Real Life Examples


  • Phishing
    • On the weekend of January 3, 2009, several users on the social network Web site, Twitter, became victims of a phishing attack. The users were deceived into giving away their passwords when they received an e-mail similar to one that they would receive from Twitter with a link that read, “hey, check out this funny blog about you…”. The link redirects to a site masquerading as the real Twitter site. Any personal information entered by the user on the fake site is then captured by the attacker.

      Twitter responded by reporting the offending domain, and changing the affected users’ passwords.

    • On November 25, 2014, some employees of Partners HealthCare fell victim to phishing emails, compromising 3,300 patients’ data. The following is an excerpt from http://www.beckershospitalreview.com/, dated May 1, 2015:

      The personal information of approximately 3,300 patients may have been compromised after a group of employees at Boston-based Partners HealthCare engaged with phishing emails.

      According to a notice from the health system, some Partners employees received the phishing emails Nov. 25, 2014 and, believing the emails were legitimate, responded to them. By responding to the phishing emails, the hackers were able to access the employees’ email accounts within the Partners network.

      Potentially compromised information includes names, addresses, birth dates and telephone numbers. Some Social Security numbers and some clinical information and health insurance information may have also been compromised, according to Partners. However, the EMR system was not accessed.

      Those affected include patients of Partners and affiliated hospitals Brigham and Women’s Hospital, Brigham and Women’s Faulkner Hospital, Massachusetts General Hospital, North Shore Medical Center, Partners Continuing Care and Newton-Wellesley Hospital, all in Boston except Newton-Wellesley Hospital in Newton, Mass.

      Since learning of the attack, Partners secured the email accounts, contacted law enforcement and started an investigation into the phishing attack.

      As of now, Partners has received no indication that any of the exposed patient information has been misused.

      http://www.beckershospitalreview.com/healthcare-information-technology/partners-healthcare-falls-victim-to-email-phishing-attack-compromising-3-300-records.html

  • Password
    • On Sunday, January 4th, 2009, a hacker known only as GMZ, used a tool he developed to launch a dictionary attack against the account of a Twitter user named Crystal. The program ran for several hours overnight automatically trying different English words. When “he checked the results Monday morning at around 11:00 a.m. E.T., he found he was in Crystal’s account.” GMZ soon realized that Crystal was actually a Twitter staffer with administrative privileges. He was able to compromise several high-profile accounts by resetting their passwords and making them available to fellow hackers. Some of these included the accounts of President Elect Barack Obama, Britney Spears, CBS News and Fox News.
  • Cryptography
    • The following excerpt is from the New York Times, dated August 17, 2009:

      The man who prosecutors said had masterminded some of the most brazen thefts of credit and debit card numbers in history was charged on Monday with an even larger set of digital break-ins.

      In an indictment, the Justice Department said that Albert Gonzalez, 28, of Miami and two unnamed Russian conspirators made off with more than 130 million credit and debit card numbers from late 2006 to early 2008.

      Prosecutors called it the largest case of computer crime and identity theft ever prosecuted. According to the government, the culprits infiltrated the computer networks of Heartland Payment Systems, a payment processor in Princeton, N.J.; 7-Eleven Inc.; Hannaford Brothers, a regional supermarket chain; and two unnamed national retailers.

      An unspecified portion of the stolen credit and debit card numbers were then sold online, and some were used to make unauthorized purchases and withdrawals from banks, according to the indictment, which was filed in United States District Court in Newark…

      Richard Wang, manager of SophosLabs, a security company, said the case provided more evidence that retailers and banks needed to strengthen industry standards and encrypt credit card numbers when they are transmitted between computers. Currently, major banks agree to encrypt such data only when it is stored.

      http://www.nytimes.com/2009/08/18/technology/18card.html?_r=2&ref=business

  • Integer errors
    • There is a Facebook group called “If this group reaches 4,294,967,296 it might cause an integer overflow.” This value is the largest number that can fit in a 32-bit unsigned integer. If the number of members of the group exceeded this number, it might cause an overflow. Whether it will cause an overflow or not depends upon how Facebook is implemented and which language is used – they might use data types that can hold larger numbers. In any case, the chances of an overflow seem remote, as roughly 2/3 of the people on earth would be required to reach the goal of more than 4 billion members.
    • On December 25, 2004, Comair airlines was forced to ground 1,100 flights after its flight crew scheduling software crashed. The software used a 16-bit integer (max 32,768) to store the number of crew changes. That number was exceeded due to bad weather that month which led to numerous crew reassignments.
    • Many Unix operating systems store time values in 32-bit signed (positive or negative) integers, counting the number of seconds since midnight on January 1, 1970. On Tuesday, January 19, 2038, this value will overflow, becoming a negative number. Although the impact of this problem in 2038 is not yet known, there are concerns that software that projects out to future dates – including tools for mortgage payment and retirement fund distribution – might face problems long before then. Source: “Year 2038 Problem” http://en.wikipedia.org/wiki/Year_2038_problem

    • A software vulnerability in Boeing’s new 787 Dreamliner jet has the potential to cause pilots to lose control of the aircraft, possibly in mid-flight, Federal Aviation Administration officials warned airlines recently. The bug—which is either a classic integer overflow http://en.wikipedia.org/wiki/Integer_overflow or one very much resembling it—resides in one of the electrical systems responsible for generating power, according to a memo the FAA issued last week https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-10066.pdf .
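
The three counter examples above (a 16-bit crew-change counter, a 32-bit unsigned member count, and a 32-bit signed seconds-since-1970 clock) all fail the same way: the arithmetic keeps going after the type runs out of room. The C program below is an added illustration, not code from the page or from any of the systems described; the field widths are taken from the stories, the date arithmetic uses the real epoch value for 2009-01-01 00:00:00 UTC (1230768000), and the checked helpers are the fix a defender would apply: detect that the next value does not fit and refuse, instead of letting the counter wrap.

```c
/* Added example (not from the original page): how fixed-width counters
 * wrap, and how a checked increment or add refuses to wrap instead. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked increment of a 16-bit signed counter (the Comair crew-change
 * field). The sum is computed in int and converted back to int16_t; that
 * conversion is implementation-defined, and on gcc/clang INT16_MAX + 1
 * becomes INT16_MIN, a negative number of crew changes. */
int16_t unchecked_inc16(int16_t counter)
{
    return (int16_t)(counter + 1);
}

/* Checked increment: returns false and leaves *counter untouched when the
 * next value would not fit, so the caller can fail loudly. */
bool checked_inc16(int16_t *counter)
{
    if (*counter >= INT16_MAX)
        return false;
    (*counter)++;
    return true;
}

/* Unsigned 32-bit membership counter (the Facebook group example).
 * Unsigned overflow is defined to wrap modulo 2^32, so 4,294,967,295 + 1
 * silently becomes 0; this version detects the wrap before it happens. */
bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* 32-bit signed seconds since 1970 (the Year 2038 problem). Signed
 * overflow is undefined behaviour in C, so the test must be done on the
 * operands, never by adding and looking at the sign of the result. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Does a projection `years` ahead of `start` (32-bit time) still fit?
 * Uses 365-day years, which is enough for the illustration. */
bool projection_fits_i32(int32_t start, int32_t years)
{
    int32_t seconds, end;
    if (!checked_add_i32(0, years * 365 * 24 * 3600, &seconds))
        return false;
    return checked_add_i32(start, seconds, &end);
}

int main(void)
{
    int16_t crew_changes = INT16_MAX;
    printf("unchecked: %d -> %d\n", crew_changes, unchecked_inc16(crew_changes));
    printf("checked:   %s\n", checked_inc16(&crew_changes) ? "ok" : "refused");

    uint32_t members;
    printf("u32 add:   %s\n",
           checked_add_u32(UINT32_MAX, 1, &members) ? "ok" : "refused");

    /* A 30-year mortgage opened on 2009-01-01 already runs past 2038. */
    const int32_t jan_1_2009 = 1230768000;
    printf("30y from 2009 fits in 32-bit time: %s\n",
           projection_fits_i32(jan_1_2009, 30) ? "yes" : "no");
    return 0;
}
```

The 16-bit conversion is the only place the program relies on compiler behaviour; the unsigned and signed helpers are portable, and the signed one is written so the overflow test itself cannot overflow.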
  • Input validation
    • In December 2005, a Japanese securities trader made a $1 billion typing error, when he mistakenly sold 600,000 shares of stock at 1 yen each instead of selling one share for 600,000 yen. A few lines of code may have averted this error. Fat fingered typing costs a trader’s bosses £128m, The Times Online, December 09, 2005
    • Web applications are highly vulnerable to input validation errors. Entering an invalid string such as “!@#$%^&*()” on a vulnerable e-commerce site may cause performance issues or denial of service, and malformed passwords such as “pwd’” or “1=1--” may result in unauthorized access. http://www.processor.com/editorial/article.asp?article=articles%2Fp3112%2F32p12%2F32p12%2F32p12.asp&guid=&searchtype=&WordList=&bJumpTo=True
    • A Norwegian woman mistyped her account number on an internet banking system. Instead of typing her 11-digit account number, she accidentally typed an extra digit, for a total of 12 numbers. The system discarded the extra digit, and transferred $100,000 to the (incorrect) account. A simple dialog box informing her that she had typed too many digits would have helped avoid this expensive error. Olsen, Kai. “The $100,000 Keying error” IEEE Computer, August 2008
    • The site xssed.com lists nearly 13,000 vulnerable Web pages, including sites such as yahoo.com, google.com, msn.com, facebook.com, craigslist.com and cnn.com.
    • The Risks digest (http://catless.ncl.ac.uk/Risks ) – an invaluable resource on computing systems gone wrong – carried a report of an electronic commerce web site that failed to verify the quantity of items ordered. After accidentally typing “1.1” for the desired quantity of an item (instead of one), an amused customer found that the system would let him order 1.1 cocktail shakers at $9.99 each, for a total of $10.99. A simple check to verify that the quantity was an integer value would have eliminated the absurd possibility of ordering one-tenth of a cocktail shaker. Source: Richard Kaszeta, “Lack of sanity checking in Web shopping cart software” Risks Digest, 23(51) http://catless.ncl.ac.uk/Risks/23.51.html#subj11
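
Two of the stories above (the 1.1 cocktail shakers and the 12-digit account number) come down to the same defect: the system accepted input it should have rejected and quietly "fixed" it. The C functions below are an added example, not code from the page or from any of the systems described; the 11-digit account length is the one in the Norwegian story, and the quantity limit is an assumed value. Both functions return false on bad input so the caller can show the user an error instead of guessing.

```c
/* Added example (not from the original page): strict parsing of an
 * order quantity and of an account number. Each rejects malformed input
 * instead of silently truncating or rounding it. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an order quantity. Accepts only an unsigned decimal integer in
 * [1, max_qty]. Rejects "1.1", "-1", "+1", "1e3", " 1", "", and values
 * that overflow long. Writes *out and returns true on success. */
bool parse_quantity(const char *s, long max_qty, long *out)
{
    /* strtol would skip leading whitespace and accept a sign; we do not. */
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return false;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;          /* out of range, or trailing ".1"/"e3"/junk */
    if (v < 1 || v > max_qty)
        return false;          /* zero, or an implausibly large order */
    *out = v;
    return true;
}

/* Validate an account number: exactly `digits` decimal digits and nothing
 * else. A 12-digit entry is an error to report, not a value to trim. */
bool valid_account_number(const char *s, size_t digits)
{
    if (s == NULL || strlen(s) != digits)
        return false;
    for (size_t i = 0; i < digits; i++)
        if (!isdigit((unsigned char)s[i]))
            return false;
    return true;
}

int main(void)
{
    const long MAX_QTY = 100;           /* assumed per-order limit */
    const char *tries[] = { "1", "1.1", "-1", "0", "25", "1e3", " 1", "101" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        long q;
        if (parse_quantity(tries[i], MAX_QTY, &q))
            printf("quantity %-5s -> accepted (%ld)\n", tries[i], q);
        else
            printf("quantity %-5s -> rejected\n", tries[i]);
    }

    /* Constructed sample account numbers: 11 digits is valid, 12 is not. */
    printf("11 digits: %s\n", valid_account_number("12345678901", 11) ? "ok" : "rejected");
    printf("12 digits: %s\n", valid_account_number("123456789012", 11) ? "ok" : "rejected");
    return 0;
}
```

The pattern to take away is "parse, then check what was left over": after strtol the end pointer must sit on the terminating NUL, otherwise some part of the input was not understood and the whole value must be refused.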
  • Buffer overflow
    • Buffer overflow vulnerabilities were exploited by the first major attack on the Internet. Known as the Morris worm, this attack infected more than 60,000 machines and shut down much of the Internet for several days in 1988. Source: Carolyn Duffy Marsan, Morris Worm Turns 20: Look what it’s Done, Network World, October 30, 2008 http://www.techworld.com.au/article/265692/morris_worm_turns_20_look_what_it_done/
    • A buffer overflow in a 2004 version of AOL’s AIM instant-messaging software exposed users to attack. If a user posted a URL in their “I’m away” message, any of his or her friends who clicked on that link might be vulnerable. AOL’s response was to suggest that users update to a new version that would fix the bug. Source: Paul Roberts “AOL IM ‘Away’ message flaw deemed critical”, Infoworld, August 9, 2004 http://www.infoworld.com/article/04/08/09/HNaolimflaw_1.html
    • The Blaster worm that attacked Microsoft Windows Systems in August 2003 relied upon a known buffer overflow in remote procedure call facilities. Once it was installed on a given computer, Blaster would attempt to find other vulnerable computers. Upon finding a vulnerable computer, Blaster would issue instructions that would create a process on the target and cause the worm to be downloaded to it. Source: CERT® Advisory CA-2003-20 W32/Blaster worm http://www.cert.org/advisories/CA-2003-20.html
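
All three incidents above start from the same programming error: data from the network is copied into a fixed-size buffer without checking that it fits. The C program below is an added example, not code from the page or from AIM, fingerd or Windows RPC; the 64-byte "away message" buffer is an assumed size. It places the unbounded copy beside the bounded one so the difference is visible: the hardened version measures the input first and rejects it rather than writing past the end of the buffer or silently truncating it.

```c
/* Added example (not from the original page): an unbounded copy of an
 * untrusted string into a fixed buffer, beside a bounded copy that
 * refuses input that does not fit. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define AWAY_MAX 64   /* assumed buffer size, not the real AIM limit */

/* Vulnerable pattern: strcpy stops only at the terminating NUL of src,
 * so any src longer than AWAY_MAX - 1 writes past the end of dst and
 * corrupts whatever lies beyond it. Shown for contrast; never call it
 * with attacker-controlled input. */
void set_away_unsafe(char dst[AWAY_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened version: measure first, then copy only when the content and
 * its NUL fit. Rejecting (rather than truncating) keeps the peer from
 * choosing how many bytes land in dst and keeps the message intact. */
bool set_away_safe(char dst[AWAY_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= AWAY_MAX)
        return false;            /* no room for the text plus its NUL */
    memcpy(dst, src, n + 1);     /* n + 1 copies the terminator too */
    return true;
}

/* Length of the message currently stored, or -1 if dst is unterminated
 * within AWAY_MAX (which would mean the buffer was overrun). */
int away_length(const char dst[AWAY_MAX])
{
    for (size_t i = 0; i < AWAY_MAX; i++)
        if (dst[i] == '\0')
            return (int)i;
    return -1;
}

int main(void)
{
    char away[AWAY_MAX];
    const char *short_msg = "http://example.invalid/funny-blog";   /* constructed */
    char long_msg[200];                                              /* constructed */
    memset(long_msg, 'A', sizeof long_msg - 1);
    long_msg[sizeof long_msg - 1] = '\0';

    printf("short message: %s\n", set_away_safe(away, short_msg) ? "stored" : "rejected");
    printf("long message:  %s\n", set_away_safe(away, long_msg) ? "stored" : "rejected");
    printf("stored length: %d\n", away_length(away));
    /* set_away_unsafe(away, long_msg) would overrun 'away' by 136 bytes. */
    return 0;
}
```

The bounded version also preserves the earlier message when it rejects a new one, which is why the stored length printed at the end is still that of the short URL.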

 
Copyright © Towson University