Let me give you a few big examples from history and recent times.

1) Data worth 2 billion dollars lost in courier
In 2007, 25 million child benefit records was sent from one government department to another and was lost by the courier company. The discs were sent by a junior staff member unencrypted and unregistered. The discs contained all kinds of personal data, names and ages of children, bank savings account numbers, partners details and even National Insurance Numbers (Equivalent to the Social Security Numbers).  The costs that this caused UK is not clear but it did involve high profile resignations, weeks and weeks of political debates, banks monitoring millions of accounts for fraudulent activity, etc. Some estimate the data alone could be worth over $2 billion in criminal hands.

2) The Honda Point Disaster (Off California Coast)

Aerial view showing all seven destroyers

This was the largest peacetime loss of U.S. Navy ships in which seven destroyers were lost. This tragedy was not caused by malice. Twenty-three sailors died in the mishap. Two other destroyers were slightly damaged. The navy court ruled it as a fault of the navigators and the captains of each ship. How did this happen? The flagship was equipped with a radio navigational receiver, but ignored the bearings, believing them to be erroneous. No effort was made to take soundings or depth measurements. These operations were not performed due to the need to slow the ships to take readings. The ships were performing an exercise that simulated wartime conditions, hence the decision not to slow down. In this case, the dead reckoning (method of estimating position) was wrong and the mistake fatal. The need to slow the ship might also reminds us of another disaster, the Titanic!

3) Aviation Accidents
Boeing studied commercial jet accidents (not including hijacking, test flights, etc) between 1959 to 2008. They determined the primary cause of Airline hull loss accidents (aircraft beyond repair) to be the following:

Clearly a lot of these are preventable and a lot of lives could have been saved. Flight crew error and the Air traffic control accounts to about 60% of all hull loss accidents.

In Conclusion
Accidents do and will happen, I would recommend developers to think about stupidity and not just malice when building systems. I have two interesting quotes to leave you with.
Albert Einstein - Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.
Hanlon’s Razor - Never attribute to malice that which can be adequately explained by stupidity.

Do share incidents that you have come across during your career.

The problem

Once hackers get into your website either by exploiting known vulnerabilities in any of the installed programs OR by getting FTP access to your server, the first thing they usually do is to plant backdoor scripts to log them in again at a later date. They need some executable script on the server to gain access to MySQL passwords, installation passwords or even edit settings in your wordpress or other installations.  We have also seen situations where the site was left largely unchanged except for malicious javascript code added to the bottom of the index.php or index.html files.

So in short the bad guys have taken over your server and running anything from a backdoor script or launching phishing attacks or sending tons of spam emails. You will not know that your server is hacked until you get blacklisted on spamhaus or your customers get redirected to some random site or worser still when you are contacted by ebay/paypal/some bank saying that your website is phisihing their customers. The problem is that we dont even have an idea that our site is hacked until it is too late or too embrassing.

Simple Solution – Website Change Detection System

We need a script on the server that detects any changes or to any executable file on the server or any new file on the server from HTML, JS, to PHP, ASP, Perl, Python files etc.  If we generate a hash value of all our files and then compare them periodically, then we will be able to detect when our codebase has changed on the server.

These are the steps that our change detection system performs (It takes about 500ms to execute on a typical server):

1. Load configuration file (contains password, exclude list)
2. Check password from request before starting (recommended)
3. Recursively run through every file and sub folder on the server within the current directory of the script.
4. Generate a hash for each file and arrive at the master hash.
5. Compare master hash with hash the user has and alert if different!

Notes:

• This script at this simple level is almost 100% fool proof in detecting changes to the codebaes give that the hacker or bots don’t know of websiteCDS presence.
• At this stage the script cannot detect SQL injection attacks and changes to code that are saved to the database.
• The users hash is not stored on the server at any time, the comparison with master hash can be done at cron script level or using siteup as discussed below.

We have the following code written in PHP but you can do the same with any other scripting language to perform similar checks. We have started the project under google code and is available here: PHP code for WebsiteCDS
See the readme file in the download for help with setup.

Different ways to automate the alert system

Method 1: Using our trusted cron job
A cron job can be setup to run the website CDS, compare the results with the last known valid hash and send out an email alert.

Method 2: With Siteup
Siteup is a free tool for windows systems that can be set to periodically check if your website is reachable. This is recommended for those of us who don’t want to setup a cron job. It can be downloaded here http://www.xequte.com/other/index.html#siteup We can use this to frequently call our change detection system and then use the siteup word search to check if the hash value is the same as what we have from our last codebase update. ( See screenshot )

NOTE: The project & code included is the first version of the change detection system and kindly submit your ideas and comments here or an issue or feature request in google code project for websitecds.

Example of such an attack: Lets take an example of a banking website which provides login to access banking features. (this can be any site which allows users to login).
EG: http://www.poorbanking.com

1) Hacker
Creates a very a link and sends visitors to the site as http://www.poorbanking.com/index.php?PHPSESSID=1234
Lets assume PHPSESSID is the name of the cookie / variable used to store session information. It is very easy for anyone to find this by just visiting the site once.

2) Hacker sends link to the target user.
http://www.poorbanking.com/index.php?PHPSESSID=1234 by email or placed in a blog etc.

3) Victim
Sees the link and clicks on it. The site looks genuine and the victim logs in to the site. At this stage the PHPSESSID is set to PHPSESSID=1234 and user is logged in.

4) The happy hacker
Hacker can keep checking if they can login by simply going to http://www.poorbanking.com/showmeaccount.php?PHPSESSID=1234
where showmeaccount.php is the page after login. They can see that once the user has logged in they can easily get access to the page.

Work around to this problem

Just prior to setting such a session variable, a call to session_regenerate_id() can help to protect against a session fixation attack.

See more information at http://en.wikipedia.org/wiki/Session_fixation