SlideShare une entreprise Scribd logo

Web 2.0 Hacking Incidents – 2009 Q1

Hongyang Wang
Hongyang Wang
TechnologieActualités & Politique
1  sur  5
Télécharger pour lire hors ligne
WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1 VULNERABILITIES, TARGETS ATT AC K METHODS AN D MAY 2009
SUMMARY An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0 Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0 Forum found that:  Q1 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most prevalent attack with 21% of the incidents.  Attack vectors exploiting Web 2.0 features such as user-contributed content nd were commonly employed in Q1: Authentication abuse was the 2 most active attack vector, accounting for 18% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 6 with 8% of the reported attacks.  Leakage of sensitive information remains the most common outcome of web nd hacks (29%), while disinformation came in 2 with 26%, mostly due to the hacking of celebrity online identities. The study is based on incidents recorded in the ‘Web Hacking Incidents Database’ for Q1 2009. More information about the database can be found at www.xiom.com/whid. WHICH ORGANIZATIONS ARE HACKED? Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites hacked. Web 2.0 organizations such as social networks, wikis and community blogging sites (which were not classified as a separate site class until now) suffered most of the hacking incidents this quarter. Naturally, such a steep rise raises questions, so the attacks were analyzed to find the underlying cause for the rise. When examining the data, it was found that a major reason for the steep rise was a series of high-profile attacks on Twitter, which is 2
rapidly becoming a popular social network/micropublishing site. Additionally, since Web 2.0 hacks spread virally, it is easier to detect these hacks. Nevertheless, considering that the most media sites on the Internet are morphing into true Web 2.0 sites, the nearly 40% of Web 2.0 hacks are impressive. Furthermore, it was noted that some attacks against non-Web 2.0 sites, still exploited Web 2.0 technologies. For example, a recent hack against Amazon.com, exploited its community rating engine to delist books. WHICH VULNERABILITIES WERE EXPLOITED? SQL Injection remains the top vulnerability exploited by hackers, only slightly losing ground since previous quarters. The other attack vectors that topped the list are as follows:  Insufficient authentication – while not a new attack vector, insufficient authentication attacks have become increasingly severe due to the proliferation of user-contributed and managed web sites. As such, it is not surprising to see more incidents this quarter.  Automation is fast becoming a major security threat to web applications. Abuse examples range from brute force password attacks, to bypassing the wait queue in reservation systems, to opinion poll skewing.  Cross-Site Request Forgery (CSRF) was recognized several years ago as a potentially potent attack vector. While it took longer than expected to appear, this year it has become a mainstream hacking tool. A rise in the exploit of CSRF vulnerabilities is in line with authentication abuse, since it essentially provides an alternative mechanism for performing actions on behalf of a victim. 3
WHAT IS THE OUTCOME? Most major categories for attack outcomes maintained their standing in Q1 2009. st However, after two years of virtually a tie for 1 place, it seems that information leakage has surpassed defacements for the top spot. Furthermore, a new entrant, “disinformation,” has jumped from the bottom of the list to the second spot. NOTABLE INCIDENTS IN Q1 2009 The online identities of several high-profile celebrities were hacked, including the Twitter accounts of Barak Obama, Britney Spears and the rapper, Kanya West. Two incidents caused particular harm to the violated celebrity. In one, a hacker broke into Twitter, stole a celebrity’s password and used the same password to log on to the celebrity’s Gmail account. The hacker then found and published embarrassing pictures of teen star Miley Cyrus. In the other incident, a hacker broke into female rapper Lil Kim’s MySpace account and used the access to besmirch a colleague. In at least two incidents, false rumors were spread about Apple CEO, Steve Jobs’ health, causing Apple’s stock to plummet. In one of the incidents, an abused user contributed images to Wired.com, while in the other, someone broke into a live Mac Rumors feed to announce Job’s death (see box below). 4
Lastly, multiple vulnerabilities have hit Twitter, causing false tweets to be sent by hundreds of famous people, and user contact information to leak, thus potentially exposing Twitter users to malware. These incidents have made Twitter acutely aware of its responsibility to address the security needs of its customer base. ABOUT THE SECURE ENTERPRISE 2.0 FORUM The Secure Enterprise 2.0 Forum is comprised of top executives at Global Fortune 500 companies that are ready to address the security challenges posed by Web 2.0 technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages, social networks and social bookmarking, which are becoming increasingly popular in the enterprise. The Forum promotes awareness, industry standards, best practices, and interoperability issues related to the introduction of consumer technology into the workplace. Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to promote the secure use of Web 2.0 to do business. For more information, visit www.secure-enterprise20.org. 5

Recommandé

Sejal Magia
Sejal MagiaSejal Magia
Sejal Magia
sejalmagia
 
Smart spending white paper
Smart spending white paperSmart spending white paper
Smart spending white paper
Yu Tang
 
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRDie elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
news aktuell
 
Compliance With Data Security Policies
Compliance With Data Security PoliciesCompliance With Data Security Policies
Compliance With Data Security Policies
Hongyang Wang
 
JavaScript tools
JavaScript toolsJavaScript tools
JavaScript tools
Hazem Saleh
 
Second Life - A Web 2.0 App
Second Life - A Web 2.0 AppSecond Life - A Web 2.0 App
Second Life - A Web 2.0 App
guest13fa63
 
"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit
news aktuell
 
Flowers
FlowersFlowers
Flowers
Clyde Robinson
 

Recommandé

Sejal Magia
Sejal MagiaSejal Magia
Sejal Magia
sejalmagia
 
Smart spending white paper
Smart spending white paperSmart spending white paper
Smart spending white paper
Yu Tang
 
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PRDie elf wichtigsten Faktoren für ein Top-Gehalt in der PR
Die elf wichtigsten Faktoren für ein Top-Gehalt in der PR
news aktuell
 
Compliance With Data Security Policies
Compliance With Data Security PoliciesCompliance With Data Security Policies
Compliance With Data Security Policies
Hongyang Wang
 
JavaScript tools
JavaScript toolsJavaScript tools
JavaScript tools
Hazem Saleh
 
Second Life - A Web 2.0 App
Second Life - A Web 2.0 AppSecond Life - A Web 2.0 App
Second Life - A Web 2.0 App
guest13fa63
 
"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit"Do you speak global?" Internationale Kommunikation und Pressearbeit
"Do you speak global?" Internationale Kommunikation und Pressearbeit
news aktuell
 
Flowers
FlowersFlowers
Flowers
Clyde Robinson
 
Present Perfect
Present PerfectPresent Perfect
Present Perfect
Isa Barbio
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
Hongyang Wang
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
Hongyang Wang
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Hongyang Wang
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
Hongyang Wang
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013
Hazem Saleh
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
Hongyang Wang
 
Sylfids
SylfidsSylfids
Sylfids
Поліщук Іван
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713
Hongyang Wang
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
Nanddeep Nachan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
Rustici Software
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
johnbeverley2021
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
Zilliz
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
Remote DBA Services
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Andrey Devyatkin
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 

Contenu connexe

En vedette

Present Perfect
Present PerfectPresent Perfect
Present Perfect
Isa Barbio
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
Hongyang Wang
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
Hongyang Wang
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Hongyang Wang
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
Hongyang Wang
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
Hongyang Wang
 

En vedette (9)

Present Perfect
Present PerfectPresent Perfect
Present Perfect
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
 
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
Early Stage Web Product Management By Dan Olsen 090728040916 Phpapp02
 
Inside Twitter By Sysomos
Inside Twitter By SysomosInside Twitter By Sysomos
Inside Twitter By Sysomos
 
Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013Efficient JavaScript Unit Testing, JavaOne China 2013
Efficient JavaScript Unit Testing, JavaOne China 2013
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
 
Sylfids
SylfidsSylfids
Sylfids
 
Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713Twitter Wanghongyang Backup Security 20090402 0713
Twitter Wanghongyang Backup Security 20090402 0713
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Dernier (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Web 2.0 Hacking Incidents – 2009 Q1

  • 1. WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1 VULNERABILITIES, TARGETS ATT AC K METHODS AN D MAY 2009
  • 2. SUMMARY An analysis of recent web hacking incidents performed by the Secure Enterprise 2.0 Forum shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ the Secure Enterprise 2.0 Forum found that:  Q1 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most prevalent attack with 21% of the incidents.  Attack vectors exploiting Web 2.0 features such as user-contributed content nd were commonly employed in Q1: Authentication abuse was the 2 most active attack vector, accounting for 18% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 6 with 8% of the reported attacks.  Leakage of sensitive information remains the most common outcome of web nd hacks (29%), while disinformation came in 2 with 26%, mostly due to the hacking of celebrity online identities. The study is based on incidents recorded in the ‘Web Hacking Incidents Database’ for Q1 2009. More information about the database can be found at www.xiom.com/whid. WHICH ORGANIZATIONS ARE HACKED? Analysis of Q1 incidents reveals a significant rise in the number of Web 2.0 sites hacked. Web 2.0 organizations such as social networks, wikis and community blogging sites (which were not classified as a separate site class until now) suffered most of the hacking incidents this quarter. Naturally, such a steep rise raises questions, so the attacks were analyzed to find the underlying cause for the rise. When examining the data, it was found that a major reason for the steep rise was a series of high-profile attacks on Twitter, which is 2
  • 3. rapidly becoming a popular social network/micropublishing site. Additionally, since Web 2.0 hacks spread virally, it is easier to detect these hacks. Nevertheless, considering that the most media sites on the Internet are morphing into true Web 2.0 sites, the nearly 40% of Web 2.0 hacks are impressive. Furthermore, it was noted that some attacks against non-Web 2.0 sites, still exploited Web 2.0 technologies. For example, a recent hack against Amazon.com, exploited its community rating engine to delist books. WHICH VULNERABILITIES WERE EXPLOITED? SQL Injection remains the top vulnerability exploited by hackers, only slightly losing ground since previous quarters. The other attack vectors that topped the list are as follows:  Insufficient authentication – while not a new attack vector, insufficient authentication attacks have become increasingly severe due to the proliferation of user-contributed and managed web sites. As such, it is not surprising to see more incidents this quarter.  Automation is fast becoming a major security threat to web applications. Abuse examples range from brute force password attacks, to bypassing the wait queue in reservation systems, to opinion poll skewing.  Cross-Site Request Forgery (CSRF) was recognized several years ago as a potentially potent attack vector. While it took longer than expected to appear, this year it has become a mainstream hacking tool. A rise in the exploit of CSRF vulnerabilities is in line with authentication abuse, since it essentially provides an alternative mechanism for performing actions on behalf of a victim. 3
  • 4. WHAT IS THE OUTCOME? Most major categories for attack outcomes maintained their standing in Q1 2009. st However, after two years of virtually a tie for 1 place, it seems that information leakage has surpassed defacements for the top spot. Furthermore, a new entrant, “disinformation,” has jumped from the bottom of the list to the second spot. NOTABLE INCIDENTS IN Q1 2009 The online identities of several high-profile celebrities were hacked, including the Twitter accounts of Barak Obama, Britney Spears and the rapper, Kanya West. Two incidents caused particular harm to the violated celebrity. In one, a hacker broke into Twitter, stole a celebrity’s password and used the same password to log on to the celebrity’s Gmail account. The hacker then found and published embarrassing pictures of teen star Miley Cyrus. In the other incident, a hacker broke into female rapper Lil Kim’s MySpace account and used the access to besmirch a colleague. In at least two incidents, false rumors were spread about Apple CEO, Steve Jobs’ health, causing Apple’s stock to plummet. In one of the incidents, an abused user contributed images to Wired.com, while in the other, someone broke into a live Mac Rumors feed to announce Job’s death (see box below). 4
  • 5. Lastly, multiple vulnerabilities have hit Twitter, causing false tweets to be sent by hundreds of famous people, and user contact information to leak, thus potentially exposing Twitter users to malware. These incidents have made Twitter acutely aware of its responsibility to address the security needs of its customer base. ABOUT THE SECURE ENTERPRISE 2.0 FORUM The Secure Enterprise 2.0 Forum is comprised of top executives at Global Fortune 500 companies that are ready to address the security challenges posed by Web 2.0 technologies, such as wikis, blogs, RSS, widgets and gadgets, personalized homepages, social networks and social bookmarking, which are becoming increasingly popular in the enterprise. The Forum promotes awareness, industry standards, best practices, and interoperability issues related to the introduction of consumer technology into the workplace. Spearheaded by WorkLight, a Web 2.0 for Business Company, the Forum seeks to promote the secure use of Web 2.0 to do business. For more information, visit www.secure-enterprise20.org. 5