3. rapidly becoming a popular social network/micropublishing site. Additionally, since Web 2.0 hacks spread virally, it is easier to detect these hacks. Nevertheless, considering that the most media sites on the Internet are morphing into true Web 2.0 sites, the nearly 40% of Web 2.0 hacks are impressive. Furthermore, it was noted that some attacks against non-Web 2.0 sites, still exploited Web 2.0 technologies. For example, a recent hack against Amazon.com, exploited its community rating engine to delist books. WHICH VULNERABILITIES WERE EXPLOITED? SQL Injection remains the top vulnerability exploited by hackers, only slightly losing ground since previous quarters. The other attack vectors that topped the list are as follows:  Insufficient authentication – while not a new attack vector, insufficient authentication attacks have become increasingly severe due to the proliferation of user-contributed and managed web sites. As such, it is not surprising to see more incidents this quarter.  Automation is fast becoming a major security threat to web applications. Abuse examples range from brute force password attacks, to bypassing the wait queue in reservation systems, to opinion poll skewing.  Cross-Site Request Forgery (CSRF) was recognized several years ago as a potentially potent attack vector. While it took longer than expected to appear, this year it has become a mainstream hacking tool. A rise in the exploit of CSRF vulnerabilities is in line with authentication abuse, since it essentially provides an alternative mechanism for performing actions on behalf of a victim. 3
  • 4. WHAT IS THE OUTCOME? Most major categories for attack outcomes maintained their standing in Q1 2009. st However, after two years of virtually a tie for 1 place, it seems that information leakage has surpassed defacements for the top spot. Furthermore, a new entrant, “disinformation,” has jumped from the bottom of the list to the second spot. NOTABLE INCIDENTS IN Q1 2009 The online identities of several high-profile celebrities were hacked, including the Twitter accounts of Barak Obama, Britney Spears and the rapper, Kanya West. Two incidents caused particular harm to the violated celebrity. In one, a hacker broke into Twitter, stole a celebrity’s password and used the same password to log on to the celebrity’s Gmail account. The hacker then found and published embarrassing pictures of teen star Miley Cyrus. In the other incident, a hacker broke into female rapper Lil Kim’s MySpace account and used the access to besmirch a colleague. In at least two incidents, false rumors were spread about Apple CEO, Steve Jobs’ health, causing Apple’s stock to plummet. In one of the incidents, an abused user contributed images to Wired.com, while in the other, someone broke into a live Mac Rumors feed to announce Job’s death (see box below). 4
  • 5. Lastly, multiple vulnerabilities have hit Twitter, causing false tweets to be sent by hundreds of famous people, and user contact information to leak, thus potentially exposing Twitter users to malware. These incidents have made Twitter acutely aware of its responsibility to address the security needs of its customer base. ABOUT THE SECURE ENTERPRISE 2.0 FORUM The Secure Enterprise 2.0 Forum is comprised of top executives at Global Fortune 500 companies that are ready to address the security challenges posed by Web 2.0 technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages, social networks and social bookmarking, which are becoming increasingly popular in the enterprise. The Forum promotes awareness, industry standards, best practices, and interoperability issues related to the introduction of consumer technology into the workplace. Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to promote the secure use of Web 2.0 to do business. For more information, visit www.secure-enterprise20.org. 5