What does a challenge to break an web mail system and get $10,000, broken within minutes prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general. Probably all.

The most obvious observatoins is that offering $10,000 for anyone who can break your site and being broken within an hour shows that you don't know what you taking about. Maybe it would be a lesson to all security vendors to not believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives will show how insecure and easy to evade security products can be.

However, judging from the number and seriousness of the incidents reported on the web hacking incidents database, StrongWebmail is not alone and far stronger companies suffers severe incidents, making web applications the weakest link in an organizations information security.

Lastly, we should always remember that there is never perfect security. By making systems more secure we are just raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.

 

After focusing earlier this year on Anti-Virus vendors, Uno, the Romanian Hacker is now back and reports in his blog that an Orange France web site dedicated to photo management is vulnerable to SQL injection and that he was able to access 245,000 records from the web site.

Update (Apr 19^th 2009) - (Presumably) the hacker posted a comment to this story with some details. He says that the number of records leaking was much higher: 17,000 Aussies and 7,000 Kiwis. The rest we did not understand and hope that either he or any of you can clarify.

Read more...

---

Leakage of information from an energy company is usually associated with gas stations fraud such as installing a stealth credit card reader at the pump. However, a report suggests that an incident in which information about 4500 Australian and 1400 Kiwis leaked was a result of a glitch in a web based application for applying for a Shell fuel card. The information obtained included company names, address details, email addresses and some bank account details.

Another week, another hack by the HackerBlog, and when it targets an important web site and the impact is severe it is worthy of WHID. This time the Romanian hacker used blind SQL injection to penetrate to the web site of the Telegraph, a leading English daily paper.

Among his findings is a table including 700,000 e-mails, which would be a gold mine for spammers.

The Telegraph response was published on their official blog.

The Register reports that the online shop of Psystar, a maker of Mac compatible equipment is heavily leaking technical information that can  be expoited to hack the site.