Disinformation

Polls are easy target for automation abuse. You can usually participate anonymously and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

Update (Apr 19^th 2009) - The initial Mooney Twitter worm has evolved into a series of 5 worms at the time of writing, each exploiting a different vulnerability in Twitter. The latest one specifically focuses on twitter accounts who have a high number of followers thus targeting celebrities such as Ashton Kutcher and Oprah Winfrey according to Graham Cluley from Sophos.

A report suggests that the UK retail site of the electronic equipment giant Panasonic was hacked and prices of products where set to pennies. Since the incident followed a layoff of 15,000 employees, it is assumed to be a disgruntled employees doing.

Celebrities web presence hacking is topping 2009 incidents list, and rappers seem to lead. However this report in the Ampersand, like the Lil Kim story from the same week,is somewhat questionable. In both cases it seem that uncomfortable content was blamed on hacking.

West's story is somewhat ironic as he used his blog to remind users of the untruthfulness of his web presence.

When reviewing all the rappers incidents, my conclusion is that they are more susceptible to content spoofing because it is much easier for hackers to imitate their language and style.

This incident might have not gotten into the Web Hacking Incident Database a year ago. However a heated discussion on the Web Application Security Consortium threat classification project reminded me that content spoofing is a potent attack vector by itself, actually one of the most dangerous there.

Wiki is one of those platforms that by design allow content be changed. It is its philosophy, and Wikipedia is the premier wiki out there. It is not a surprise that it is a prime target to content spoofing, as the story about the unexpected demise of two US senators during Obama's inauguration.

You can read more about the unique security philosophy of Wikis in my recent article and presentation about the subject.

Insufficient Anti-Automation is fat becoming the #1 threat to web sites. Since Captcha has been proved practically useless, especially when there is a financial gain from automating access to the site, sites are pretty much defenceless against harmful automation. Techdirt's story about Craigslist losing the battle against automation tool is a very good example of this serious problem.

Read the comments, they are enlightening. As usual, one of the problem when spam is involved is defining if and what is a wrong doing and what is a  valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craiglist is the worst censors on the Internet not letting small time businesses work. Other argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article has been published.

I am not sure why rappers web presence is so often hacked. They might be the first generation of artists to use the web, brightly combining great Internet skills with technophobia which leads to basic operational errors. Or it might be the underground nature of the artists that (mis)manage their web presence by themselves.

Lil Kim is joining Soulja Boy in being cyber abuse, or so she claims, saying that a blog entry calling Naturi Naughton, the actress who portrays her in a new film, “tasteless and talentless.”, is a fake.

It seems that if the worse thing that can happen to hackers is a real accident to Apple's CEO Steve Jobs. The number of hacks devoted to informing us about his fictitious accidents is just overwhelming. In this case AnantaSec reports a hack into Mac Rumors feed that was possible simply because a file with the administrator password was laying around accessible to anyone due to an administration error.

John Abell from Wired magazine often writes about Apple's CEO health. However, this report about Job suffering a cardiac arrest, was neither his nor true. The culprit was Wired public image viewing utility which lets people upload am image and than presented the image as part of the Wired web site, banner and domain included.

This is a wonderful example of a web application design flaw. There was nothing wrong with the code, however the design of the feature enabled it to be abused.

Further information:

• Abell's own report on the incident

This story about student hacking a Pottsville, PA school online system and changing grades demonstrated again that password stealing is by far the most common method in which web sites are hacked.

While it is usually not considered a vulnerability in the application itself, I think that application that expose administrative or high privileges interface to the web should include authentication beyond a simple password. A school grading system is one example. The Twitter administrative interface hacked last week is another example.