Posts Categorized / Web Security

  • Apr 03 / 2009
  • 3
Web Security

How to remove Conficker?

I don’t normally talk about this type of security, but I have had a number of people ask me in the last week about the Conficker worm, and you can’t have escaped the talk in the press either. There are reports that anywhere from 1 million to 10 million computers are infected. If you keep your Windows and antivirus up to date or use a Mac, I wouldn’t freak out. Find out all the details from the Conficker Work Group here. I thought I’d provide you a helpful list of tools (depending on what virus scanner you currently use) that can remove it from your computer if you are infected:

Remember to keep doing your Windows and Antivirus updates! 🙂

  • Mar 23 / 2009
  • 2
Web 2.0, Web Security

HP SWFScan – FREE Flash Security Tool


Today we have released a FREE Flash security tool, SWFScan (pronounced “Swiff Scan”), that will help developers find, fix and prevent security vulnerabilities in applications developed on the Adobe Flash platform. In the last few years, especially since the release of Adobe Flex (ActionScript 3), we have seen an explosion of web sites built on or containing Adobe Flash components (an Opera Developer Center study in October 2008 found that 30-40% of web sites contained Flash). However, as with the explosion of any technology, there has also been an explosion in the discovery of ways the technology can be exploited by hackers; too often developers building applications on the Adobe Flash platform leave unintended security vulnerabilities in their code (e.g. hard-coding passwords and encryption keys into their applications).

Here’s a quick video of Billy Hoffman talking through a specific example called Billy ‘Wins’ a Cheeseburger:

During the research and development of HP SWFScan, the HP Web Security Research Group tested about 4,000 SWF files and found the following issues to be the most alarming:

  • 16% of Flash applications using Flash 8 and below have XSS vulnerabilities
  • 77% of Flash 9 and 10 applications contain developer debugging information and source code file references
  • 35% of all Flash applications violate Adobe’s security best practices

So…How does it work?

HP SWFScan takes an application developed on the Adobe Flash Platform and decompiles it, revealing the ActionScript source code. The tool then performs static analysis on that ActionScript to understand the application’s behaviour. SWFScan then identifies the vulnerabilities that lie under the surface of the application, which are not detectable with traditional dynamic methods. (It is also the first security tool to address both ActionScript 2 & 3.)

It not only identifies the vulnerability within the code, but also describes how it can be exploited as well as suggested ways of remediating it (including Adobe’s best practices).

HP SWFScan can analyze any SWF file regardless of the version of Flash or ActionScript, and no matter whether it is located on your local computer or available via a URL.
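To make the decompile-then-analyse idea above concrete, here is a small Python script, added here as an illustration and not part of SWFScan or any HP code. It parses the real SWF container header (a 3-byte “FWS” or “CWS” signature, a version byte, a little-endian uncompressed length, and a zlib-compressed body when the signature is “CWS”) and then runs a simplistic hard-coded-credential check over the decompressed bytes, the kind of issue the post calls out. The sample file it builds is constructed for the example: its body is plain text standing in for decompiled ActionScript rather than real Flash bytecode, and the regex rules are my own assumption, not SWFScan’s detection logic.

```python
import re
import struct
import zlib

# Heuristic rules for secrets baked into source or string constants.
# These are an assumption for the example, not SWFScan's own rules.
SECRET_PATTERNS = [
    re.compile(rb'(?i)\b(password|passwd|pwd)\s*[:=]\s*["\']([^"\']{4,})["\']'),
    re.compile(rb'(?i)\b(secret|api[_-]?key|encryption[_-]?key)\s*[:=]\s*["\']([^"\']{8,})["\']'),
]


def read_swf_body(data: bytes) -> tuple:
    """Parse the SWF header and return (version, declared_length, body).

    Header layout: 3-byte signature ('FWS' = uncompressed, 'CWS' = zlib),
    1-byte version, 4-byte little-endian length of the *uncompressed* file.
    Everything after the 8-byte header is the body.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        # The later 'ZWS' (LZMA) variant is out of scope for this example.
        raise ValueError("unsupported SWF signature %r" % signature)
    # The declared length covers the header plus the uncompressed body;
    # a mismatch means a truncated or tampered file, so refuse to continue.
    if declared_len != 8 + len(body):
        raise ValueError("length mismatch: header says %d, file has %d"
                         % (declared_len, 8 + len(body)))
    return version, declared_len, body


def find_hardcoded_secrets(body: bytes) -> list:
    """Return (identifier, value) pairs that look like embedded credentials."""
    hits = []
    for pattern in SECRET_PATTERNS:
        for match in pattern.finditer(body):
            hits.append((match.group(1).decode("ascii", "replace"),
                         match.group(2).decode("ascii", "replace")))
    return hits


# Constructed sample "decompiled script" with two embedded secrets.
SAMPLE_SCRIPT = (
    b'var host = "files.example.com";\n'
    b'var password = "hunter2";\n'
    b'var apiKey = "sk_live_0123456789";\n'
)


def build_sample_swf(compressed: bool, version: int = 9) -> bytes:
    """Wrap SAMPLE_SCRIPT in a correctly formed FWS or CWS header."""
    signature = b"CWS" if compressed else b"FWS"
    header = signature + bytes([version]) + struct.pack("<I", 8 + len(SAMPLE_SCRIPT))
    payload = zlib.compress(SAMPLE_SCRIPT) if compressed else SAMPLE_SCRIPT
    return header + payload


def scan(data: bytes) -> dict:
    """Parse a SWF byte string and report its version and suspected secrets."""
    version, _, body = read_swf_body(data)
    return {"version": version, "secrets": find_hardcoded_secrets(body)}


if __name__ == "__main__":
    for compressed in (False, True):
        print("compressed=%s -> %s" % (compressed, scan(build_sample_swf(compressed))))
```

A real scanner would work on the decompiled ActionScript rather than raw bytes, since in a genuine SWF the identifiers and string literals live in tag constant pools, but the length and signature checks above are exactly what any SWF parser has to do before it can safely hand the body to a decompiler.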

The HP Web Security Research Group has developed HP SWFScan to help our customers and developers around the world make the web a safer place.

Download a FREE copy here: www.hp.com/go/swfscan



  • Feb 12 / 2009
  • 1
Web 2.0, Web Security

Twitter Security Tip – ‘Hot Stove’ Theory

Following on from my most successful blog post last month, here is another internet security tip for all you Twitter users.  My buddy Jack Bauer was kind enough to share this with me:


The Twitter folk are also onto it:

WARNING: If you see a link prefaced by “don’t click,” it is a trick
and you *really* should not click (we’re on it)

but I would back Jack Bauer any day over anyone else.

If you do click these links (even though they say “don’t”; a bit of the hot stove theory: ‘don’t touch the stove, it’s hot’, but you always touch it just to check for yourself and then get burnt as a result) you will probably end up with some form of malware on your computer.

Stay Safe

  • Jan 24 / 2009
  • 15
Web Security

Top 10 Ways to Protect Yourself on the Internet

Constantly in the media we are hearing of people’s personal information being stolen and exploited from the web. This week Information Week reported that 70 of the top 100 web sites either hosted malicious content or contained hidden links designed to redirect users to malicious sites.

Whoa!  Is the Internet still safe to use? My number 1 tip for staying safe on the Internet was only use trusted websites…this isn’t quite accurate anymore!

Working in web application security I am privileged to work with some of the greatest minds in this field, people who really make you look at the Internet in a whole new way. I decided to ask them, “What do you recommend to protect yourself and your activities on the Internet?” Here’s what they said:

  1. Get yourself a credit card with a low limit that you only use for Internet transactions; easy to track unauthorised use, and if it is exploited, the risk is minimised. Also look for one with fraud protection & zero liability.
  2. Never click on a link you receive in an email; you don’t really want that cheap viagra! If you really want to visit the website, retype the URL into the browser.
  3. Keep your OS, browser and virus scanner patched and up to date; don’t ignore the warning messages from Microsoft and others in the bottom left of your screen.
  4. Use a ‘throwaway’ e-mail if you have to fill out a form on a site to download something; create an extra account at Gmail, Hotmail or Yahoo.
  5. Keep individual passwords for the sites that really matter (i.e. your banking sites, e-mail, etc.); you don’t want all your accounts to be compromised if one is exploited. Probably not a good idea to make your Facebook password the same as your internet banking one!
  6. Never enter any personal information over an unencrypted connection; no brainer!! Look for that padlock (although still proceed with caution!).
  7. Never accept unsigned or unknown certificates for sites that need your personal info; you want to be careful who has your personal info!
  8. Turn off your wireless and Bluetooth on your laptop when you are not using them; leaving them on is a great way to invite unwanted visitors!
  9. Don’t leave your computer connected to a hotel network or public wifi longer than you need to; people can find you and your personal info very easily!!
  10. Block browser popups; not only are they annoying but they are a great way of transporting malware.

To be totally safe and secure:

  1. Don’t turn your computer on
  2. When you must break (1), do not connect to the internet
  3. When you must break (2), telnet to port 80

Please leave your personal tips in the comments!

Thanks Erik, Pat & Joe

Stay Safe & Secure

  • Dec 11 / 2008
  • 0
Web Security

Hacking 101... It’s not that hard

Recently Caleb Sima, CTO of  HP Application Security Center, (Founder of SPI Dynamics) presented at the HP Software Universe in Vienna, Austria.

This video is very entertaining and in language anyone can understand.  You’ll see how easy hacking really is with a live demonstration.  He busts some of the Web Application Security Myths out there.  You will never look at a Web page in the same way.  It becomes clear that there is a lot that needs to be done by many to secure their web apps.


Source: HP Videos
©2008 Hewlett-Packard Development Company, L.P.

  • Dec 01 / 2008
  • 0
Web Security

Web Application Security... Why should we care?

As you can see, I spend most of my time thinking about Web Application Security and what is going on in the world related to it. (It’s my job!) Even if it isn’t your job, just a little research into web security and you will look at the WWW in a whole new way. Every day we are reading about new attacks on prominent websites; just yesterday we heard of the CBS website being attacked by Russian hackers. In this case they were able to distribute malware to visitors to the CBS website. (Read Article)

So why is it we have to do more about web application security?

Security risks are getting greater and greater every day, and they will continue to get greater as we go into 2009 and beyond. 7-10 years ago, hackers were out for a little individual fame. They might hack into a site, change some text or maybe an image and then go boast to their underground friends. The cost to the victim was minimal, more of an inconvenience. As we all know, over the last few years what we can do on the web has become a whole lot more sophisticated, and with this we entrust a whole lot more personal, confidential information to the web world. We bank online, apply for credit, shop online, and the organisations we entrust all this information to transfer it internally across the web. As we, the end users, have changed our patterns and increased our use of the web, the cyber criminals have increased their exploitation of the web at an even greater rate. Hacking is now an industry and it is growing. The cost to an organisation can be large not only on the money side but also as a huge loss of face. Yes, there is an increase in regulations out there that require organisations to meet higher security standards, but there is a whole lot more we can do as organisations and individuals.

For the last 15 years organisations have spent millions of dollars securing their perimeter with firewalls and their servers with things like Intrusion Prevention Systems (IPS). Everyone has done a pretty good job of this, and we could almost go as far as saying that the network and servers have been locked down. Millions of dollars well spent! However, the inherent architecture of the web opens holes in these systems. For example, you need to open port 80 or 443 (SSL) to let web traffic into your organisation. By allowing your trusted users to come in through these ports, you are also allowing hackers access to your systems. (In fact hackers love SSL: it means they can hack undetected, because the traffic is encrypted past the perimeter devices.) Organisations need to shift their focus and invest in securing their applications to combat this. With many shifting to Web 2.0, the perimeter has just shifted, putting more control in the hackers’ hands. (I think a future blog post is required here.)

So, how do you secure your applications?

Almost all web application security vulnerabilities lie within the code itself. Yes, you guessed it (well, at least I hope you did): security vulnerabilities are a code defect. You need to write secure code! Simple! Not really... we have a problem here. We have a gap. Security specialists know security but they don’t know the code, and developers know the code but they don’t know security. This is where organisations need to mandate secure coding practices and build this in as part of the Security Program. Educating about and eliminating the OWASP Top Ten is a good start. To aid developers there are a number of solutions out there that developers can use to scan and validate their code and at the same time teach them secure coding. (HP DevInspect is an example.)
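To put the “vulnerabilities are a code defect” point into concrete terms, here is an added Python example (mine, not HP’s or DevInspect’s): two routine web-app operations from the OWASP Top Ten territory, each written first with the defect and then with the fix a mandated secure coding practice would require. The in-memory database and the inputs are constructed for the example; the point is that the defective versions break on perfectly legitimate input, which is the same root cause an attacker would otherwise abuse.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "ob@example.com")],
    )
    return conn


def lookup_email_defective(conn: sqlite3.Connection, username: str):
    # Defect (injection): the username is spliced into the SQL text, so the
    # database parses it as SQL rather than treating it as data. Even a
    # legitimate apostrophe breaks the statement.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_fixed(conn: sqlite3.Connection, username: str):
    # Fix: a parameterised query keeps the SQL text constant; the driver
    # passes the value separately, so it can never be parsed as SQL.
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def greeting_defective(display_name: str) -> str:
    # Defect (cross-site scripting): untrusted text is written straight into
    # HTML, so any markup it contains is rendered by the browser.
    return "<p>Welcome back, " + display_name + "</p>"


def greeting_fixed(display_name: str) -> str:
    # Fix: encode for the HTML output context before concatenating.
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict:
    """Run both versions of each operation on the same input and collect results."""
    conn = make_db()
    out = {}
    try:
        out["defective_lookup"] = lookup_email_defective(conn, "o'brien")
    except sqlite3.Error as exc:
        # The apostrophe in a real name is enough to break the spliced query.
        out["defective_lookup"] = "SQL error: %s" % exc
    out["fixed_lookup"] = lookup_email_fixed(conn, "o'brien")
    out["defective_greeting"] = greeting_defective("<b>alice</b>")
    out["fixed_greeting"] = greeting_fixed("<b>alice</b>")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Note that neither fix relies on a blacklist of bad characters: the parameterised query and the context-aware encoder are the structural remedies a code scanner can check for, which is why they are the ones the OWASP guidance recommends.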

Addressing web application security at the development level is a good approach, but to ensure your organisation is best protected, and to complement secure coding, you should also check your applications for vulnerabilities during QA as well as post production (new vulnerabilities are discovered every day). An organisation serious about web application security should implement a combination of manual penetration testing and web vulnerability scanners (HP has one of these also :)) at these points.

Last year the Web Application Security Consortium did a study of almost 32,000 websites. Over 85% of these websites had a vulnerability that could give hackers the ability to read, modify and transmit sensitive data.

Are you secure?  Do you actually know?

  • Jun 14 / 2008
  • 0
Travel, Web Security

Moving to Silicon Valley

I recently accepted a new position at HP that will see me departing Sydney in August to take up residence in California. I am now the Global Product Marketing Manager for HP Application Security Center.  In a way it will be sad saying goodbye to many good friends in Sydney and not visiting the great countries of Asia as much but for me this is one of my dreams to go and work in the hub of all great things technological.

Off to Vegas (Again!!) for HP Software Universe………….