HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: February 2009

Attacks on U.S. government computer networks are on the rise

According to 'federal records', there was a 40% increase in attacks on U.S. government computer networks last year. That's a really raw number, especially when considering that the number of 'successful' attacks isn't released, only 1% of federal agencies even have 'fully developed' tracking systems, and that government statistics involving any aspect of security are likely to be adjusted for the necessity of the moment. Even if part of that spike was the result of better tracking (when did 1% become 'better'?), and in spite of the fact the number might have been manipulated, there's enough truth there to know the number of attacks on government networks is increasing. It looks like that's due to both targeted attacks from foreign powers trying to access sensitive information, and from normal 'cybercrime' (whether that's malware, misdirection, or malfeasance). There is currently a federally mandated 60 day cyber security review taking place. Let's hope some better solutions are developed quickly. When you can only track 1% of what's really happening, it unfortunately puts one in mind of the levees before Katrina.



The security industry should hold itself to higher standards

At a previous job I worked on the application testing side of web security—breaking in-house/contract built applications, commercial off-the-shelf (COTS) applications, appliances, and partner’s sites (which were built with all of the above). While most of these weren’t security related, more than a few of them were.

Time after time, web applications or appliances built by “security companies” turned up a ridiculous amount of vulnerabilities. I won’t go so far as to make bold statements about how every developer at every security company should be an expert (though it would be nice), but certainly these places should have rigorous testing methodologies at all stages before product release… right? (see Rafal’s blog for lots more posts about that). Security products should have fewer vulnerabilities… right?

One of the under-used features over at OSVDB.org is the ability to search by products that are identified as “security software.” This search reveals fourteen pages—over 400 issues—of flaws in security products (though not all of them web related). Sadly, if my experience is any indication of how this works throughout the industry, there are tons more that were never publicly released due to contract and political restrictions.

Take, for example, a certain network traffic collection, storage and security analysis appliance I tested 3 or 4 years ago. It had a “hidden” web directory of administration scripts, and about half of them lacked an authentication call. This let you do “minor” things like running shell commands or viewing all the captured network data. After communicating with the vendor, they fixed the problem half a year later—but it was never publicly disclosed.
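An added illustration of that bug class, not code from the original post or from the appliance in question: a per-script authentication check that one script omits, beside a dispatcher that gates every path centrally before it even looks the path up. All script names, paths and the token are constructed for the example.

```python
import hmac

ADMIN_TOKEN = "constructed-example-token"  # constructed sample secret, not a real credential

def _authenticated(request):
    # Constant-time comparison of the presented token with the expected one.
    return hmac.compare_digest(request.get("token", "").encode(), ADMIN_TOKEN.encode())

def require_auth(handler):
    # Per-script wrapper: refuse the request unless it is authenticated.
    def wrapped(request):
        if not _authenticated(request):
            return ("401", "authentication required")
        return handler(request)
    wrapped.auth_checked = True  # marker used by the audit below
    return wrapped

# Constructed stand-ins for two of the appliance's administration scripts.
def run_command(request):
    return ("200", "would run: " + request.get("cmd", ""))

def view_captures(request):
    return ("200", "capture files: session1.pcap, session2.pcap")

# Vulnerable layout: each script must remember its own check, and one forgot.
PER_SCRIPT = {
    "/admin/run_command.cgi": require_auth(run_command),
    "/admin/view_captures.cgi": view_captures,  # missing authentication call
}

def dispatch_per_script(path, request):
    handler = PER_SCRIPT.get(path)
    return ("404", "not found") if handler is None else handler(request)

# Hardened layout: authenticate before looking the path up, so no script ships
# without the check and unauthenticated clients cannot probe for hidden scripts.
HARDENED = {
    "/admin/run_command.cgi": run_command,
    "/admin/view_captures.cgi": view_captures,
}

def dispatch_hardened(path, request):
    if not _authenticated(request):
        return ("401", "authentication required")
    handler = HARDENED.get(path)
    return ("404", "not found") if handler is None else handler(request)

def unguarded_scripts(table):
    # Audit for the per-script layout: registered scripts lacking the wrapper.
    return sorted(p for p, h in table.items() if not getattr(h, "auth_checked", False))
```

The audit helper is the cheap pre-release check the post asks for: run it over the script table and any entry it lists is a script that was deployed without its authentication call.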

So, how can you trust security products you may need to rely on in court, when they are not secure? Two years ago, and upheld last month by an appeals court, a judge determined that the failure of the manufacturer to release the source code to a breathalyzer machine was a violation of due process and thus impacted the defendant’s ability to receive a fair trial—the test results were not admissible as evidence. This was a bold defense strategy, and, in my opinion, the right decision by the judges involved.

So how far off are we from a defendant questioning forensic evidence or logs when the software or tool that collected it had a critical security flaw? Or has this already happened and I missed it?

Maybe it doesn’t matter in the long-run. Paul Ohm writes in his blog post Being Acquitted Versus Being Searched (YANAL) that by the time the trial comes and you try to make a compelling argument about tainted evidence, they’ve likely gathered so much more via surveillance/warrants that it won’t matter if you are able to discredit some portion of it.

Despite what Ohm says, I still like the idea that a real-life Alan Shore will raise the bar for security software makers. Only if the bottom line is in jeopardy will most companies decide that investments in getting their own security house in order are worth it.

Use protection (and common sense) this Valentine's Day

Cupid's arrow might have a little more sting than usual this year. Hackers are getting better and better at masking their intentions and taking advantage of people's desires, whether that's for love, friendship, or just something to read on Digg. Expect another flurry of fake Valentine's Day E-cards designed to lure people to malware sites where their systems can become infected with keyboard loggers to steal passwords and account information, or otherwise turned into a spam-serving 'bot. Another method of enticing victims to these sites is by placing fake 'valentines' underneath car windshield wipers with a URL luring them to a dating site, or something similar. The normal recommendations really just don't seem to work when the curiosity of the human heart is involved. There's not a virus scanning application in the world that can prevent that. The only real method of protection is for potential victims to utilize some common sense--don't accept E-cards from people you don't know, and don't think that a flyer stuffed under a windshield wiper somehow holds the key to finding love.



Prajakta Jagdale at ShmooCon: Blinded by Flash - Widespread Security Risks Flash Developers Don't See

ShmooCon begins today in DC, and as usual, they have lined up an informative and topical schedule of security talks. The HP Web Security Research Group's own Prajakta Jagdale is scheduled to speak on Saturday at 2pm about the security of applications developed using the Adobe Flash Platform. Prajakta and the group have completed an in-depth research project where they studied numerous applications built on the Adobe Flash Platform and found that many of the security issues that are common in Web applications also exist in applications developed with Adobe Flash. Here is an overview of Prajakta's ShmooCon talk and a little bit about her background:

In a rush to adopt the dazzling Flash technology, website developers tend to use quick and dirty hacks to get their applications to work and in the process sidestep any security features provided by the technology. The presentation will look at applications built on the Adobe Flash Platform encountered in the wild that are a result of insecure development practices and demonstrate the ease with which they can be compromised.

Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Her current research efforts are concentrated towards identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis.


More information about her presentation can be found here: http://www.shmoocon.org/presentations-all.html



Tags: SWFScan

Educating the Masses About Security

In my last post I talked about zombies and warnings and such (and, ok, a little bit about security). I'm not too surprised at the press the sign changing is getting, since traffic and driving are things the vast majority of us deal with. However, I'm disappointed that very few people in the mainstream media are taking the opportunity to talk about broader security issues.

I searched, and did not find one interview with a sign manufacturer to talk about how physical or keypad/password security will be improved in the future, or with DOT management about purchasing better locks and changing default passwords. Sadly, there are tons of articles talking about the applicable laws and crimes a person could be charged with if caught tampering with these devices.

Additionally, some of the reports are talking about removing information from the internet. Take this Associated Press article:

Some Web sites, such as Jalopnik.com, have published tutorials titled "How to Hack an Electronic Road Sign" as a way to alert security holes to traffic-safety officials. Wert said he had no immediate plans to take down Jalopnik's how-to guide.

Has removing information from the internet ever actually succeeded in either keeping that information private or protecting a resource? There have been a few cases where it was a complete and notable failure (DeCSS T-shirt, anyone?). Kudos to Mr. Wert for keeping the information on the web site--it's already in several other places. The horse is already out of the bag.

Mitch Wagner over at InformationWeek wrote:

It's easy to scold those government agencies for failing to take basic safety measures, and I suppose it's justified -- but, still, road departments have other things to do. Like, y'know, taking care of the roads.

No! No! No! It is completely justified to "scold" them, and it is absolutely their responsibility (and the manufacturer's) to secure their equipment and job sites. Mr. Wagner says their job is "taking care of the roads," which implies keeping them safe, which means keeping hooligans from changing road signs. It's not a giant leap.

It's everyone's job to take basic security precautions. How different would this story be if the first widespread misuse of this information had been part of a terrorist attack?

