WEB 2.0 HACKING INCIDENTS & TRENDS
2009 Q1
VULNERABILITIES, TARGETS AND ATTACK METHODS

MAY 2009
SUMMARY
An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0
Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on
analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0
Forum found that:

• Q1 2009 showed a steep rise in attacks against Web 2.0 sites, which were the
  most frequently attacked class of organization, accounting for 21% of the
  incidents.

• Attack vectors exploiting Web 2.0 features such as user-contributed content
  were commonly employed in Q1: authentication abuse was the 2nd most active
  attack vector, accounting for 18% of the attacks, and Cross-Site Request
  Forgery (CSRF) rose to number 6 with 8% of the reported attacks.

• Leakage of sensitive information remains the most common outcome of web
  hacks (29%), while disinformation came in 2nd with 26%, mostly due to the
  hacking of celebrity online identities.

The study is based on incidents recorded in the ‘Web Hacking Incidents Database’
(WHID) for Q1 2009. More information about the database can be found at
www.xiom.com/whid.



WHICH ORGANIZATIONS ARE HACKED?
Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites
hacked. Web 2.0 organizations such as social networks, wikis and community blogging
sites (which were not classified as a separate site class until now) suffered the
largest share of the hacking incidents this quarter.

Naturally, such a steep rise raises questions, so the attacks were analyzed to find the
underlying cause. When examining the data, it was found that a major reason for the
steep rise was a series of high-profile attacks on Twitter, which is rapidly becoming
a popular social network/micropublishing site. Additionally, since Web 2.0 hacks
spread virally, they are easier to detect, so part of the rise reflects better
visibility rather than more attacks.

Nevertheless, considering that most media sites on the Internet are morphing into
true Web 2.0 sites, the nearly 40% share of Web 2.0 hacks is impressive. Furthermore,
it was noted that some attacks against non-Web 2.0 sites still exploited Web 2.0
technologies. For example, a recent hack against Amazon.com exploited its community
rating engine to delist books.



WHICH VULNERABILITIES WERE EXPLOITED?

SQL Injection remains the top vulnerability exploited by hackers, only slightly losing
ground since previous quarters. The other attack vectors that topped the list are as
follows:

• Insufficient authentication: while not a new attack vector, insufficient
  authentication attacks have become increasingly severe due to the proliferation
  of user-contributed and user-managed web sites, where a single account takeover
  lets the attacker publish in the victim's name. As such, it is not surprising to
  see more incidents this quarter.

• Automation is fast becoming a major security threat to web applications.
  Abuse examples range from brute-force password attacks, to bypassing the
  wait queue in reservation systems, to opinion poll skewing.

• Cross-Site Request Forgery (CSRF) was recognized several years ago as a
  potentially potent attack vector. While it took longer than expected to
  appear, this year it has become a mainstream hacking tool. The rise in
  exploitation of CSRF vulnerabilities is in line with authentication abuse,
  since CSRF essentially provides an alternative mechanism for performing
  actions on behalf of a victim: the victim's browser, already authenticated,
  submits the attacker's request.
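As an added illustration of the CSRF point above (example code written for this edition of the report, not code from the Forum, WHID or any of the sites named), here is a minimal status-posting endpoint in Python, once as a handler that trusts the session cookie alone and once hardened with the synchronizer-token pattern plus an Origin/Referer check. The Request class, the in-memory SESSIONS store and the origin https://social.example are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical minimal request model, constructed for this example (not a real framework).
@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict      # POST body fields, or query parameters for a GET
    cookies: dict

# In-memory stand-in for a server-side session store, keyed by the session cookie.
SESSIONS: dict = {}

SITE_ORIGIN = "https://social.example"   # assumed origin of the site being protected


def login(user: str) -> dict:
    """Create a session and mint a per-session CSRF token (synchronizer token pattern).
    Returns the cookies the browser would carry from now on."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return {"session": sid}


def post_status_vulnerable(req: Request) -> str:
    """The flawed handler: any request carrying the victim's session cookie is honoured,
    whatever its method or origin. A page on attacker.example can auto-submit a form
    (or embed an <img src=...> for the GET case); the browser attaches the victim's
    cookie and the message is posted in the victim's name."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    return f"200 posted as {sess['user']}: {req.form['status']}"


def _origin_of(url: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def post_status_hardened(req: Request) -> str:
    """Hardened handler: a state change requires POST, a same-origin Origin/Referer,
    and a form token equal to the one stored in the session. The attacker's page
    cannot read the token (same-origin policy), so it cannot forge a passing request."""
    if req.method != "POST":
        return "405 state change must be POST"
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    # Origin is sent by browsers on cross-site POSTs; fall back to Referer. Requests
    # with neither are rejected here; a site that must serve Referer-stripping clients
    # would rely on the token alone for those.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or _origin_of(source) != SITE_ORIGIN:
        return "403 cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison on bytes: str inputs with non-ASCII characters would
    # make hmac.compare_digest raise, and an attacker controls this field.
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return "403 missing or wrong CSRF token"
    return f"200 posted as {sess['user']}: {req.form['status']}"


if __name__ == "__main__":
    cookies = login("victim")
    forged = Request("POST", "/status", {"Origin": "https://attacker.example"},
                     {"status": "I endorse attacker.example"}, cookies)
    print("vulnerable:", post_status_vulnerable(forged))
    print("hardened:  ", post_status_hardened(forged))
```

The forged request succeeds against the first handler and is refused by the second; the same cookie is present in both cases, which is exactly why a cookie alone cannot prove the user intended the action.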
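The automation bullet above names brute-force password guessing as one abuse. One standard countermeasure, shown here as an added example written for this edition (not the Forum's, WHID's or Twitter's code), is a sliding-window throttle on failed logins keyed on both the target account and the source IP, so that neither many IPs hammering one account nor one IP spraying many accounts gets a full run at the password space. The login-attempt stream is constructed for the example: the IPs are RFC 5737 documentation addresses and the account names are made up.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window throttle on failed logins.

    Two counters are kept: one per target account (catches many IPs working on one
    account) and one per source IP (catches one IP spraying a guess or two across many
    accounts). Any attempt that would exceed either budget within the window is refused
    before the password is checked, so a throttled attacker cannot tell a correct guess
    from a refused one."""

    def __init__(self, window_s=300.0, max_per_account=5, max_per_ip=20):
        self.window_s = window_s
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self._by_account = defaultdict(deque)   # account -> timestamps of failures
        self._by_ip = defaultdict(deque)        # ip -> timestamps of failures

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allow(self, now, ip, account):
        acct_q, ip_q = self._by_account[account], self._by_ip[ip]
        self._prune(acct_q, now)
        self._prune(ip_q, now)
        return len(acct_q) < self.max_per_account and len(ip_q) < self.max_per_ip

    def record_failure(self, now, ip, account):
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)


# Constructed attempt stream: (time_s, source_ip, account, password_is_correct).
# 198.51.100.7 runs a 30-word dictionary against one account; the 25th word is the
# real password. 192.0.2.9 sprays one guess across 30 accounts. 203.0.113.5 is a
# legitimate user who mistypes once and then logs in.
ATTEMPTS = sorted(
    [(2.0 * k, "198.51.100.7", "celeb", k == 24) for k in range(30)]
    + [(10.0, "203.0.113.5", "alice", False), (15.0, "203.0.113.5", "alice", True)]
    + [(100.0 + k, "192.0.2.9", f"user{k:02d}", False) for k in range(30)]
)


def simulate(attempts, throttle=None):
    """Replay the stream through the throttle.
    Returns (blocked attempts per source IP, list of (ip, account) that logged in)."""
    throttle = throttle or LoginThrottle()
    blocked = defaultdict(int)
    logins = []
    for now, ip, account, correct in attempts:
        if not throttle.allow(now, ip, account):
            blocked[ip] += 1            # refused before password verification
            continue
        if correct:
            logins.append((ip, account))
        else:
            throttle.record_failure(now, ip, account)
    return dict(blocked), logins


if __name__ == "__main__":
    blocked, logins = simulate(ATTEMPTS)
    print("blocked per IP:", blocked)
    print("successful logins:", logins)
```

With the defaults, the dictionary attacker is cut off after five failures and never reaches the correct 25th word, the spraying IP is stopped after twenty accounts, and the legitimate user's one typo costs nothing. A hard lockout is deliberately not used: locking the account would hand an attacker a way to deny the real owner access, so refusing (or slowing, or challenging) attempts within the window is the safer default.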


  3
WHAT IS THE OUTCOME?
Most major categories of attack outcome maintained their standing in Q1 2009.
However, after two years of virtually a tie for 1st place, it seems that information
leakage has surpassed defacement for the top spot. Furthermore, a new entrant,
“disinformation,” has jumped from the bottom of the list to the second spot.
NOTABLE INCIDENTS IN Q1 2009
The online identities of several high-profile celebrities were hacked, including the
Twitter accounts of Barack Obama, Britney Spears and the rapper Kanye West. Two
incidents caused particular harm to the celebrity involved. In one, a hacker broke into
Twitter, stole a celebrity’s password and used the same password to log on to the
celebrity’s Gmail account, a reminder that password reuse turns one compromised site
into several. The hacker then found and published embarrassing pictures of teen star
Miley Cyrus. In the other incident, a hacker broke into the rapper Lil’ Kim’s MySpace
account and used the access to besmirch a colleague.

In at least two incidents, false rumors were spread about Apple CEO Steve Jobs’
health, causing Apple’s stock to plummet. In one of the incidents, an attacker abused
user-contributed images on Wired.com, while in the other someone broke into a live
MacRumors feed to announce Jobs’ death (see box below).

Lastly, multiple vulnerabilities hit Twitter, causing false tweets to be sent from the
accounts of hundreds of famous people and user contact information to leak, thus
potentially exposing Twitter users to malware. These incidents have made Twitter
acutely aware of its responsibility to address the security needs of its customer base.




ABOUT THE SECURE ENTERPRISE 2.0 FORUM
The Secure Enterprise 2.0 Forum comprises top executives at Global Fortune 500
companies that are ready to address the security challenges posed by Web 2.0
technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages,
social networks and social bookmarking, which are becoming increasingly popular in
the enterprise. The Forum promotes awareness, industry standards and best practices,
and addresses interoperability issues related to the introduction of consumer
technology into the workplace.

Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to
promote the secure use of Web 2.0 to do business. For more information, visit
www.secure-enterprise20.org.



