Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would “cripple the cluster,” according to information provided to The Register by an unnamed source.
The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it’s not hard to find: “Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn’t know existed,” according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public.
The hash hiding the login “is easily brute-forced,” according to Technion, who noted in a later blog that more than 55 users have separately notified him they’d broken the hash. The backdoors are hidden in versions of the LeftHand OS v. 9.0 and higher. They have existed since at least 2009, according to The Register.
DOUBLE WORD SCORE: Both cyber and we take security seriously
Weirdly, I agree totally with this right up and until the last sentence of the last paragraph, hence why I quote it at length:
We must all take our cyber-security seriously
The Observer, Sunday 3 February 2013
It has been a fragile week for cyber-security, with system breaches affecting a quarter-of-a-million Twitter accounts coming on the heels of online assaults against both the New York Times and the Wall Street Journal, apparently by highly sophisticated Chinese hackers.
Given the vulnerability of these high-profile targets, ordinary users might be forgiven for feeling any residual digital euphoria replaced by growing unease. What does it mean to be secure in an online realm where few people understand anything of the frantic combat taking place around them?
When it comes to combating online criminality, attempted cures can look as noxious as the disease. In Britain, the draft communications data dill – a “snoopers’ charter” obliging mobile phone and internet service providers to record the details of all their users’ actions – has proved sufficiently controversial for leading Conservatives to join Nick Clegg in calling for its overhaul.
Elsewhere, still more draconian legislation has been proposed in the name of preventing everything from piracy to political protest; earlier this year, the American programmer and activist Aaron Swartz became perhaps the world’s first martyr to the cause of information freedom after taking his own life while awaiting trial – complete with the threat of punitive prison time – for downloading millions of academic articles.
As more and more of value in our lives migrates online, reconciling freedom of digital action with freedom from exploitation by others is only going to get trickier. A system is only as strong as its weakest component and many domestic users still leave the equivalent of at least one window wide open in their online abodes.
Most governments, experts and corporations would love us to close these windows. For all that burglary metaphors are apt, however, there remains a profound difference between fear of physical crime and the fear of digital disaster. And it’s this emotional disengagement that is perhaps the biggest obstacle of all to individual safety online.
If you wanted to design a problem that people don’t care about, behavioural economics professor Dan Ariely once argued, “you would probably come up with global warming”, because its consequences are so distant in time and space from its causes. Similarly, most cyber-threat stories seem custom designed to disengage ordinary users. They’re largely about other people or abstract possibilities, debated in obscure terms by experts who readily concede their inability to identify the next big threat.
There is also, however, a crucial difference between technology and climate change – because people do actually design digital systems, together with their vulnerabilities, defaults and enticements. We can’t possibly anticipate every threat online and legislative attempts to do so are fated to fail. We can, however, try to change the terms in which we debate them and in which we share warnings, solutions and stories.
From encryption and good password “hygiene” to multiple-step verification, plenty of tools and techniques for safer cyber-living already exist. Nobody, however, bothers to close a window they don’t know is open in a house they don’t think of as their own. For all of us, that needs to change.
The point at where it all goes wrong is that last sentence:
For all of us, that needs to change
- discussion beyond that can go one of two ways:
- the prescriptive: we’re from the government and we’re here to help, we know what change needs to be made and we will make it happen
- the autonomous: like all forms of hygiene, computer security is best taught to the populace; it will never be perfect but can always be better
I find it bizarre that this editorial swings back and forth between “attempted cures can look as noxious as the disease” versus “Most governments, experts and corporations would love us to close these windows” – as if supporting autonomy but fearing that improvement can never happen without state intervention.
So I suppose it’s only fitting therefore that the prescriptive “needs to change” last sentence complements the autonomous “take our information security seriously”; at best this is a neutral position for the Guardian, and at worst it is an invitation for the Home Office to selectively quote this article in a “Even the Guardian recognises that something must be done!” way.
I hear chuntering, to use a word that was used earlier, from many of the SNP Members. I am happy to debate the positive arguments for Scotland remaining part of the United Kingdom with the SNP in a proper context at any stage. However — and I hope that SNP Members and the Scottish Government take this on board — I find it difficult to take that anyone who is seen to disagree with independence finds themselves subjected to cyber-warfare through the Twitter feeds; or, if they work in the voluntary or charitable sector, finds that they receive a phone call; or, if they are a business, finds that they do not get invited to the same circle of events.
The opening grammar gags are probably related (at some remove) to this; however I am quite pleased to see the continuing debasement of the ‘c’ word, in the home that this signals its imminent demise.
The word the honourable member was searching for was feedback. Or input. Not Cyber-Warfare.
HT to Lee.
I’m … shocked. No-one in the private sector would ever have considered protection of data in transit. It’s this sort of foresightedness which amply demonstrates how private sector companies can never hope to compete with the expertise of the likes of NSA, CESG, DSD, etc, in protecting critical infrastructure.
Via; see also commentary below.
VMware has confirmed that the source code for old versions of its ESX technology was leaked by hackers over the weekend – but played down the significance of the spill.
The virtualisation giant said on Sunday that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April.
“It is possible that more related files will be posted in the future,” Iain Mulholland, VMware’s director of platform security, explained. “We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”
Mulholland said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, ought to be protected against attacks developed in the wake of the code leak.
“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” he said.
The massacre apparently resulted from a previously unseen exploit that let level one characters access the kill commands for every player and computer-controlled character in the area. A few quick-witted players managed to record video of the massacre as it was happening, showing characters dropping left and right in the formerly safe confines of the cities.
Blizzard quickly issued a hotfix for the exploit, which it says “should not be repeatable.” The company is now conducting a “thorough investigation” into what it considers a very serious matter. “We apologize for the inconvenience some of you experienced as a result of this and appreciate your understanding,” community manager Nethaera wrote in an official forum post.
Also, old news; virtual viruses. not exactly computer viruses.
Really, I can’t be arsed.
“N million passwords stolen – cyberterror!” is not the right way to think;”N million passwords stolen – it must be tuesday”, is.
— Alec Muffett (@AlecMuffett) September 3, 2012
Gosh I remember when they were Electronic Arts:
FIFA 13 will receive tightened security in a bid to avoid the issues suffered by some in FIFA 12 with suspicious activity surrounding Ultimate Team packs, EA labels president Frank Gibeau has confirmed.
“We learned a lot from the experience. A lot of companies are suffering from this right now. There’s a lot of sophisticated hacking happening in the gaming industry and it’s a continuous battle,” Gibeau told Joystiq.
“We take it very seriously, put a lot of resources on it. The learning from the FIFA example last year has been incorporated this year. There’s some incremental and additional things. I don’t want to get too detailed because I don’t want to tip our hand. Rest assured, we take it very seriously.”
EA hired a Microsoft security expert to help combat the chances of future loopholes from within games, Gibeau said, adding that it’s a battle that can’t be won, but it is that EA has to “continuously stay on top of.”%3
— Irfan Asrar (@Irfan_Asrar) August 21, 2012
We wait with baited breath to discover whether Norton clocks the latest Tor Browser Bundle as malware, as apparently one Tor user has reported – and if so, we’d like to know why/how it got that way.
Can anyone else help @Irfan_Asrar with analysing this?
Hello, I’m a journalist and have fallen for the: something must be done, this is something, therefore we must do it – cyberfallacy.
It’s hard to tell whether this is just lazy or malevolent, but small-government advocates of gridlock are going to have a hard time explaining to people on Main Street how maintaining the post office isn’t an essential role of government. Reform is the opposite of inaction. If these bipartisan bills that passed the Senate are in need of fixing, then fix ’em—or take responsibility for the looming failure.
Of course, the Senate has its own embarrassments to be held accountable for—and I’m not just talking about Harry Reid invoking Romney’s dad in a cheap campaign attack. The fact that Senate Republicans filibustered a bipartisan attempt to pass a cyber-security bill is not just an indignity, but a dereliction of duty.
We can’t wait for a digital Pearl Harbor to take this 21st-century threat seriously, but the siren song of special interests once again distracted from the national interest. The fact that some senators treated the amendment process as a Christmas tree for their own priorities (like Sen. Chuck Schumer, who attached a post-Aurora gun-control provision onto the bill) also didn’t help the prospects of passage. But this epic failure could have serious national-security consequences.
Tell me, John, what these consequences will be like. At length, if you please.
And then watch as we, the internet security community, tear apart your assumptions, sources and extrapolations.