
Hidden Backdoor Discovered On HP MSA2000 Arrays

CmdrTaco posted more than 3 years ago | from the i'm-your-backdoor-man dept.


wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."


197 comments

Wow... (5, Funny)

Ethanol-fueled (1125189) | more than 3 years ago | (#34552382)

The hard coded user and password in the HP MSA2000 is set to: username: admin

password: !admin

WaHAHAHAHAH! Not even "n9xe2uPAthe9" or even "Mr.Snuffles". And it is exactly the same as the very generic username, except for one extra character. It's almost as bad (or perhaps even worse) than using "123456" or even "password." [slashdot.org]

This further proves that "faith based security" - relying on vendors to provide systems with built-in robust security- is not a good practice.

Well...nah, I won't even go there. Too easy. I'm trying to be a good boy. Would somebody like to post a sysadmin's prayer for us?

Re:Wow... (1)

chemicaldave (1776600) | more than 3 years ago | (#34552446)

Who would ever guess that the password for admin is "!admin" or "not admin?" Secure beyond belief!

Re:Wow... (1)

Anonymous Coward | more than 3 years ago | (#34552568)

!I

Re:Wow... (5, Funny)

beanpoppa (1305757) | more than 3 years ago | (#34553222)

Steve-"Hey, Frank! What should I make the password for our backdoor admin account?" Frank-"Definitely NOT admin!" Steve-"Ok."

Re:Wow... (0)

f3rret (1776822) | more than 3 years ago | (#34553660)

Wouldn't !admin mean subfactorial[admin]?

Re:Wow... (4, Funny)

mrsteveman1 (1010381) | more than 3 years ago | (#34552476)

Yes but you've now seen the ! so it's NOT admin, we'll have to keep looking.

Those HP guys are clever.

Re:Wow... (2)

DarkOx (621550) | more than 3 years ago | (#34553028)

It's because whoever would use that login is obviously not the admin.

Re:Wow... (1)

ocdscouter (1922930) | more than 3 years ago | (#34553328)

I guess he's not Brian, either.

Re:Wow... (4, Interesting)

pixelpusher220 (529617) | more than 3 years ago | (#34553242)

On a serious note, with a user name of 'admin', would that prevent an actual user account being created with 'admin' as the name?

Wonder if that might be a new check to run on vendor systems to weed out the truly stupid 'features' like this one. Run a script to create frequently used admin accounts and see if any fail due to them already existing.

Re:Wow... (1)

Beardo the Bearded (321478) | more than 3 years ago | (#34553676)

To be fair, to use that login you have to go through a few steps:

1. You have to be shrunk down and enter your own brain.
2. Remove your common sense.
3. Show the back door your admin and not admin.

Re:Wow... (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34552718)

Anyone started testing other HP equipment for the same issue?

Not familiar with the product in question, but it's possible a superuser account could have been embedded like this so they could reset data on RMA'd units without having to pull the chips... or for remote troubleshooting. That doesn't make it any less stupid, but if it's here there's no reason it couldn't exist in other similar products... or even not so similar ones.

Probably worth checking if you have any HP gear in house, better safe than sorry.

Some other examples (3, Interesting)

Anonymous Coward | more than 3 years ago | (#34552754)

Your point about relying on vendors is a superb one. Here's another data point to be concerned with.

A lot of startups, and not-so-small companies, source their boxes from Asian manufacturers. This is generally known, and not a surprise. What may be a surprise is that not even the vendor who turns it into a server type of product is authorized to open the box. If they do, the warranty is voided. The top end boxes will go for +$15K a pop, so you can darn well be certain that the vendor doesn't open the system.

This is a superb opportunity for Chinese manufacturers to put in a back door to an embedded server product. I can think of a half dozen vendors, whose names everyone recognizes, which do this.

Good luck on securing that.

Re:Some other examples (1)

h4rr4r (612664) | more than 3 years ago | (#34552794)

We have servers that cost a lot more than that, we open them all the time.

Re:Some other examples (1)

icebike (68054) | more than 3 years ago | (#34553172)

What does opening the box have to do with backdoor passwords?

I looked inside the case of my NAS recently, and didn't see any passwords. Does that mean I am safe?

Re:Some other examples (1)

skarphace (812333) | more than 3 years ago | (#34553736)

I looked inside the case of my NAS recently, and didn't see any passwords. Does that mean I am safe?

You obviously aren't looking hard enough.

Re:Wow... (1)

zill (1690130) | more than 3 years ago | (#34552884)

"Mr.Snuffles"

How did you find my password?

Re:Wow... (0)

Anonymous Coward | more than 3 years ago | (#34553214)

That's not my password.

I use 5...4...3...2...1...

Re:Wow... (0)

Anonymous Coward | more than 3 years ago | (#34552900)

Give me the serenity to accept my users' ineptitudes, my CFO's shortsightedness, and help me curb my frustrations.
Also, please help prevent anyone from finding the bodies.

Re:Wow... (1)

idontgno (624372) | more than 3 years ago | (#34553610)

Oh, yeah, that 80s group... "Admin (Not Admin)". I loved that song. [wikipedia.org]

Re:Wow... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34553662)

Would somebody like to post a sysadmin's prayer for us?

Our Router, which art in IOS
hallowed be thy interface
thy packets come
thy routing be done
on the LAN as it is on the Web.
Give us this day our daily Clues
And forgive us our LARTings
As we LART those who make stupid service requests
And lead us not into Windows support
but deliver us from lusers
For thine is the Network
The Bandwidth and the Packet
For the duration of the DHCP lease.
Amen

Re:Wow... (1)

Anonymous Coward | more than 3 years ago | (#34553740)

I would laugh except I've run across an agency where the management decreed that all the admin level accounts would be renamed with a "!" in front of them, for unspecified security reasons. (It's probably just to make going through audit logs easier.) So, now any noob that gets a hold of a user list will know exactly which accounts to brute force. !johndoe for the win!

No one ever got fired for buying HP . . . (2)

drsmack1 (698392) | more than 3 years ago | (#34552404)

Oh wait...

And the password is..... (4, Funny)

drsmack1 (698392) | more than 3 years ago | (#34552448)

cntraltdelete

If that is too long to type, you can use the shortcut keys on your keyboard. This HP thing goes deep. . . .

Looks like a big "fuck you" to Uncle Sam. (-1, Troll)

Lilith's Heart-shape (1224784) | more than 3 years ago | (#34552622)

Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

Re:Looks like a big "fuck you" to Uncle Sam. (1)

DNS-and-BIND (461968) | more than 3 years ago | (#34552728)

Uhhh....your Ameriphobia is showing. When all you do all day is think about how America is bad, then it's not surprising when you invent scenarios in which you are correct. I am reminded of the Baptist preacher who thinks that every time someone gets an STD, it must be the work of Satan.

Re:Looks like a big "fuck you" to Uncle Sam. (1, Troll)

Lilith's Heart-shape (1224784) | more than 3 years ago | (#34552874)

Zip up. Your flag-waving nationalism is showing.

Re:Looks like a big "fuck you" to Uncle Sam. (1)

jdgeorge (18767) | more than 3 years ago | (#34553272)

Zip up. Your flag-waving nationalism is showing.

I love my country, salute my flag, and honor the soldiers who have fought to keep us safe. From foreigners. With uninteresting opinions. Who should butt out!

THAT is flag-waving nationalism. As it is generic, you may easily reuse it for your own nationalistic purposes, which I will, of course, ignore, because you are probably a foreigner. So butt out. :-)

Re:Looks like a big "fuck you" to Uncle Sam. (1)

Lilith's Heart-shape (1224784) | more than 3 years ago | (#34553526)

Actually, I'm an alien, an exile from Planet Transsexual.

Re:Looks like a big "fuck you" to Uncle Sam. (1)

jdgeorge (18767) | more than 3 years ago | (#34553656)

Heh... No such thing as too much Tim Curry. Carry on.

Re:Looks like a big "fuck you" to Uncle Sam. (1, Informative)

OzPeter (195038) | more than 3 years ago | (#34552938)

Uhhh....your Ameriphobia is showing. When all you do all day is think about how America is bad, then it's not surprising when you invent scenarios in which you are correct

U.S. Tries to Make It Easier to Wiretap the Internet [nytimes.com]

FBI drive for encryption backdoors is déjà vu for security experts [arstechnica.com]

Yeah .. you're right .. it's Ameriphobia when US companies are complying with the gubmint

Re:Looks like a big "fuck you" to Uncle Sam. (3, Insightful)

Jeng (926980) | more than 3 years ago | (#34553230)

Perhaps I didn't read close enough, but I didn't see anyone complying.

The FBI and NSA can ask for the moon, doesn't mean they are going to get it.

From reading your link perhaps you should have a case of Indiaphobia or United Arab Eremitesphobia.

There are other countries in this world with the pull to have back doors included; it's not a U.S.A.-specific issue.

Re:Looks like a big "fuck you" to Uncle Sam. (1)

OzPeter (195038) | more than 3 years ago | (#34553380)

Perhaps I didn't read close enough, but I didn't see anyone complying.

The FBI and NSA can ask for the moon, doesn't mean they are going to get it.

From reading your link perhaps you should have a case of Indiaphobia or United Arab Eremitesphobia.

There are other countries in this world with the pull to have back doors included; it's not a U.S.A.-specific issue.

Oh I agree this is not an American phenomenon, and it was really funny when people were getting all up in arms over the phone equipment supplied to Iran. And the case in Greece with the phone system was also a very very sophisticated backdoor hack that probably was (some) government related. But as to companies complying, do you really think that part of a company's advertising campaign is "We support all government requested back doors!"

Re:Looks like a big "fuck you" to Uncle Sam. (1)

tlhIngan (30335) | more than 3 years ago | (#34552746)

Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

In this case, it's hoped that competitors to Uncle Sam's campaign contributors buy this storage array for cheap and easy industrial espionage. It's not about national security or law enforcement, it's ensuring US companies can exercise their right to make a profit. If it involves hacking into a competitor's system and downloading all their data, even better. No one would suspect their disk array!

Re:Looks like a big "fuck you" to Uncle Sam. (5, Interesting)

Anonymous Psychopath (18031) | more than 3 years ago | (#34552824)

Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

Exactly! What happened was that they used this type of storage array to hold data on the 9/11 cover-up, and also to edit the footage of the "moon landing". Also the specs for their black surveillance whisper copters.

Or someone at HP is a moron.

Re:Looks like a big "fuck you" to Uncle Sam. (1)

ppanon (16583) | more than 3 years ago | (#34552882)

I think Uncle Sam would have been a little more creative in choosing the backdoor password since it would have, in large part been USA companies rendered vulnerable. This indicates, I think, either a disgruntled worker who didn't care about picking a hard to find backdoor, or an agent for the foreign government of a country that does a lot of outsourcing who wanted anybody discovering the backdoor to think it was a disgruntled worker. Sometimes it's all about plausible deniability.

Re:Looks like a big "fuck you" to Uncle Sam. (3, Interesting)

DarkOx (621550) | more than 3 years ago | (#34553266)

It's probably nothing like that. Some idiot on the service side of the house probably convinced some VP that a backdoor was needed so the support people could deal with customers who had lost the passwords or when they had to refurbish an RMA and wanted to be lazy and not have to replace any chips or flash the thing or whatever. That VP then made the software team add the backdoor. I think on the MSA15000 there is a check to make sure the password does not match the user name, which I might have run across when familiarizing myself with it prior to deployment. The developers probably wanted to make the password match the user name (it's hidden after all) but also did not want to run into that test code somewhere even with the hard coded value.

That being said, admin was an aggressively stupid choice and hard coded back doors at least rank as very stupid to begin with.

Re:Looks like a big "fuck you" to Uncle Sam. (2)

Nimey (114278) | more than 3 years ago | (#34552932)

How d'you know it wasn't some Chinese firmware programmer?

Re:Looks like a big "fuck you" to Uncle Sam. (0)

Anonymous Coward | more than 3 years ago | (#34553178)

Because the Chinese would be smarter and subtler than that - unless they thought I'd think that about them, which proves it!

Sigh. Conspiracy theorists (4, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#34553012)

It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and willy explanation over a simple and obvious one. So what is the obvious one here? Simple: HP support. They want to be able to get in to the units to help their customers, and do shit like recover passwords (which customers will lose). So they add their special hardcoded maintenance account.

Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing. You've decided on a conclusion (that the government requires everything to have a backdoor, which is 100% false) and are then making a massive illogical leap with no supporting evidence to that.

Re:Sigh. Conspiracy theorists (0)

Lilith's Heart-shape (1224784) | more than 3 years ago | (#34553068)

You've decided on a conclusion (that the government requires everything to have a backdoor, which is 100% false) and are then making a massive illogical leap with no supporting evidence to that.

I do that all the time when I'm bored. Then again, I think that Jacqueline Kennedy paid Lee Harvey Oswald to whack her husband because she was tired of his philandering.

Re:Sigh. Conspiracy theorists (1)

Beardo the Bearded (321478) | more than 3 years ago | (#34553708)

Weird. I always thought that the woman in the limo was Lee Harvey Oswald in drag, and Jacquie was the one with the rifle in the repository.

Re:Sigh. Conspiracy theorists (0)

Anonymous Coward | more than 3 years ago | (#34553100)

It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and willy explanation over a simple and obvious one. So what is the obvious one here?

That the Government wants access to our back door to, I guess, stick more in there?

Re:Sigh. Conspiracy theorists (3, Informative)

OzPeter (195038) | more than 3 years ago | (#34553136)

Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing.

And you have totally fallen for it. The gubmint is one step ahead of you already by using psychology to defeat your common sense. They selected the account/password to masquerade as an HP support account, knowing that if it was found out that people like you (or should I say gubmint shills????????) would try and convince the rest of us that it was all an innocent mistake!

Try and refute *that* Mr G-Man!

Re:Sigh. Conspiracy theorists (2)

The_mad_linguist (1019680) | more than 3 years ago | (#34553390)

Try and refute *that* Mr G-Man!

Time, Mr. Ozpeter...
Is it ... really that time ag...ain? It seems as if you only ... just arrived.

You've done a great - deal in a ... small time span. You've done so well, in fact, that I've received some ... interesting offers for your services.

Re:Sigh. Conspiracy theorists (2)

OzPeter (195038) | more than 3 years ago | (#34553688)

in fact, that I've received some ... interesting offers for your services.

$120 per hour for labour, $60 per hour for travel time > 1 hour from home base. All expenses at cost, and own use car mileage paid at full government rebate amounts. All time (labour and travel) over 40 hours per week to be booked at time and a half. Over 60 hours a week at double time. All flights over 3 hours to be booked at business class or better, and where available gate lounge fees to be paid.

So can we do business?

Re:Sigh. Conspiracy theorists (0)

Anonymous Coward | more than 3 years ago | (#34553382)

It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and willy explanation over a simple and obvious one. So what is the obvious one here? Simple: HP support. They want to be able to get in to the units to help their customers, and do shit like recover passwords (which customers will lose). So they add their special hardcoded maintenance account.

This is plausible. Too bad they didn't do it right, like by adding a user with a private 2048 bit DSA key, and using SELinux to make sure nobody can see the key except for the SSH process. Even this might not be paranoid enough, depending on the numbers of deployed machines, SELinux vulnerabilities, and numbers of SSH vulnerabilities that make it possible to read memory illegitimately.

Re:Sigh. Conspiracy theorists (3, Insightful)

DarkOx (621550) | more than 3 years ago | (#34553490)

OK but an MSA2000 is NOT a toy. It might not be the first class SAN solution for large caps but they certainly power lots of medium businesses with billion dollar a year bottom revenue lines. Those companies are big enough to care about security and big enough to employ at least one competent systems administrator even if they will then force him to use some second rate monkeys for help. That person should NOT be forgetting the password; what if something happens to him? Well, the way I did it is I wrote that stuff down. The sensitive passwords were kept in a safe deposit box on CD-ROM inside an AES encrypted zip file at the bank; the CEO had the other key and knew the password to the zip as well. $25 a year is a small investment to ensure that one of us will be able to obtain that information if needed. Anyone buying an MSA2000 can afford that and come up with a similar suitable arrangement.

If HP *needs* a backdoor for servicing the units, it's 2010; they really should have some alternate login method, perhaps a serial header on the controller system board or something, so that you would have to give them physical access or an attacker would have to gain physical access, and the credentials should be a certificate file so there will be no guessing the 4Kb password.

Re:Sigh. Conspiracy theorists (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34553520)

There is a logical place for support accounts, particularly with fancy enterprise junk where phoning home to the mothership when things go sour is considered a feature; but hardcoded passwords are an amazingly stupid way of setting them up.

Even a superb hardcoded password is going to sneak out eventually, even if only after the units start to be scrapped (but before all of them leave production). At a bare minimum, the hardcoded password would have to be unique per unit. Even better, use something like a cryptographic challenge/response system, so even an attacker with silicon level access can only learn HP's public key, which is useless, and HP can still do their thing.

Because of the needs of humans, passwords have their place; but for anything automated/serious, cryptographic techniques are the only way to go. Anything else is pitifully amateurish.

Re:Sigh. Conspiracy theorists (2)

LordLucless (582312) | more than 3 years ago | (#34553542)

Really? I see nobody here mentioning conspiracy theories (certainly nobody modded up) except you. The thing is, we don't care why HP did it. What we care is that they did. And regardless of what they were going to use it for, what it can be used for is compromising the security of a user's system. It may not have been malevolent, but it was certainly condescending (users are too stupid to manage their own system) and it definitely compromises security.

Re:Sigh. Conspiracy theorists (2)

random_ID (1822712) | more than 3 years ago | (#34553546)

I find it baffling, myself. Anyone smart enough to create this backdoor (for whatever reason) should be smart enough to pick a better username/password.

Re:Sigh. Conspiracy theorists (1)

NeutronCowboy (896098) | more than 3 years ago | (#34553550)

Here's the thing though: this is an incredibly bad way to support hardware.

#1: Your customers actually don't trust you when they find out that there's a hardcoded user in the hardware. Why? Because businesses with a proper understanding of security know that this is a massive security hole, and will refuse to buy that hardware.
#2: There's already a way to get admin-level access to hardware: ask the client for it. If they don't want you to connect to their internals with their own password, there are things like VPNs and temporary admin passwords - again, stuff that is basic IT methodology. Yeah, it's a bit harder than just handing things over to the vendor and saying "Fix it", but it's vastly better.
#3: If user recovery is the issue, the solution is wrong. The proper solution is a hardware reset button that has no user-level API. Yes, all the settings are borked. Export them, reset, import them back in. Yes, it's harder, but it's the right thing to do.

Yes, you are correct: this is all for the purpose of easy support. However, it's braindead, and any company with an IT department worth its name will refuse to run hardware with this "feature", and should look closely into vendors with a better understanding of security.

And that's coming from someone who used to work for HP.

Hello Joshua ... (3, Funny)

tgd (2822) | more than 3 years ago | (#34552630)

How about a nice game of chess?

Re:Hello Joshua ... (1)

Nikola Tesla and You (1490547) | more than 3 years ago | (#34553108)

It would have been really funny and clever if they had used that as the password...

Ok so two things (1)

Aerorae (1941752) | more than 3 years ago | (#34552634)

1) Why the hell would any manufacturer hard code ANY passwords or users and
2) Just how many of these systems are out there, in which areas of the private & public sectors?

Re:Ok so two things (4, Interesting)

Saishuuheiki (1657565) | more than 3 years ago | (#34552684)

One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

One would hope that the password is put somewhere that a firmware flash can change it however.

Re:Ok so two things (4, Insightful)

sqlrob (173498) | more than 3 years ago | (#34552972)

That doesn't need a single hardcoded password. Generate one based on the serial number of the device. Recoverable, and a heck of a lot more secure than a single password for everybody.

Re:Ok so two things (1)

Anonymous Coward | more than 3 years ago | (#34553566)

Based on the serial number? That's security through obscurity of the worst kind. The question an attacker has to guess is "Which algorithm did they use to generate the password?" There are only 20 or so good algorithms. Less than 5 bits of entropy. The only way to make such a scheme work would be to salt the hash, and store the salt on HP's campus. That is a big logistical problem, considering how manufacturers operate their manufacturing lines.

No, that is not good enough. It is much better to use a single, enormous private key with suitable access controls (like SELinux). How many guesses will it take to compute the public key for an unknown 2048 bit private key? A lot more than can be done before the Sun swallows up the Earth.

Livingston Routers (Yes, I'm old) (2)

Joe U (443617) | more than 3 years ago | (#34553764)

Livingston (now Lucent) routers had a recovery mode where you physically had to flip a DIP switch and read a key to them.

If I remember correctly, this would get you one factory default wipe, so you could get back in and then restore the settings.

IMHO, this is the only type of solution that works, you need physical access, AND have to be willing to restore from backup.

Re:Ok so two things (1)

LWATCDR (28044) | more than 3 years ago | (#34553004)

Okay, I understand that, but this is dumb. Maybe require a physical button or key to be turned on the server to allow that password to be used! Or maybe a USB device with crypto on it plugged in to activate it?
I mean really, people, HP must have people that are at least as smart as I am.

Re:Ok so two things (2)

Jah-Wren Ryel (80510) | more than 3 years ago | (#34553110)

One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

They should have done something that at least has a chance of verifying physical access to the machine - like making the password a derivative of the serial number.
As in: luser admin calls HP, says he's locked out, HP asks for the serial number, runs it through some algorithm only known to HP that outputs the password for that system.
That's not perfect either, but it would be a big improvement over hardcoding the same damn password for all units.

Re:Ok so two things (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34553590)

Even better than a secret algorithm, which is generally bad juju, you might as well just use well-known and well tested cryptographic techniques: each unit's service backdoor would be its MAC address, signed with an HP private key (stored with the same care reserved for SSL root certs and the like). The unit would just have to know its own MAC address and HP's public key to be able to verify the validity of the signature...
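As an added example (not HP firmware and not code from this thread), here is the signed challenge/response design the two fuzzyfuzzyfungus comments describe, in Go with the standard library's Ed25519: the unit holds only the vendor public key, issues a random challenge bound to its serial number, and accepts exactly one signed answer, so a dumped firmware image or a recorded support session yields nothing reusable. The vendor key pair, the serial number, the message format and all type and function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vendor holds the support desk's signing key. Only Pub ever leaves the
// vendor; it is what would be burned into each unit's firmware.
type Vendor struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewVendor generates a throwaway key pair for this example (constructed, not HP's).
func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv, Pub: pub}, nil
}

// Device models the array's service-login logic. Someone who dumps the
// firmware learns Serial and vendorPub, neither of which produces a valid answer.
type Device struct {
	Serial    string
	vendorPub ed25519.PublicKey
	pending   []byte // message of the outstanding challenge, nil if none
}

func NewDevice(serial string, vendorPub ed25519.PublicKey) *Device {
	return &Device{Serial: serial, vendorPub: vendorPub}
}

// challengeMessage binds the nonce to one unit, so an answer signed for a
// different serial number is rejected.
func challengeMessage(serial string, nonce []byte) []byte {
	msg := []byte("msa-service-login\x00" + serial + "\x00")
	return append(msg, nonce...)
}

// NewChallenge issues a fresh random nonce that the operator reads to the
// support desk. Issuing a new one invalidates any earlier challenge.
func (d *Device) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.pending = challengeMessage(d.Serial, nonce)
	return nonce, nil
}

// Answer is the support desk's side: after checking the caller is entitled
// to support for that serial, it signs the challenge with the private key.
func (v *Vendor) Answer(serial string, nonce []byte) []byte {
	return ed25519.Sign(v.priv, challengeMessage(serial, nonce))
}

// Verify accepts one response for the outstanding challenge and then discards
// the challenge, so a recorded answer cannot be replayed against this unit.
func (d *Device) Verify(sig []byte) error {
	if d.pending == nil {
		return errors.New("access denied: no outstanding challenge")
	}
	msg := d.pending
	d.pending = nil
	if !ed25519.Verify(d.vendorPub, msg, sig) {
		return errors.New("access denied: bad signature")
	}
	return nil
}

func main() {
	vendor, err := NewVendor()
	if err != nil {
		panic(err)
	}
	unit := NewDevice("SN-EXAMPLE-0001", vendor.Pub) // constructed serial
	nonce, err := unit.NewChallenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("challenge:", hex.EncodeToString(nonce))
	fmt.Println("first use:", unit.Verify(vendor.Answer(unit.Serial, nonce)))
	fmt.Println("replay:   ", unit.Verify(vendor.Answer(unit.Serial, nonce)))
}
```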

Re:Ok so two things (1)

SnarfQuest (469614) | more than 3 years ago | (#34553316)

You can give them a document, and tell them that it will cost $10,000 to recover the keys on it if they lose it, and spend 3 hours explaining how important this is, and they will be unable to locate it 3 days later. Don't underestimate the ability of an employee to forget where they left their lunch, much less an important password.

Re:Ok so two things (1)

h4rr4r (612664) | more than 3 years ago | (#34553414)

Which is why the password could be generated from known facts, but not ones an outsider would be likely to get right. So combine serial number, date of purchase, company name, contact phone number and whatever else you want, then hash all that to get a password that cannot be lost but is hard to guess.

Re:Ok so two things (2)

biskit (55311) | more than 3 years ago | (#34553346)

One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

One would hope that the password is put somewhere that a firmware flash can change it however.

Or it might even be resold to someone else who doesn't know the password - used equipment exists - and they don't engrave the password on the outside. But sometimes for this 'hidden' password to work, there must be another condition on the equipment to be present - like loopback plugs in place.

Re:Ok so two things (1)

Anonymous Coward | more than 3 years ago | (#34552840)

1. Backdoor for "Administrator forgot password" (not that it really justifies it, but either it is that or government conspiracy which seems less likely)
2. Lots, and many sectors including sensitive areas like data archives for healthcare services. This just created an IT security nightmare for some very large companies (think fortune 250) and likely government too (though the U.S. government tends to prefer Dell over HP most of the time).

Re:Ok so two things (3, Informative)

TopSpin (753) | more than 3 years ago | (#34552922)

Just how many of these systems are out there, in which areas of the private & public sectors?

Lots, and most of them. MSA2000s are common. HP has been selling them for years. Although it has been superseded by newer models, the channel still has a large supply [google.com]. Pretty good hardware for the money.

Re:Ok so two things (3, Insightful)

zero_out (1705074) | more than 3 years ago | (#34553066)

They probably put a hardcoded u/n & p/w into the system early in development to ensure that their login security system worked, then implemented configurable logins, forgetting to remove the hardcoded one.

When I code something that is meant to be configurable, I first hardcode some values to ensure that the code works, then I code a configurable text-file based system, like ini or properties files. Finally, I move on to implementing the desired configuration method, such as LDAP, SQL, or HTTP GET. Anything sensitive is encrypted, of course. I have always remembered to remove the hardcoded values, but I've seen colleagues forget to do the same.

Almost Kernel.org (1)

allquixotic (1659805) | more than 3 years ago | (#34552664)

Just a while back, kernel.org got some infrastructure upgrades, including two HP MSA70s. Hopefully this invisible user account doesn't affect their boxen, seeing how they're a different (but similar) model number.

Re:Almost Kernel.org (3, Informative)

Anonymous Coward | more than 3 years ago | (#34552816)

The MSA70 is just a disk shelf, and is connected to the host via SAS: there is no way to connect an MSA70/50/30 to an IP network.

While we're at it, you'd really have to go out of your way to expose something like an MSA2000 to the wider internet, as you'd have to be stupid enough to be running your storage network on a routable range with external routing from your edge. Basically, you'd have to be a giant fuckwit.

leaks (0)

Anonymous Coward | more than 3 years ago | (#34552688)

HP to blame for WikiLeaks?

That's funny, because (3, Funny)

seebs (15766) | more than 3 years ago | (#34552732)

Whenever you type '!admin' all I see is '******'. Whereas, if I type 'hunter2', all you see is '*******'.

Re:That's funny, because (1)

Stregano (1285764) | more than 3 years ago | (#34552826)

pl3as3d0ntst3almyp4ssw0rd

let's try this out

Re:That's funny, because (1)

Stregano (1285764) | more than 3 years ago | (#34552866)

Wait a second...

Re:That's funny, because (0)

Anonymous Coward | more than 3 years ago | (#34552926)

BASH.org has clearly kept you entertained.

Re:That's funny, because (1)

SnarfQuest (469614) | more than 3 years ago | (#34553016)

You should never fall for one of these scams, else your ******** might get exposed by a key logger. I'm careful that I only enter my ******** when I am sure that no keylogger is attached to my keyboard. If you are careful, no one will ever guess your ******** even without these extra processes used to hide them.

Password regs ? (0)

Anonymous Coward | more than 3 years ago | (#34552742)

Aren't all passwords supposed to be "encrypted"?

Not working here (5, Informative)

jonathanhowell (673180) | more than 3 years ago | (#34552832)

A quick login test on my MSA 2012i G3 doesn't work.

"Access denied"

more testing later.
J

Re:Not working here (2)

kordaff (899913) | more than 3 years ago | (#34553026)

Yeah, I figured you wanted me to change that for ya, so I went ahead and did so.

Re:Not working here (1)

operagost (62405) | more than 3 years ago | (#34553218)

That's funny, but like the article says the password can't be changed. This will have to be fixed with a firmware update.

Re:Not working here (1)

GodfatherofSoul (174979) | more than 3 years ago | (#34553164)

Send me your IP, I'll take a look.

Re:Not working here (5, Informative)

jgtg32a (1173373) | more than 3 years ago | (#34553284)

On the article some guy said it is only accessible through the serial port.

Re:Not working here (4, Insightful)

MozeeToby (1163751) | more than 3 years ago | (#34553438)

On the article some guy said it is only accessible through the serial port.

Which kind of changes the whole tone in my opinion. I'm of the persuasion that if a black hat has physical access to your hardware, you've already lost. It's still shockingly bad practice from a vendor, but if this is true it goes from a serious issue to a moderate one.

Re:Not working here (1)

h4rr4r (612664) | more than 3 years ago | (#34553442)

Then this is much less of an issue.

If the attacker can get to the serial port they can just trash the thing if they want to.

Re:Not working here (2)

idontgno (624372) | more than 3 years ago | (#34553690)

Unless someone put a dial-in modem or telnet-to-serial converter on the maintenance port. You know, for ease of oh-dark-thirty troubleshooting? I mean, rapid response to late-night network trouble calls.

I've been a sysadmin at a largish installation. Maintenance modems aren't rare. You might hope the out-of-band command channels would be at least as secure as the in-band ones.

Re:Not working here (1)

yakatz (1176317) | more than 3 years ago | (#34553730)

According to a comment [securityweek.com] on the original article:
Try 'manage' as the username.

Why are we complaining? (0)

Anonymous Coward | more than 3 years ago | (#34552930)

It's not a vulnerability it's a feature.

ObWarGames (1)

Anonymous Coward | more than 3 years ago | (#34552944)

Mr. Potato Head! Mr Potato Head! Back doors are not secrets!

Not uncommon! (1)

Anonymous Coward | more than 3 years ago | (#34552956)

Dell Tape storage systems have the same thing. Running a tcpdump while the support rep is logging in should get it for you :-)

Re:Not uncommon! (1)

countSudoku() (1047544) | more than 3 years ago | (#34553362)

NO SSH?!?! That's even funnier! Does the tcpdump give you any info on when the motherboard for the tape drive controller and back-plane are going to melt down in a heap of bubbling goo?

This is probably a mistake. A real backdoor would have a snazzier passwd as well as its code buried where someone would not easily spot it. Or a special customer service generated one, like every other company worth their salt.

epic win for use case to outsource? (1)

TravisHein (981987) | more than 3 years ago | (#34553032)

I can't believe this would have been done by anyone inside HP?

The Cisco teleconference backdoor could be deadly (2)

Invisible Now (525401) | more than 3 years ago | (#34553122)

Read the Cisco vulnerability report: root control of the device...

Think where these teleconferencing suites are used: The White House, Pentagon, Central Command and every three star command...

Who might want to lurk on some reality TV?

Oblig Wargames Reference (1)

steve6534 (809539) | more than 3 years ago | (#34553130)

Mr. Potato Head, Mr. Potato Head! Backdoors are NOT secrets!

Who OEMs these? DotHill? (0)

Anonymous Coward | more than 3 years ago | (#34553174)

The back sure looks extremely DotHill-ish [4rgroup.com], and not LSI or some other storage vendor's hardware.

Someone needs to start checking other DotHill arrays....

Of course, this won't affect most people ... (0)

Anonymous Coward | more than 3 years ago | (#34553184)

Naturally, this isn't a huge concern, because all companies using disk arrays of this type have admin access via a secure subnet that only IT staff have access to, via dedicated network ports and dedicated PCs, with no way for traffic to reach the arrays from the outside world.

Right?

Right?

Uh ... guys?

This is so 80's security (0)

Anonymous Coward | more than 3 years ago | (#34553200)

I first remember seeing this type of security described in the 80's movie, 'Wargames'.

Wikileaks - how they do it (1)

igadget78 (1698420) | more than 3 years ago | (#34553224)

Username: Julian
Password: Assange

Re:Wikileaks - how they do it (0)

Anonymous Coward | more than 3 years ago | (#34553278)

Username: Julian
Password: !Assange

FTFY

FEAR (5, Insightful)

mysidia (191772) | more than 3 years ago | (#34553530)

If someone disables the building's primary security system, defeats the lock on your front door, breaks in, when nobody's there, figures out where your MSA is, defeats your server room's dedicated primary alarm system, breaks through the steel fire door into your server room, defeating the ANSI GRADE 1 industrial access control locks, figures out the precise cage where your MSA2000 is located, defeats the cage locks, figures out the combination to open your cabinet, and somehow removes the faceplate without triggering the intrusion alarm, or motion detectors, noise sensors, and surveillance cameras attached to the server room's secondary security/environment monitoring system.

Then yes... there is a small chance someone might be able to insert a serial connector into your MSA to login as this GUI-unavailable backdoor user without the perp getting caught pretty quickly.

By the way, the 'password security' on many routers can be defeated by sending a BREAK via serial console during reboot, or by pushing a recessed RESET button. Where is the outrage?

Help me out here (1)

mikein08 (1722754) | more than 3 years ago | (#34553674)

These super secret access points are there so the maintenance guys can get access when they need it? Not in my shop. If a vendor's maintenance people need access, I'll be the one to give it to them and I'll be the one to deny it if necessary. It's my equipment, my data, my computing facility and no one outside my organization is going to get into it without my permission. If I owned equipment which has undisclosed (to me) access points, I'm suing the manufacturer for as much money as I possibly can get. Such actions by vendors/manufacturers are unconscionable.