Tuesday, August 02, 2005


Coolest conference name: Black Hat. Apparently, there's an information security conference in Las Vegas every year called Black Hat, and apparently there are some holes in Cisco's Internetwork Operating System (IOS) router software that one of the Black Hat presenters, Michael Lynn, was going to describe. Apparently Cisco got Lynn's employer, ISS, to agree to pull the details of his presentation from the conference materials. Lynn quit ISS in protest and gave the presentation anyway, to a wildly appreciative Black Hat crowd (you call the jamboree "Black Hat," you gotta expect a few outlaws). Cisco and ISS sought an injunction, which resulted in a legal agreement among Cisco, ISS, Lynn and Black Hat not to further disclose the information (is Black Hat's law firm called "Black Suit"?).

Now, however, as there is no honor among thieves, copies of Lynn's pdf are out there on the internet. Cisco apparently has a patch for the problems, but still doesn't want the exploitation details public, for the sake of its customers who haven't installed the patch yet. ISS has fired off "cease and desist" letters to at least some of those who are posting the information.

What does this all mean? Beats the hell out of me. But it is a good lesson for everyone who is subject to HIPAA (and even those who aren't): you need to keep an inventory of your systems and software, find out about security issues as soon as they're announced, and apply the patch as soon as the vendor releases one. Keep in mind that the leaked slides don't create the hole; it's been in the software all along, and Cisco's fix is already out. What the leak changes is how quickly someone can take advantage of it, so the gap between "vendor issues patch" and "you install patch" is where the risk lives. That may mean making sure your IT staff knows what's up, or leaning on your vendors to make sure they're taking the right steps to keep your backside covered.

It also means that it's sometimes pretty fun to watch these geeks and hackers run with scissors, if you know what I mean. At least I get to put lots of links in. Hot links. Hmm, makes me hungry.

Jeff

