HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: July 2007

TigerDirect.com's "Improved" Security Policy

While checking my email this morning, I suspected that yet another message eluded my SPAM filter. Much to my surprise, the subject line "Your TigerDirect Account Update" from 'TigerDirect@promo.tigeronline.com' was legitimate. Unfortunately, reading the message was more troubling than the contents of many other SPAM messages I routinely receive. Within this message, I'm told that "in an effort to improve security, we have eliminated certain previously allowed characters for use in the creation of a password. (Example: ><@')." What's even more troubling is the next line: "Our records indicated that one or more of these characters were used in your password." As indicated by their "records," it's apparent my password is stored as plain text or, at a minimum, in a state that can be reversed to reveal the actual password composition.


At first glance, there are several things wrong with this scenario:

  1. This email correspondence actually alerts users to the fact that the security level has been reduced, not "improved" or otherwise strengthened.
  2. Secure storage of confidential or sensitive information (in this case "password") is absent or inadequately implemented.  If any attacks are successful and allow access to the main "records" repository, user information is vulnerable to compromise.  If this is incorrect and all information really IS stored securely, I'd like to know how my password was deemed "non-compliant" with the "improved" security policy.
  3. After resetting my password, it's apparent that there is no password policy (beyond 4-12 characters).  The user is permitted to supply the password "pass" with success.
Suggested Password Policy Improvements for TigerDirect.com:
  1. First and foremost, store sensitive information as a hashed value; never store sensitive information as plain text.
  2. Enforce the use of secure passwords using the following criteria:
    • A minimum password length in the range of 7 to 12 characters.
    • A minimum number of upper-case and lower-case characters.
    • A minimum number of numeric and special characters.
  3. Implement an incremental delay or temporary account suspension period after a series of unsuccessful login attempts.
Of course, balancing good security practice against usability has its limits, but the absence of a defined password policy is always the wrong answer. A hybrid approach to the above guidelines is the best compromise between human convenience and security. Hopefully TigerDirect.com will recognize the alarming practices in its current password policy, and readers will proceed with caution when using websites that follow unsafe security practices.
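The three suggestions above, worked through as an added example that is not TigerDirect's code and not code from this blog: a password-policy check, salted and iterated hashing (PBKDF2-SHA256) with constant-time verification so that only the hash is ever stored, and an incremental delay after failed logins that turns into a temporary suspension. The threshold values (an eight-character minimum chosen from the 7-12 range suggested above, one character of each class, five failures before suspension, a 200,000-iteration work factor) are assumptions chosen for the example, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string

# Policy thresholds: example values, not TigerDirect's and not the post's exact numbers.
MIN_LENGTH = 8                           # chosen from the 7-12 range the post suggests
MIN_UPPER = MIN_LOWER = 1
MIN_DIGIT = MIN_SPECIAL = 1
SPECIAL_CHARS = set(string.punctuation)  # includes > < @ ' which TigerDirect banned


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters required")
    counts = {
        "upper-case": sum(c.isupper() for c in password),
        "lower-case": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }
    required = {"upper-case": MIN_UPPER, "lower-case": MIN_LOWER,
                "numeric": MIN_DIGIT, "special": MIN_SPECIAL}
    for kind, needed in required.items():
        if counts[kind] < needed:
            problems.append(f"at least {needed} {kind} character(s) required")
    return problems


PBKDF2_ITERATIONS = 200_000  # example work factor; tune to the server's budget


def hash_password(password, salt=None):
    """Store only a salted, iterated hash; the plain text is never persisted."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not a record this scheme produced
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class LoginThrottle:
    """Incremental delay after failed logins, then a temporary suspension."""

    def __init__(self, base_delay=1.0, max_delay=60.0, suspend_after=5, suspend_for=900.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.suspend_after = suspend_after
        self.suspend_for = suspend_for
        self._state = {}  # username -> (failure_count, earliest_next_attempt)

    def seconds_until_allowed(self, username, now):
        """0.0 if a login attempt may proceed now, otherwise the remaining wait in seconds."""
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, username, now):
        """Register a failed attempt and return the wait imposed before the next one."""
        count = self._state.get(username, (0, 0.0))[0] + 1
        if count >= self.suspend_after:
            wait = self.suspend_for  # temporary account suspension
        else:
            wait = min(self.base_delay * 2 ** (count - 1), self.max_delay)  # 1s, 2s, 4s, ...
        self._state[username] = (count, now + wait)
        return wait

    def record_success(self, username):
        """A successful login clears the failure history."""
        self._state.pop(username, None)
```

Because only the salted hash is stored, a site run this way has no reason to exclude characters such as `><@'` from passwords, and it could never determine which characters an existing password contains; that it could is exactly what gives away plain-text or reversible storage. The throttle keys on the username, so it slows online guessing against one account; guessing spread across many accounts needs a separate per-source limit.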

Resources:

"Preventing Brute Force Attacks"
http://www.spidynamics.com/spilabs/education/articles/brute-force.html

"Selecting Secure Passwords" (While this link mainly applies to OS password policies, the general theory is the same.)
http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx

SPI Labs advises avoiding iPhone feature

The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: 

  • Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
  • Tracking phone calls placed by the user
  • Manipulating the phone to place a call without the user accepting the confirmation dialog
  • Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
  • Preventing the phone from dialing 

These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of the payload of a web application worm.

For example, an attacker could determine that a specific website visitor "Bob" has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob's phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss.

SPI Labs researchers reported these issues to Apple on July 6 and are working with Apple to remediate the problems. However, SPI Labs recognizes the unique urgency of these issues and the large number of people that could be affected. As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues.
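Only Apple can fix the browser-side behaviour described above, but a website that renders third-party content can at least refuse to publish a dialable link whose target differs from the number the user sees, which is the first kind of abuse listed. The following filter is an added example, not SPI Labs' or Apple's code; it assumes dialable links use the tel: URI scheme, compares the digits in the link target with the digits in the visible text, optionally restricts targets to an allowlist of numbers the site itself publishes, and replaces any link that fails with plain text. The phone numbers and markup are constructed.

```python
import re

# Matches simple <a ... href="tel:..." ...>text</a> elements. Regex matching of markup is
# illustrative only; in a real deployment run tel_link_decision() from the element hook of a
# proper HTML sanitizer rather than over raw HTML.
TEL_ANCHOR = re.compile(
    r'<a\b([^>]*?)href=(["\'])(tel:[^"\']*)\2([^>]*)>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


def normalize_number(text):
    """Reduce a number as written ('+1 (800) 555-0100') to '+' and digits ('+18005550100')."""
    text = text.strip()
    plus = "+" if text.startswith("+") else ""
    return plus + re.sub(r"[^0-9]", "", text)


def tel_link_decision(href, visible_text, allowlist=None):
    """Return (allowed, reason) for a link. Non-tel: links are passed through unchanged."""
    if not href.lower().startswith("tel:"):
        return True, "not a tel: link"
    target = normalize_number(href[len("tel:"):])
    if not any(c.isdigit() for c in target):
        return False, "no dialable digits in href"
    shown = normalize_number(visible_text)
    if target != shown:
        # The user would tap one number and dial another.
        return False, "href number differs from displayed number"
    if allowlist is not None and target not in allowlist:
        return False, "number not on the site's allowlist"
    return True, "ok"


def sanitize_tel_anchors(html, allowlist=None):
    """Rewrite rejected tel: links to inert text, keeping the displayed number readable."""
    def replace(match):
        _pre, _quote, href, _post, text = match.groups()
        allowed, reason = tel_link_decision(href, text, allowlist)
        if allowed:
            return match.group(0)
        return f'<span data-removed-link="{reason}">{text}</span>'
    return TEL_ANCHOR.sub(replace, html)


if __name__ == "__main__":
    # Constructed sample: the first link's target does not match its text, the second does.
    sample = ('<p>Call <a href="tel:19005550199">1-800-555-0100</a> or '
              '<a href="tel:18005550100">1-800-555-0100</a></p>')
    print(sanitize_tel_anchors(sample))
```

The text-versus-target comparison covers number substitution in links a site publishes; the tracking, forced-dial and dial-loop issues listed above arise from how the browser handles the link once tapped, so they are not addressed by any server-side filter, which is why the advisory recommends not using Safari to dial until Apple resolves them.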

Labels: iPhone, Safari, XSS