HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: May 2009

Instant High Score!

One of our security researchers just happened to stumble across this interesting Highscores area of a free Flash skeet shooting game. Notice scores 6-10. Now I'm not saying he had anything to do with this. What I am saying is that if your query parameters are able to be manipulated, some hacker will mess up your application just to see if he can. And if that part of the site is insecure, what else is?








Talking Headers: Part 1

Some people collect coins, DVDs or comic books. Others collect cars or Star Wars toys. Among other things, I like to collect HTTP headers. They take up a lot less space than cars, and can have a much higher return value than Mark McGwire's rookie card--as long as you something interesting.

From time to time I like to look through my collection for rare gems... like these, which caught my eye this week:

  • x-real-server

  • real-hostname

These are the two most popular of a few slight variations. The header name itself is generally useless (more on that some other day)--it is, of course, the value that matters. Unfortunately, the vast majority of these are boring as heck--the server's name with (or without) the www. In a few cases, however, they reveal something interesting--something other than the server's name.

At least one of them in my collection is likely the host's internal or "real" hostname (a cartoon character). Another is a completely different host/domain combination (perhaps the hosting company's machine name which the virtual host is running on?). And yet another reveals that it's actually "cgi01"--maybe a good indication there's a "cgi02" and that they'd be good places to look for... lots of CGI programs.

Earth shattering? No. Interesting, and with the potential to reveal a bit about your servers? Yes.

As always when building your web infrastructure, stop every bit of useless information that heads outbound--no matter how innocuous it may seem. You never know what an attacker may be able to leverage for attacks or social engineering, and you never know what future holds for new attacks or exploits.

And just for a bit of a product plug, WebInspect will now check for these variations.

For some fun headers, see Andrew Wooster's post from nearly 4 years ago.

Labels: Headers| HTTP| Research

Social Insecurity

Not too long ago, one could trust the big corporate names to run clean websites. You had to go surfing down some shady back alleys of the web to expose yourself to malware. Those were the naïve days of the pre-adolescent internet, when firewalls and spam filters were not words that your mom and dad could casually drop over dinner. Those days are gone.

A recent report shows that the most recognized names on the internet are now becoming the biggest targets for hackers . It used to be that finding malware on high profile sites was like the idea of strip clubs in Disneyland:  unimaginable. However, hackers have matured and turned their attention to high profile social networks, targeting these trendy websites for massive ROI . These sites combine a massive user base, allow custom content creation (tweets, status updates, etc.), and  give third party applications access to user data, all of which combine to give hackers new attack vectors to exploit .

Why social networks are great targets

These new social aggregators attract staggering numbers of users, and a few of the most popular boast more active profiles than Russia has residents . Since online social networks are meant to show off ‘social capital’, the successful ones tend to turn these online popularity contests into even more users .  This snowball effect provides the high concentration of online users that attracts online criminals. Modern social sites provide more than just massive numbers of users: they also provide stickiness . Large sites like eBay were very popular targets a few years back, but even current retailers such as eBay or Amazon cannot compete with Facebook for reaching and holding American attention .

Massively interconnected networks, both real and digital, are able to spread information incredibly quickly. This is great if you are spreading good news, or paychecks. It is not so good if you are spreading bogus stock tips or the Swine Flu . The spread of digital information even resembles its real-life counterpart under rigorous scientific scrutiny .  However, unlike the real world where it takes eight hours to get a germ infected body from London to New York City, digital malware can spread far more quickly .

Although we may not realize what consequences we invite by providing even modest amounts of personal information to social networks, we are quickly learning. Recent publications show it is possible to discover of 'hidden' user information by predicting missing links and ‘merging social graphs’ .  Trying to remain anonymous for the benefit of privacy is futile, since even data that is ‘scrubbed’ of personally identifiable information can be easily de-anonymized with advanced statistical algorithms .

Some of the most popular social networking sites also allow third party applications to play on the site with little or no supervision. Although most current third party application malware is easily detectable, many believe that the introduction of stealth malware (masquerading as useful applications) is on the horizon . As social networks move to allow these applications access to more personal data, the potential for abuse is staggering .

How to protect yourself

Don’t join a social network if you don’t like tattoos, since social networks are far more permanent. Tattoos can be removed, but even if a site allows for the complete removal of personal data from the company’s servers, Google and the Internet Archive make sure that is a meaningless point. The internet is forever - or at least until the next electromagnetic apocalypse.

Use common sense. Often users unwittingly reveal sensitive information through status updates, picture uploads, etc. Ignoring the embarrassing position people can find themselves in at a job interview, this type of information is used with great success by old fashioned con artists. Avoid common scams by arming yourself with information on some recent scams, and learn to spot suspicious online offers for free computers . Don’t use the same password on every site you visit. And even if you think you are a hard core security professional, it can’t hurt to brush up on the latest scams making the internet rounds .

Last but not least, set and maintain your privacy settings . The default privacy settings provided by many sites are fairly insecure, and most users never even bother to adjust them . Also remember that security settings are often voluntarily overridden. Simply sending or responding to someone on Facebook gives them access to your details for 30 days, whether you actually know them or not. In this case, silence is not only golden, but much more secure.

Labels: Malware

Top Five Web Application Vulnerabilities 5/12/09 - 5/25/09

1) Novell GroupWise WebAccess Multiple Security Vulnerabilities

Novell GroupWise WebAccess is susceptible to multiple vulnerabilities including Cross-Site Scripting and issues of security restriction bypass. Attackers who successfully exploit these vulnerabilities could steal cookie-based authentication credentials, and gain access to sensitive information.   Updates which resolve these vulnerabilities have been released. Contact the vendor for additional information.


2) Sun Java System Portal Server Error Page Cross Site Scripting Vulnerability

Sun Java System Portal Server is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities have been released. Contact the vendor for further details.


3) Sun Java System Communications Express Multiple Cross-Site Scripting Vulnerabilities

Sun Java System Communications Express is susceptible to multiple instances of Cross-Site Scripting. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site. Updates which resolve these issues have been released. Contact the vendor for more information.


4) HP System Management Homepage Unspecified Cross Site Scripting Vulnerability

HP System Management Homepage is susceptible to an unspecified Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue have been released. Contact the vendor for additional details.


5) phpMyAdmin 'setup.php' PHP Code Injection Vulnerability

phpMyAdmin is susceptible to a PHP Code Injection vulnerability. An attacker can leverage this vulnerability to inject and execute arbitrary malicious PHP code in the context of the web server process, which could lead to a compromise of the application and underlying system.  Updates which resolve this issue are available. Contact the vendor for further information.


The Internet is an unsafe place

Two recent studies have cast some light on the current state of web application security. How bad is it out there?  Bad. 82% of web sites had either a Critical, High, or Urgent vulnerability within the past calendar year, with Cross-Site Scripting being the most prevalent.


Once upon a time, Cross-Site Scripting was viewed as little more than an annoyance.  As the use of JavaScript has become something just short of ubiquitous, and its functions increasingly more complex, the risk to both web sites and users has expanded tremendously. And as the report shows, the problem is as much one of scale as anything.


What really stands out is that users used to have to worry about picking something up when visiting the 'red light' districts of the Internet. Now, it's the ‘branded' sites that are delivering malware. Attackers have realized that you can distribute a lot more malware from a national retailer's site than you can from a 'red light' site. There really is no safe harbor.


Compounding the issue are users themselves. If not taking the phishing bait, they are using the same password for multiple sites, making attacks against social networking sites which don't contain 'sensitive' information nevertheless effective.


For now, it's the same old story. Until web site owners start baking security into the Application Management Lifecycle, and users start thinking more about security, the Internet is going to continue to be a relatively unsafe place.



Microsoft's ClickOnce Firefox add-on

With Firefox, I just went to download a certain new version 2.0 web browser and and was surprised that after hitting the license accept button Firefox started up an installer, downloaded the application and installed it without any prompts or questions. This is not the security experience with Firefox I've been accustomed to.

I did some digging around in the page's code, a little searching, and found I had the "Microsoft .NET Framework Assistant" installed into my Firefox add-ons. A little more digging and I found it was silently installed with .NET 3.5 SP1. Yes, that's right, I said silently. What's more, the default settings of this add-on allow sites to start installers without prompting.

That second checkbox also points to another minor annoyance--that the add-on reports the installed .NET versions to every website you visit via the User-Agent string. Nice.

While you can change the settings via Firefox, and even disable it, the icing on the cake you can't actually uninstall it without jumping through hoops. Microsoft's Brad Abrams, in a blog post, said:

We added this support at the machine level in order to enable the feature for all users on the machine.  Seems reasonable right?  Well, turns out that enabling this functionality at the machine level, rather than at the user level means that the "Uninstall" button is grayed out in the Firefox Add-ons menu because standard users are not permitted to uninstall machine-level components.  

Oh, Brad, I'm frightened. What kind of a place is this? No--it doesn't sound reasonable. Microsoft should have published it in Mozilla's add-on directory like everyone else and not quietly changed their biggest (browser) competitor's product , drastically weakening its security in the process.

To uninstall the extension completely, you'll have to follow the steps outlined in Brad's post, which involve registry editing and directly editing Firefox's configuration.

While this is not exactly ground-breaking news here on the internet--there are plenty of pages crying foul with this whole deal--I hadn't heard of it, so it seemed worth posting about to spread the word just a little bit. And we should all review our primary browser's add-ons/extensions on a regular basis.

Labels: Microsoft

Universities are natural targets for cyber criminals

A major state university is currently notifying as many as 160,000 students that their personal information (including social security numbers) might have been accessed in 2008. Complicating matters, the breach wasn't discovered until a year later.

It used to be that universities were natural targets for attackers because of the student body itself. Defacing a web site was a fun game for script kiddies, and anybody that could achieve a 'Ferris Beuller' would head to the top of the class, quite literally.

Now, though, it's no longer fun and games (if it ever really was). State and federal budget cuts have impacted security as well as everything else, and large universities offer more attack 'bang for the buck' than almost any other target out there. Natural student turnover via graduation, transfer, and dropping out only increases the amount of information and personal data stored and accessible for who knows how long. In this case, some of the records went back to 1999.

I'm sure in 10 years we will still be seeing attacks that breach data that old. Long story short, universities should realize they are ground zero as far as criminal cyber attacks go. The irony is that the cost of notification will often be more expensive than what the criminals ultimately gain from fencing the data.

Top Five Web Application Vulnerabilities 4/28/09 - 5/10/09

1) Multiple Symantec Products Log Viewer Script Injection Vulnerabilities

Multiple Symantec Products are susceptible to browser-exploitable script injection vulnerabilities due to improper sanitization of user-supplied input used in dynamically created content.  Successful exploitation would give an attacker the means to steal cookie-based authentication credentials, or simply alter how the site appears.  Other attacks are likely possible.  Updates which resolve these issues have been released. Contact the vendor for additional details.


2) Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability

Citrix Web Interface is susceptible to a Cross-Site Scripting vulnerability.  If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this issue have been released. Contact the vendor for more information.


3) IceWarp Merak Mail Server Multiple Vulnerabilities

IceWarp Merak Mail Server is susceptible to multiple vulnerabilities including SQL Injection, Cross-Site Scripting, and other input validation issues. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or be utilized in conducting additional database attacks. Updates which resolve these issues have been released. Contact the vendor for further information.


4) GlassFish Enterprise Server Multiple Cross-Site Scripting Vulnerabilities

GlassFish Enterprise Server is susceptible to multiple Cross-Site Scripting vulnerabilities. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site.  Updates which resolve these issues are available.  Contact the vendor for additional information.


5) Jetty Cross-Site Scripting and Information Disclosure Vulnerabilities

Jetty is susceptible to a Cross-Site Scripting and an information disclosure vulnerability. These vulnerabilities could be exploited to execute code in the browser of an unsuspecting user, steal cookie-based authentication credentials, or access sensitive information.  A fix which resolves these vulnerabilities has been released. Contact the vendor for more details.


Extortion can mean double jeopardy for personal health information providers

I've been thinking a bit more about the personal health information extortion attempt that's been in the news recently, and which Ken Swinney mentioned in his  Keep the snakes at bay  post yesterday. If you haven't been following the story, the gist is that a state agency responsible for identifying prescription medication abuse was hacked and compromised. Their site was then replaced with a ransom note demanding 10 million dollars for access to the database.

Under current guidelines, would this have required that patients be notified of a potential breach? It's hard to say without knowing all the specifics, and what 'concerned entities' were involved. Under the new HIPAA breach notification rules  that go into effect this September, though, notifications would most definitely be required.If nothing else, that's a lot of postage.

I can only imagine that we'll see more and more incidents of this nature in the future. In fact, this is not the first extortion attempt involving personal health information to become public in the past year. One of the nation's largest processors of pharmacy prescriptions (think benefit claims) also suffered an extortion attempt roughly six months ago. Smartly, they didn't pay. Even so, public extortion of this kind is double jeopardy for those who maintain personal health information (or financial, for that matter). At that point, providers are already in violation of any applicable legislation, and will be subject to those fines and penalties no matter what approach is taken in recovering the compromised data.





Keep the snakes at bay

Recently, a state agency announced that their site had been compromised by computer hackers. The attackers left a ransom note on the web site claiming that they had captured 8.3 million patient records and 35.6 million prescriptions. The attackers also claimed to have created a password-protected, encrypted backup of the data.  For a mere $10 million the miscreants offered to “gladly send along the password.”

To quote the great philosopher Morpheus, “Welcome to the desert of the real.”

Warnings about security flaws in web applications have been ignored by most for as long as web applications have existed. A small contingent of evangelists, including folks in our own HP Application Security group, have consistently warned about the existence and exploitability of these vulnerabilities.

The U.S. Department of Health and Human Services Inspector General, in a report dated October 27, 2008, stated that “limited actions” by the Centers for Medicare & Medicaid Services (CMS) have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.” Voluntary compliance (an oxymoron?) was a key problem cited for this lack of effectiveness.

Some suggest that healthcare records simply should not be made available via the public internet. That’s a lot like saying people shouldn’t eat greasy cheeseburgers. It may be true, but it’s not gonna stop.

The first step to understanding the real problem is recognizing that the availability of information, even healthcare information, is a growing part of our everyday lives. You wouldn’t put sharp kitchen knives on the floor where your toddler could reach them, would you? If you did do something this dangerous, would you then punish the toddler for cutting himself?

We need to stop wondering why snakes bite and start wondering what we can do to put a healthy distance between our toes and the snakes.

The federal government has enacted new, strong provisions to begin forcing developers of healthcare management software applications to provide notice of breaches to the medical providers they serve, who can in turn notify the affected individuals. This is a huge step, because in the past HIPAA compliance was a burden borne by the medical providers. If they aren’t notified of the breach, nobody is the wiser…until somebody finds out at the pharmacy that all of their pain prescriptions have already been filled by some nice young gentleman.

Now that software application developers are held accountable for security, I believe we’ll start to see some distance between us and the snakes. By the time these software developers figure out they need a plan for their web application security, they’ll find out HP has been there all along.

Ken Swinney
R&D Group Manager
HP Application Security Center

Even in recession, web application security spending to increase

A recent OWASP survey found that over a quarter of IT organizations plan to spend more money specifically for web application security.  Another 36% expect web application security spending to remain at current levels. Considering the state of the economy, those are good numbers. Even with recessionary belt-tightening and across the board budget reductions, web application security isn't being ignored because more enterprises understand it simply can't be ignored. Granted, this survey was conducted on a site devoted to web application security, so the responders are much more likely to care than 'other' IT professionals. But, if anybody should know that security spending is going up or at least staying the same, it's them. Let's call that a push.

There are some other good nuggets within thesurvey. This is the best selling point I've heard for web application security in quite some time. "Organizations that have suffered a public data breach spend more on security in the development process than those that have not." We'll call that the 'barn door axiom'.  If you've been breached, the pain ensures you do what you can to mitigate the risk of another incident. And the best way to do that is building security into the development process, not brushing it on after the product has been released.


Showing results for 
Search instead for 
Do you mean 
About the Author(s)
Follow Us

HP Blog

HP Software Solutions Blog

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation