HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Jessica Biel ‘most dangerous’ celebrity search name

Jessica Biel is the most dangerous celebrity on the Internet, at least as far as searches go. According to McAfee, a whopping 20% of searches for Jessica Biel images, videos, and downloads lead to sites that contain malicious software of one type or another. It might not be very sophisticated, but it's certainly effective. Cybercriminals are masters of manipulation if nothing else. As long as users are 'too quick to click,' as the expression goes, this type of attack will continue to entice large numbers of victims into downloading malware and infecting their systems.

Labels: Malware

Advice for a Hacked Site

If Google detects that your website is hosting malware, it is pretty clear your site has been attacked. Attackers consistently use automated attack tools looking for SQL Injection points, trying to include files remotely, or attempting to guess SSH passwords. A frightening trend with SQL Injection attacks is how an attacker will insert links to JavaScript content used to serve malicious links that may try to automatically compromise the users of your website. When this happens, Google will automatically detect it and actively deter users from visiting your website. Here are some of the basic recovery steps that need to be taken to ensure all content that was possibly modified by the attacker will be removed. It is also important to note this is not legal advice and should not be used as such. If you are experiencing monetary loss, consider engaging the proper authorities and hiring a consultant who is certified to handle these situations. The steps below are simply a very rough set of guidelines on one way that a security analyst might approach securing a hacked website.

0. Disconnect from the Internet

The last thing you need is to get attacked again while performing forensic analysis or restoring your database/website to its former glory. Remove your server from this possibility by disconnecting it from the Internet. If your website was hacked, simply turning off the web server is probably a sufficient countermeasure.

1. Backups!

You need to back up your entire site and backend database at this point. It is important to perform this step, as later you will actually be deleting all your current content and replacing it with a backed-up version. This is recommended to ensure the attacker has not modified anything on your site. For example, the attacker might have installed a backdoor or a dynamic script that would allow shell access to the server.

1b. Save All Logs and Analyze Them

All server logs should be saved from the attacked machine. If your organization has familiarity with web/network-based attacks, then spending some time looking through the logs would be beneficial, as it may help identify the attacker's point of entry. This will obviously help in remediating the issues and determining how widespread the vulnerability may be.

2. Change all Authentication!

If an attacker has been able to modify your database or filesystem, it is very likely he/she has also stolen the credentials needed to access your website. This includes usernames/passwords needed to log in to any private areas of the website, and any usernames/passwords that are also users on the local machine, such as the root user or the administrator passwords, especially if any remote administration (like OpenSSH) is used on the website. Don't forget to remove any SSH/RSA private keys either, as they can no longer be trusted.

2b. Reinstall OS (optional? maybe)

Pedantic administrators worried about security and not able to pinpoint the vector used to compromise their website would completely reimage the web server, as bots or key-loggers may have been installed. This is most likely a severe case. However, it may be an acceptable precautionary step depending on how sensitive the web server or its content is to the organization.

3. Restore Previous Backups

You can no longer trust the code or data that your website is serving or using to serve data. Thus you need to restore to a point at which you did trust your code and data. This is probably going to be a painful process, but it will still be better than being hacked repeatedly in the future. If you have no database backup, don't give up. Consider using the OWASP Scrubbr utility. This utility is designed to analyze database records and look for suspicious-looking links, which will help you identify and remove malicious content. It also has the side effect of helping you pinpoint where your problems may lie. Generally, writing to specific fields within the database only occurs on a few pages, so the search for where the input validation needs to occur will be limited.

4. Perform Some Simple Code Audits

You already have accepted that a hack has occurred, so it makes sense to spend some time looking through critical-path code to make sure no obvious mistakes were made. This could mean hiring a consultant to analyze your codebase or having your developers examine the code and run open-source tools like Nikto against your site. Both would provide beneficial data as to where to suspect malicious activity, and improve your security posture. If you found something suspicious in the logs of your web server, you should spend some time verifying those specific areas, but it is important to note that even though the attacker used door #1, that doesn't mean door #2 isn't sitting there available right now. Security is an ongoing process, and especially after an attack, time should be spent securing and analyzing your current codebase. This is important because generally mistakes within web apps are systemic and not just a one-off error that only happens in one place within your codebase.

5. Turn the Site Back On

Feeling better, and hopefully having identified some issues, it is now time to turn the web server back on (hopefully with a clean bill of health).

You're probably thinking to yourself, "this seems like a lot of work, is it really all necessary?" The answer to this question is maybe. Of course this is a nebulous answer, but the actual recovery from an attack might only require a few of the steps listed above. The real trick is in deciding which of those steps are needed (optimization), and the answer to that depends on the type of attack you've encountered. For example, if your site was attacked by just a simple drive-by SQL Injection bot, then it is probably sufficient to take the following subset of steps.


(1 + 1b) Back up to make sure you have your bases covered, and by looking at the logs you can identify the injection points the bots were trying to exploit. (4) Once you've identified the pages being attacked, you (or a consultant) can then verify whether those pages have SQL Injection vulnerabilities. (3) Clean up your database and make sure all offending links are removed, whether manually, with your own tool, or using OWASP's Scrubbr.
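
To illustrate the subset just described (the log analysis of step 1b and the database clean-up of step 3), here is an added example that is not part of the original post and is not an HP or OWASP tool: a small Python script that scans Apache access log lines for SQL-injection-looking query strings to locate the pages a bot was hammering, and scans database text fields for the injected script/iframe markup such bots leave behind. The log lines, table rows, signature regexes and the domain malicious.example are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2009:08:01:02 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2009:08:01:03 +0000] "GET /products.asp?id=12;DECLARE%20@S%20VARCHAR(4000) HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2009:08:01:04 +0000] "GET /news.asp?item=7%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2009:08:02:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Patterns typical of drive-by SQL injection bots: stacked DECLARE/EXEC/CAST statements,
# UNION SELECT, and a quote followed by a comment or a tautology.
SQLI_RE = re.compile(
    r"(;\s*(declare|exec|cast)\b|\bunion\b.+\bselect\b|'\s*(--|or\s+\d+=\d+|or\s+'))",
    re.IGNORECASE,
)

def find_injection_points(log_text):
    """Step 1b: map each requested path to the number of SQLi-looking requests it received."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if SQLI_RE.search(unquote_plus(url.query)):  # decode %27, %20, + before matching
            hits[url.path] += 1
    return dict(hits)

# Markup an injection bot writes into text columns so every page rendering the row
# loads attacker-controlled script: a script or iframe tag with a src, or a javascript: URL.
INJECTED_MARKUP_RE = re.compile(r"<\s*(script|iframe)\b[^>]*\bsrc\s*=|javascript\s*:", re.IGNORECASE)

def find_injected_markup(rows, text_columns):
    """Step 3: return (row id, column) for each text cell carrying injected script/iframe markup."""
    return [(row["id"], col) for row in rows for col in text_columns
            if INJECTED_MARKUP_RE.search(row.get(col) or "")]

# Constructed rows standing in for a CMS articles table (not real data).
SAMPLE_ROWS = [
    {"id": 1, "title": "Welcome", "body": "Hello world"},
    {"id": 2, "title": "News", "body": 'Story<script src="http://malicious.example/x.js"></script>'},
    {"id": 3, "title": 'Promo<iframe src="http://malicious.example/p" width=0></iframe>', "body": "..."},
]
```

The paths returned by find_injection_points are the pages whose input handling to verify in step 4; the (id, column) pairs from find_injected_markup are the cells to clean or restore in step 3.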


Of course it is not always easy to identify what type of malware has been attacking your website. There are services available that will perform this type of analysis for you. You can contact either Armorize (http://hackalert.armorize.com/default.php) or ClickFacts (http://www.clickfacts.com/), who will audit the types of malware being served by your website. Since they have specific knowledge in these areas, they will probably be able to tell you specifically which attack has been used and recommend steps for cleaning up your website.

Labels: hacked | Malware

News of Michael Jackson's death blazes across the web--what if it were a hoax?

Over at the SEOmozBlog, Danny Dover has a really interesting post about how, and how fast, the news of Michael Jackson's death travelled across the web. I won't go through it here, but it's a fascinating read. Less than an hour after the 911 call the news was appearing on the web. Less than three hours after the call, Twitter was a little sluggish with all the happenings (approximately 1,500 mentions of Michael Jackson's death per minute), whereas MSNBC, the first "traditional" news organization to confirm his death, was just posting the first confirmation.

So what does this have to do with security, really? Well, not much on the face. But this information travelled so amazingly fast, I couldn't help but wonder what would have happened if it were all a big fake--if the earliest source(s) of information on this story were either made up or placed with malicious intent by insiders or hackers? It seems to me that a well-orchestrated hoax might get picked up by some minor celebrity news sites, then a few larger ones, maybe Digg, and from there the Twitter blaze seems inevitable. How many users could be duped into following links to a "story" (through bit.ly or tinyurl.com of course) before it can be investigated, denied and squashed? I'm betting a lot.

We have read countless stories of scammers/spammers/phishers using hot news stories (Iran, for example) in order to drive traffic to their malware, but have there been any instances of them faking potentially hot news for this purpose? I'd love to hear of any that have already happened--but if there are none, I'm betting one will be here soon.

Labels: Malware | phishing

Social Insecurity

Not too long ago, one could trust the big corporate names to run clean websites. You had to go surfing down some shady back alleys of the web to expose yourself to malware. Those were the naïve days of the pre-adolescent internet, when firewalls and spam filters were not words that your mom and dad could casually drop over dinner. Those days are gone.

A recent report shows that the most recognized names on the internet are now becoming the biggest targets for hackers. It used to be that finding malware on high profile sites was like the idea of strip clubs in Disneyland: unimaginable. However, hackers have matured and turned their attention to high profile social networks, targeting these trendy websites for massive ROI. These sites combine a massive user base, allow custom content creation (tweets, status updates, etc.), and give third party applications access to user data, all of which combine to give hackers new attack vectors to exploit.

Why social networks are great targets

These new social aggregators attract staggering numbers of users, and a few of the most popular boast more active profiles than Russia has residents. Since online social networks are meant to show off ‘social capital’, the successful ones tend to turn these online popularity contests into even more users. This snowball effect provides the high concentration of online users that attracts online criminals. Modern social sites provide more than just massive numbers of users: they also provide stickiness. Large sites like eBay were very popular targets a few years back, but even current retailers such as eBay or Amazon cannot compete with Facebook for reaching and holding American attention.

Massively interconnected networks, both real and digital, are able to spread information incredibly quickly. This is great if you are spreading good news, or paychecks. It is not so good if you are spreading bogus stock tips or the Swine Flu. The spread of digital information even resembles its real-life counterpart under rigorous scientific scrutiny. However, unlike the real world, where it takes eight hours to get a germ-infected body from London to New York City, digital malware can spread far more quickly.

Although we may not realize what consequences we invite by providing even modest amounts of personal information to social networks, we are quickly learning. Recent publications show it is possible to discover 'hidden' user information by predicting missing links and ‘merging social graphs’. Trying to remain anonymous for the benefit of privacy is futile, since even data that is ‘scrubbed’ of personally identifiable information can be easily de-anonymized with advanced statistical algorithms.

Some of the most popular social networking sites also allow third party applications to play on the site with little or no supervision. Although most current third party application malware is easily detectable, many believe that the introduction of stealth malware (masquerading as useful applications) is on the horizon. As social networks move to allow these applications access to more personal data, the potential for abuse is staggering.

How to protect yourself

Don’t join a social network if you don’t like tattoos, since social networks are far more permanent. Tattoos can be removed, but even if a site allows for the complete removal of personal data from the company’s servers, Google and the Internet Archive make sure that is a meaningless point. The internet is forever - or at least until the next electromagnetic apocalypse.

Use common sense. Often users unwittingly reveal sensitive information through status updates, picture uploads, etc. Ignoring the embarrassing position people can find themselves in at a job interview, this type of information is used with great success by old-fashioned con artists. Avoid common scams by arming yourself with information on some recent scams, and learn to spot suspicious online offers for free computers. Don’t use the same password on every site you visit. And even if you think you are a hard-core security professional, it can’t hurt to brush up on the latest scams making the internet rounds.

Last but not least, set and maintain your privacy settings. The default privacy settings provided by many sites are fairly insecure, and most users never even bother to adjust them. Also remember that security settings are often voluntarily overridden. Simply sending or responding to someone on Facebook gives them access to your details for 30 days, whether you actually know them or not. In this case, silence is not only golden, but much more secure.

Labels: Malware

Paris Hilton's Web Site Infecting Users

Paris Hilton’s website was infected with some pretty nasty malware over the past weekend. ScanSafe (who discovered the compromise) said that over 15,000 sites were detected to have this malware installed, including an ad on MLB.com. So far, most AV products aren't stopping it, either. Visitors to parishilton.com were prompted with a sham pop-up saying they needed an 'upgrade' to continue browsing the site. Both the 'Cancel' and 'OK' options caused the malware to be downloaded. According to ScanSafe, only a hard quit (CTRL-ALT-DELETE) would stop it from occurring (by closing it via the Task Manager? Not sure what that really means). Basically, an iframe was embedded in the site, which pointed to a .pdf on a malicious site (you69tube.com). Once the downloader was executed by clicking ‘OK’ or ‘Cancel’, a Trojan rootkit was installed on the user’s system. A normal user would have had their banking credentials and personal information put at risk (software designed to capture banking information was the first malicious package installed). Enterprise users risked having their HTTP and network traffic redirected and intercepted. That's just as bad as it sounds. The working theory now is that the original vulnerability in the site was in the open-source CMS package Joomla...more than likely via our old friend, SQL Injection. Seems the operators of the site weren’t keeping up to date with their patches.

How can you protect yourself? For starters, businesses should block youtube69.com. Users should realize AV products are no guarantee against infection and should stick to trusted sources when upgrading anything. Be aware when visiting obvious targets (celebrity sites, etc.) of the potential risks.



