Breach Security Labs Publishes Report on Significant Web Hacking Incidents in 2007

Government, social networking and web hosting providers among the most frequently compromised websites; nearly 70 percent financially motivated

CARLSBAD, Calif., February 5, 2008 – Breach Security Labs, the research arm of Breach Security, Inc., the leading provider of real-time, continuous web application security, today announced the findings of its annual web hacking incident report. Based on data gathered in 2007 through the Web Hacking Incidents Database (WHID) project overseen by the Web Application Security Consortium (WASC), the findings indicate that 40 percent of attacks were waged to harvest personal data. Sixty-seven percent of all attacks in 2007 were “for profit” motivated. Claiming over 20 percent of the total, SQL injection dominates as the most common technique used in the attacks. Breach Security’s vice president of security research, Ofer Shezaf, is the WHID project leader.

Established in 2005, the WHID focuses on reported web hacking incidents, enabling researchers to go beyond a basic-level discussion of web vulnerabilities and provide deeper analysis of real-world incidents, such as the types of sites, motivation, source and impact of each attack. To be included in the 2007 WHID Web Incident Report, an incident must be publicly reported, associated with a web application vulnerability and have an identified outcome.

The 2007 WHID data indicates that more than 44 percent of incidents over the course of the year were tied to non-commercial sites such as government and education. WHID researchers speculate that these numbers are potentially influenced by a higher rate of disclosure at such organizations due to laws requiring public disclosure of breaches in which sensitive information was leaked.

On the commercial side, poorly designed or vulnerable web applications were most commonly exploited at Internet-only businesses such as social networking, search engine and hosting providers. With member numbers on sites such as MySpace and Facebook exceeding the tens of millions, this is especially worrisome. As membership grows, attack impact could increase exponentially.

“Web application security is about visibility,” said Jeremiah Grossman, WASC co-founder and CTO of WhiteHat Security. “As researchers, it’s vital that we are able to see what the hackers can exploit, what they are exploiting, examining why and how, and based on this, trending where they’re going to exploit next.”

In analyzing the raw data, the WHID research team reports that each attack averaged a loss of over 6,000 personal records and bits of sensitive information. In addition to the highly publicized issue of web application defects—including the recent SANS Institute prediction that there will continue to be major vulnerabilities in nearly 50 percent of web applications in 2008—WHID analysis reveals that nearly one-third of incidents were a result of an operational issue, such as unintentionally publishing sensitive information online, rather than a programming mistake.

“Given their prevalence, a certain level of web application defects is expected and many times even tolerated by organizations. These findings are a testament to the need for constant protection for web applications already in production,” said Shezaf. “Through ongoing security industry initiatives such as those supported by WASC, researchers are able to shed light on attack trends and advise vendors and end-user organizations accordingly.”

About WASC

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security. Membership and participation in WASC-related activities is free and open to all. For more information, visit: http://www.webappsec.org/.

About Breach Security

Breach Security, Inc. is the leading provider of real-time, continuous web application security that protects sensitive web-based information. Breach Security’s products protect web applications from hacking attacks, data leakage and identity theft, as well as vulnerabilities caused by insecurely coded applications. Breach Security’s solutions also support compliance requirements for the Payment Card Industry (PCI) Data Security Standard (DSS). The company’s WebDefend web application firewall is ICSA Labs certified. Founded in 2004, Breach Security is headquartered in Carlsbad, California. For more information, please visit www.breach.com.

About Breach Security Labs

Established in 2005, Breach Security Labs is the research arm of Breach Security, Inc. Breach Security Labs conducts and sponsors research and open source projects that focus on web application security. In addition to open source and research projects, Breach Security Labs provides the security content, including rules, correlations and signatures, for Breach Security’s web application security products, including WebDefend and ModSecurity.

Breach Labs takes active roles in the leading web application security industry organizations such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC). Breach Security Labs team members are WASC officers and lead the OWASP chapters in the UK and Israel.

###

Breach Security, WebDefend and ModSecurity are trademarks of Breach Security, Inc. All other brand, product and service names are the trademarks, registered trademarks or service marks of their respective owners.