Tuesday, August 28, 2007

Hacker tips published in Wall Street Journal

Network World

Security Strategies




Network World's Security Strategies Newsletter, 08/28/07

By M. E. Kabay

On July 30, Vauhini Vara published an article in the _Wall Street Journal_ entitled, “Ten Things Your IT Department Won’t Tell You.” The author explains that office workers like to use corporate-supplied equipment to “keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by e-mail or instant message.”

Alas, she continues, “Our employers sometimes don't like it. Partly, they want us to work while we're at work. And partly, they're afraid that what we're doing compromises the company's computer network - putting the company at risk in a host of ways.” Therefore, she explains, she has asked various experts for ways “to get around the IT departments.”

The 10 topics she investigates are as follows:

1. How to send giant files.
2. How to use software that your company won’t let you download.
3. How to visit the Web sites your company blocks.
4. How to clear your tracks on your work laptop.
5. How to search for your work documents from home.
6. How to store work files online.
7. How to keep your privacy when using Web e-mail.
8. How to access your work e-mail remotely when your company won’t spring for a Blackberry.
9. How to access your personal e-mail on your Blackberry.
10. How to look like you’re working.

Vara provides each topic with these sections:

* The Problem
* The Trick
* The Risk
* How to Stay Safe

I don’t want to get into a discussion of full disclosure of security vulnerabilities here, nor to claim that what Vara has done is in any way illegal. What she and her publication have done, however, is beyond my personal standards for publication in a legitimate, respected newspaper. The motivations behind her detailed instructions are much closer to the dreck published in criminal-hacker publications than in any professional publication I can imagine. The author’s focus is on escaping the consequences for violating security policies. For example, in the section on visiting forbidden Web sites using corporate systems, she writes that “the main risk is getting caught by your boss.” As a second-rank risk, she mentions the possibility that “Online bad guys sometimes buy Web addresses that are misspellings of popular sites, then use them to infect visitors' computers.” Her priorities are to protect people who put the organization at risk and only secondarily to warn the potential rule-breakers of threats to their employer’s data security.

Vara’s “How to Stay Safe” sections are astonishing in their insouciance. For example, her “safety” measures for violating appropriate-use policies include this advice for attempting to wipe audit trails: “Clear your private data as often as possible. Better yet, don't use your work computer to do anything you wouldn't want your boss to know about.” The first sentence clearly condones the misuse of corporate equipment and encourages dissimulation and dishonesty as a safety measure. The second defines the issue entirely in terms of self-protection, with no hint that there might be issues of rights and duties involved.

I invite readers to read Vara’s article for themselves and then to join me in a short series of columns as I analyze her work from an ethical standpoint. I will take the opportunity to illustrate a straightforward process for making ethical decisions that I think would have ensured that Vara’s article not be published - if the editors of the Wall Street Journal actually care about ethical decision-making.

My editor kindly pointed out a vigorous Network World blog entry on Aug. 3 by Linda Musthaler about the Vara article bluntly entitled “At the WSJ, the idiots are running the asylum.” Musthaler points out that the Wall Street Journal published a follow-up article by Vara that could conceivably be an attempt to compensate for her scandalous “Ten Tips,” but I’ll let you judge for yourselves.

More next time.



Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.




Copyright Network World, Inc., 2007
