Posts Tagged ‘hacking’

Social Networks Primary Target for Hackers in 2009

Friday, August 21st, 2009

Breach Security has released its Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report, indicating that social networking sites were the most targeted market for hackers so far this year.

The data, compiled from publicly reported application-related security incidents, indicates that 19% of the hacks in the first half of 2009 targeted social networking sites such as Twitter and Facebook. This is the first year in which social networks have emerged as an attack sector of their own. In 2008, government was the leading targeted sector. The data also shows a 30% increase in overall web attacks compared with the first half of 2008.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

Download a copy of the report here.

Also making major news right now is the indictment of Albert Gonzalez on charges of hacking into the Heartland Payment Systems. Gonzalez is already awaiting trial over his involvement in the TJX hack, putting him as part of the hacking team behind two of the largest hacker-based breaches in history. Read more here.

The Risks of Password Recovery

Tuesday, September 2nd, 2008

For almost every password-protected website there’s a way to recover your password – the “Forgot Your Password?” link is ubiquitous. But it’s also dangerous.

If you want to recover your password, chances are someone else can recover it for you. Most password-recovery systems ask a series of “security” questions such as “What is your cat’s name?” or “Where did you grow up?” The problem is that in the age of Google and social networking sites like Facebook, that data is no longer secret.

Some web security experts are now calling these password reset tools the weakest link in Web security.

One web expert asked permission to hack into the bank accounts of several friends. Using only information he found online, he was able to trigger the bank’s password reset, access the victim’s email via another password reset, and then access the bank accounts. You can read more about his “social hack” experiment published here on Scientific American.

Security experts are positing that it won’t be long before portfolios of personal information will be bought and sold for large-scale password-reset hacking attempts.

So, what’s the solution? Coming up with secure challenge questions is not an easy task. A preference-question set (such as “Do you like opera?”) may work more effectively than fact-based questions. There’s a fabulous discussion about this password issue going on at MSNBC’s Red Tape Chronicles here.
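As an added example (not code from the original post), here is the other way out of the problem: drop the guessable question from the reset flow altogether and rely on a random, single-use, expiring token delivered to a channel the user already controls. The class and its names are illustrative assumptions; the in-memory store stands in for a database table.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


class PasswordResetStore:
    """Issues and verifies single-use, expiring password-reset tokens.

    Only a hash of each token is stored, so reading the table does not yield
    a usable reset link. Illustrative in-memory store, not a production one.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, handy for testing expiry
        self._pending = {}         # user_id -> (token_hash, expires_at)

    def issue(self, user_id):
        """Create a token for user_id; any earlier token is invalidated."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = (self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        return token  # send to the user's verified email/phone; never log it

    def redeem(self, user_id, presented):
        """Return True exactly once for the live token, False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user_id]   # expired tokens are discarded
            return False
        if not hmac.compare_digest(token_hash, self._hash(presented)):
            return False                 # keep the entry; rate-limit the caller
        del self._pending[user_id]       # single use: consumed on success
        return True

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()
```

The constant-time comparison and hashed storage matter only because the token is a secret; no such protection is possible for an answer the whole internet can look up.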

Great reference for additional reading: Security Questions in the Era of Facebook (PDF) by Ariel Rabkin.

Via Red Tape; image: clarita @morguefile
