Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would “cripple the cluster,” according to information provided to The Register by an unnamed source.
The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it’s not hard to find: “Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn’t know existed,” according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public.
The hash hiding the login “is easily brute-forced,” according to Technion, who noted in a later blog that more than 55 users have separately notified him they’d broken the hash. The backdoors are hidden in versions of the LeftHand OS v. 9.0 and higher. They have existed since at least 2009, according to The Register.
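The reason the leaked digest is "easily brute-forced" is that it is a bare, unsalted SHA1 of a fixed password: anyone holding the firmware can test dictionary candidates at one cheap hash each, and every unit shares the same answer. The following added Python example (not code from HP, The Register or Technion, and using a constructed password and hash rather than the digest quoted above) shows the dictionary check that makes such a digest trivial to recover, beside the salted, iterated construction a vendor should have used for any credential baked into a product:

```python
import hashlib
import hmac
import os

# Constructed example: a weak password stored as bare SHA1, the same
# construction the post describes. This is the SHA1 of the made-up
# password "summer2009"; it is NOT the digest quoted in the article.
WEAK_PASSWORD = "summer2009"
UNSALTED_SHA1 = hashlib.sha1(WEAK_PASSWORD.encode()).hexdigest()

# Constructed stand-in for a common-password dictionary. Real lists run
# to millions of entries and are checked in seconds against bare SHA1.
WORDLIST = ["password", "admin", "storage", "letmein", "summer2009", "welcome1"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the hardened form


def crack_unsalted_sha1(target_hex, candidates):
    """Return the candidate whose bare SHA1 equals target_hex, else None.

    Each guess costs a single SHA1 call and, with no salt, one
    precomputed table serves every device shipping the same digest.
    """
    for cand in candidates:
        digest = hashlib.sha1(cand.encode()).hexdigest()
        if hmac.compare_digest(digest, target_hex):
            return cand
    return None


def hash_password_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash: returns (salt, digest) to be stored together.

    The per-device random salt defeats shared precomputation; the iteration
    count makes each dictionary guess cost thousands of SHA256 calls.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Constant-time check of a password against a stored (salt, digest)."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def guess_cost_ratio(iterations=PBKDF2_ITERATIONS):
    """Rough ratio of per-guess work: PBKDF2 iterations vs one bare hash."""
    return iterations / 1


if __name__ == "__main__":
    hit = crack_unsalted_sha1(UNSALTED_SHA1, WORDLIST)
    print(f"unsalted SHA1 recovered from wordlist: {hit!r}")

    salt, stored = hash_password_pbkdf2(WEAK_PASSWORD)
    print(f"pbkdf2 verify correct password: {verify_pbkdf2(WEAK_PASSWORD, salt, stored)}")
    print(f"pbkdf2 verify wrong password:   {verify_pbkdf2('summer2010', salt, stored)}")
    print(f"work per guess, pbkdf2 vs bare sha1: ~{guess_cost_ratio():.0f}x")
```

The salted form does not make a fixed support password safe; a credential shared across every unit is still a backdoor once anyone recovers it, and the only real fix is not to ship one. What the comparison shows is why a bare SHA1 in firmware offers no protection at all once the image is in the public's hands.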
DOUBLE WORD SCORE: Both cyber and we take security seriously
Weirdly, I agree totally with this right up until the last sentence of the last paragraph, which is why I quote it at length:
We must all take our cyber-security seriously
The Observer, Sunday 3 February 2013
It has been a fragile week for cyber-security, with system breaches affecting a quarter-of-a-million Twitter accounts coming on the heels of online assaults against both the New York Times and the Wall Street Journal, apparently by highly sophisticated Chinese hackers.
Given the vulnerability of these high-profile targets, ordinary users might be forgiven for feeling any residual digital euphoria replaced by growing unease. What does it mean to be secure in an online realm where few people understand anything of the frantic combat taking place around them?
When it comes to combating online criminality, attempted cures can look as noxious as the disease. In Britain, the draft communications data bill – a “snoopers’ charter” obliging mobile phone and internet service providers to record the details of all their users’ actions – has proved sufficiently controversial for leading Conservatives to join Nick Clegg in calling for its overhaul.
Elsewhere, still more draconian legislation has been proposed in the name of preventing everything from piracy to political protest; earlier this year, the American programmer and activist Aaron Swartz became perhaps the world’s first martyr to the cause of information freedom after taking his own life while awaiting trial – complete with the threat of punitive prison time – for downloading millions of academic articles.
As more and more of value in our lives migrates online, reconciling freedom of digital action with freedom from exploitation by others is only going to get trickier. A system is only as strong as its weakest component and many domestic users still leave the equivalent of at least one window wide open in their online abodes.
Most governments, experts and corporations would love us to close these windows. For all that burglary metaphors are apt, however, there remains a profound difference between fear of physical crime and the fear of digital disaster. And it’s this emotional disengagement that is perhaps the biggest obstacle of all to individual safety online.
If you wanted to design a problem that people don’t care about, behavioural economics professor Dan Ariely once argued, “you would probably come up with global warming”, because its consequences are so distant in time and space from its causes. Similarly, most cyber-threat stories seem custom designed to disengage ordinary users. They’re largely about other people or abstract possibilities, debated in obscure terms by experts who readily concede their inability to identify the next big threat.
There is also, however, a crucial difference between technology and climate change – because people do actually design digital systems, together with their vulnerabilities, defaults and enticements. We can’t possibly anticipate every threat online and legislative attempts to do so are fated to fail. We can, however, try to change the terms in which we debate them and in which we share warnings, solutions and stories.
From encryption and good password “hygiene” to multiple-step verification, plenty of tools and techniques for safer cyber-living already exist. Nobody, however, bothers to close a window they don’t know is open in a house they don’t think of as their own. For all of us, that needs to change.
The point where it all goes wrong is that last sentence:
For all of us, that needs to change
– discussion beyond that can go one of two ways:
- the prescriptive: we’re from the government and we’re here to help, we know what change needs to be made and we will make it happen
- the autonomous: like all forms of hygiene, computer security is best taught to the populace; it will never be perfect but can always be better
I find it bizarre that this editorial swings back and forth between “attempted cures can look as noxious as the disease” versus “Most governments, experts and corporations would love us to close these windows” – as if supporting autonomy but fearing that improvement can never happen without state intervention.
So I suppose it’s only fitting that the prescriptive “needs to change” last sentence complements the autonomous “take our information security seriously”; at best this is a neutral position for the Guardian, and at worst it is an invitation for the Home Office to selectively quote this article in an “Even the Guardian recognises that something must be done!” way.
I hear chuntering, to use a word that was used earlier, from many of the SNP Members. I am happy to debate the positive arguments for Scotland remaining part of the United Kingdom with the SNP in a proper context at any stage. However — and I hope that SNP Members and the Scottish Government take this on board — I find it difficult to take that anyone who is seen to disagree with independence finds themselves subjected to cyber-warfare through the Twitter feeds; or, if they work in the voluntary or charitable sector, finds that they receive a phone call; or, if they are a business, finds that they do not get invited to the same circle of events.
The opening grammar gags are probably related (at some remove) to this; however, I am quite pleased to see the continuing debasement of the ‘c’ word, in the hope that this signals its imminent demise.
The word the honourable member was searching for was feedback. Or input. Not Cyber-Warfare.
HT to Lee.
I’m … shocked. No-one in the private sector would ever have considered protection of data in transit. It’s this sort of foresightedness which amply demonstrates how private sector companies can never hope to compete with the expertise of the likes of NSA, CESG, DSD, etc, in protecting critical infrastructure.
Via; see also commentary below.
VMware has confirmed that the source code for old versions of its ESX technology was leaked by hackers over the weekend – but played down the significance of the spill.
The virtualisation giant said on Sunday that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April.
“It is possible that more related files will be posted in the future,” Iain Mulholland, VMware’s director of platform security, explained. “We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”
Mulholland said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, ought to be protected against attacks developed in the wake of the code leak.
“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” he said.