The Ethical Hacker Network - Trusted Vendors?

Latest Additions

Who's Online

SecurityMonkey

Jr. Member

Offline

Posts: 89

Trusted Vendors?

« on: October 31, 2012, 10:41:32 PM »

There has been a lot of talk in the US and Australia about Huawei and if they should be allowed to bid for or supply hardware for project that could be classified as “national infrastructure”.

Huawei have refuted the claims of both governments that the PLA have too much control of the company and may use it as a tool to infiltrate government networks.

To prove that there hardware / software in not a threat they have offered to allow governments to inspect the code that runs on there hardware.

This article is interesting as it points out that even if you find no backdoor in the software when you find a bug and call the Huawei service team you are opening the front door and allowing them full access to your company!

This doesn’t only go for Huawei, maybe we should all be a little worried about who it is we allow in our data centers! Can you trust IBM / DELL / HP fully?

I’m not saying that any of the companies listed above are evil, all I am saying is that we should keep this in mind when selecting vendors or partners.

http://etherealmind.com/the-huawei-security-problem-isnt-the-hardware-its-engineers-fixing-the-bugs/


« Last Edit: November 01, 2012, 04:07:21 AM by SecurityMonkey »	Logged

www.securitymonkey.net

chrisj

Hero Member

Offline

Posts: 1163

Re: Trusted Vendors?

« Reply #1 on: November 01, 2012, 09:30:39 AM »

I think the better way of dealing with this, is seeing what other companies provide theses services, and then find out if they can out preform (either in equipment or service) Huawei.

I get international business, but I'm starting to think it might be worth copying some of China's model. You want to sell your product here, you have to have a factory making it here. Limited import. Government inspections at random. Etc.

As for offering to let someone inspect your code... What coding standards are there, how long do they have to inspect it. Are they going to inspect each sub release, and as we all know, just because we can't find the hole doesn't mean it's not there.


	Logged

OSWP, Sec+

ajohnson

Recruiters
Hero Member

Offline

Posts: 1057

aka dynamik

Re: Trusted Vendors?

« Reply #2 on: November 02, 2012, 01:43:38 PM »

Quote from: chrisj on November 01, 2012, 09:30:39 AM

As for offering to let someone inspect your code... What coding standards are there, how long do they have to inspect it. Are they going to inspect each sub release, and as we all know, just because we can't find the hole doesn't mean it's not there.

This. Let's assume it's acceptable at on the onset; what if something changes five years down the road. If you're seriously going to use this as an attack platform, you'd be willing to commit to the long-con.

Regarding third party vendors, Dell, HP, etc., the way I've always handled it in the past was to leave any sort of remote access disconnected/disabled until it was needed, and then have someone monitor/oversee everything the technician does. Giving a vendor free-reign 24/7 certainly seems to create an unnecessary exposure.


	Logged

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.

chrisj

Hero Member

Offline

Posts: 1163

Re: Trusted Vendors?

« Reply #3 on: November 03, 2012, 12:36:35 PM »

I used to get comments from upper management, and complaints from my staff, that I wouldn't let "trusted" vendors walk around UN-escorted. Be it the Same guy that had been coming to fix the copiers for years, or the Storage Vendor's people who were on site 2 days a week at some point.

Sorry slight thread highjack there. But the point is, just because you use them, doesn't mean they should be trusted. Argument I've started at my current client's site, and the full time direct-hires have picked up and ran with. Just because they're a trusted business partner doesn't mean you give them access to the bank accounts.