Friday, September 15, 2006

HP's Dunn steps down amid hacker scandal

HP's Dunn to step down amidst hacking scandal
Robert Lemos, SecurityFocus 2006-09-12

Hewlett-Packard announced on Tuesday that Chairwoman Patricia Dunn would step down early next year to be replaced by CEO Mark Hurd, amidst calls by critics for her resignation and increasing scrutiny of the tactics used by investigators to track down a media leak on the board.

Dunn will resign as chairwoman after the company's January 18 board meeting, but will remain on the board as a director, the company said in a release. In a second statement, Dr. George A. Keyworth II, the board member fingered by the investigation as the source of the leaks, announced his resignation from the board.

In comments included in the official releases, the chairwoman disavowed that she knew of the type of techniques that investigators, hired by her, would use to track down a member of the board who had leaked confidential discussions to the media.

"These leaks had the potential to affect not only the stock price of HP but also that of other publicly traded companies," Dunn said in the statement provided by HP. "Unfortunately, the investigation, which was conducted by third parties, included certain inappropriate techniques. These went beyond what we understood them to be, and I apologize that they were employed."

Dunn's pending resignation is the latest fallout from a brewing controversy over the techniques used by third-party investigators to obtain the personal phone records of HP directors and the nine reporters that may have received information about confidential board discussions. Investigators hired by the company's chairwoman to find the leak employed pretexters to gain access to the records.

In the past, the act of pretexting used deception and subterfuge to convince a victim to turn over information useful to a private investigator. In the computer security world, the technique is frequently called social engineering. Yet in the information age, pretexting that gains access to another company's computer system without authorization is punishable under the Computer Fraud and Abuse Act of 1986 at the federal level and various other cybercrime statutes at the state level, said James Aquilina, a former federal cybercrime prosecutor running the Los Angeles office of Stroz Friedberg LLC, a national computer forensics and cyber-consulting firm.

"Characterizing the practice of pretexting as falling within some 'gray area' perhaps ignores the basic fact that its success depends upon the use of falsity and deception," Aquilina said. "That, coupled with unauthorized access, and evidence of certain damages suffered by the hacked telecom provider or its customer, likely brings the practice within reach of the (Computer Fraud and Abuse) Act, and at a minimum, California's penal code."

As the controversy enters its second week, Hewlett-Packard faces a prolonged investigative siege touched off by the chairwoman's resolve to find the leak. Investigations into the technology giant's conduct have been opened by no fewer than five agencies: the Office of the Attorney General for the State of California, the U.S. Department of Justice, the Federal Communications Commission, the Securities and Exchange Commission and the House of Representatives' Committee on Energy and Commerce.

For the Attorney General for the State of California, Bill Lockyer, the question is not whether the information was obtained in violation of computer-crime statutes, but who is to blame for the acts.

"The Attorney General has already said that crimes have been committed," said Thomas Dresslar, spokesperson for the California Attorney General's Office. "We are interviewing people. We are obtaining documents. We are doing our own thing."

The attorney general intends to charge the private investigators with violations of the state's cybercrime statutes, Dresslar said.

Federal prosecutors from the U.S. Department of Justice and the U.S. House of Representatives' Committee on Energy and Commerce have also begun investigating the tactics used by the third-party investigators employed by HP.

"We have been informally contacted by the United States Attorney's Office for the Northern District of California requesting information similar to that sought by the California Attorney General," the company said in its quarterly financial report to the Securities and Exchange Commission (SEC), published on Monday. "We are cooperating fully with these inquiries."

In a letter to HP dated Monday, the House Committee on Energy and Commerce requested that the technology giant provide information regarding the name of the outside firm that investigated the board leaks, the appropriate contracts for the work, and the names of any contractors hired by that firm to do additional investigative work. The Committee also requested a list of all individuals targeted by the investigation, any HP employees that aided the investigations and copies of any reports produced by the investigators.

The Committee, which has held hearings on the use of pretexting, voiced concern over the matter.

"The Committee is troubled by this information, particularly given that it involves HP--one of America's corporate icons--using pretexting and data brokers to procure the personal telephone records of the members of its Board of Directors and of other individuals without their knowledge or consent," stated the letter, which was signed by its Chairman Joe Barton, R-Texas, and three other members.

Telecommunications giant AT&T has shown its resolve to hunt down pretexters that hack into its systems.

The company filed two civil lawsuits in the past two weeks against pretexters using the federal computer crime provisions known as the Computer Fraud and Abuse Act of 1986. The company is searching for the identities of nine individuals who used unauthorized access to AT&T systems to obtain phone records. The lawsuits do not target any of the three e-mail addresses so far revealed in the fallout from the HP board scandal, and an AT&T spokesman declined to talk about the company's investigation into that case.

"By and large, it was unauthorized access online--we believe it's illegal," said Walt Sharp, spokesman for the San Antonio-based telecommunications giant. "These are not public records. They are AT&T business records. These lawsuits are designed to identify who the perpetrators are and to seek injunctions to stop their behaviors and seek damages against them."

The lawsuits, filed in Texas and California, name nine e-mail addresses used by individuals who accessed AT&T's systems without authorization: brnroton@yahoo.com, carebear@yahoo.com, fashizzol@juno.com, free@yahoo.com, freefalling04@yahoo.com, gogo@hotmail.com, holla@aol.com, hon@aol.com, and wealthysinner@yahoo.com. To date, three e-mail addresses have been revealed in conjunction with the unauthorized computer access to the phone records of reporters and directors under investigation by HP's chairwoman Dunn: mike@yahoo.com, redsox9855@yahoo.com, and red@yahoo.com.

Hewlett-Packard's board of directors had met for a second time on Monday to discuss the company's response to the mounting criticism--and rising legal ramifications--of the tactics used during the hunt for a director who leaked sensitive company information to the media. The company announced that the chairwoman would resign in January, but remain on the board. While the punishment for the board's leader, who initiated and spearheaded the investigation, may seem light, HP's CEO Hurd strongly stated that the investigative techniques were unacceptable.

"I am taking action to ensure that the inappropriate investigative techniques will not be employed again. They have no place in HP," Hurd said in the HP statement announcing Chairwoman Dunn's pending resignation.

Private investigators are wary of the increasing uproar over the tactics used by HP's investigators, because many professional investigators still make use of pretexting in some form and still want to be able to access phone records.

"There should be a way to access these records for legitimate reasons," said Bruce Hulme, legislative director and former president of the National Council of Investigation and Security Services, a national association for private investigators. "What if this was a case of an HP employee leaking information to Dell? I don't want to see a general law passed that outlaws the use of subterfuge or pretext or pretense, because there are legitimate applications as an investigation tool."

Every field has its euphemism for lying and deception. In politics, it's spin. In computer security, it's social engineering. And in the world of private investigators, it's pretexting. In the past, private investigators have not assumed someone else's identity using pretexting, but taken on a role to gain access to information, said Jimmie Mesis, a private investigator and the editor-in-chief for PI Magazine.

"Pretexting is perception management," Mesis said. "You can't go up to someone and say, I'm a private investigator, you won't get information that way. It can be as simple as calling up a neighbor to get the target's phone number or some other piece of information."

Mesis also worries that legislation drafted in response to the HP scandal could result in less access to phone records for responsible private investigators. He points out that the public can benefit when investigators are allowed to do broader searches on records, what computer security experts call data mining.

"Closing up the records is not just a bad thing for PIs, but a bad thing for the public," Mesis said. "It helps protect the criminals."

Access to such records helped find the six-year-old daughter of a man whose wife had taken the child and left four years prior, Mesis said. While the police could not broaden the search to include relatives' phone records, Mesis's firm was able to find a call from the woman to her father by searching his phone records. Less than a day later, the private investigators had located the woman and the child.

Despite the scandal surrounding it, Hewlett-Packard's investigation into the board member leaking information to the media also shows the utility of using phone records. The investigation pinpointed the person, Dr. George A. Keyworth II, a former science advisor to the late U.S. President Ronald Reagan, who was asked to resign at a board meeting on May 22, 2006. He refused, but Thomas Perkins, a noted Silicon Valley venture capitalist, resigned from the board in protest over Dunn's actions. Perkins later requested information on how the information had been obtained, and his requests led to HP filing an additional statement with the U.S. Securities and Exchange Commission that touched off the current furor.

On Tuesday, HP announced that Keyworth would resign after all. In a statement announcing his resignation, Keyworth said it was time to move on past the controversy.

"The comments I made to the CNET reporter were, I believed, in the best interest of the company and also did not involve the disclosure of confidential or damaging information," Keyworth stated. "There is but one issue now and that is that (CEO) Mark Hurd and the company have every opportunity to move beyond the current morass."

Keyworth called the investigators' unauthorized access to AT&T's systems "an invasion of my privacy and that of others" that "was ill-conceived and inconsistent with HP's values."

Even among private investigators, the legality of lying to convince someone to hand over information continues to be a big question mark. Some investigators believe that consumer protection laws, which outlaw deceptive trade practices, are applicable to pretexting situations.

"Pretexting is illegal and it always has been--it really isn't a gray area," said John Healy, the principal investigator for Litigation Intelligence Services and a retired NH state police officer. "The consumer protection laws are all identical. When you get a gallon of gas, you get a gallon. And it applies to any deception in any business, so it applies to pretexting."

However, most private investigators do not know enough about computer crime laws to differentiate between simple deceptions and gaining unauthorized access to a computer system through fraudulent claims. Moreover, some believe that the records are so poorly secured that no true security measures are being bypassed.

Mesis believes that an argument could be made that AT&T's lack of security essentially put the records into the public domain. A person's phone number and social-security number are so easy to obtain that the two pieces of data are more a way of identifying someone, not bypassing a security system, Mesis said.

"The phone company has a flaw in how they give out information," said the private investigator. "The PIs have not gotten the data by impersonating someone else, but by providing information to get information."

Privacy experts are also taking AT&T to task for its weak system for protecting consumers' call records. While accessing the online systems and gaining the information likely falls afoul of state and federal law, telecommunications providers need to take better steps to protect information, said Lillie Coney, associate director for the Electronic Privacy Information Center (EPIC).

"The key thing to remember is that the private sector's reliance on social-security numbers as a default ID number has led to this potential for abuse and has proved itself to be a bad decision," Coney said.

While AT&T would not comment on whether it would seek to change its security measures in the future to protect against such attacks, the company's spokesman did say the company is always looking at the possibility.

"This is a constant process of revisiting security measures," said AT&T's Sharp. "These people out there are always looking for ways to work around the security, and we have to look at that and determine what's the best way to deal with it."
