HP admits to backdoors in storage products

Hewlett-Packard has agreed that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July. The issue, which seems to have existed since 2009, was brought to the attention of The Register by Technion, the blogger who earlier published an undocumented backdoor in the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    They will provide a patch and they will allow you to disable that support account. HP will just have a new private back door account though.

    Who thought it was a good idea to have a support account that could reset the device to factory defaults? How many customers screwed their config up so bad and locked themselves out that they had to call HP to wipe the box?

    Not as bad as Netscreen firewalls though; if you have the serial number, you can use it to wipe a firewall as long as you can get access via CLI or GUI to it.

    1. Anonymous Coward
      Mushroom

      Re: Who thought it was a good idea...

      Some baboon who wanted to report to upper management; "See! I've streamlined support!!!!!11!ONE!1!"

    2. Anonymous Coward
      Anonymous Coward

      "...HP will just have a new private back door account though...."

      Of course. There is no hardware reset switch anymore, so to avoid lost passwords bricking the device, they will always have to have a backdoor into it.

      1. Down not across
        Facepalm

        "Of course. There is no hardware reset switch anymore, so to avoid lost passwords bricking the device, they will always have to have a backdoor into it."

        Yes, in their wisdom HP decided that the support account is more secure than hardware reset switch.

        Most of the kit from various vendors is resettable if you have physical access to it, and this is generally not an issue as most corporate environments have physical access controls in place to stop just anyone fiddling with the kit.

        I'd like to know how they came to the conclusion that remote access is more secure than requiring physical access. I would kind of understand if they had opted for combination of the two, so that you would need one method to enable the other method (for a brief time period before it automatically times out again).

        1. Solmyr ibn Wali Barad

          yep, what exactly was wrong with the physical switch?

          A config reset switch may cause trouble if it is a tempting-looking red button on the back panel. Inside the controller unit it's reasonably secure. Certainly better than any remote access solution.

          Perhaps it was done for the so-called "dark sites" with no permanent staff? But still not a good explanation. In that case, driving n+n miles would be a proper punishment for screwing up.

        2. Destroy All Monsters Silver badge
          Paris Hilton

          I'd like to know how they came to the conclusion that remote access is more secure than requiring physical access.

          Business Analysts and a Decision Chain of Monkeys?

          1. Anonymous Coward
            Anonymous Coward

            "Business Analysts and a Decision Chain of Monkeys?"

            Cost of doing it in software $0.00; the cost of a button $0.10. So, software was free whereas a button costs money on each machine.

  2. Tom 35

    But no other HP products?

    Do they expect people to think that this is a one off and they didn't do the same thing on some (ALL?) of their other products...

    1. Richard 26
      Black Helicopters

      Re: But no other HP products?

      HP acquired LeftHand in 2008/2009. So whilst the tin-foil hat brigade might think they immediately backdoored it, it seems more likely to me that it was there all along but became HP's problem at that point.

  3. Winkypop Silver badge
    FAIL

    Help Please

    All your backdoor are belong to us.

  4. John Smith 19 Gold badge
    Mushroom

    Hmm. A mass reset of *all* HP storage products *everywhere*.

    Good thing neither the NSA nor GCHQ rely on them isn't it?

    Cloud because well it could come close to ending civilization as we know it.

  5. Justin Stringfellow
    Black Helicopters

    LeftHand OS

    http://www.merriam-webster.com/dictionary/sinister :

    Definition of SINISTER

    1 archaic : unfavorable, unlucky

    2 archaic : fraudulent

    3 : singularly evil or productive of evil

    4 a : of, relating to, or situated to the left or on the left side of something; especially : being or relating to the side of a heraldic shield at the left of the person bearing it

    4 b : of ill omen by reason of being on the left

  6. Version 1.0 Silver badge

    Complex passwords?

    "credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters"

    So what? Why would anyone want to use a complex, hard to remember password with some strange C0mBinAtion of characters? All that happens is that the lusers end up writing it down on a sticky note under the keyboard. Strong passwords do not have to be complex or hard to remember.

    1. Yag

      Re: Complex passwords?

      well... the sticky note under the keyboard is probably more secure than a lot of other methods I saw (worst offender was: "I'll just write them in a plain text file named 'passwords.txt' and stick it on my USB key")

    2. BristolBachelor Gold badge

      Re: Complex passwords?

      More relevant is that it doesn't matter what the password is, or how complex, if it is the same on every box!

      I have a file somewhere of "standard passwords" for the default admin accounts on all sorts of hardware; once your device is on this list, it is not secure, regardless of how many %$º{Ç are in the password.

      1. John Smith 19 Gold badge
        Unhappy

        Re: Complex passwords?

        "More relevant is that it doesn't matter what the password is, or how complex, if is the same on every box!."

        And that's the real b**ger of this issue.

        It's a universal hole in everyone's hardware.

        But you have to ask how many other mfgs do it?

        The trouble is proper password management is a PITA.

        Store them on a secure website? Congratulations all your passwords belong to the USG.

    3. Robert Carnegie Silver badge

      Re: Complex passwords?

      "credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters"

      or vowels?

      fycnrdthsyrprttysmrt

      (is not my actual password)

      1. Destroy All Monsters Silver badge
        Meh

        Re: Complex passwords?

        It's a complex/lawyersafe way of saying that it is "admin"

        (just guessing and no-one shall act on information alleged or not alleged to be true in this statement)

        1. Daniel B.
          Coat

          Re: Complex passwords?

          I'm guessing it is more along the lines of "hewlettpackard" or "icarlyfiorina"

    4. MacGyver
      Facepalm

      Re: Complex passwords?

      For the love of Pete, at least make the serial number part of the login or password; that way your customers at least have a chance of fending off the haxors. Using "admin" and the serial number would at least narrow access down to reasonable levels, or at least not to everyone plus dog. Yikes!
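The per-device credential idea above, and the "serial number alone" weakness mentioned further up the thread for Netscreen, can be made concrete. The following is an added example written for this page, not code from HP, LeftHand or any vendor: the support password for one unit is an HMAC of its serial number under a vendor-held secret (a hypothetical constant here), and the device stores only a salted slow hash of that password, so neither the serial printed on the chassis nor the firmware of one unit yields another unit's credential. Serial numbers and the secret value are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Vendor-held secret, kept in the support back end and never written to firmware.
# Hypothetical value constructed for this example; a real one would live in an HSM.
VENDOR_SECRET = b"example-vendor-root-secret-not-a-real-key"

PBKDF2_ROUNDS = 200_000


def support_password(serial: str, secret: bytes = VENDOR_SECRET) -> str:
    """Derive the support password for one unit from its serial number.

    HMAC-SHA256 keyed with the vendor secret: two units never share a password,
    and the serial alone (printed on the chassis, shown in the GUI) is useless
    without the secret. 20 bytes of tag, base32, lowercase -> 32 typeable chars,
    readable over the phone to a customer who has locked themselves out.
    """
    tag = hmac.new(secret, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(tag[:20]).decode("ascii").lower()


def provision_device(serial: str) -> dict:
    """At manufacture: store a salted, slow hash of the unit's password on the
    device. The device never holds VENDOR_SECRET, so extracting one unit's
    firmware does not reveal the password of any other unit."""
    salt = os.urandom(16)
    pw = support_password(serial).encode("ascii")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
    return {"serial": serial, "salt": salt, "hash": digest}


def device_verify(record: dict, candidate: str) -> bool:
    """On the device: check a password typed in by support, in constant time,
    without the device ever knowing how it was derived."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("ascii"),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Two constructed serials: distinct passwords, each verified only by its own unit.
    unit_a = provision_device("EXAMPLE-SN-0001")
    unit_b = provision_device("EXAMPLE-SN-0002")
    print(support_password("EXAMPLE-SN-0001"), support_password("EXAMPLE-SN-0002"))
    print(device_verify(unit_a, support_password("EXAMPLE-SN-0001")),   # True
          device_verify(unit_a, support_password("EXAMPLE-SN-0002")))   # False
```

This removes the "same on every box" problem the thread complains about, but not the other one: a remote support credential still exists, and a leak of the vendor secret is a leak for every unit at once, which is why the physical-reset-plus-timed-enable arrangement suggested earlier in the thread is the stronger design.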

  7. Mr. A

    OK, not great but...

    You'd still need access to the MGMT VLAN to do anything with it anyway.

    1. xehpuk
      Linux

      Re: OK, not great but...

      Yes, well as long as there are no back doors in your routers too.

  8. LawLessLessLaw
    Boffin

    Complexity !

    Complexity is irrelevant in passwords; what's important is length.

    "hp magic backdoor password"

    is a better password than

    "hp43!@#!ohOH"

    1. Destroy All Monsters Silver badge
      Thumb Down

      Re: Complexity !

      No.

    2. John H Woods Silver badge

      Re: Complexity !

      "Complexity is irrelvant in passwords,what's important is length."

      What's important is the number of bits of entropy in the password (although I guess you could say that's the length when expressed in binary). I reckon your second password counts as about 60 bits. Written English has only 1-3 bits of entropy per character, so there's a good chance your passwords are pretty similar in strength; it's certainly not definitely the case that the password you say is better really is the better one.
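The entropy argument in the post above, and the "same on every box" point made earlier in the thread, both come down to which attacker model you assume. The following is an added example for this page, not code posted by any commenter: it scores the two passwords from the thread under a per-character brute-force model, a word-list model and a natural-English model, and takes the cheapest applicable one as the effective strength. The 8000-word dictionary and 1.3 bits per character are assumed attacker parameters, not figures from the page.

```python
import math
import string

# Character classes for the brute-force model; " " so passphrases with spaces
# are handled. Which classes a password uses decides the alphabet an attacker
# who knows nothing else has to search.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation, " ")


def charset_bits(password: str) -> float:
    """Bits under a per-character brute-force model: every string over the
    union of the character classes the password actually uses."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(passphrase: str, dictionary_size: int = 8000) -> float:
    """Bits under a dictionary model: words drawn independently from a list of
    dictionary_size common words (assumed attacker wordlist size)."""
    return len(passphrase.split()) * math.log2(dictionary_size)


def english_text_bits(text: str, bits_per_char: float = 1.3) -> float:
    """Bits if the attacker models the secret as ordinary English prose;
    Shannon's estimates for printed English are roughly 1 to 1.5 bits/char."""
    return len(text) * bits_per_char


def effective_bits(password: str, known_defaults: frozenset = frozenset()) -> float:
    """Strength against an attacker who picks the cheapest applicable model.
    A password on a published default list costs nothing to guess, however long."""
    if password in known_defaults:
        return 0.0
    estimates = [charset_bits(password)]
    tokens = password.split()
    if tokens and all(t.isalpha() and t.islower() for t in tokens):
        # Looks like lowercase words: dictionary and prose models both apply.
        estimates.append(wordlist_bits(password))
        estimates.append(english_text_bits(password))
    return min(estimates)


if __name__ == "__main__":
    for pw in ("hp magic backdoor password", "hp43!@#!ohOH"):
        print("%-28s brute-force %6.1f  effective %6.1f bits"
              % (pw, charset_bits(pw), effective_bits(pw)))
```

Under the full-keyboard brute-force model the 12-character mixed password scores about 79 bits (more generous than the 60 reckoned above, because the model assumes all 94 printable ASCII characters), while the four-word phrase scores about 124 bits on the same model but only about 34 bits once the attacker treats it as English, so it is the weaker of the two against that attacker. Any password on a default-credential list scores zero regardless of length, which is the thread's real complaint about a credential shared by every unit.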

    3. Michael Dunn
      Happy

      Re: Complexity !

      Yes, and any random line from Omar Khayyam - easy to remember but difficult to break.

  9. Anonymous Coward
    Anonymous Coward

    In all fairness...

    If you leave your storage array exposed to the outside world, you're asking for this sort of thing to happen. Anyone running major storage that's not on a private LAN or heavily ACL'ed should consider a career change.

  10. All names Taken
    Paris Hilton

    Ooo - imagine that!

  11. Gil Grissum

    And people said I was paranoid for avoiding HP storage products? LOL!!!

  12. x50

    This is fairly common practice in the industry. Some vendors (EMC) may have additional security measures in place (ESRS) to access the equipment but most large storage vendors have vendor accounts on the arrays, many hidden from their customers.

    Many start-ups are taking this more seriously and I've seen an increase in devices from start-ups that require you to manually start a reverse tunnel to allow them access to the arrays. Ask your large vendors to start utilizing similar practices for better security.
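The customer-initiated reverse tunnel described above can be scripted so that the array never listens for inbound vendor connections and the session cannot outlive an agreed window. The following is an added example for this page, not the tooling of any vendor mentioned in the thread: it builds a hardened `ssh -R` command (the vendor jump host, user and ports are placeholders) and runs it under a hard time limit, killing the tunnel when the limit expires.

```python
import subprocess

MAX_TTL_SECONDS = 4 * 3600  # hard cap on a single support session


def ttl_is_valid(ttl_seconds: int) -> bool:
    """A session must be finite and no longer than the agreed maximum."""
    return 0 < ttl_seconds <= MAX_TTL_SECONDS


def reverse_tunnel_argv(vendor_host: str, vendor_user: str, remote_port: int,
                        local_port: int = 22, ttl_seconds: int = 900) -> list:
    """Build the ssh command the customer runs from the array's management host.

    The vendor's jump host gets 127.0.0.1:remote_port forwarding back to
    local_port on this side; the array itself accepts no inbound connection,
    and the tunnel exists only while the customer keeps this process alive.
    """
    if not (1 <= remote_port <= 65535 and 1 <= local_port <= 65535):
        raise ValueError("port out of range")
    if not ttl_is_valid(ttl_seconds):
        raise ValueError("session TTL must be 1..%d seconds" % MAX_TTL_SECONDS)
    return [
        "ssh", "-N",                          # forwarding only, no remote shell
        "-o", "ExitOnForwardFailure=yes",     # fail loudly if the remote port is taken
        "-o", "ServerAliveInterval=30",       # drop dead sessions rather than lingering
        "-o", "StrictHostKeyChecking=yes",    # vendor host key must already be pinned
        "-o", "BatchMode=yes",                # key-based auth only, no password prompt
        "-R", "127.0.0.1:%d:localhost:%d" % (remote_port, local_port),
        "%s@%s" % (vendor_user, vendor_host),
    ]


def run_support_session(argv: list, ttl_seconds: int) -> int:
    """Run the tunnel and tear it down when the TTL expires, whatever the
    vendor is in the middle of. Returns ssh's exit status, or -1 on timeout."""
    try:
        return subprocess.run(argv, timeout=ttl_seconds).returncode
    except subprocess.TimeoutExpired:
        return -1  # subprocess.run has already killed the child


if __name__ == "__main__":
    # Placeholder vendor endpoint; a real one would come from the support ticket.
    cmd = reverse_tunnel_argv("support-jump.example.net", "acme-storage", 2222,
                              ttl_seconds=900)
    print(" ".join(cmd))
    print("exit status:", run_support_session(cmd, 900))
```

Pairing this with a dedicated, key-authenticated account on the vendor side gives an audit trail of who connected and when, which a vendor account baked into the array can never provide.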
