HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

85% of IT security decision makers think successful external attacks very unlikely

A new report this week from ITC reveals that eighty-five percent of IT security decision makers think that losing data via an external threat is "very unlikely." Wow. Once upon a time, anyone involved in application security had to educate potential customers on why application security was important. You remember. It's not the network layer anymore...the application layer is where the attacks are occurring. That hasn't changed. It's one thing to think that your internal threats are greater than your external threats. What with 'curious' employees and such, that's understandable. But it's something else entirely to think that external threats simply aren't relevant. I'm sure the company that rhymes with smartland payment blisstyms thought so, too.

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220301560

One vulnerability can be your downfall

Court papers recently filed in conjunction with the indictment of Albert Gonzalez reveal that SQL Injection attacks were behind the data breaches that allowed hackers to steal massive amounts of data from Heartland Payment Systems, TJX, and other businesses. Over 130 million credit and debit card numbers were ultimately obtained, all because web applications failed to properly handle user-supplied data, passing it straight into SQL queries where it could change what the query did. The level of knowledge required to carry out such devastating attacks continues to plummet, and the criminal desire behind them continues to rise. It's amazing what could have been prevented with proper application security in place.

This attack also perfectly illustrates how exploitation techniques have changed in just the past few years. Once upon a time, hackers were content to steal the data from a database and then leave. Now, they install malicious software on the compromised system and keep the attack going over a much longer time frame, sharply escalating the damage. The harm that can come from one relatively simple exploitable hole is phenomenal. Keeping your web applications secure has never been more important.

http://www.networkworld.com/news/2009/082409-us-says-sql-injection-caused.html
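As an added example (not code from the HP post or from the court filings it cites), here is the injection class described above in miniature: a lookup that splices a user-supplied value into the SQL text, beside the parameterized version that fixes it. The table, its contents and the payload are constructed for the demo; the "pan" values are placeholders, not card numbers.

```python
"""Added example, not from the HP post or the court filings it cites: the
injection class described above in miniature. One lookup splices a
user-supplied value into the SQL text; the other binds it as a parameter.
The table contents and the payload are constructed for the demo."""
import sqlite3

# Constructed sample rows; the "pan" values are placeholders, not real cards.
CARDS = [
    ("alice", "pan-0001"),
    ("bob", "pan-0002"),
    ("carol", "pan-0003"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    return conn


def lookup_vulnerable(conn, owner):
    # VULNERABLE: the user value is part of the query text, so a quote in
    # the input closes the literal and the remainder is parsed as SQL.
    sql = "SELECT owner, pan FROM cards WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    # SAFE: the query shape is fixed at parse time; the value is bound as
    # data and cannot alter the WHERE clause no matter what it contains.
    sql = "SELECT owner, pan FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed payload: closes the string literal and appends a tautology,
# turning "one owner's row" into "every row in the table".
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "benign": lookup_vulnerable(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "payload_safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Input validation of the kind the post mentions (rejecting quotes, allow-listing characters) is worthwhile defense in depth, but the fix that actually closes the hole is the bound parameter: the database never sees the user's value as part of the statement.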

Hacking has evolved

This is a great article about the value of a hacked PC to an attacker. While this focuses on personal PCs, all of these reasons can also apply to compromised web servers. Remember, web hacking has evolved. Script kiddies began by defacing web sites and conducting other forms of cyber vandalism. As applications grew in complexity, so did the attacks. Suddenly, it was all about the data as hackers learned how to extract the data contained in applications via SQL Injection and other methods. Now, though, the attacks are designed to compromise a web server and use it as a platform to spread malware (or worse) and conduct other crime. And as the threats grow, so does the need to integrate security throughout the application lifecycle.    

 http://voices.washingtonpost.com/securityfix/2009/05/the_scrap_value_of_a_hacked_pc.html?wprss=securityfix

Instant High Score!

One of our security researchers just happened to stumble across this interesting Highscores area of a free Flash skeet shooting game. Notice scores 6-10. Now I'm not saying he had anything to do with this. What I am saying is that if your query parameters are able to be manipulated, some hacker will mess up your application just to see if he can. And if that part of the site is insecure, what else is?

The Internet is an unsafe place

Two recent studies have cast some light on the current state of web application security. How bad is it out there?  Bad. 82% of web sites had either a Critical, High, or Urgent vulnerability within the past calendar year, with Cross-Site Scripting being the most prevalent.

Once upon a time, Cross-Site Scripting was viewed as little more than an annoyance. As JavaScript has become something just short of ubiquitous, and the functions it performs increasingly complex, the risk to both web sites and users has expanded tremendously. And as the report shows, the problem is as much one of scale as anything.
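As an added example (not code from the HP post), the reflected Cross-Site Scripting case above in miniature: a search results page that echoes the query parameter into HTML unescaped, beside a version that escapes it for the HTML context. The page template and both payloads are constructed for the demo.

```python
"""Added example, not from the HP post: a search page that reflects the
query parameter into HTML unescaped, beside one that escapes for the
HTML context. Template and payloads are constructed for the demo."""
import html


def build_page(rendered_query):
    # Constructed template: the query lands in two HTML contexts, an
    # element body and a double-quoted attribute value.
    return (
        '<html><body><h1>Results for: ' + rendered_query + '</h1>'
        '<input name="q" value="' + rendered_query + '"></body></html>'
    )


def render_vulnerable(query):
    # VULNERABLE: raw input becomes part of the markup, so tags or
    # attributes in it execute in every visitor's browser.
    return build_page(query)


def render_safe(query):
    # SAFE for these two contexts: &, <, >, " and ' are encoded so the
    # browser treats the input as text, not as markup or attribute syntax.
    return build_page(html.escape(query, quote=True))


# Constructed payloads: one breaks out in the element body, one in the
# attribute (closes the value and adds an event handler).
TAG_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def is_executable(markup):
    # Demo heuristic, not a real scanner: does a script tag or an inline
    # event handler survive as live markup?
    lowered = markup.lower()
    return "<script" in lowered or 'onfocus="' in lowered


if __name__ == "__main__":
    for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable executes:", is_executable(render_vulnerable(payload)))
        print("safe executes:      ", is_executable(render_safe(payload)))
```

The attribute payload is the reason `quote=True` matters: escaping only angle brackets would stop the script tag but still let the input close the `value` attribute and add its own event handler. Output encoding has to match the context the data lands in; a value written into a JavaScript block or a URL needs a different encoder again.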

What really stands out is that users used to have to worry about picking something up when visiting the 'red light' districts of the Internet. Now, it's the 'branded' sites that are delivering malware. Attackers have realized that you can distribute a lot more malware from a national retailer's site than you can from a 'red light' site. There really is no safe harbor.

Compounding the issue are users themselves. If they aren't taking the phishing bait, they are reusing the same password across multiple sites, which makes attacks against social networking sites that hold no 'sensitive' information effective nonetheless: the passwords stolen there work on the sites that do.

For now, it's the same old story. Until web site owners start baking security into the Application Management Lifecycle, and users start thinking more about security, the Internet is going to continue to be a relatively unsafe place.

Universities are natural targets for cyber criminals

A major state university is currently notifying as many as 160,000 students that their personal information (including social security numbers) might have been accessed in 2008. Complicating matters, the breach wasn't discovered until a year later.

It used to be that universities were natural targets for attackers because of the student body itself. Defacing a web site was a fun game for script kiddies, and anybody that could pull off a 'Ferris Bueller' would head to the top of the class, quite literally.

Now, though, it's no longer fun and games (if it ever really was). State and federal budget cuts have impacted security as well as everything else, and large universities offer more attack 'bang for the buck' than almost any other target out there. Natural student turnover via graduation, transfer, and dropping out only increases the amount of information and personal data stored and accessible for who knows how long. In this case, some of the records went back to 1999.

I'm sure in 10 years we will still be seeing attacks that breach data that old. Long story short, universities should realize they are ground zero as far as criminal cyber attacks go. The irony is that the cost of notification will often be more expensive than what the criminals ultimately gain from fencing the data.

Extortion can mean double jeopardy for personal health information providers

I've been thinking a bit more about the personal health information extortion attempt that's been in the news recently, and which Ken Swinney mentioned in his "Keep the snakes at bay" post yesterday. If you haven't been following the story, the gist is that a state agency responsible for identifying prescription medication abuse was compromised. Its site was then replaced with a ransom note demanding 10 million dollars for access to the database.

Under current guidelines, would this have required that patients be notified of a potential breach? It's hard to say without knowing all the specifics, and which 'covered entities' were involved. Under the new HIPAA breach notification rules that go into effect this September, though, notifications would most definitely be required. If nothing else, that's a lot of postage.

I can only imagine that we'll see more and more incidents of this nature in the future. In fact, this is not the first extortion attempt involving personal health information to become public in the past year. One of the nation's largest processors of pharmacy prescriptions (think benefit claims) also suffered an extortion attempt roughly six months ago. Smartly, they didn't pay. Even so, public extortion of this kind is double jeopardy for those who maintain personal health information (or financial, for that matter). At that point, providers are already in violation of any applicable legislation, and will be subject to those fines and penalties no matter what approach is taken in recovering the compromised data.

http://news.cnet.com/8301-1009_3-10233348-83.html

Keep the snakes at bay

Recently, a state agency announced that their site had been compromised by computer hackers. The attackers left a ransom note on the web site claiming that they had captured 8.3 million patient records and 35.6 million prescriptions. The attackers also claimed to have created a password-protected, encrypted backup of the data.  For a mere $10 million the miscreants offered to “gladly send along the password.”


To quote the great philosopher Morpheus, “Welcome to the desert of the real.”


Warnings about security flaws in web applications have been ignored by most for as long as web applications have existed. A small contingent of evangelists, including folks in our own HP Application Security group, have consistently warned about the existence and exploitability of these vulnerabilities.


The U.S. Department of Health and Human Services Inspector General, in a report dated October 27, 2008, stated that “limited actions” by the Centers for Medicare & Medicaid Services (CMS) have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.” Voluntary compliance (an oxymoron?) was a key problem cited for this lack of effectiveness.


Some suggest that healthcare records simply should not be made available via the public internet. That’s a lot like saying people shouldn’t eat greasy cheeseburgers. It may be true, but it’s not gonna stop.


The first step to understanding the real problem is recognizing that the availability of information, even healthcare information, is a growing part of our everyday lives. You wouldn’t put sharp kitchen knives on the floor where your toddler could reach them, would you? If you did do something this dangerous, would you then punish the toddler for cutting himself?


We need to stop wondering why snakes bite and start wondering what we can do to put a healthy distance between our toes and the snakes.

The federal government has enacted new, strong provisions to begin forcing developers of healthcare management software applications to provide notice of breaches to the medical providers they serve, who can in turn notify the affected individuals. This is a huge step, because in the past HIPAA compliance was a burden borne by the medical providers. If they aren’t notified of the breach, nobody is the wiser…until somebody finds out at the pharmacy that all of their pain prescriptions have already been filled by some nice young gentleman.

Now that software application developers are held accountable for security, I believe we’ll start to see some distance between us and the snakes. By the time these software developers figure out they need a plan for their web application security, they’ll find out HP has been there all along.


Ken Swinney
R&D Group Manager
HP Application Security Center