HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands and carry out a host of other malicious ends. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms, unifying the components of a complete security program and reducing risk across your enterprise. In this blog we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Educating the Masses About Security

In my last post I talked about zombies and warnings and such (and, ok, a little bit about security). I'm not too surprised at the press the sign changing is getting, since traffic and driving are things the vast majority of us deal with. However, I'm disappointed that very few people in the mainstream media are taking the opportunity to talk about broader security issues.


I searched, and did not find one interview with a sign manufacturer to talk about how physical or keypad/password security will be improved in the future, or with DOT management about purchasing better locks and changing default passwords. Sadly, there are tons of articles talking about the applicable laws and crimes a person could be charged with if caught tampering with these devices.


Additionally, some of the reports are talking about removing information from the internet. Take this Associated Press article:



Some Web sites, such as Jalopnik.com, have published tutorials titled "How to Hack an Electronic Road Sign" as a way to alert security holes to traffic-safety officials. Wert said he had no immediate plans to take down Jalopnik's how-to guide.


Has removing information from the internet ever actually succeeded in either keeping that information private or protecting a resource? There have been a few cases where it was a complete and notable failure (the DeCSS T-shirt, anyone?). Kudos to Mr. Wert for keeping the information on the web site: it's already in several other places anyway. The horse is already out of the bag.


Mitch Wagner over at InformationWeek wrote:



It's easy to scold those government agencies for failing to take basic safety measures, and I suppose it's justified -- but, still, road departments have other things to do. Like, y'know, taking care of the roads.


No! No! No! It is completely justified to "scold" them, and it is absolutely their responsibility (and the manufacturer's) to secure their equipment and job sites. Mr. Wagner says their job is "taking care of the roads," which implies keeping them safe, which means keeping hooligans from changing road signs. It's not a giant leap.


It's everyone's job to take basic security precautions. How different would this story be if the first widespread misuse of this information had been part of a terrorist attack?


 

Changing Road Signs is Dangerous. Zombies are not funny.

(Image: zombie warning signs)

Like mentioning a bomb while in the TSA line, there are some things you just don’t joke about. As any sane person with a Zombie Escape Plan (ZEP) will tell you, you’ve got to heed warnings and take immediate and drastic measures to ensure survival—cutting across lanes, the center divider, and heading in the opposite direction would be a good start in this situation.

 

So, I urge these “hackers” to please refrain from putting up messages about zombies. Or robots. Or aliens. Anything else is fair game, including… puppies, kittens and the geniuses behind the “credit default swap.”


 


Well, perhaps a better solution would be to change the default passwords, or to lock the control panels up?


 


We’ve been preaching the changing of defaults in the security business for years, and it has finally taken root in the rest of IT and, in many cases, in our business units. But it seems the message isn’t being heard outside the office environment. And end-user education is only one step in the process: manufacturers of all types of equipment need to take security seriously.

 

As more and more traditionally non-computerized equipment is attached to computers (and networks) this type of issue will be on the rise. Sure, a road sign hack seems funny, but what important message was there before? What if a computerized crane were recalibrated in some way to make distance measurements inaccurate? Is there a “secret” string of zeroes that will let you mess with the software running your shiny new hybrid?

 

Who knows the answers to these things… manufacturers, of course! Only by forcing their end-users to change default passwords, or better yet, not having them at all, can we prevent the “easy hack” that allowed the fake zombie warning. After all, you don’t need to educate them if they have no insecure choice.

 

In the meantime (and just like security testing), sane people please adjust your ZEP to account for false positives.  The rest of you: don’t cry zombie.

 

 

URL Authentication - IE Silliness

IE dropped support for URL authentication (e.g., http://user:pass@example.com/) around 2004. There are plenty of discussions out there about the merits and problems with URL authentication, so I won't comment on it yet again. However, it is still in the RFC (RFC 3986 deprecates the user:password form of the userinfo component but still defines it).


If you try to load a URL with authentication in IE 6, you see the message "Invalid Syntax Error: Page Cannot Be Displayed" -- which at least points to the fact that there may be a problem with the link you followed. However, I happened to notice in IE 7 that they've dumbed it down a little further: "Windows cannot find 'http://user:pass@example.com/'. Check the spelling and try again"


If you don't put the "http://" in your browser (because for years browsers have been teaching people not to type the protocol), you get the completely different error "The webpage cannot be displayed."  


Way to go IE team! Rather than providing a better user experience, you hint that the site name is incorrect and leave it alone. Good job helping to educate your users.


Incidentally, Firefox, Safari and Opera will simply ignore an empty userinfo such as http://@example.com/ (which the RFC 3986 grammar actually permits, since userinfo may be zero characters long), so you could create links that exclude IE users, should you be into that sort of thing for fun or profit.
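As an added example (not code from the original post), here is how a current WHATWG-style URL parser, the one built into Node.js and every modern browser, splits the user:pass@host form that IE refuses, and why the form is a hazard: everything before the "@" is credentials, so http://www.example.com@attacker.example/ displays one site name and connects to another. That host-spoofing trick is the reason the 2004 IE update removed the syntax. The sample URLs are constructed for the demo; `inspectUrl` and `stripCredentials` are names chosen here, not browser APIs.

```javascript
// Added example: how the WHATWG URL parser (Node.js >= 10, modern browsers)
// treats the userinfo that IE 6/7 reject, and how to neutralise it.

// Split a URL into the parts that matter for a security decision.
// Throws a TypeError for input the parser cannot handle at all.
function inspectUrl(raw) {
  const u = new URL(raw);
  return {
    username: u.username,
    password: u.password,
    host: u.hostname,                     // the host the request really goes to
    hasCredentials: u.username !== '' || u.password !== '',
    // A username that itself looks like a hostname is the classic spoof:
    // the visible prefix names one site, the connection goes to another.
    looksSpoofed: /\./.test(u.username),
  };
}

// Return the same URL with the userinfo removed, so it can be logged or shown
// to a user without leaking the password or carrying the spoofed prefix.
function stripCredentials(raw) {
  const u = new URL(raw);
  u.username = '';
  u.password = '';
  return u.href;                          // serialiser drops the '@' when both are empty
}

// Constructed sample links, not taken from any real site.
const samples = [
  'http://user:pass@example.com/',                  // ordinary URL authentication
  'http://@example.com/',                           // empty userinfo: parsers just drop it
  'http://www.example.com@attacker.example/login',  // spoof: real host is attacker.example
];

for (const s of samples) {
  const info = inspectUrl(s);
  console.log(
    s, '->', info.host,
    info.hasCredentials ? '(credentials present)' : '(no credentials)',
    info.looksSpoofed ? 'LOOKS SPOOFED' : '',
    'safe form:', stripCredentials(s)
  );
}
```

Note that the parser keeps the password as given (percent-encoded characters stay encoded), so anything that logs `href` before stripping will record the secret verbatim.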

TigerDirect.com's "Improved" Security Policy

While checking my email this morning, I suspected that yet another message had eluded my spam filter. Much to my surprise, the subject line "Your TigerDirect Account Update" from 'TigerDirect@promo.tigeronline.com' was legitimate. Unfortunately, reading the message was more troubling than the contents of many other spam messages I routinely receive. Within this message, I'm told that "in an effort to improve security, we have eliminated certain previously allowed characters for use in the creation of a password. (Example: ><@')." What's even more troubling is the next line: "Our records indicated that one or more of these characters were used in your password." As indicated by their "records," it's apparent my password is stored as plain text or, at a minimum, in a state that can be reversed to reveal the actual password composition.


At first glance, there are several things wrong with this scenario:

  1. This email correspondence actually alerts users to the fact that the security level has been reduced, not "improved" or otherwise strengthened: a smaller allowed character set means a smaller keyspace.
  2. Secure storage of confidential or sensitive information (in this case the password) is absent or inadequately implemented. If an attack succeeds in reaching the main "records" repository, every user's password is exposed. If this is incorrect and all information really IS stored securely, I'd like to know how my password was deemed "non-compliant" with the "improved" security policy.
  3. After resetting my password, it's apparent that there is no password policy beyond a length of 4-12 characters. The user is permitted to supply the password "pass" with success.
Suggested Password Policy Improvements for TigerDirect.com:
  1. First and foremost, store passwords only as a salted, slow hash (bcrypt, scrypt or PBKDF2); never store them as plain text or in any reversible form. Once a password is only ever hashed, there is no reason to ban characters such as ><@' in the first place.
  2. Enforce the use of secure passwords using the following criteria:
    • A minimum password length in the 7-12 character range, with a maximum high enough that long passphrases are not rejected.
    • Set a minimum number of occurrences of upper- and lower-case characters.
    • Set a minimum number of occurrences of numeric and special characters.
  3. Implement an incremental delay, or a temporary account suspension, after a series of unsuccessful login attempts. Keep suspensions short and throttle by source address as well, otherwise an attacker can lock legitimate users out simply by guessing wrong on purpose.
Of course, bridging the gap between good security practice and usability has its limits, but the absence of a defined password policy is always the wrong answer. A hybrid of the guidelines above is the best balance between human convenience and security. Hopefully TigerDirect.com will recognize the alarming practices in their current password policy, and the reader will proceed with caution when using websites that exhibit them.
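To make the three suggestions concrete, here is an added example (not TigerDirect's code, and not code from the original post) that implements them in one small module: salted, slow hashing with PBKDF2-HMAC-SHA256 from the Python standard library, a length and character-class check that bans no characters, and an incremental per-account delay after failed logins. The iteration count, length limits and delay schedule are assumptions to be tuned; the demo password is constructed and deliberately uses the characters TigerDirect removed.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

# Added example implementing the suggestions above; all constants are assumptions.
PBKDF2_ITERATIONS = 200_000   # assumption: tune so one hash takes ~100 ms on your servers
MIN_LEN, MAX_LEN = 8, 128     # assumption: high ceiling so passphrases are not rejected


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Suggestion 1: salted, slow hash. Any character is acceptable because the
    password is only ever hashed, never stored or parsed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record (algorithm$iterations$salt$digest) so the cost can be raised later.
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record format")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))   # constant-time comparison


def policy_violations(password: str) -> List[str]:
    """Suggestion 2: length and character-class rules, with no banned characters."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(password) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


class LoginThrottle:
    """Suggestion 3: incremental delay per account after consecutive failures.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.base_delay, self.max_delay, self.clock = base_delay, max_delay, clock
        self._state: Dict[str, Tuple[int, float]] = {}   # user -> (failures, not_before)

    def seconds_to_wait(self, user: str) -> float:
        _failures, not_before = self._state.get(user, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_attempt(self, user: str, success: bool) -> None:
        if success:
            self._state.pop(user, None)      # a good login resets the counter
            return
        failures = self._state.get(user, (0, 0.0))[0] + 1
        delay = min(self.max_delay, self.base_delay * 2 ** (failures - 1))   # 1, 2, 4, 8 ... seconds
        self._state[user] = (failures, self.clock() + delay)


def login(user: str, password: str, record: str, throttle: LoginThrottle) -> str:
    """Tie the pieces together: refuse while throttled, then verify and record the outcome."""
    if throttle.seconds_to_wait(user) > 0:
        return "throttled"
    ok = verify_password(password, record)
    throttle.record_attempt(user, ok)
    return "ok" if ok else "bad password"


if __name__ == "__main__":
    # Constructed demo password using exactly the characters TigerDirect banned.
    pw = "Tiger<>@'Direct2009"
    print("policy problems:", policy_violations(pw) or "none")
    rec = hash_password(pw)
    print("stored record:", rec)
    t = LoginThrottle()
    print(login("alice", "wrong", rec, t), "/ wait", round(t.seconds_to_wait("alice"), 1), "s")
    print(login("alice", pw, rec, t))        # still throttled for ~1 s after the failure
```

The throttle is keyed by account only, which is enough to slow down guessing against one user; in production you would key a second throttle by source address so that a distributed guesser cannot lock a single account out indefinitely.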

Resources:

"Preventing a Brute Force Attacks"

http://www.spidynamics.com/spilabs/education/articles/brute-force.html

"Selecting Secure Passwords" (While this link mainly applies to OS password policies, the general theory is the same).

http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx 

 

 
