news 6 Infosecurity Today May/June 2004

HP exploits new bugs to fix its systems
Sarah Hilley

HP exploits newly released high-risk vulnerabilities on its corporate systems in order to clean up its own shop, the company revealed at a seminar at its research centre in Bristol on 27 May.

The hardware giant's researchers explained how the company has successfully thwarted Blaster and Sasser by finding the causal flaws first and exploiting them before virus writers could.

"We break into a system using a vulnerability and make it safe," said Richard Brown, a labs researcher.

Once HP compromises a machine, it applies remedial action. The vulnerability scanner gets the remedial payload from an operations server. The payload can range from a simple pop-up message warning a user to patch, to isolation of a vulnerable machine from the network.

The company has been exploiting flaws on its 240,000 machines since CodeRed, and this proactive exploitation is a core part of its information security policy. In order to restrict damage, the company's exploits don't propagate.

By contrast, Welchia, the so-called 'do gooder worm' that tried to clean up the mess left by Blaster, only caused more harm than good by clogging up networks, said Brown.

When you outsource to India, where does your data go? Not where you think ...
Sarah Hilley

Many outsourced IT services are being subcontracted from Indian providers to countries such as Sudan, Iran and Bulgaria, which increases the security risk.

Risk management professionals are warning companies to stop and check that their service provider in India is actually performing contracted offshore services itself and not outsourcing further to other countries.

Some companies in India are faced with a labour shortage and a lack of proper infrastructure to cope with the burst of business from the west.

"They can't deliver what they've signed up to deliver," said Samir Kapuria, director of strategic solutions at security consultancy @stake, "so they outsource to other countries where the cost is lower."

Colin Dixon, project manager at the Information Security Forum (ISF), said many ISF members have reported this problem during an ongoing investigation by the elite security club into outsourcing risks.

"Contracts should contain a clause banning offshoring companies from further outsourcing without the client's knowledge," said Dixon. Companies are being put in the awkward position of "relying on the Indian provider to perform due diligence on their subcontractors and you don't know if they are able to do that," he said.

The elongating outsourcing chain multiplies the risk. It "leads to a high degree of separation in the development of applications, for example," said Kapuria.

Compliance with corporate governance also gets more complicated, as the responsibility lies with the company and not the provider. And adherence to regulations gets even harder to control if services are being outsourced twice.

Most ISF members have identified the issue and stopped it before signing a contract, said Dixon. But Kapuria said that some of @stake's clients didn't find out about the double outsourcing until after the contract was signed. Intrusion detection traffic coming from outside India alerted some banks that subcontracting was taking place, said Kapuria.

70% of blue-chip companies in the ISF are currently outsourcing.

Bug-fixed applications still insecure
Brian McKenna

Companies are de-lousing applications only to find them even buggier one year on. Forthcoming research from Imperva, an application security vendor, will show that companies that the vendor has penetration tested over the last four years tend to be as vulnerability-ridden as ever.

Shlomo Kramer, Imperva's CEO, said that the reason why potential customers are shying clear of enterprise application security products is the "false conception that they are able to overcome the problem of application level security by fixing the bugs in the programme. That is very expensive, and is also futile since in real life you always have vulnerabilities in code, and in the time that your programmers fix the bugs they will introduce others".

Kramer, who co-founded Check Point, denied that app-level attacks are more theoretical than real. "We have done 300 plus penetration tests at financial organizations around the world. These are very security savvy organizations, and we found that 90% of them were susceptible to very damaging application-level attack."

The company's Application Defense Center, which made the news in April with some research that demonstrated how Google could be used to launch application level attacks, will be detailing its new findings in a forthcoming white paper.

The Pru gets smart with spam

Prudential, a UK-based financial company, has installed a spam intelligence service from Tumbleweed, which clamps down on the number of emails being blocked accidentally by spam filters.

Out of the 40,000 emails received by Prudential every day, 14,500 are now blocked as spam by filtering software.

Prudential has opted for the Dynamic Anti-spam Service (DAS), an Internet-based subscription service, which analyses spam and legitimate emails from around the world to help categorise what is and isn't spam.

"Since DAS was installed, we see a threefold increase in blocked spam messages," said Nick De Silva, Web hosting and Messaging Manager, Prutech. "Before, we used Tumbleweed MMS lexical scanning (using a manually-updated word list) to detect spam," he said.
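The outsourcing item above notes that intrusion detection traffic from outside India was what told some banks their provider had subcontracted. The following is an added example (not from the article or any vendor named in it) of that check: remote-access sessions by vendor accounts are compared against the countries the contract permits, and anything else is flagged. The vendor names, country codes, log format and IP addresses are all constructed.

```python
"""Flag vendor remote-access sessions from countries the outsourcing
contract does not permit. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical contract terms: countries each offshore provider may
# work from. Undisclosed subcontracting shows up as sessions from
# a country that is not in the provider's set.
CONTRACT_COUNTRIES = {
    "vendor-a": {"IN"},
    "vendor-b": {"IN", "GB"},
}

# Constructed access-log lines: timestamp, vendor account, source IP,
# and the source country as a GeoIP lookup would label it.
SAMPLE_LOG = """\
2004-05-27T09:12:01Z vendor-a 203.0.113.10 IN
2004-05-27T09:15:44Z vendor-a 203.0.113.11 IN
2004-05-27T21:03:12Z vendor-a 198.51.100.7 SD
2004-05-27T21:05:50Z vendor-a 198.51.100.7 SD
2004-05-28T02:40:09Z vendor-b 192.0.2.33 IR
2004-05-28T08:00:00Z vendor-b 203.0.113.50 GB
2004-05-28T08:30:00Z unknown-acct 203.0.113.51 BG
"""


@dataclass(frozen=True)
class Finding:
    vendor: str
    country: str
    sessions: int
    reason: str


def parse_log(text):
    """Yield (timestamp, vendor, ip, country); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def find_offcontract_access(log_text, contract=CONTRACT_COUNTRIES):
    """Group sessions that fall outside the contracted countries (or come
    from an account with no contract on file) by vendor and country."""
    counts = defaultdict(int)
    for _ts, vendor, _ip, country in parse_log(log_text):
        allowed = contract.get(vendor)
        if allowed is None:
            counts[(vendor, country, "no contract on file")] += 1
        elif country not in allowed:
            counts[(vendor, country, "country not in contract")] += 1
    findings = [Finding(v, c, n, r) for (v, c, r), n in counts.items()]
    return sorted(findings, key=lambda f: (f.vendor, f.country))
```

Sessions from a permitted country are never reported, so the output is only the exceptions a contract manager needs to raise with the provider.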