
| Subject: | Latest web hacking incidents |
|---|---|
| Date: | Thu, 18 Oct 2007 07:54:57 -0400 |

Following are the latest additions to the Web Hacking Incidents Database (WHID), a Web Application Security Consortium project. For further information about the incidents including reference to further information about each incident, refer to WHID's site at http://www.webappsec.org/projects/whid/

WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Information including birth date and social security number of 1400 students who enrolled online to the Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.

WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and based on further information, it might be withdrawn.

WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
Reported: 11 October 2007
Occurred: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
Reported: 10 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting

Using XSS on the sites of both Australian major political parties a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"

WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
Reported: 10 October 2007
Occurred: 06 October 2007
Incident Type: Security Breach
WASC Threat Classification: Other

A hacker exploited a leftover admin function on eBay to block users and close sales.

---

About WHID:

The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The database is unique in tracking only media reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. Please refer to the FAQ for further information on what you will find and what you will not find in WHID.

WHID's goal is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web applications security incidents. WHID has been featured in Information Week and Slashdot.

Ofer Shezaf
ofers@breach.com, Phone: +972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project; Leader, WASC Web Hacking Incidents Database Project