IT at fault for some security vulnerabilities: HP

It’s hell out there – there being the world outside your firewall that’s trying to rip it down.

You can tell by news reports of intrusions, you can tell by the amber and red lights flashing on dashboards in the NOC and you can tell by – another – annual security report from a vendor.

The latest is the Hewlett-Packard 2012 Cyber Risk Report, which has one piece of good news: The number of critical vulnerabilities in the wild seem to be on the decline.

The rest is bad news: Mature technologies such as Java and SCADA systems (which control factories and utilities) continue to be exploited, mobile platforms are a major growth area for vulnerabilities, and Web applications remain a substantial source of vulnerabilities.

On this last, HP says cross-site scripting (also called XSS) remains a major threat to organizations and users. And an effective defence against cross-frame scripting “remains noticeably absent.”

The report draws from exploit data collected by HP security product labs as well as from the Open Source Vulnerability Database (OSVDB).

But security problems organizations face are sometimes the fault of software developers or Web developers and not just crafty attackers, according to Mark Painter, an HP security product marketing manager.

 “We tested over 100,000 URLs for the standard mitigation technique for cross-frame scripting,” he said in an interview, where clicking on a link takes a person not to where they want to go but to a frame on a malicious page.

“Less than one per cent of those URLs used the x-frame header correctly.”

Those URLs tested weren’t all simple Web pages. Twenty per cent had a password form, Painter said, so had they been spoofed could have lead to the loss of personal information.

Organizations and developers are “just slow to respond to these long-time vulnerabilities,” he complained.

Known SCADA (supervisory control and data acquisition) system vulnerabilities now total 191 from 22 in 2008, Painter said. He blamed the Stuxnet worm (allegedly attributed to U.S. and Israeli government developers who found a way to attack Iranian uranium enrichment facilities using Siemens controllers), for encouraging hackers to probe SCADA systems.

“When you put a Web front-end on something that was never-designed to be Web-accessible you introduce all kinds of vulnerabilities.”

With the increasing attention in cyber-warfare – recently highlighted by the U.S. government — those numbers will continue to rise, Painter predicted.


As for mobile app vulnerabilities, 266 were found last year, compared to 159 in 2011.

Seventy-seven per cent of mobile apps were vulnerable some form of information, HP [NYSE: HPQ] found. Forty-eight per cent could allow an attacker to gain access to some part of the app that wasn’t supposed to be open.

“Over the course of our testing it’s very apparent that when coding mobile applications developers are just not considering the security implications of how they store, transmit or access their data.”

“In a lot of ways its like mobile developers are making the same mistakes they made 10 years ago with Web applications.”

Not only that, IT departments make fundamental mistakes, the report suggests, like someone at a firm that created the following directory:

No authentication was needed to get into the folder, which, obviously, listed passwords.

Other examples of corporate vulnerabilities

Which begs the question – and it has been asked before – has the cyber security war been lost?

“I wouldn’t say the war is lost, but we definitely need to mobilize some troops. It’s just the pace of the world – everybody’s pressured to put applications out there. And you know the old saying: Security is not something you can brush on at the end: You’ve got take it in. It’s still being bolted on at the end way too much.”

You can download the entire report here.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now