news 6
Infosecurity Today May/June 2004
HP exploits new bugs to fix its systems
Sarah Hilley

HP exploits newly released high-risk vulnerabilities on its own corporate systems in order to clean up its own shop, the company revealed at a seminar at its research centre in Bristol on 27 May.

The hardware giant's researchers explained how the company has successfully thwarted Blaster and Sasser by finding the causal flaws first and exploiting them before virus writers could.

"We break into a system using a vulnerability and make it safe," said Richard Brown, a labs researcher.

Once HP compromises a machine, it applies remedial action. The vulnerability scanner gets the remedial payload from an operations server. The payload can range from a simple pop-up message warning a user to patch, to isolation of a vulnerable machine from the network.

The company has been exploiting flaws on its 240,000 machines since CodeRed, and this proactive exploitation is a core part of its information security policy. In order to restrict damage, the company's exploits don't propagate.

By contrast, Welchia, the so-called 'do-gooder worm' that tried to clean up the mess left by Blaster, only caused more harm than good by clogging up networks, said Brown.
When you outsource to India, where does your data go? Not where you think ...
Sarah Hilley

Many outsourced IT services are being subcontracted from Indian providers to countries such as Sudan, Iran and Bulgaria, which increases the security risk.

Risk management professionals are warning companies to stop and check that their service provider in India is actually performing contracted offshore services itself and not outsourcing further to other countries.

Some companies in India are faced with a labour shortage and a lack of proper infrastructure to cope with the burst of business from the west. "They can't deliver what they've signed up to deliver," said Samir Kapuria, director of strategic solutions at security consultancy @stake, "so they outsource to other countries where the cost is lower."

Colin Dixon, project manager at the Information Security Forum (ISF), said many ISF members have reported this problem during an ongoing investigation by the elite security club into outsourcing risks. "Contracts should contain a clause banning offshoring companies from further outsourcing without the client's knowledge," said Dixon.

Companies are being put in the awkward position of "relying on the Indian provider to perform due diligence on their subcontractors and you don't know if they are able to do that," he said.

The elongating outsourcing chain multiplies the risk. It "leads to a high degree of separation in the development of applications, for example," said Kapuria.

Compliance with corporate governance also gets more complicated, as the responsibility lies with the company and not the provider. And adherence to regulations gets even harder to control if services are being outsourced twice.

Most ISF members have identified the issue and stopped it before signing a contract, said Dixon. But Kapuria said that some of @stake's clients didn't find out about the double outsourcing until after the contract was signed. Intrusion detection traffic coming from outside India alerted some banks that subcontracting was taking place, said Kapuria.

70% of blue-chip companies in the ISF are currently outsourcing.
Bug-fixed applications still insecure
Brian McKenna

Companies are de-lousing applications only to find them even buggier one year on.

Forthcoming research from Imperva, an application security vendor, will show that companies that the vendor has penetration tested over the last four years tend to be as vulnerability-ridden as ever.

Shlomo Kramer, Imperva's CEO, said that the reason why potential customers are shying clear of enterprise application security products is the "false conception that they are able to overcome the problem of application level security by fixing the bugs in the programme. That is very expensive, and is also futile since in real life you always have vulnerabilities in code, and in the time that your programmers fix the bugs they will introduce others".

Kramer, who co-founded Check Point, denied that app-level attacks are more theoretical than real. "We have done 300 plus penetration tests at financial organizations around the world. These are very security savvy organizations, and we found that 90% of them were susceptible to very damaging application-level attacks."

The company's Application Defense Center, which made the news in April with some research that demonstrated how Google could be used to launch application level attacks, will be detailing its new findings in a forthcoming white paper.
The Pru gets smart with spam

Prudential, a UK-based financial company, has installed a spam intelligence service from Tumbleweed, which clamps down on the number of emails being blocked accidentally by spam filters.

Out of the 40,000 emails received by Prudential every day, 14,500 are now blocked as spam by filtering software.

Prudential has opted for the Dynamic Anti-spam Service (DAS), an Internet-based subscription service which analyses spam and legitimate emails from around the world to help categorise what is and isn't spam.

"Since DAS was installed, we see a threefold increase in blocked spam messages," said Nick De Silva, Web hosting and Messaging Manager, Prutech.

"Before, we used Tumbleweed MMS lexical scanning (using a manually-updated word list) to detect spam," he said.