HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: April 2009

Matt Wood sets his own price

Matt Wood of the HP Web Security Research Group shows how a hacker can change a trade show registration price by exploiting an application security vulnerability in a cloud-based service.



Top Five Web Application Vulnerabilities 4/13/09 - 4/26/09

1) Apache Geronimo Application Server Multiple Remote Vulnerabilities

Apache Geronimo Application Server is susceptible to multiple vulnerabilities, including Cross-Site Scripting, HTML Injection, directory traversal, and Cross-Site Request Forgery. Successful exploitation could give an attacker the means to access sensitive information, steal cookie-based authentication credentials, and perform actions as an authenticated user. An update which addresses these vulnerabilities has been released. Contact the vendor for more information.


2) SAP cFolders Cross-Site Scripting and HTML Injection Vulnerabilities

SAP cFolders is susceptible to Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation could give an attacker the means to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve these issues are available. Contact the vendor for more details.


3) CS Whois Lookup 'ip' Parameter Remote Command Execution Vulnerability

CS Whois Lookup is susceptible to a remote command execution vulnerability. Remote attackers can exploit this vulnerability to execute arbitrary commands with the privileges of the affected application, possibly leading to its compromise as well as that of the underlying web server. A fix has not yet been released. Contact the vendor for additional information.
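The CS Whois Lookup entry above describes the classic shape of a command-execution bug in a lookup form: a request parameter that is spliced into a shell command. The block below is an added example, not code from CS Whois Lookup or from HP, showing the defensive pattern in Python: the `ip` parameter is validated as a bare IP address with the standard `ipaddress` module and the lookup is run as an argv list with no shell. The function names, the constructed hostile sample values and the pluggable `runner` (which keeps the example offline) are assumptions of this example.

```python
import ipaddress
import subprocess
from typing import Callable, List, Optional, Sequence


def validate_ip(value: str) -> str:
    """Return the canonical text form of an IPv4/IPv6 address, or raise ValueError.

    Anything that is not a bare address (shell metacharacters, hostnames,
    whitespace inside the value, CIDR ranges) is rejected before it can
    reach a command line.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected lookup target: {value!r}") from exc


def unsafe_whois_command(ip: str) -> str:
    """The pattern behind this bug class: the raw parameter spliced into a shell string.

    Returned as text and never executed here; it exists only to contrast
    with whois_argv() below.
    """
    return f"whois {ip}"


def whois_argv(ip: str) -> List[str]:
    """Hardened form: validated address, passed as a separate argv element."""
    return ["whois", validate_ip(ip)]


def _subprocess_runner(argv: Sequence[str]) -> str:
    # shell=False is the default for a list argv: no shell ever parses the value.
    result = subprocess.run(list(argv), capture_output=True, text=True, timeout=10, check=False)
    return result.stdout


def lookup(ip: str, runner: Optional[Callable[[Sequence[str]], str]] = None) -> str:
    """Perform the lookup through a runner that receives argv (default: subprocess, no shell)."""
    argv = whois_argv(ip)
    return (runner or _subprocess_runner)(argv)


# Constructed hostile values of the kind a web scanner would send to an 'ip' parameter.
HOSTILE_SAMPLES = [
    "203.0.113.5; echo injected",
    "203.0.113.5 | cat",
    "$(hostname)",
]


def all_rejected(samples: Sequence[str]) -> bool:
    """True when every sample fails validation and so never reaches whois_argv()."""
    for sample in samples:
        try:
            validate_ip(sample)
            return False
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    # Offline demo: the fake runner just echoes the argv it would have executed.
    print(lookup("203.0.113.5", runner=lambda argv: " ".join(argv)))
    print("hostile samples rejected:", all_rejected(HOSTILE_SAMPLES))
```

The contrast to draw is that `unsafe_whois_command` would hand a string to a shell, where the separators in the constructed samples become new commands, while `whois_argv` never lets an unvalidated value exist and never involves a shell at all; either control alone closes the bug, and using both is cheap.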


4) phpMyAdmin Configuration File PHP Code Injection Vulnerability

phpMyAdmin is susceptible to a remote PHP code-injection vulnerability. An attacker can leverage this vulnerability to inject and execute arbitrary malicious PHP code in the context of the webserver process, which could lead to a compromise of the application and underlying system. Updates which resolve this issue are available. Contact the vendor for more information.


5) Novell Teaming User Enumeration Weakness and Multiple Cross-Site Scripting Vulnerabilities

Novell Teaming is susceptible to multiple Cross-Site Scripting vulnerabilities and a user enumeration weakness. These vulnerabilities can be exploited to discover the names of legitimate users, execute code in the browser of an unsuspecting user, and steal cookie-based authentication credentials. Advisories with patch instructions have been issued. Contact the vendor for further details.
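Three of the five entries above (Apache Geronimo, SAP cFolders and Novell Teaming) end in the same two outcomes, script running in a victim's browser and theft of cookie-based authentication credentials, and the Novell entry adds a user enumeration weakness. The block below is an added example, not code from any of those products or from HP, showing the three server-side controls that blunt these outcomes in Python: escaping user-controlled values before they are placed in HTML, marking the session cookie `HttpOnly` so page script cannot read it, and returning one uniform login failure whether the username exists or not. The user store, the function names and the message texts are constructed for this example.

```python
import hmac
import html
from typing import Tuple

# Constructed user store: username -> password. Plain text only to keep the
# example short; a real system stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}

# Same text for "no such user" and "wrong password", so the response never
# confirms which usernames are valid.
GENERIC_LOGIN_FAILURE = "Invalid username or password."

# Dummy value compared against when the user is unknown, so the comparison
# work is the same on both paths and timing does not leak existence either.
_DUMMY_PASSWORD = "x" * 32


def render_profile(display_name: str, bio: str) -> str:
    """Build an HTML fragment with every user-controlled value escaped for HTML body context.

    html.escape() turns <, >, &, " and ' into entities, so a stored value such as
    "<script>...</script>" is displayed as text rather than executed.
    """
    return f"<h1>{html.escape(display_name)}</h1><p>{html.escape(bio)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie,
    Secure restricts it to HTTPS, SameSite=Lax withholds it from most cross-site requests."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def login(username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message) with an identical failure message for unknown users and bad passwords."""
    stored = USERS.get(username)
    candidate = stored if stored is not None else _DUMMY_PASSWORD
    # compare_digest runs on both paths; the result only counts when the user exists.
    match = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is None or not match:
        return False, GENERIC_LOGIN_FAILURE
    return True, "Welcome back."


if __name__ == "__main__":
    print(render_profile("<script>alert(1)</script>", 'She said "hi" & left'))
    print(session_cookie_header("example-session-id"))
    print(login("nobody", "anything"))
    print(login("alice", "wrong"))
    print(login("alice", "correct horse battery staple"))
```

`html.escape` is the right tool only for HTML body and attribute context; a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead, which is where most "we already escape" applications still fall down. The `HttpOnly` flag does not stop the script from running, it only removes the cookie as an easy prize, so it complements output encoding rather than replacing it.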


Intrusions test both the government and private industry

According to knowledgeable sources, the Obama administration will soon establish a new military command responsible for coordinating the defense of Pentagon computer networks and improving U.S. cyber offensive capabilities. This will hopefully move towards putting one voice in charge of securing critical defense assets and better coordinating efforts between the NSA, the Pentagon, and the Department of Homeland Security, among others. What is still unclear is what recommendations will be made for private businesses in securing key infrastructure such as the electricity grid and the telecommunications network. There has been a spate of high-profile stories regarding intrusions into both Pentagon and infrastructure computers. Here are two of the biggest:


Computer Spies Breach Fighter-Jet Project


Electricity Grid in U.S. Penetrated By Spies

If a Pentagon asset is vital enough, it will not be connected to the Internet. This reportedly kept the "classified" portions of the Joint Strike Fighter designs from being breached. For good and ill, though, many utilities rely on the Internet to conduct remote management of their equipment, retrieve date/time stamps, etc. With this convenience comes quite a risk. Supervisory Control And Data Acquisition (SCADA) systems can remotely manage computers that control everything from water supply valves to the security systems at nuclear power plants. Placing ever more Internet-reliant applications on top of SCADA systems that weren't designed to be accessible via the wild and woolly Internet has created a less than ideal situation. Similar to what we saw in the Verizon Data Breach report, most of these holes aren't being found by the utilities themselves, either, but in this case by U.S. intelligence agencies. What we currently have is untenable: a wide open system that we know is under increasingly sophisticated attack, and critical industries unable to secure themselves. The irony is that the next level of "smart" technology used to control the electrical grid will be even more reliant on the Internet. Let's hope that securing private yet vital infrastructure networks is given appropriate funding, and that an appropriate balance can be found between protection and privacy.


New Personal Health Information (PHI) breach guidelines included in stimulus package

Under the American Recovery and Reinvestment Act of 2009 passed in February (otherwise known as the stimulus package), the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), must issue rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. As a first step, the FTC has now issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to provide notice to consumers in the event of a security breach. This is a positive move towards building federal standards for Personal Health Information (PHI) breaches that at least match the requirements already given to other important data such as credit card numbers.

The stimulus package also tries to close the current Health Insurance Portability and Accountability Act (HIPAA) notification 'loophole' by recognizing that there are now new entities (for example, third-party storage vendors) that collect consumers' health information but are not covered by the current breach of data guidelines. Beginning September 16th, "covered entities" under HIPAA will be required to give breach notifications, and "business associates" of HIPAA-covered entities will be required to report breaches of PHI to the covered entities. Until the HHS and FTC can issue new guidelines, the new HIPAA requirements should ensure that affected individuals, from physicians to patients, are notified within 60 days of discovery of a breach. This will apply to any organization that utilizes or maintains "unsecured protected health information."

There is definitely a need for federal guidelines regarding PHI breaches. Currently (and until September, when the new HIPAA requirements go into effect), only two states (California and Arkansas) require breach notifications for all concerned entities. What exists now is a mishmash of state and federal regulations concerning PHI breaches that only serves to breed confusion. And that's not helped by organizations (third-party storage vendors, for example) who aren't following simple standards of customer service when notifying either patients or physicians of PHI breaches, because they don't yet have to. As we've seen with Wall Street, self-regulation is not always the best answer, especially when it comes to delivering bad news. Companies should be aware that any breach of PHI will soon require across-the-board notification, from consumer to health care provider, and that lack of compliance can result in hefty fines. The stimulus package created four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 for each violation and capped at $25,000 to $1,500,000 during a calendar year. These fines are effective immediately. There are also new state guidelines enacted this year that contain hefty penalties for non-compliance. California guidelines adopted this year as part of SB 541 have penalties for violations including $25,000 per patient for unauthorized access, use, or disclosure of patients' records, $17,500 for each subsequent occurrence of access to an affected patient's records, and $100 per day of delayed reporting of a breach. Any company that is involved with PHI would be well served to step up security efforts to avoid a breach now that the consequences are more severe, and to have a notification policy in place and ready to go in the unfortunate event of a breach.


Labels: compliance | hipaa | phi

Verizon's 2009 Data Breach Investigation Report released today

Today's release of WebInspect 8.0 (death, taxes or WebInspect...you make the call) couldn't be more timely. Verizon's 2009 Data Breach Investigation Report also came out today, and it once again shows the need for web application security testing. There are certain trends which just keep accelerating. The number of vulnerabilities in web applications keeps rising, and the damage that attackers can do by exploiting these vulnerabilities keeps increasing. Hackers are chaining several vulnerabilities together in a single attack, which can quickly escalate the impact of seemingly minor vulnerabilities by leading to installation of malware, keystroke loggers, etc.

If your organization processes data with any kind of value (social security numbers, credit card numbers, etc.), it's a matter of fact that you will be attacked by organized criminals. 99 percent of all breached records were compromised from servers and applications. It would take a lot of lost laptops to make a dent in that.

Another interesting point is how much protection compliance with regulations such as PCI can truly offer. According to the report, 81 percent of organizations who must adhere to the Payment Card Industry Data Security Standard (PCI-DSS) had been in non-compliance before they suffered a successful breach. If there are regulatory concerns that affect your organization, you are definitely playing with fire by being in non-compliance.

So how important is testing? Verizon's Data Breach report put it like this:

"SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking. Web application testing has never been more important."

The costs of cleanup after a successful intrusion can be high. The Pentagon (which has to worry about attacks ranging from bored teenagers to nation-states, among other things) recently revealed that it spent $100 million over the prior six months repairing the damage caused to its networks by attacks. I'm not certain how much of that was due to web application vulnerabilities (the Pentagon is famously tight-lipped about such things), but I would bet my last doughnut that their exploitation led to more damaging attacks.

Long story short, there are a lot of components that go into creating a successful security policy. Deactivating the user credentials of former employees, for instance. Changing default passwords, for another. It's increasingly apparent, though, that the importance of scanning your web applications for security vulnerabilities cannot be overstated, and that web application vulnerabilities left untreated will ultimately be exploited.

You can read Verizon's 2009 Data Breach Investigation Report here: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf


And you can find more information about WebInspect 8.0 here:

