HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: July 2009

Security on a shoestring budget

Almost every day a news story reports on data breaches, financial theft and illegal surveillance perpetrated by unknown criminals. It seems that hackers are everywhere, and as a result the fear of consumer fraud continues to rise .

 

This perception of an increased risk during a period of economic recovery illustrates that these two issues are tightly coupled. In fact, the relationship is fairly clear:  In an economic downturn, we can expect the number of security related incidents to rise.  The nature of this relationship can be understood by examining the software development process, and how it ultimately suffers from a poor economy.

 

The outcome of shrinking budgets

 

Some media reports declare that security budgets are healthy , but other articles report that security budgets are shrinking .  The most likely truth is that security budgets are indeed shrinking, but not as dramatically as traditional development budgets are shrinking.

 

Like other industries, software companies are struggling to do more with much less. Currently, many project initiatives are being scaled back or have been put on. Although security budgets and development budgets are often separate bags of money, both bags are much smaller now than a few years ago.

 

A shrinking development budget means that the traditional realm of development teams (generating requirements, producing code and quality testing) will suffer from neglect. The reduction of resources (including outsourced development), tighter timelines, and hurried QA will all ultimately allow more vulnerabilities to creep into production code.

 

Traditional security teams are feeling the strain as well. Compliance audits, penetration testing and third party code reviews are all feeling the pinch. Implementation of security process into the development lifecycle is being postponed due to cost of tools and training. While there may be some money available for security review and compliance audits, there may be no development money left for fixing the issues. The outcome will of course dramatically show that security is neglected as a result of financial cutbacks.

 

The impact of a bad economy

 

Even if we ignore reality completely and assume that the number of security vulnerabilities is staying constant, we have to take into account the increased motivation for the attacker. The global reach of the economic crisis coincides nicely with the distributed nature of the internet and as a result, the opportunity for financial reward leads to more daring attacks.

 

Recently many high profile attacks have been perpetrated by disgruntled former employees , including the network administrator involved in a tense standoff with the city of San Francisco . Other attacks for the purposes of extortion , credit card theft, insider fraud, and ransom are also on the rise.

 

More and more companies are converting their legacy thick clients into web-based applications to reduce development costs, thereby increasing the number of vulnerabilities found and exploited in the wild . Even as the overall number of web-apps grows, the focus of recent attacks is increasingly directed at Web 2.0 applications because these newer, fancier applications traditionally suffer from a lack of security-aware implementation

 

Security on a shoestring budget

 

Given the cloudy economic outlook for the next year or two, and the prognosis for increased web attacks, it seems that security professionals have little hope to of keeping their process on track. Yet, there are ways to mitigate the risk. Many articles have been written about staying secure in this economy , and give tips about doing more with less.

 

First off, uniquely prioritize the security goals of your project. Each goal should occupy a unique position on the list. Keep in mind that having multiple security goals marked as ‘highest priority’ will not be productive, will divert the focus of the effort, and will increase the likelihood that your security initiative will have minimal impact. Hitting all the low hanging fruit first will create a big ripple effect early on, so be sure to take a look at the OWASP Top 10 for some easy wins. One of the easiest ways to pluck low hanging fruit is with the use of a solid web application scanner to automatically review web applications.

 

Secondly prepare to take baby steps toward the ever moving goal of ‘security’. Remembering that progress should be slow and steady will help keep you sane.

 

Automation has a multiplier effect, creating the illusion of a fulltime “around the clock” staff of security drones. Use this effect to your company’s advantage, and automate whatever and whenever you can. Let the computer toil away during off peak times churning out static analysis reports, penetration testing the nightly build, unit testing system components, load testing the beta release, etc.

 

Finally, the holy grail of any security process is to integrate security into the development lifecycle from the very beginning. This has the additional benefit of being the biggest return on investment as well, since fixing defects before they escape into the wild is cheaper and reduces liability risk for your company. Although many companies choose to infuse security at different points in the software development lifecycle, implementing security at the requirements level is the best place to start .

 

Although economic forces are motivating an increasing number of digital attacks, having a solid plan and executing it steadily and automatically will help companies survive the uncertain days ahead.

Labels: data breach

HP Application Security Center on Twitter

You can now follow the HP Application Security Center on Twitter....we'll have frequent updates about a wide range of web application security topics and happenings. Join us at: 


http://twitter.com/HP_AppSecurity

Firefox port "number" bugs... phishing potential?

We generally assume proper TCP port validation restricts them from 1 to 65535 (except in some offbeat cases). With some applications and operating systems, a name can be used to represent a port. For example, on a *nix system, telnet can connect to port 21 with the command “telnet localhost ftp” by looking up “ftp” in /etc/services.

Web browsers typically only handle numbers, and don’t do the name translation. So, typing in an alpha string for a port number should generate an error…right? Not necessarily.

It turns out that in Firefox (up to 3.5), if you provide a string as port number it is simply ignored. This makes some amount of sense—it’s not a number, so discard it. However, if history has taught us anything, even the slightest deception will be abused by the phishing crowd. Consider the following URL:

               http://secure.login.server.at:example.com/

It’s fairly easy to miss that it’s not “secure.login.server.at.hp.com” but rather “secure.login.server.at” with a port number of “example.com.” Someone causally checking out their links might miss that one. In this case, the alpha string should not just be ignored, but an error presented to the user.

Phishing threat aside, there was also another odd bug in Firefox’s port number handling: very large numbers wrap around a buffer, such that you can work your way right back to the standard range by simply incrementing the number properly. The following, obviously invalid port, actually works in Firefox (below 3.07):

                http://hp.com:90194313296/

And it takes you to port 80 on hp.com. To convince yourself it’s not simply dropping the number, try:

                http://hp.com:90194313659 (port 443)
                http://hp.com:90194313295 (port 79)

I’m not exactly sure what evil this can be used for. Certainly, you can create links on a site that only Firefox can follow (as Internet Explorer and others reject the port as invalid), and I’m willing to bet search engines and other HTML parsing programs will ignore it as well. What good will that do you? Who knows, but I’m sure someone more evil than me might figure something out.

The port wrapping bug was fixed in FF 3.07 on bug 473587.

The port name bug is still unfixed. I decided to publish this despite the fact that it's not patched because they have made the Bugzilla entry public, which means someone up to no good can see it as well. The information, if you like to take a stab at fixing it, is filed under bug 479485.

Labels: TCP Ports

Top Five Web Application Vulnerabilities 7/08/09 - 7/19/09

 1) Oracle Secure Enterprise Search 'search_p_groups' Parameter Cross-Site Scripting Vulnerability


Oracle Database is susceptible to a Cross-Site Scripting vulnerability that affects the Secure Enterprise Search component.  If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems.  Updates which resolve this issue are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/35681


2) Cisco Unified Contact Center Express (CCX) Arbitrary Script Injection Vulnerability


Cisco Unified Contact Center Express (CCX) is susceptible to an arbitrary script injection vulnerability due to a failure of the application to sanitize user-supplied input. Successful exploitation will give an attacker the means to execute arbitrary code in context of the user running the application, possibly leading to further attacks. Fixes which address this issue have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/35705


3) Cisco Unified Contact Center Express CRS Administration Interface Directory Traversal Vulnerability


Cisco Unified Contact Center Express is susceptible to a directory traversal vulnerability.  Successful exploitation would give an attacker the means to view, edit, or delete any file on the server via the CRS Administration interface. Other attacks would likely be possible.  Updates which address this issue have been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/35706


4) WordPress Multiple Existing/Non-Existing Username Enumeration Weaknesses


WordPress is susceptible to multiple existing/non-existing username enumeration weaknesses as different responses are returned for each. Attackers can exploit these weaknesses to discover legitimate login usernames, which would likely aid in conducting brute-force password cracking attacks.  A fix has not yet been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/35581


5) WordPress 'wp-admin/admin.php' Module Configuration Security Bypass Vulnerability


WordPress is susceptible to a security bypass vulnerability. Authenticated users can leverage this issue to gain access to configuration scripts, giving them access to sensitive information and possibly the ability to escalate privileges. Successful exploitation would likely lead to other attacks.  Updates which address this issue are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/35584

Embiggen those short urls!

Over the weekend, someone asked me to help reverse some obfuscated Javascript. He'd gotten it through a link on Twitter, from a corporate blog. It was, of course, using a URL shortening service, making it more difficult to easily see where the destination was (a bunch of ad spam).


In this case, it seems likely the poster didn't bother to vet the link before posting--and thus sent out a link to an advertising page. Not very cool, twitter user, not very cool at all!


So, while posters should actually read things before they post them, readers need to protect themselves, too. Here are a couple of ways you can figure out where you're going before you actually go there:



  • TInyurl has the preview service, which will set a cookie (preview=1) . When you click links to tinyurl.com, you'll be taken to an intermediary page which lists the expanded URL.

  • bit.ly has their own Firefox plugin which will show a preview when you mouse-over a bit.ly link.


If you're a Firefox user,  you have a few solutions available to you in the way of add-ons:



  • LongURL Mobile Expander gives you a mouse-over view of the expanded URL (much like bit.ly's own addon), but for multiple services.

  • Long URL Please replaces the short URLs in the page, so you can directly view them. This is pretty handy, but does actually change the page content--which could be problematic.


Of course, URL shortening (and lengthening!) services are a dime-a-dozen (and seem to appear and disappear on a weekly basis), so no solution is going to let you preview all of them, but covering the most popular should go a long way.


What other ways you can see your destination--and does anyone have recommendations for Safari or IE?


nyURL.com - shorten that long URL into a tiny URL
http://tinyurl.com/preview.php

Labels: tinyurl

Why we can’t count (data loss)

Numbers lie


Recently California made headlines after more than 800 data breach disclosures were filed in the first five months of 2009. Upon closer inspection, the large number of incidents does not represent a rise in actual incidents, but just a change in mandated reporting practices due to California’s new medical data breach law which went into effect on January 1, 2009 .


Unfortunately in practice we have no idea how much private information is lost to data breaches every year, because disclosure laws do not entice businesses to accurately report data breach incidents. While the number of reported incidents appears to be growing, it is a poor reflection of reality, owed in large part to changes in compliance laws. Although we are getting a better estimate on the number of “reported incidents”, the number of “actual” incidents is still unknown.


Data breaches will not decrease


While it seems fairly compelling to believe that increased legislation and financial penalty would motivate all sectors of industry to beef up data security, pragmatism dictates otherwise.


Digital data is like uranium: dense with a high yield. Almost all data breaches are of digital records. In contrast, old-fashioned paper records are fairly secure.  Stealing several thousand paper records is physically risky and combing through them for valuable information is prohibitively time consuming.


Computers make breaches easier and more attractive. Roughly 50% of all incidents are of the non-accidental malicious variety, such as malware, hacking, and laptop theft. These incidents yield 83% of the total number of stolen records reported. A large amount of valuable personal information available for minimal risk is a very attractive value proposition… so attractive that it presents new and increased incentive where none existed before. Of reported financial data breach incidents, 24% are caused by insiders, such as executives, IT administrators and employees, and 55% percent are attributed to outside hacking .


Lack of Incentive


Although data breaches are expensive (on average costing $6.6 million per incident), companies are very slow to take preventative action. Despite compliance laws, many companies still lack sufficient pragmatic (read ‘monetary) incentive to change their security practices . The guidelines currently in place suffer from a number of issues:


Laws are vague: Compliance laws vary from state to state, and often include exemption from disclosure requirements if the stolen private data is “encrypted” – even if the encryption keys are stolen, too. Any data that is publically available from federal, state, or local government sources is also exempt.


Companies can plead ignorance: Of those reported data breaches, 24% do not know or do not specify how much information was compromised. To avoid negative media attention, many victims of large data breaches simply claim “zero” in the “number of records stolen” column .


Notification timelines are usually vague: Loose wording such as “the most expedient time possible” and “without unreasonable delay” serves to allow companies to choose when they disclose their data incidents (except companies in Florida and Ohio).


Most incidents are unreported: According to a survey conducted at the RSA conference in 2007, a full 89% of companies that experienced a data breach did not publically disclose the incident . Assuming that incident disclosure is still largely a voluntary exercise without oversight, we have no reason to suspect that is has changed much for 2008 or 2009.


Summary: 


The interest in personal data is not a fad, and related data breaches will not magically disappear. While private data is lost from many sources, web applications figure prominently in the security equation.


Changes in policy will highlight the enormous number of incidents, and attitudes will have to change from a reactionary “defense” to a proactive security “offense”.


Preventative security medicine is the best and most cost effective policy. For the IT manager, the decision to spend several thousand dollars on current security tools should be an easy one to make. The cost of preventative security pales in comparison to the cost of cleaning of the mess after getting breached.

Jump Start Application Security Initiatives with SaaS

HP Application Security's own Caleb Sima, Chenxi Wang of Forrester Research, and Vinnie Liu of Stach and Liu give a great presentation about why corporations with seemingly insurmountable application security issues would do well to implement a SaaS solution. Tight timelines, limited budgets, and a lack of security experts? Compliance deadlines and hundreds of applications to secure? Learn how companies can leverage SaaS to meet these challenges.

  

Register for the presentation at:

  

http://www.csoonline.com/webcast/494866/?source=csocib_071309

Top Five Web Application Vulnerabilities 6/24/09 - 7/07/09

1) IBM Rational ClearQuest CQWeb Server Cross-Site Scripting and Information Disclosure Vulnerabilities


IBM Rational ClearQuest is susceptible to a Cross-Site Scripting and information disclosure vulnerabilities.  These can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, execute malicious code on end user systems, or gain access to sensitive information which could likely be used to conduct more damaging attacks.  Updates which address these issues have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/35490


2) Sun Java Web Console Cross-Site Scripting Vulnerability


Sun Java Web Console is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials.  Updates which resolve this issue have been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/35513


3) IBM Tivoli Identity Manager Multiple Cross-Site Scripting Vulnerabilities


IBM Tivoli Identity Manager is susceptible to multiple Cross-Site Scripting vulnerabilities. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Fixes are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/35566


4) Ruby on Rails 'http_authentication.rb' Nil Credentials Authentication Bypass Vulnerability


Ruby on Rails is susceptible to an authentication bypass vulnerability. An attacker can leverage this vulnerability to gain access to protected resources, likely leading to more damaging attacks. Updates which resolve this vulnerability are available. Contact the vendor for additional details. 


http://www.securityfocus.com/bid/35579


5) Sun Java System Access Manager Cross-Domain Controller (CDC) Cross-Site Scripting Vulnerability


Sun Java System Access Manager is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site.  Updates which resolve this issue have been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/35527

Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog

Featured


Follow Us
Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.