HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

China, Google and Web Security

Google recently announced that its China based location was the victim of an attack that targeted and compromised a critical internal system used to track the email accounts of those on China’s watch list. The system was designed to comply with government warrants for information concerning Chinese human rights activists. Some suspect China of targeting this specific system to circumvent the official warrant process in order to collect data on other Chinese citizens .



More alarmingly, this attack was not exclusively directed at Google. In all, at least 34 companies including Yahoo, Symantec, Northrop Grumman, Dow Chemical, Washington-based think tanks, and assorted human rights advocacy groups were compromised by the spear phishing attack .


At first rumored to be another Adobe flaw, closer examination by McAfee Labs revealed that the attack (code named “Aurora”) was actually a sophisticated zero-day vulnerability exploit against Microsoft’s Internet Explorer .


What should be most worrisome is not the zero-day in all versions of IE, but the new crop of “advanced persistent threats” that are siphoning money and intellectual property. These APTs are professionally organized, have extensive funding and employ smart people. The result: triple encrypted shell code which downloads multiple encrypted binaries used to drop an encrypted payload on a target machine which then establishes an encrypted SSL channel to connect to a command and control network . This is serious stuff.


Only a few years ago the majority of web-based attacks seemed to be launched by individuals or small groups to collect credit card information. These attacks had seriously consequences, but the magnitude of the losses and the organization of the black market economy were still child’s play by today’s standards.


Current threats from the Eastern bloc are directed at massive monetary gain - probably in the area of tens of millions of dollars . China appears hell bent on stealing state secrets and intellectual property from both governments and private business alike. The stakes are much higher, and the bad guys are much more capable of pulling off the heist.




We have known for a long time that phishing scams have been very effective at exploiting random samples of unsuspecting users. However, the focused targeting of private business is a newer, more sophisticated and lucrative threat. These spear fishing attacks are intensely researched and aimed at top level executives, and will become more common as time passes.


In a directly related point, consider the curious appearance of a new website called iiScan. This service offers to scan your web application for vulnerabilities - for FREE. Just sign up and point their software to your website, and they will, ‘figure out’ how vulnerable to an attack you might be. After the scan is done, they will email you a PDF based report to your email account.


Placing trust is such services has been discussed before, especially concerning cloud security.  It doesn’t take much to imagine all the things that could go wrong in this scenario, even if IE didn’t have multiple zero-day exploits, and a proof of concept embedded malicious PDF exploit had not just been released.


 It might very well turn out that NOSEC Technologies Co., Ltd. (the company behind iiScan) may be legitimate, or at least may have started out that way. Even if they are not actively attacking websites, it shouldn’t take long for them to become a high profile target for either private hackers, or for the Chinese government itself. What would be a better target than a database full of public websites and their known vulnerabilities? These sites, if not already compromised by iiScan, could be used as command and control drones, payload hosts, pieces of a distributed file-system, or merely SPAM relay channels.


Education and Armament


Everyday adds more proof that web application threats are being crafted by motivated professional organizations with deep pockets. Security needs to be taken very seriously, practiced diligently, and all users need be paranoid when surfing the web. This is especially important because the media is very cautious to report all the gory details of the real impact of cybercrime .


Installing preventative software is a good idea, too. Some of the latest tools and devices may help to prevent drive-by malware, spear phishing payloads, etc. Install Firefox and use plug-ins that flag suspected malware host sites. Use a personal web proxy, and restrict evil IPs. You can get the most comprehensive list of Korean and Chinese blocks (including iptables, htaccess files, dns zones, etc) from this page. Above all, stop clicking on those emails from your least technical friends that include an attached PowerPoint or PDF file to deliver a punch line. The villains take the Internet very seriously, and so should you.


UPDATE (1/19/2010):


Thanks to the Full-disclosure list (Marc, Smasher, Dan) for pointing out that the exploit was not nearly as sophisticated as McAfee has led us to believe.


The exaggerated sophistication of the attack re-enforces my point about media FUD - ironic in its own way because the media is quick to exaggerate the sophistication of the attacks, yet minimize the damage associated with them. It’s like getting up off the floor after a sucker punch and taunting "That didn't hurt". The reality is that simple attacks are still very effective - our security education and implementation still has a long way to go.


However, the real point of this article was to encourage a little more critical thinking surrounding software security. Putting blind faith in any type of security device (airport scanners, webapp scanners, etc.) is not good security practice.







One vulnerability can be your downfall

Court papers recently filed in conjunction with the indictment of Albert Gonzalez reveal that SQL Injection attacks were behind the data breach that allowed hackers to steal massive amounts of data from Heartland Payment Systems, TJX, and other businesses. Over 130 million credit and debit card numbers were ultimately obtained, all because of the failure in a web application to properly validate user-supplied data. The level of knowledge required to enact such devastating attacks continues to plummet, and the criminal desire behind them continues to rise. It's amazing what could have been prevented with proper application security in place.



This attack also perfectly illustrates how exploitation techniques have changed in just the past few past years. Once upon a time, hackers were content to steal the data from a database and then leave. Now, they infect the system with malicious software and perpetuate attacks across a much larger time frame, exponentially escalating the damage. The harm that can come from one relatively simple exploitable hole is phenomenal. Keeping your web applications secure has never been more important.  



Security on a shoestring budget

Almost every day a news story reports on data breaches, financial theft and illegal surveillance perpetrated by unknown criminals. It seems that hackers are everywhere, and as a result the fear of consumer fraud continues to rise .


This perception of an increased risk during a period of economic recovery illustrates that these two issues are tightly coupled. In fact, the relationship is fairly clear:  In an economic downturn, we can expect the number of security related incidents to rise.  The nature of this relationship can be understood by examining the software development process, and how it ultimately suffers from a poor economy.


The outcome of shrinking budgets


Some media reports declare that security budgets are healthy , but other articles report that security budgets are shrinking .  The most likely truth is that security budgets are indeed shrinking, but not as dramatically as traditional development budgets are shrinking.


Like other industries, software companies are struggling to do more with much less. Currently, many project initiatives are being scaled back or have been put on. Although security budgets and development budgets are often separate bags of money, both bags are much smaller now than a few years ago.


A shrinking development budget means that the traditional realm of development teams (generating requirements, producing code and quality testing) will suffer from neglect. The reduction of resources (including outsourced development), tighter timelines, and hurried QA will all ultimately allow more vulnerabilities to creep into production code.


Traditional security teams are feeling the strain as well. Compliance audits, penetration testing and third party code reviews are all feeling the pinch. Implementation of security process into the development lifecycle is being postponed due to cost of tools and training. While there may be some money available for security review and compliance audits, there may be no development money left for fixing the issues. The outcome will of course dramatically show that security is neglected as a result of financial cutbacks.


The impact of a bad economy


Even if we ignore reality completely and assume that the number of security vulnerabilities is staying constant, we have to take into account the increased motivation for the attacker. The global reach of the economic crisis coincides nicely with the distributed nature of the internet and as a result, the opportunity for financial reward leads to more daring attacks.


Recently many high profile attacks have been perpetrated by disgruntled former employees , including the network administrator involved in a tense standoff with the city of San Francisco . Other attacks for the purposes of extortion , credit card theft, insider fraud, and ransom are also on the rise.


More and more companies are converting their legacy thick clients into web-based applications to reduce development costs, thereby increasing the number of vulnerabilities found and exploited in the wild . Even as the overall number of web-apps grows, the focus of recent attacks is increasingly directed at Web 2.0 applications because these newer, fancier applications traditionally suffer from a lack of security-aware implementation


Security on a shoestring budget


Given the cloudy economic outlook for the next year or two, and the prognosis for increased web attacks, it seems that security professionals have little hope to of keeping their process on track. Yet, there are ways to mitigate the risk. Many articles have been written about staying secure in this economy , and give tips about doing more with less.


First off, uniquely prioritize the security goals of your project. Each goal should occupy a unique position on the list. Keep in mind that having multiple security goals marked as ‘highest priority’ will not be productive, will divert the focus of the effort, and will increase the likelihood that your security initiative will have minimal impact. Hitting all the low hanging fruit first will create a big ripple effect early on, so be sure to take a look at the OWASP Top 10 for some easy wins. One of the easiest ways to pluck low hanging fruit is with the use of a solid web application scanner to automatically review web applications.


Secondly prepare to take baby steps toward the ever moving goal of ‘security’. Remembering that progress should be slow and steady will help keep you sane.


Automation has a multiplier effect, creating the illusion of a fulltime “around the clock” staff of security drones. Use this effect to your company’s advantage, and automate whatever and whenever you can. Let the computer toil away during off peak times churning out static analysis reports, penetration testing the nightly build, unit testing system components, load testing the beta release, etc.


Finally, the holy grail of any security process is to integrate security into the development lifecycle from the very beginning. This has the additional benefit of being the biggest return on investment as well, since fixing defects before they escape into the wild is cheaper and reduces liability risk for your company. Although many companies choose to infuse security at different points in the software development lifecycle, implementing security at the requirements level is the best place to start .


Although economic forces are motivating an increasing number of digital attacks, having a solid plan and executing it steadily and automatically will help companies survive the uncertain days ahead.

Labels: data breach

Why we can’t count (data loss)

Numbers lie

Recently California made headlines after more than 800 data breach disclosures were filed in the first five months of 2009. Upon closer inspection, the large number of incidents does not represent a rise in actual incidents, but just a change in mandated reporting practices due to California’s new medical data breach law which went into effect on January 1, 2009 .

Unfortunately in practice we have no idea how much private information is lost to data breaches every year, because disclosure laws do not entice businesses to accurately report data breach incidents. While the number of reported incidents appears to be growing, it is a poor reflection of reality, owed in large part to changes in compliance laws. Although we are getting a better estimate on the number of “reported incidents”, the number of “actual” incidents is still unknown.

Data breaches will not decrease

While it seems fairly compelling to believe that increased legislation and financial penalty would motivate all sectors of industry to beef up data security, pragmatism dictates otherwise.

Digital data is like uranium: dense with a high yield. Almost all data breaches are of digital records. In contrast, old-fashioned paper records are fairly secure.  Stealing several thousand paper records is physically risky and combing through them for valuable information is prohibitively time consuming.

Computers make breaches easier and more attractive. Roughly 50% of all incidents are of the non-accidental malicious variety, such as malware, hacking, and laptop theft. These incidents yield 83% of the total number of stolen records reported. A large amount of valuable personal information available for minimal risk is a very attractive value proposition… so attractive that it presents new and increased incentive where none existed before. Of reported financial data breach incidents, 24% are caused by insiders, such as executives, IT administrators and employees, and 55% percent are attributed to outside hacking .

Lack of Incentive

Although data breaches are expensive (on average costing $6.6 million per incident), companies are very slow to take preventative action. Despite compliance laws, many companies still lack sufficient pragmatic (read ‘monetary) incentive to change their security practices . The guidelines currently in place suffer from a number of issues:

Laws are vague: Compliance laws vary from state to state, and often include exemption from disclosure requirements if the stolen private data is “encrypted” – even if the encryption keys are stolen, too. Any data that is publically available from federal, state, or local government sources is also exempt.

Companies can plead ignorance: Of those reported data breaches, 24% do not know or do not specify how much information was compromised. To avoid negative media attention, many victims of large data breaches simply claim “zero” in the “number of records stolen” column .

Notification timelines are usually vague: Loose wording such as “the most expedient time possible” and “without unreasonable delay” serves to allow companies to choose when they disclose their data incidents (except companies in Florida and Ohio).

Most incidents are unreported: According to a survey conducted at the RSA conference in 2007, a full 89% of companies that experienced a data breach did not publically disclose the incident . Assuming that incident disclosure is still largely a voluntary exercise without oversight, we have no reason to suspect that is has changed much for 2008 or 2009.


The interest in personal data is not a fad, and related data breaches will not magically disappear. While private data is lost from many sources, web applications figure prominently in the security equation.

Changes in policy will highlight the enormous number of incidents, and attitudes will have to change from a reactionary “defense” to a proactive security “offense”.

Preventative security medicine is the best and most cost effective policy. For the IT manager, the decision to spend several thousand dollars on current security tools should be an easy one to make. The cost of preventative security pales in comparison to the cost of cleaning of the mess after getting breached.

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.