HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

Displaying articles for: February 2014

The Value of Low Priority Issues

The big news at the beginning of this week, just as we were all heading to the RSA conference, was a bug in the Apple implementation of SSL/TLS. I’ve been asked a few times whether HP Fortify SCA finds this issue – and it does. The interesting thing is how we identify it.

HP Grants $250,000 to Scholarship for Women Studying IT Security

HP announced that it will grant $250,000 to the Scholarship for Women Studying Information Security (SWSIS) program, and will work closely with academic institutions worldwide to develop course content to help students learn the fundamentals of IT security.

Labels: HP| security

Alina POS Malware

Alina continues to evolve, and Alina’s code now serves as the foundation for the JackPOS malware. As of February 2014, over 4500 payment cards belonging to U.S. and Canadian users have been compromised by JackPOS. Alina’s persistent nature and the author’s ability to alter Alina via the C&C console makes combatting this malware a difficult task.

HPSR Threat Intelligence Briefing - Episode 11

Iranian hacker groups and their allies launched increasing numbers of cyber attacks over the last year, despite strict state controls of Internet traffic including: spying, censorship, and filtering laws and technology. 


In this report (see attached report for full content), we examine Iran’s cyber warfare capabilities, particularly the hacker groups that serve as a force multiplier to Iran’s continually expanding cyber presence. The report covers how these groups recruit and train members, the primary actors involved, TTPs, motivations, and indicators of state sponsorship by the regime. Through this analysis, the goal is to educate the reader on the capabilities of these groups and the significance and implications of state sponsorship of underground cyber actors. It also advises potential targets on mitigation strategies in the face of state sponsored cyber activities.


How I learned to hack my TV (and started worrying about the future)

Everything in our home is connected to the Internet these days. Our thermostats and surveillance cameras are going to the cloud. Our refrigerators and TVs are online. Even the rice cooker can be connected to the Internet. Outside the home, we have the likes of Smart Rifles, and even though it is not clear if they can be connected to the Internet or not, they do support device-to-device Wi-Fi connections. We and our machines are increasingly connected,in ways we don’t necessarily expect or consider.

Failed patches: Getting paid twice is nice

What happens when a vendor patch fails...

Security education for the new generation

The security challenges facing the industry are mounting while attracting and retaining security talent is growing more difficult. What can we do to educate the next generation of computer scientists about security?


Tags: NGFW| rsa| security

JSF outputText tag: the good, the bad and the ugly

While working on a JSF (Java Server Faces) test case recently I had one of those WHAT?!?! moments - where something you take for granted starts behaving in a completely different way from how you expect. In this case it was even worse, since the behavior I was observing was breaking my application security and undermining the trust I place on libraries and frameworks as a developer.

Handling Zero Day disclosures at RSA

Handling vulnerability disclosures shouldn’t be difficult—here’s how to make sure you’re doing it right.   

Labels: HP| security

HP Security Research Threat Intelligence Briefing episode 10 - ZDI 2013 in review

It’s that time again, when we look at the vulnerability year that was and muse about the vulnerability year that will be. 2013 was a huge year for the Zero Day Initiative – we purchased more cases this year than in any other since the inception of the ZDI program 10 years ago. And what cases they were – vulnerabilities unearthed in widespread critical software used by enterprises and the greater computing community alike.  In this month’s Threat Briefing we walk 2013’s vulnerabilities, talk vendors, and think out loud about where this is going in 2014.

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.