Leakage of Information

What does a challenge to break a web mail system and win $10,000, broken within minutes, prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general? Probably all of them.

The most obvious observation is that offering $10,000 to anyone who can break your site, and then being broken within an hour, shows that you don't know what you are talking about. Maybe it will be a lesson to all security vendors not to believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives shows how insecure and easy to evade security products can be.

However, judging from the number and seriousness of the incidents reported in the Web Hacking Incidents Database, StrongWebmail is not alone: far stronger companies suffer severe incidents, making web applications the weakest link in an organization's information security.

Lastly, we should always remember that there is no such thing as perfect security. By making systems more secure we are only raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.

After focusing earlier this year on anti-virus vendors, Unu, the Romanian hacker, is now back and reports in his blog that an Orange France web site dedicated to photo management is vulnerable to SQL injection and that he was able to access 245,000 records from the site.

Update (Apr 19th 2009) - (Presumably) the hacker posted a comment to this story with some details. He says that the number of records leaking was much higher: 17,000 Aussies and 7,000 Kiwis. The rest we did not understand and hope that either he or any of you can clarify.

Leakage of information from an energy company is usually associated with gas station fraud, such as installing a stealth credit card reader at the pump. However, a report suggests that an incident in which information about 4500 Australians and 1400 Kiwis leaked was the result of a glitch in a web-based application for applying for a Shell fuel card. The information obtained included company names, address details, email addresses and some bank account details.
Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the Senate. If the way he manages his web site security, and the crisis it created, are any indicator, I am not sure that he has a place there.

Another week, another hack by the HackerBlog, and when it targets an important web site and the impact is severe it is worthy of WHID. This time the Romanian hacker used blind SQL injection to penetrate the web site of the Telegraph, a leading English daily paper.

Among his findings is a table containing 700,000 e-mail addresses, which would be a gold mine for spammers.

The Telegraph's response was published on their official blog.

A very interesting report by the FBI together with the US Secret Service outlines a scheme exploiting SQL injection to steal credit card information from financial institutions. The attack involves directly attacking HSMs, the banks' key vaults in charge of verifying ATM PINs, in order to brute force PIN numbers.

The Register reports that the online shop of Psystar, a maker of Mac-compatible equipment, is heavily leaking technical information that can be exploited to hack the site.

It wasn't surprising that after attacking the Kaspersky and BitDefender web sites, Unu, the Romanian hacker, would continue to strike anti-virus vendors. This time he found a vulnerability in the web site of the Finnish AV vendor F-Secure. Somewhat less severe than the others, the vulnerability enabled the hacker only to access virus statistics.

It is Twitter again, and it is a celebrity again. Why don't they keep their passwords to themselves? This incident is even uglier, as the attacker posted obscene content on the Twitter account of the 16-year-old actress Miley Cyrus. This is not the first attack targeting Miley Cyrus: as reported by WHID, her personal Gmail account was hacked last year and personal pictures were stolen and published online.
