September 28, 2006 | Comments: (0)

If you haven't been following the HP case recently you either need to stop working so much, stop reading blogs on how to turn cat fur into yarn, or just plain get out more.
I was secretly hoping that when I came up with the cat hair into yarn idea that I would come up with zip on a Google search, but I was wrong.
Anyway, I have my two cents to add to the whole HP scandal.
This whole HP thing has happened to me.
Well, not exactly in direct relation to HP, or in terms of 'pretexting' and having some PI snag my phone records, or actually having anything to do with HP whatsoever.
But I have been told by an executive 'I don't care what it takes, I want this done and done now'.
And I'll bet dollars to doughnuts you've heard these words uttered (or yelled) in your direction more than once in the recent past.
Isn't that what this entire hubbub is really about?
Right now we have to do more with less money and people, so this type of command coming down from the top happens all too frequently. Unfortunately, someone down the chain turned off their ethics filter and 'did what needed to get done' because they were told to. And this individual (or individuals) probably had some slight (either founded or unfounded) fear of losing their job if they failed.
Only now, we have more corporate oversight. And someone got wise to the fact that their phone records were being accessed without their permission.
These two factors contributed to this whole HP thing becoming a debacle and unraveling none too cleanly.
So next time someone says 'I don't care what it takes, just get it done' let's all take a minute to make sure our ethics filters are in place and turned on. Because, as HP is finding out, turning off the filters can lead to one heck of a fur ball.
On the flip side
I think I made mention last year that I think the selling of data that you unintentionally create but may not own (aka your phone records) should be against the law. Unfortunately, it's taken something like the HP scandal to have people really investigate this sort of privacy violation. So a potentially good thing to come out of this debacle is that it may be more difficult for someone to gain access to your (supposedly private) phone records without your explicit authorization.
Posted by Victor R. Garza on September 28, 2006 12:34 PM
September 25, 2006 | Comments: (0)
Does your computer have rabies?

Ah yes, the day we give up on our old friend because they're acting a bit crazy. Maybe they're trying to bite us, or maybe send out a few spam emails without us knowing about it, maybe even installing a keylogger to capture our private information and send it to nefarious individuals. It's not our little friend's fault, it can't help being bitten, especially with the company it has to keep these days, running around with sometimes unsavory types who may or may not have had their shots. Just yesterday it was romping around without a care in the world and now it's sluggish and limping along, baring its teeth at anyone who comes close.
Nonetheless, it's time we took our foaming-at-the-mouth old friend out back and put a bullet between his eyes. And it's not all bad fer old Yeller. Quick and painless OS reinstall and we've got a new puppy, jumping up and down with a boatload of energy and no mange.
I had to break down and commit this atrocity last night. The sound of the shotgun blast is still ringing in my ears. The security practice I work for had decided that one of our client's machines was just too far gone and that we should wipe it and start from scratch. The client is fairly new and has been maintaining their systems fairly haphazardly up until we came into the picture.
I and another principal don't like to give up on such systems, but this specific IBM laptop was just too far gone and we (I) eventually had to pull the trigger. Now we can deploy sound security policies and keep this machine current without too many headaches. It seems to me that gone are the days of trying to fix these systems, at least trying extraordinary measures (and spending the client's money) to keep them on life support while they bite and struggle the whole time.
I remember with some shock when I read about Microsoft condoning this same practice earlier this year. But it looks like even with all the security tools I have at my disposal that a machine can just get way too diseased to come back to us. Too many apps installed and uninstalled, too many registry entries mangled, too many nefarious programs slipping in.
These days time is just too short, so I guess I'll have to keep more shotgun shells handy.
Posted by Victor R. Garza on September 25, 2006 08:38 PM
September 03, 2006 | Comments: (0)
Caveat Emptor, especially with hackers
I've come across an interesting article posted in InfoWorld's sister publication, ComputerWorld, regarding the trustworthiness of hackers.
I've got one thing to say about trusting hackers.
Just say no.
That's not to say I don't trust hackers. I do, but I like the 'trust, but verify' model myself.
If you haven't realized it yet, hackers play games, and are always trying to find the shortest or most elegant route to a destination. In other words, they're constantly trying to game the system.
So, suffice it to say that you should watch your back when dealing with anyone like this, and that goes beyond just those labeled strictly as 'hackers'. I'm talking about the individuals that go out of their way to set up an elaborate practical joke at your office, or spend countless hours tracking down a small problem when others would have given up or taken an easier route to fix an issue. These individuals are a special breed, and while all of us have these tendencies to a lesser degree, it's these folks that have it honed to a fine skill, and we have many of them to thank for keeping vendors honest. But, if you present an opportunity to be played, punked, or pwned, you will be.
Now, I don't completely agree with what Frank Hayes has to say in his article, as I think that he's being overly cynical. And I'm sure that this is especially the case because I was one of the people who helped break the Cisco WiFi story at this year's BlackHat.
But I do agree with Hayes' conclusion:
But even if we now have to view these researchers with the same jaundiced eye we once reserved for our most shameless vendors, they're still worth our attention. We may believe them less, but we haven't got much choice.
After all, when it comes to uncovering security holes, if you can't trust hackers, who can you trust?
'nuff said.
More tidbits
Check out Andrew Lockhart's synopsis of several of this year's 'Vegas offerings here. Yes, he does work for the wireless security vendor Network Chemistry. I took a look at them a while back and they've got some good stuff.
And I came across this breakdown of some interesting wireless technology vendors to watch.
And if you weren't as lucky as the rest of us this year freezing inside a smoke-filled hotel while it was a hundred degrees outside, you can now check out this year's archived BlackHat presentations. Interesting reading.
Posted by Victor R. Garza on September 3, 2006 11:35 AM