SlideShare a Scribd company logo

Web 2.0 Hacking Incidents – 2009 Q1

Hongyang Wang
Hongyang Wang
TechnologyNews & Politics
1 of 5
Download to read offline
WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1 VULNERABILITIES, TARGETS ATT AC K METHODS AN D MAY 2009
SUMMARY An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0 Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0 Forum found that:  Q1 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most prevalent attack with 21% of the incidents.  Attack vectors exploiting Web 2.0 features such as user-contributed content nd were commonly employed in Q1: Authentication abuse was the 2 most active attack vector, accounting for 18% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 6 with 8% of the reported attacks.  Leakage of sensitive information remains the most common outcome of web nd hacks (29%), while disinformation came in 2 with 26%, mostly due to the hacking of celebrity online identities. The study is based on incidents recorded in the ‘Web Hacking Incidents Database’ for Q1 2009. More information about the database can be found at www.xiom.com/whid. WHICH ORGANIZATIONS ARE HACKED? Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites hacked. Web 2.0 organizations such as social networks, wikis and community blogging sites (which were not classified as a separate site class until now) suffered most of the hacking incidents this quarter. Naturally, such a steep rise raises questions, so the attacks were analyzed to find the underlying cause for the rise. When examining the data, it was found that a major reason for the steep rise was a series of high-profile attacks on Twitter, which is 2
rapidly becoming a popular social network/micropublishing site. Additionally, since Web 2.0 hacks spread virally, it is easier to detect these hacks. Nevertheless, considering that the most media sites on the Internet are morphing into true Web 2.0 sites, the nearly 40% of Web 2.0 hacks are impressive. Furthermore, it was noted that some attacks against non-Web 2.0 sites, still exploited Web 2.0 technologies. For example, a recent hack against Amazon.com, exploited its community rating engine to delist books. WHICH VULNERABILITIES WERE EXPLOITED? SQL Injection remains the top vulnerability exploited by hackers, only slightly losing ground since previous quarters. The other attack vectors that topped the list are as follows:  Insufficient authentication – while not a new attack vector, insufficient authentication attacks have become increasingly severe due to the proliferation of user-contributed and managed web sites. As such, it is not surprising to see more incidents this quarter.  Automation is fast becoming a major security threat to web applications. Abuse examples range from brute force password attacks, to bypassing the wait queue in reservation systems, to opinion poll skewing.  Cross-Site Request Forgery (CSRF) was recognized several years ago as a potentially potent attack vector. While it took longer than expected to appear, this year it has become a mainstream hacking tool. A rise in the exploit of CSRF vulnerabilities is in line with authentication abuse, since it essentially provides an alternative mechanism for performing actions on behalf of a victim. 3
WHAT IS THE OUTCOME? Most major categories for attack outcomes maintained their standing in Q1 2009. st However, after two years of virtually a tie for 1 place, it seems that information leakage has surpassed defacements for the top spot. Furthermore, a new entrant, “disinformation,” has jumped from the bottom of the list to the second spot. NOTABLE INCIDENTS IN Q1 2009 The online identities of several high-profile celebrities were hacked, including the Twitter accounts of Barak Obama, Britney Spears and the rapper, Kanya West. Two incidents caused particular harm to the violated celebrity. In one, a hacker broke into Twitter, stole a celebrity’s password and used the same password to log on to the celebrity’s Gmail account. The hacker then found and published embarrassing pictures of teen star Miley Cyrus. In the other incident, a hacker broke into female rapper Lil Kim’s MySpace account and used the access to besmirch a colleague. In at least two incidents, false rumors were spread about Apple CEO, Steve Jobs’ health, causing Apple’s stock to plummet. In one of the incidents, an abused user contributed images to Wired.com, while in the other, someone broke into a live Mac Rumors feed to announce Job’s death (see box below). 4
Lastly, multiple vulnerabilities have hit Twitter, causing false tweets to be sent by hundreds of famous people, and user contact information to leak, thus potentially exposing Twitter users to malware. These incidents have made Twitter acutely aware of its responsibility to address the security needs of its customer base. ABOUT THE SECURE ENTERPRISE 2.0 FORUM The Secure Enterprise 2.0 Forum is comprised of top executives at Global Fortune 500 companies that are ready to address the security challenges posed by Web 2.0 technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages, social networks and social bookmarking, which are becoming increasingly popular in the enterprise. The Forum promotes awareness, industry standards, best practices, and interoperability issues related to the introduction of consumer technology into the workplace. Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to promote the secure use of Web 2.0 to do business. For more information, visit www.secure-enterprise20.org. 5

Recommended

Sejal Magia
Sejal MagiaSejal Magia
Sejal Magia
sejalmagia
 
Smart spending white paper
Smart spending white paperSmart spending white paper
Smart spending white paper
Yu Tang
 
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRDie elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
news aktuell
 
Compliance With Data Security Policies
Compliance With Data Security PoliciesCompliance With Data Security Policies
Compliance With Data Security Policies
Hongyang Wang
 
JavaScript tools
JavaScript toolsJavaScript tools
JavaScript tools
Hazem Saleh
 
Second Life - A Web 2.0 App
Second Life - A Web 2.0 AppSecond Life - A Web 2.0 App
Second Life - A Web 2.0 App
guest13fa63
 
"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit
news aktuell
 
Flowers
FlowersFlowers
Flowers
Clyde Robinson
 

Recommended

Sejal Magia
Sejal MagiaSejal Magia
Sejal Magia
sejalmagia
 
Smart spending white paper
Smart spending white paperSmart spending white paper
Smart spending white paper
Yu Tang
 
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRDie elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
news aktuell
 
Compliance With Data Security Policies
Compliance With Data Security PoliciesCompliance With Data Security Policies
Compliance With Data Security Policies
Hongyang Wang
 
JavaScript tools
JavaScript toolsJavaScript tools
JavaScript tools
Hazem Saleh
 
Second Life - A Web 2.0 App
Second Life - A Web 2.0 AppSecond Life - A Web 2.0 App
Second Life - A Web 2.0 App
guest13fa63
 
"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit
news aktuell
 
Flowers
FlowersFlowers
Flowers
Clyde Robinson
 
Present Perfect
Present PerfectPresent Perfect
Present Perfect
Isa Barbio
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
Hongyang Wang
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
Hongyang Wang
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Hongyang Wang
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
Hongyang Wang
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013
Hazem Saleh
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
Hongyang Wang
 
Sylfids
SylfidsSylfids
Sylfids
Поліщук Іван
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713
Hongyang Wang
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
marcuskenyatta275
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
Mark Opanasiuk
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
ScyllaDB
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
ScyllaDB
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
Samy Fodil
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
FIDO Alliance
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
Hyperleger Tokyo Meetup
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
Patrick Viafore
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
FIDO Alliance
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Stefan Dietze
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
BrainSell Technologies
 

More Related Content

Viewers also liked

Present Perfect
Present PerfectPresent Perfect
Present Perfect
Isa Barbio
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
Hongyang Wang
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
Hongyang Wang
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Hongyang Wang
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
Hongyang Wang
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
Hongyang Wang
 

Viewers also liked (9)

Present Perfect
Present PerfectPresent Perfect
Present Perfect
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
 
Sylfids
SylfidsSylfids
Sylfids
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 

Recently uploaded (20)

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 

Web 2.0 Hacking Incidents – 2009 Q1

  • 1. WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1 VULNERABILITIES, TARGETS ATT AC K METHODS AN D MAY 2009
  • 2. SUMMARY An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0 Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0 Forum found that:  Q1 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most prevalent attack with 21% of the incidents.  Attack vectors exploiting Web 2.0 features such as user-contributed content nd were commonly employed in Q1: Authentication abuse was the 2 most active attack vector, accounting for 18% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 6 with 8% of the reported attacks.  Leakage of sensitive information remains the most common outcome of web nd hacks (29%), while disinformation came in 2 with 26%, mostly due to the hacking of celebrity online identities. The study is based on incidents recorded in the ‘Web Hacking Incidents Database’ for Q1 2009. More information about the database can be found at www.xiom.com/whid. WHICH ORGANIZATIONS ARE HACKED? Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites hacked. Web 2.0 organizations such as social networks, wikis and community blogging sites (which were not classified as a separate site class until now) suffered most of the hacking incidents this quarter. Naturally, such a steep rise raises questions, so the attacks were analyzed to find the underlying cause for the rise. When examining the data, it was found that a major reason for the steep rise was a series of high-profile attacks on Twitter, which is 2
  • 3. rapidly becoming a popular social network/micropublishing site. Additionally, since Web 2.0 hacks spread virally, it is easier to detect these hacks. Nevertheless, considering that the most media sites on the Internet are morphing into true Web 2.0 sites, the nearly 40% of Web 2.0 hacks are impressive. Furthermore, it was noted that some attacks against non-Web 2.0 sites, still exploited Web 2.0 technologies. For example, a recent hack against Amazon.com, exploited its community rating engine to delist books. WHICH VULNERABILITIES WERE EXPLOITED? SQL Injection remains the top vulnerability exploited by hackers, only slightly losing ground since previous quarters. The other attack vectors that topped the list are as follows:  Insufficient authentication – while not a new attack vector, insufficient authentication attacks have become increasingly severe due to the proliferation of user-contributed and managed web sites. As such, it is not surprising to see more incidents this quarter.  Automation is fast becoming a major security threat to web applications. Abuse examples range from brute force password attacks, to bypassing the wait queue in reservation systems, to opinion poll skewing.  Cross-Site Request Forgery (CSRF) was recognized several years ago as a potentially potent attack vector. While it took longer than expected to appear, this year it has become a mainstream hacking tool. A rise in the exploit of CSRF vulnerabilities is in line with authentication abuse, since it essentially provides an alternative mechanism for performing actions on behalf of a victim. 3
  • 4. WHAT IS THE OUTCOME? Most major categories for attack outcomes maintained their standing in Q1 2009. st However, after two years of virtually a tie for 1 place, it seems that information leakage has surpassed defacements for the top spot. Furthermore, a new entrant, “disinformation,” has jumped from the bottom of the list to the second spot. NOTABLE INCIDENTS IN Q1 2009 The online identities of several high-profile celebrities were hacked, including the Twitter accounts of Barak Obama, Britney Spears and the rapper, Kanya West. Two incidents caused particular harm to the violated celebrity. In one, a hacker broke into Twitter, stole a celebrity’s password and used the same password to log on to the celebrity’s Gmail account. The hacker then found and published embarrassing pictures of teen star Miley Cyrus. In the other incident, a hacker broke into female rapper Lil Kim’s MySpace account and used the access to besmirch a colleague. In at least two incidents, false rumors were spread about Apple CEO, Steve Jobs’ health, causing Apple’s stock to plummet. In one of the incidents, an abused user contributed images to Wired.com, while in the other, someone broke into a live Mac Rumors feed to announce Job’s death (see box below). 4
  • 5. Lastly, multiple vulnerabilities have hit Twitter, causing false tweets to be sent by hundreds of famous people, and user contact information to leak, thus potentially exposing Twitter users to malware. These incidents have made Twitter acutely aware of its responsibility to address the security needs of its customer base. ABOUT THE SECURE ENTERPRISE 2.0 FORUM The Secure Enterprise 2.0 Forum is comprised of top executives at Global Fortune 500 companies that are ready to address the security challenges posed by Web 2.0 technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages, social networks and social bookmarking, which are becoming increasingly popular in the enterprise. The Forum promotes awareness, industry standards, best practices, and interoperability issues related to the introduction of consumer technology into the workplace. Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to promote the secure use of Web 2.0 to do business. For more information, visit www.secure-enterprise20.org. 5