The most commonly
reported Web site security breach incident is Web site defacement and
sabotage.
In fact, defacement from vandals or other trespassers is an ever-present
and increasing threat to Web sites around the world. Consider the following
facts, organized into these five categories.
Hacking: An Epidemic on the Rise
Even an Amateur Can Wreak Havoc on Your Web site
Notable Web Site Attacks and Defacements
Computer Security Institute’s Computer Crime and Security Survey
Hacker's Latest Tricks
Hacking: An Epidemic on the Rise
- According to CERT, a total of 82,094 incidents were reported in
2002. The number of vulnerabilities is now at 4,129, about TEN TIMES
the amount reported in 1999 (which was 417).
- Web site defacements recorded for all types of operating systems
rose to 20,371 in the first half of 2002, up 27 percent from the 16,007
recorded in the same period the year before, according to London security
consultancy Mi2g Ltd.
- Attrition.org—the volunteer organization that mirrored Web site defacements—shut
down saying it could no longer keep up with the overwhelming
number of incidents. Before closing, it mirrored nearly 15,000 defaced
sites, most of them examples from the past two years.
- US-based Business Software Alliance reported that 60 percent of
larger US businesses expect a major cyber-attack within the next year,
though 45 percent were unprepared for one.
- FBI studies reveal that 80 percent of intrusions and attacks
come from within organizations.
Even an Amateur Can Wreak Havoc on Your Web site
- On www.google.com, a search for “hacker tools” yields
over 180,000 results.
- Conservative estimate: at any given time there are over 30,000 usable
Web sites with downloadable hacker tools, such as password breakers,
vulnerability scanners, defacing software, and others.
- Script kiddies can put your Web site’s domain name in a script
and have it defaced with the click of a mouse.
- L0phtCrack, a password-cracking program, decoded 90 percent of all
passwords at a large high technology company in less than 48 hours
using an off-the-shelf PC.
Notable Web Site Attacks and Defacements
- When hackers attacked the New York Times, they replaced its home
page with pornographic images. The images were on display for two hours
before word of them reached the Web administrators. Then, of course, the
original homepage was restored; but the defacement kept coming back despite
all efforts, for eight continuous hours, until all systems were taken
down and restored.
- The U.S. Departments of Energy and the Interior, the US State Department
and the National Park Service all suffered Web page defacements.
In addition, the White House Web site was taken down for three days
after it was continually mail bombed.
- The largest known attempted extortion case involved CD Universe.
A hacker demanded $100,000 to keep him from publishing the company's
300,000 customer credit card numbers over the Web.
- The largest simultaneous defacement happened when more than 1,400
Web sites were defaced in a single hack.
Highlights from the Computer Security Institute’s 2002 Computer Crime and Security Survey
- Ninety percent of respondents (primarily large corporations and
government agencies) detected computer security breaches within the
last twelve months.
- Eighty percent acknowledged financial losses due to computer breaches.
- Forty-four percent (223 respondents) were willing and/or able to
quantify their financial losses. These 223 respondents reported $455,848,000
in financial losses.
- As in previous years, the most serious financial losses occurred
through theft of proprietary information (26 respondents reported $170,827,000)
and financial fraud (25 respondents reported $115,753,000).
- For the fifth year in a row, more respondents (74%) cited their
Internet connection as a frequent point of attack than cited their
internal systems as a frequent point of attack (33%).
- Thirty-four percent reported the intrusions to law enforcement.
(In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
Tricks of the Trade
Steganography: Proliferating hidden information without your knowledge is
extremely simple with free, easy-to-use tools readily available. It
works by replacing bits of useless or unused data in regular computer
files (such as graphics, PDFs, sound, and HTML) with
bits of different, invisible information. The only way to stop your Web
site from being used this way is to ensure your files are hashed and
constantly monitored for changes.
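The hash-and-monitor check described above, as an added example (not code from the original page): a baseline of SHA-256 digests is compared against the live web root. The file names and the one-bit change are constructed for the demo; it shows that an edit which keeps the file's size and timestamp is still flagged by the hash.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each file path (relative to root) to (size, mtime_ns, sha256)."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns, hash_file(full))
    return snap

def compare(baseline, current):
    """Report files whose content hash changed, plus added and removed files."""
    return {
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p][2] != current[p][2]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Constructed web root: one bit of one file changes, size and mtime are kept."""
    with tempfile.TemporaryDirectory() as root:
        logo = os.path.join(root, "logo.bmp")
        original = b"BM" + bytes(range(64))        # constructed stand-in for an image
        with open(logo, "wb") as f:
            f.write(original)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Welcome</body></html>")
        baseline = snapshot(root)                  # keep the baseline outside the web root
        st = os.stat(logo)
        data = bytearray(original)
        data[10] ^= 0x01                           # same-length, one-bit content change
        with open(logo, "wb") as f:
            f.write(data)
        os.utime(logo, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        current = snapshot(root)
        meta_same = baseline["logo.bmp"][:2] == current["logo.bmp"][:2]
        return meta_same, compare(baseline, current)
```

A size-and-date comparison would report no change here (`meta_same` is true), which is why the monitoring has to compare content hashes.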
One motive behind some defacements is to use the attack
as a springboard to launch other attacks. For example, a hacker might
replace a popular and trusted homepage with a different version, perhaps
looking much the same as the original. Users can then be tricked into
divulging credit-card details and passwords, or the attacker may have laid
a minefield of hyperlinks that covertly attempt to download viruses to the
users' computers.
Hackers and attackers find thousands of new vulnerabilities daily. There
are even Web sites dedicated to sharing this information and to providing
a forum for bragging about the latest and greatest hack conquests. These
sites include downloadable bugs, worms and other tools that can be used to
attack networks and corporate Web sites.
Here, have a look for yourself! Bear in mind these are only a small
sample of the hacking tools available to everyone who has Internet access.
http://www.zone-h.org
http://www.nmrc.org/
http://www.attrition.org/
http://www.cipherwar.com
ftp://ftp.freelsd.net/ADM/