First there were the QVC and OpenSocial incidents that I blogged about, but there are others, many others. A lot of the references can be found via WASC's Web Hacking Incidents Database (WHID). While the industry won't have its own form of Blaster or Slammer to wake people up to the problem, maybe, as the old saying goes, we'll make up for it in numbers.
1) A pair of college students hacked into the PeopleSoft database of California State University, Fresno to change their grades. Looks like they used a tad bit of insider access to get the job done. For their trouble they face potentially 20 years in the pokey and 250K in fines. If convicted or if they plead out, the charges will likely be reduced way down, but still. Wow! I wonder how this crime compares with that of a DUI.
2) Funnily enough, Oracle is suing SAP for hacking their customer portal. According to the story, “Oracle accuses SAP of attaining the log-in information of recent or current Oracle customers and using it to download software and support materials from the Web site for the PeopleSoft and J.D. Edwards product lines. The materials allow SAP to tell Oracle customers that it can support their PeopleSoft and J.D. Edwards products while they transition to SAP products, Oracle said.”
3) Scarborough & Tweed recently disclosed that the personal data (name, address, telephone #, CC#, acct #) of 570 of their U.S. customers may have been compromised through the use of SQL Injection.
4) A couple of hackers that RSnake knew, Sirdarckcat and Kuza55, attempted to compromise him and his site in a prank gone wrong. They were not successful, but RSnake was right to be angry with them for trying. RSnake, being the chill and understanding guy that he is, and the hackers, taking full responsibility for their actions and expressing remorse, were able to resolve the matter peacefully. All has been forgiven. It's really good to see how these guys were able to work things out without unnecessary escalation.
5) MustLive is actively running his Month of Bugs in CAPTCHAs. About one week in, and Google, Blogger, reCAPTCHA, and CraigsList are among the notables on his list. CLARIFICATION: With respect to reCAPTCHA, "The issue that was found was actually a drupal specific issue -- it applies equally to any Drupal CAPTCHA implementation. In fact, a patch for this issue has been available for months."
6) Art.com and Vertical Web Media disclosed that someone broke into their websites and nabbed customer names and credit card #'s. Neither said how it occurred.
7) A couple of other defacements took place (Chilean Presidency, Aberdeen City Council); again the method used wasn't disclosed, but they are worthy of a mention.
8) Internet bank Cahoot had an issue where a customer found that, by guessing usernames and manipulating URLs, they could gain access to other customers' accounts.
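The Cahoot issue above comes down to a server that trusts an account identifier taken from the URL without checking who owns it. As an added example that is not from the original post or from Cahoot, here is that vulnerable pattern beside a hardened handler; the account store, session table and audit list are constructed placeholders.

```python
# Added example (not from the original post): a lookup keyed on a URL-supplied
# account id, first without and then with an ownership check against the
# authenticated session. All data below is constructed sample data.

ACCOUNTS = {  # constructed: account number -> owner and balance
    "10001": {"owner": "alice", "balance": 1200},
    "10002": {"owner": "bob", "balance": 85},
}

SESSIONS = {  # constructed: session token -> authenticated username
    "sess-alice": "alice",
    "sess-bob": "bob",
}

DENIED_LOG = []  # hypothetical audit trail of refused cross-account requests


class Forbidden(Exception):
    """Raised when a request must not be served."""


def view_account_vulnerable(session_token, url_account_id):
    """Checks that the caller is logged in, but never asks whether the account
    named in the URL belongs to them, so editing the id reveals any account."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS.get(url_account_id)


def view_account_hardened(session_token, url_account_id):
    """Same lookup, but the record is released only when its owner matches the
    session user. A foreign id and an unknown id get the same answer, so the
    caller cannot use the response to confirm which account numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(url_account_id)
    if record is None or record["owner"] != user:
        DENIED_LOG.append((user, url_account_id))  # worth alerting on in bulk
        raise Forbidden("no such account")
    return record


def attempt(handler, session_token, url_account_id):
    """Runs a handler and reports 'ok' or 'forbidden' (convenience for tests)."""
    try:
        handler(session_token, url_account_id)
        return "ok"
    except Forbidden:
        return "forbidden"
```

Repeated entries in DENIED_LOG from one session across many account ids are the signature of exactly the URL-walking the Cahoot customer described.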
9) Ryan Barnett spotted some Blind SQL Injection in the wild through WASC's Distributed Open Proxy Honeypot Project. An interesting find! This particular project is going to teach us a lot about webappsec and what is really going on out there. Plus its data set poses unsolved challenges for people to dive into.
10) And while not recent, a really good video demonstration of how to take advantage of XSS on Facebook.