Subscribe to RSS - Insufficient Authentication

Insufficient Authentication

Share/Save

Polls are easy target for automation abuse. You can usually participate anonymously and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

Incident Outcome: 
Share/Save

While we have no public record of an exploit in this case, it seems that the mare discovery of vulnerabilities in sage new SaaS (software as a service) offering created so much damage to classify it as an incident.

Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However as ZDnet reports, serious security flaws were discovered in the public beta and the company has to call off the launch. Who discovered the issues? naturally the competition. Duane Jackson, the CEO of a tiny rival company reported them on his blog

Tags: 
Attacked System: 
Incident Outcome: 
Share/Save

Updated (Feb 22nd 2009) - the Washington Post updates that the hack exploited a problem with the default configuration of the authentication module used for authenticating remote administrators. As a result we categorized this incident under "insufficient authentication" and "misconfiguration".

Incident Outcome: 
Share/Save

TechCrunch reports that for a short period of time, SpeedDate, an online dating service did not require a password. If you knew someone's user name you could login. Talking about "lack of sufficient authentication controls..."

 

Incident Outcome: 
Share/Save

Celebrities web presence hacking is topping 2009 incidents list, and rappers seem to lead. However this report in the Ampersand, like the Lil Kim story from the same week,is somewhat questionable. In both cases it seem that uncomfortable content was blamed on hacking.

West's story is somewhat ironic as he used his blog to remind users of the untruthfulness of his web presence.

When reviewing all the rappers incidents, my conclusion is that they are more susceptible to content spoofing because it is much easier for hackers to imitate their language and style.

Incident Outcome: 
Share/Save

This story about student hacking a Pottsville, PA school online system and changing grades demonstrated again that password stealing is by far the most common method in which web sites are hacked.

While it is usually not considered a vulnerability in the application itself, I think that application that expose administrative or high privileges interface to the web should include authentication beyond a simple password. A school grading system is one example. The Twitter administrative interface hacked last week is another example.

 

Incident Outcome: 
Share/Save

Alex Papadimoulis tells in a brilliantly humoristic way about the lack of security of the Federal Suppliers Guide's web site. The guide, is presumably limited to federal procurement agents only, but at the time of writing the credential checking was done on the client in JavaScript and for a single global user name and password.

Beyond making a mockery of the claim that the guide was limited to federal agents only, it also seemed to be a marketing method as it limits the potential advertisers from checking who is in the guide. After getting in Alex contacted some of the advertisers to find out that none of them got any value from the guide. Alex did not join, and I wonder how much Alex's report lowered the Federal Suppliers Guide earning.

Incident Outcome: 
Share/Save

Update (Jan 11th 2009) - The hacker bragged about the hack and revealed that it was a brute force dictionary attack against an administrator account. Twitter does not block repetitive login failures therefore enabling brute force attacks. We are still leaving the incident classification "insufficient authentication" in addition to brute force as we feel an administration interface should have additional authentication mechanism and not just a password.



Twitter announced that a hacker broke into 33 accounts including Obama's now inactive twitter. The hack is a result of a flaw in a web based support tool used by twitter, which where evidently accessible externally without proper authorization.

It is important to note that this incident is not related to Twitter phishing attack which occurred on the previous weekend.

This incident highlights the issue of public facing administration interfaces, which often combine strong functionality with lesser attention to quality and therefore security. As organizations virtualize, those interfaces become available over the Internet, often without sufficient protection.

You can read some of the funny things that the hacker published in different twitters on Read Write Web.

Additional information:

Incident Outcome: 
Attacked System: 
Data Item: 
Share/Save

This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature reach and free. It enables us access to tools available to a few only a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good
examples of very popular open source systems that require constant
attention in order to maintain secure.

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don’t have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.

Apart from, or actually because of  the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:

  • Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
  • The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.

Additional information:

Incident Outcome: 
Attacked System: 

Pages