‘You may never want to go online again’

By A. Asohan March 12, 2013

The newly-formed HP Security Research organization has released its first annual Cyber Security Risk Report
Web and mobile vulnerabilities on the rise, many older attack methods still getting traction

‘You may never want to go online again’ HEWLETT-Packard has upped the ante with the formation of the HP Security Research (HPSR) organization, which brings under one roof the various disparate teams working on security for the company.

The company intends to translate insight into action, says Paul Muller (pic), IT management evangelist at HP Software, speaking at a media briefing in Kuala Lumpur recently.

And much of that insight will come from its annual Cyber Security Risk Report, the first of which was just released recently. The report draws on sources such as the Open Source Vulnerability Database (OSVDB), HP Zero-Day Initiative (ZDI) vulnerability data, HP DVLabs vulnerability and exploit analysis, HP Fortify on Demand static and dynamic security testing data, HP Fortify Software Security Research and Security Compass (an HP partner) mobile vulnerability data.

In addition to the annual risk report, HPSR will publish reports that provide the most current security intelligence available. This research will be delivered through biweekly threat briefings, as well as free summary briefings available to the public on HP’s website and iTunes. Premium vertical- and client-specific briefings will be available to paid subscribers.

“This is really fascinating stuff, and very scary too,” says Muller on its first report, cheekily adding, “You may never want to go online again.”

The top-line findings: Critical vulnerabilities fell from 23% in 2011 to 20% in 2012, but one in five vulnerabilities still give attackers total control of their target.

OSVDB data from 2000–2012 shows that of the six most submitted vulnerability types, four – SQL injection, cross-site scripting, cross-site request forgery, and remote file includes – exist primarily or exclusively in Web applications.

“Everyone wants to get to the data, and the best place to do it is the database,” Muller. “So the biggest source of vulnerability is still SQL Server injections, despite the fact that this has been known for many years, is easy to detect and relative easy to fix.”

Cross-site scripting (XSS) remains a widespread problem, with 44.5% and 44% of the applications in HP’s data sets suffering from the vulnerability. In one case, analysis of a multinational corporation showed that 48.32% of its web applications were vulnerable to some form of XSS.

Furthermore, new methods of exploiting this vulnerability continue to be found, as demonstrated by the large portion of ZDI vulnerability submissions focused on XSS, going by the Cyber Security Risk Report.

According to Muller, XSS is essentially what is used when you’re using a browser to get at your banking data – the bad guys sets up a URL to get at that data while it is being shared with the legitimate site.

“You get that link (to the bad guy’s URL) via a phishing email – it connects to the genuine website, but the information is picked up during the exchange,” says Muller (click figure to enlarge).

“The problem is that people who develop such banking applications aren’t particularly devious; they don’t think like bad guys, they don’t keep thinking about how they’re going to be hacked,” he adds. “Then again, this is something that is very easy to detect, and very easy to fix.”

Disclosures grew 19% from 6,844 in 2011 to 8,137 in 2012, although 2012 disclosures remain 19% lower than the peak in 2006. “This is a good sign,” says Muller. “More people are getting comfortable disclosing security breaches.”

But less comforting is how much the physical world is being paired with or integrated into the cyber-world.

“Security is not just about IT systems either – the power and cooling systems in this building is connected to a computer,” notes Muller. “The computer connects the IT world to the physical world through a system called Scada (Supervisory Control And Data Acquisition).”

And such systems are becoming favorite hunting grounds for hackers. According to OSVDB data, only 76 vulnerabilities were disclosed in Scada systems from 2008 through 2010.

However, after the Stuxnet worm was discovered in an Iranian uranium enrichment plant in 2010, much attention has been focused on the security of Scada systems. In 2011, there were 164 vulnerabilities disclosed in SCADA systems, and the number rose again to 191 in 2012, representing a 768% increase from 2008 numbers (click figure to enlarge).

It doesn’t get better on the mobile front either. The last five years have seen a 787% increase in mobile application vulnerability disclosures, with novel technologies, such as near-field communications (NFC), introducing previously unseen vulnerability types.

NFC technology is used as a part of consumer payment solutions either as a chip in some credit cards, or as part of a mobile wallet solution.

There are several attack scenarios to consider when sensitive information such as credit card or account number data is being transmitted through an NFC channel, HP says:

Eavesdropping: Attempting to intercept the NFC transmission data communication (e.g., NFC proxy);

Data manipulation: Attempting to manipulate the NFC transmission data communication (e.g., to determine erroneous outcomes);

Interception attacks: Attempting to take advantage of active-passive modes of the device to send and receive NFC transmission data communication; and

Theft: Attempting to gain unauthorized access to the mobile payment application (as if the device were stolen or lost) and reviewing the file storage on the device for sensitive information.

The Cyber Security Risk Report can be downloaded here.

Previous Installment:

HP gets serious about security, controversial Autonomy deal bearing fruit

Related Stories:

‘Hackers’ – tech reality finally catches up with Hollywood?

Stuxnet, Flame and the new world disorder

Mobile and Android malware threats continue to rise