Slashdot Mirror


Number of Web Application Hacks Up

An anonymous reader writes "According to an article at Information Week, 'Web site hacks are on the rise and pose a greater threat than the broad-based network attacks...' Citing statistics from the Web Hacking Incidents Database, 'Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.'"

14 of 53 comments

  1. Number of hacking attempts by mysqlrocks · Score: 4, Insightful

    Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003, according to the Web Application Security Consortium.

    And what percentage of "web hacking attacks" are reported to the Web Application Security Consortium? I would venture to guess that a very small number are reported making these numbers statistically meaningless.

    1. Re:Number of hacking attempts by techno-vampire · Score: 2, Insightful

      That depends. Even if only a small percentage of all web attacks are reported, if that percentage stays stable then a rise in the number reported implies a rise in the total number of attacks. Of course, we don't know if, in fact, the percentage has remained stable or if it's simply that a larger percentage are being reported.

      --
      Good, inexpensive web hosting

    2. Re:Number of hacking attempts by mysqlrocks · Score: 3, Interesting

      Even if only a small percentage of all web attacks are reported, if that percentage stays stable then a rise in the number reported implies a rise in the total number of attacks.

      Let's assume for a second that 1% of all attacks are reported. That would mean that 16 out of 1600 were reported in 2004 and 58 out of 5800 were reported in 2005. Now, let's say that the percentage of reports increased by 1% point in 2005. So, 1% reported in 2004 and 2% reported in 2005. That would mean that 16 out of 1600 were reported in 2004 and 58 out of 2900 were reported in 2005. So, in this scenario what looked like a 362.5% increase in attacks is actually only a 181.25% increase in attacks. So, a small change in the reported percentage could make a huge difference in the apparent increase. These numbers are so ridiculously low to begin with, I wouldn't be surprised if less than 1% of web attacks are reported. I looked through the list and can think of some attacks I know of to some pretty big sites that weren't reported. Plus, some incidents are pretty generic and don't address a specific attack while others do address specific attacks. So, their definition of a "Web hacking attack" seems to be quite fluid. Basically what I'm saying is that these numbers are absolutely meaningless.

    3. Re:Number of hacking attempts by hrtserpent6 · Score: 2, Funny

      According to the Web Application Security Consortium, there were 58 web hacking attacks in 2005.

      According to zone-h.org, there were 494,988 web hacking attacks in 2005.

      Close enough.

  2. Don't give the "hackers" that much credit... by Ravatar · Score: 5, Insightful

    I wouldn't say the focus should be on the fact that there are a higher amount of attacks, rather the focus should be on people writing web applications with security low on their priority list.

    1. Re:Don't give the "hackers" that much credit... by oni · Score: 2, Interesting

      rather the focus should be on people writing web applications with security low on their priority list.

      I agree, and I think that the reason there are people writing web applications and not thinking about security is that web apps are still thought of by businesses as "pretty things to attract customers" rather than "part of our network".

      Pretty things are low on the list of priorities for managers, so they hire some kid to make their website.

      I can't say that I've *ever* seen PHP or Perl or ASP code that looked like someone put some thought into it. Even things like indentation. Most of the code I've seen actually looks like the coder just hit return at random times. And if they aren't making an effort to make their code readable and maintainable, then they probably aren't making an effort to make it secure.

      Oh well, this is just the way things are. I really believe that if it weren't for building codes business owners would hire people off the street to construct their office buildings. "They are just slapping bricks together, what's the big deal?? Why should I pay an architect big bucks for this? I'll get a high-school kid who will give me an office building in a week for $20."

    2. Re:Don't give the "hackers" that much credit... by 0x0000 · Score: 2, Informative

      I can't say that I've *ever* seen PHP or Perl or ASP code that looked like someone put some thought into it.

      You obviously haven't seen any of my PHP and Perl code (I've never written ASP). Of course, it may be that you haven't seen my web applications code because I'm not a "web designer" - can't get a job in that industry, which speaks to the truth of your assertions concerning who companies hire to create web applications.

      --
      "The Internet is made of cats."

    3. Re:Don't give the "hackers" that much credit... by jrockway · Score: 2, Informative

      > I can't say that I've *ever* seen PHP or Perl that looked like someone put some thought into it.

      I think you should pay a visit to the CPAN. It's 4G+ of Perl modules that are well documented, fully unit-tested, and largely platform independent. I've seen some bad web applications in my time (all PHP incidentally), but there are plenty of excellent Perl programmers writing excellent Perl code.

      If you're interested in learning to write good Perl, I suggest you take a look at Damian Conway's book, "Perl Best Practices".

      http://www.amazon.com/gp/product/0596001738/102-7464862-7276945?v=glance&n=283155

      (And of course read Perl's excellent Fine Manual.)

      --
      My other car is first.

  3. Ugh by Wellington+Grey · Score: 2, Funny

    From the article: Why is this happening? Several reasons. One is the prevalence of hacking tools online that can be found simply by using the Google search engine.

    So does that mean if I do all my web searches on my Windows 98 machine using Internet Explorer but I use MSN Search, not Google, I'll be OK?

    -Grey

  4. This article is scaremongering by eln · Score: 2, Insightful

    First off, we're talking 58 attacks in a whole year out of how many millions of websites? Those are pretty good odds.

    Also, the article states this is a big deal partly because more financial institutions are offering services online. But then, they state one of the major reasons for the problem is that web applications are generally not coded with security in mind. If you're coding a web app for a financial institution, and security is not the number one issue on your mind, you should be fired, and the financial institution should be put out of business for hiring your dumb ass in the first place.

  5. Tuttle? by daveo0331 · Score: 5, Funny

    Who's reporting all these attacks? The city manager of Tuttle, Oklahoma?

    --
    Remember the days when Republicans were the party of fiscal responsibility?

  6. You've got to be Kidding! by Bananas · Score: 4, Insightful

    You call double-digit hacks a growing trend? Where do these folks live, under a rock? Don't tell me you've never heard of Attrition.org? Just how many HUNDREDS of sites were defaced in the past?

  7. AJAX hacks will be cracked by PietjeJantje · Score: 3, Insightful

    The number of cracks will rise because of AJAX hacking.
    It's not only the interface and usability that take a leap in complexity if you want to keep stuff working.
    First, you have data communication in the background, for everyone curious to see. Second, there's a leap in usage and development and thus potential for crackers. Last, the average AJAX developer is inexperienced.

  8. Sourceforge.com was my fault by sphix42 · Score: 2, Interesting

    My code was left in their code base when they closed their source years ago, but they didn't compensate me or even try to contact me about it. Very sorry for giving you my time and code, OSDN.