<![CDATA[[SecurityRatty] tag: hps]]> http://securityratty.com/tag/hps Wed, 13 Feb 2008 16:12:03 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Selling 0day Exploit Code]]> http://securityratty.com/article/6fecfbd98ce0e43927152713256b4ea0 http://securityratty.com/article/6fecfbd98ce0e43927152713256b4ea0 We all know it happens, but it is rarely exposed as clearly as Adam Pennenberg did in his article for Fast Company, The Black Market Code Industry. It turns out that this 0day seller was an HP employee:

According to the consultant who snared Marester, his quarry’s skills appear quite sophisticated. His wares, if they performed as advertised, could help a hacker take down machines running that particular software anywhere in the world. His real name is Steve Rigano; he’s a self-employed network consultant from Grenoble, France, who works full time at HP, where he is listed in the switchboard and maintains an hp.com email address. He told me that he saw nothing wrong with offering tools and techniques that targeted the company providing his paycheck.

A self-taught hacker, Rigano says he discovered the vulnerabilities and coded the exploits on his own time, which he says is none of HP’s business. “I have the right to sell what I want,” he says. He told me he attracted mostly Chinese and Russian buyers, but claimed he never found takers for the HP or SAP “vulns” and exploits. He said he stopped selling black-market code in January but didn’t explain why.

Most security companies I have been acquainted with frown on this type of activity, as I am sure HP has. It’s hard for them to sell security products and services when their employees are selling the very tools the company is purportedly defending against.

]]> Mon, 30 Jun 2008 14:55:01 +0000 fast company company consultant rigano steve rigano self-taught hacker network consultant hacker sap vulns Selling 0day Exploit Code <![CDATA[Who Are the Information Security Experts?]]> http://securityratty.com/article/f4f9c8ed56a1b5e4d34585b0c64fb0e0 http://securityratty.com/article/f4f9c8ed56a1b5e4d34585b0c64fb0e0 Recently an executive at HP claimed that his company now employs 9 out of the top 11 security people due to HP’s acquisition of SPI Dynamics:

“Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.”
- Mark Potts, CTO of Software, Hewlett-Packard

Now eWeek has produced a list of the 15 most influential people in security today. Here is the quick non-multimedia version:

  1. Tavis Ormandy, Google Security Team
  2. Ivan Krstic, One Laptop Per Child
  3. Chris Paget, IOActive
  4. Bunnie Huang, Bunnie Studios
  5. Michal Zalewski, Google
  6. Window Snyder
  7. The MOAB Hackers
  8. Dino Dai Zovi
  9. Michael Howard, Microsoft
  10. HD Moore, Metasploit
  11. Dave Aitel, Immunity
  12. Bronwen Matthews, Microsoft
  13. John Pescatore, Gartner
  14. Rob Thomas and Team Cymru
  15. Stefan Esser, Hardened PHP Project

I don’t see any SPI Dynamics or HP people on this arguably less biased list. I do see 3 of my former collegues from @stake: Dave Aitel, Dino Dai Zovi, and Window Snyder. Seeing that giants Microsoft and Google only got 2 each on the list and @stake has 3 it lends credence that @stake was the place to be for hard core security people.

Wikipedia has a nice large list of computer security specialists.

]]> Wed, 13 Feb 2008 16:12:03 +0000 security security hackers computer security specialists security people due spi dynamics spi dynamics acquisition people google security team dino dai zovi Who Are the Information Security Experts?