Subscribe to RSS - Monetary Loss

Monetary Loss

What does a challenge to break an web mail system and get $10,000, broken within minutes prove? Is it a lesson in vanity? Or about the state of web security? Or about security in general. Probably all.

The most obvious observatoins is that offering $10,000 for anyone who can break your site and being broken within an hour shows that you don't know what you taking about. Maybe it would be a lesson to all security vendors to not believe their own marketing verbiage. A quick browse of the bugtraq vulnerability archives will show how insecure and easy to evade security products can be.

However, judging from the number and seriousness of the incidents reported on the web hacking incidents database, StrongWebmail is not alone and far stronger companies suffers severe incidents, making web applications the weakest link in an organizations information security.

Lastly, we should always remember that there is never perfect security. By making systems more secure we are just raising the price required to attack them and lowering the damage of such an attack, but never. As the old joke goes: the only secure system is one without users.


A zero day XSS vector enables hackers to include in an eBay offer an arbitrary code which is executed by both FireFox and IE. As a result they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.

Incident Outcome: 

While we have no public record of an exploit in this case, it seems that the mare discovery of vulnerabilities in sage new SaaS (software as a service) offering created so much damage to classify it as an incident.

Sage is the leading provider of accounting software in the UK and it was about to launch a trendy small business SaaS offering. However as ZDnet reports, serious security flaws were discovered in the public beta and the company has to call off the launch. Who discovered the issues? naturally the competition. Duane Jackson, the CEO of a tiny rival company reported them on his blog

Incident Outcome: 
Attacked System: 

A very interesting report by the FBI together with the US Secret service outlines a scheme exploiting SQL injection to steal credit card information from financial institutes.  The attack involves directly attacking HSMs, the banks key vaults in charge of verifying ATM PINs in order to brute force PIN numbers.

Attack Method: 

A report suggests that the UK retail site of the electronic equipment giant Panasonic was hacked and prices of products where set to pennies. Since the incident followed a layoff of 15,000 employees, it is assumed to be a disgruntled employees doing.

Incident Outcome: 
Attack Method: 

Insufficient Anti-Automation is fat becoming the #1 threat to web sites. Since Captcha has been proved practically useless, especially when there is a financial gain from automating access to the site, sites are pretty much defenceless against harmful automation. Techdirt's story about Craigslist losing the battle against automation tool is a very good example of this serious problem.

Read the comments, they are enlightening. As usual, one of the problem when spam is involved is defining if and what is a wrong doing and what is a  valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craiglist is the worst censors on the Internet not letting small time businesses work. Other argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article has been published.

This gem is taken out of a press release issued by a hosting provider. According to the press release, InfoGov, a UK provider of risk management solutions, switched hosting its sites to a new provider because the previous one did not provide adequate solution to an SQL injection attack that penetrated the site and inflicted Malware on InfoGov customers.

Probably yet another fallout from the on going Asprox attack, this incident is interesting as it emphasises the responsibility that customers expect service providers to take in protecting from web based attacks.

Attack Method: 

As a side story to ValueClick indictment of deceptive marketing by the FTC, the FTC investigation also found SQL injection vulnerabilities and lack of sufficient encryption of sensitive customer information. These findings contributed to the $2.9 million fine the FTC levied on ValueClick as well as to the company being dumped from managing eBay's affiliate program.

Incident Outcome: 

Alex Papadimoulis tells in a brilliantly humoristic way about the lack of security of the Federal Suppliers Guide's web site. The guide, is presumably limited to federal procurement agents only, but at the time of writing the credential checking was done on the client in JavaScript and for a single global user name and password.

Beyond making a mockery of the claim that the guide was limited to federal agents only, it also seemed to be a marketing method as it limits the potential advertisers from checking who is in the guide. After getting in Alex contacted some of the advertisers to find out that none of them got any value from the guide. Alex did not join, and I wonder how much Alex's report lowered the Federal Suppliers Guide earning.

Incident Outcome: 

In an attack with an alarming similarity to the COX incident (WHID 2008-45), but with a far greater potential damage, hackers changes the DNS records for CheckFree, the largest bill payment service in the USA. Customers where redirected to servers in the Ukraine, which attempted to install a password login software on their computers.

The change was done using correct credentials to login to the administrative web site of Network Solutions, CheckFree domain registrar. It is yet unknown how the hackers got the credentials. Since Phishing attacks against domain registrars including Network Solutions have started to surface recently, a good guess is that it was through a Phishing attack.

According to CheckFree report to the authorities, it estimates that around 160,000 customers where expoesed to the attack, and informed 5 million potential victims who may have been among this group.

Additional information:

Attack Method: