
Trusted Vendors?


S3curityM0nkey

Jr. Member

Posts: 89

Joined: Mon May 16, 2011 6:47 pm

Post Wed Oct 31, 2012 10:41 pm

Trusted Vendors?

There has been a lot of talk in the US and Australia about Huawei and whether they should be allowed to bid for or supply hardware for projects that could be classified as “national infrastructure”.

Huawei have refuted the claims of both governments that the PLA have too much control of the company and may use it as a tool to infiltrate government networks.

To prove that their hardware / software is not a threat, they have offered to allow governments to inspect the code that runs on their hardware.

This article is interesting as it points out that even if you find no backdoor in the software, when you find a bug and call the Huawei service team you are opening the front door and allowing them full access to your company!

This doesn’t only go for Huawei, maybe we should all be a little worried about who it is we allow in our data centers! Can you trust IBM / DELL / HP fully?

I’m not saying that any of the companies listed above are evil, all I am saying is that we should keep this in mind when selecting vendors or partners.

http://etherealmind.com/the-huawei-secu ... -the-bugs/
Last edited by S3curityM0nkey on Thu Nov 01, 2012 4:07 am, edited 1 time in total.

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Nov 01, 2012 9:30 am

Re: Trusted Vendors?

I think the better way of dealing with this is seeing what other companies provide these services, and then finding out if they can outperform (either in equipment or service) Huawei.

I get international business, but I'm starting to think it might be worth copying some of China's model. You want to sell your product here, you have to have a factory making it here. Limited import. Government inspections at random. Etc.

As for offering to let someone inspect your code... What coding standards are there? How long do they have to inspect it? Are they going to inspect each sub-release? And as we all know, just because we can't find the hole doesn't mean it's not there.
OSWP, Sec+

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Nov 02, 2012 1:43 pm

Re: Trusted Vendors?

chrisj wrote: As for offering to let someone inspect your code... What coding standards are there? How long do they have to inspect it? Are they going to inspect each sub-release? And as we all know, just because we can't find the hole doesn't mean it's not there.


This. Let's assume it's acceptable at the onset; what if something changes five years down the road? If you're seriously going to use this as an attack platform, you'd be willing to commit to the long con.

Regarding third-party vendors, Dell, HP, etc., the way I've always handled it in the past was to leave any sort of remote access disconnected/disabled until it was needed, and then have someone monitor/oversee everything the technician does. Giving a vendor free rein 24/7 certainly seems to create an unnecessary exposure.
The day you stop learning is the day you start becoming obsolete.

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Nov 03, 2012 12:36 pm

Re: Trusted Vendors?

I used to get comments from upper management, and complaints from my staff, that I wouldn't let "trusted" vendors walk around unescorted. Be it the same guy that had been coming to fix the copiers for years, or the storage vendor's people who were on site 2 days a week at some point.

Sorry, slight thread hijack there. But the point is, just because you use them doesn't mean they should be trusted. It's an argument I've started at my current client's site, and the full-time direct hires have picked up and run with it. Just because they're a trusted business partner doesn't mean you give them access to the bank accounts.
Last edited by rattis on Sat Nov 03, 2012 12:38 pm, edited 1 time in total.
OSWP, Sec+
