
HP Confirms Backdoor In StoreOnce Backup Products

timothy posted 1 year,27 days | from the top-men-are-on-it dept.


wiredmikey writes "Security response personnel at HP are 'actively working on a fix' for a potentially dangerous backdoor in older versions of its StoreOnce backup product line. The company's confirmation of what it describes as a 'potential security issue' follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP's StoreOnce backup systems. The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password. The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers."


45 comments

hands of skills (1)

mostadorthsander (2726857) | 1 year,27 days | (#44114455)

instead of talking over a telephone maybe a group of people may have to look through billions of lines of code to really fix this issue outside the holodeck...

WTF, HP? (5, Insightful)

fuzzyfuzzyfungus (1223518) | 1 year,27 days | (#44114503)

So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth? Y'know, the one where obtaining the private key just by having access to the public key baked into every unit isn't dangerously trivial?
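An added example, mine rather than anything from HP or from this thread, of the control the parent comment is asking for: a small audit of an sshd_config that reports whether a service account (the hypothetical name vendorsvc is assumed) can still authenticate with a password, and whether it is pinned to a key and a forced command instead. Both config texts are constructed. The parser follows sshd's own rules: within a section the first value of a keyword wins, and a Match block's values override the global section for the users it names.

```python
from typing import Dict, List, Set, Tuple

SERVICE_USER = "vendorsvc"  # hypothetical vendor-support account name

# OpenSSH defaults for the keywords checked below (all ship as "yes").
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "allowtcpforwarding": "yes",
}

WEAK_SSHD_CONFIG = """\
# constructed: the service account logs in with a fixed password like any user
PasswordAuthentication yes
PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
# constructed: service account is key-only and pinned to a support shell
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match User vendorsvc
    PubkeyAuthentication yes
    AuthorizedKeysFile /etc/ssh/vendor_keys/%u
    ForceCommand /usr/local/sbin/support-shell
    PermitTTY no
    AllowTcpForwarding no
"""

Block = Tuple[Set[str], Dict[str, str]]


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Block]]:
    """Split a config into the global section and its Match blocks.
    Keywords are case-insensitive; within a section the first value wins,
    as in sshd. Only the 'User' Match criterion is understood (assumption)."""
    global_settings: Dict[str, str] = {}
    blocks: List[Block] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()
            users: Set[str] = set()
            for crit, arg in zip(tokens[::2], tokens[1::2]):
                if crit.lower() == "user":
                    users.update(arg.split(","))
            current = {}
            blocks.append((users, current))
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks


def effective_settings(text: str, user: str) -> Dict[str, str]:
    """Settings sshd applies to a login by `user`: defaults, then the global
    section, then Match blocks naming the user (first satisfied block wins
    per keyword)."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_settings}
    decided: Set[str] = set()
    for users, settings in blocks:
        if user not in users:
            continue
        for keyword, value in settings.items():
            if keyword not in decided:
                effective[keyword] = value
                decided.add(keyword)
    return effective


def audit(text: str, user: str) -> List[str]:
    """Findings for a vendor/service account. An empty list means key-only
    access pinned to a forced command with no forwarding, which is the least
    bad shape for a support account that has to exist at all."""
    eff = effective_settings(text, user)
    findings: List[str] = []
    if eff["passwordauthentication"].lower() != "no":
        findings.append(f"{user}: password authentication is allowed")
    # keyboard-interactive (PAM) is a second password path; newer OpenSSH
    # spells it KbdInteractiveAuthentication, older ChallengeResponseAuthentication
    kbd = eff.get("kbdinteractiveauthentication", eff["challengeresponseauthentication"])
    if kbd.lower() != "no":
        findings.append(f"{user}: keyboard-interactive authentication is allowed")
    if eff["pubkeyauthentication"].lower() != "yes":
        findings.append(f"{user}: public-key authentication is disabled")
    if "forcecommand" not in eff:
        findings.append(f"{user}: no ForceCommand, login gives a full shell")
    if eff["allowtcpforwarding"].lower() != "no":
        findings.append(f"{user}: TCP forwarding allowed, account can pivot")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(cfg, SERVICE_USER) or ["no findings"])
```

The audit only looks at sshd's side; a key-based account still needs the private key kept off the appliance and rotated per vendor, and `sshd -T -C user=vendorsvc` on the box itself is the authoritative check for the effective settings.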

Re:WTF, HP? (0)

Anonymous Coward | 1 year,27 days | (#44114541)

but... how else would the NSA gain access to your backups to ensure their integrity???

Re:WTF, HP? (1)

Anonymous Coward | 1 year,27 days | (#44114643)

No.

But I can think of several highly shameful reasons :-)

Re:WTF, HP? (1)

Anonymous Coward | 1 year,27 days | (#44114775)

So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth?

<voice type="whiny">But that's haaaard! We don't waaaaaanna!</voice>

Re:WTF, HP? (0)

Anonymous Coward | 1 year,27 days | (#44114973)

Because it's easier to give their call center reps a notepad document with this password in it than to train them what SSH is, and how to use SSH keys on whatever ghastly platform they use in call centers. Whatever it is, it can't be good, because I always get told "Please hold for a few minutes while I look this up, our systems are running slowly today."

This is still going on ? (1)

ggraham412 (1492023) | 1 year,27 days | (#44114543)

When did the movie "War Games" come out?

And people are still putting back doors into stuff?

Re:This is still going on ? (1)

Anonymous Coward | 1 year,27 days | (#44116461)

First, this is a product that should never, ever, ever be connected to a public network. The same goes for the SAN systems, some of the older ones of which also apparently had an undocumented default password. It's still sloppy and bad practice for that to be there, but any moron who connects a storage backup system like this to a public network and gets hacked deserves what they get, doing that would be beyond stupid to the point of actually being malicious. The same also goes for similar products from ANY vendor. They're not security hardened and have no business being outside of a very strict firewall that doesn't, under any circumstances, provide any external access to the management interface except perhaps by VPN.
That lowers the risk significantly for basically all customers (who have a brain), not to zero, but if your attackers are already running rampant on your backend, internal, private management networks there are countless other attack vectors for all of your data and this one would be at least in the middle of the list, if not below.

FLOSS (-1)

magic maverick (2615475) | 1 year,27 days | (#44114587)

If ONLY HP had ALLOWED others TO FLOSS their teeth FOR them. Then we could all have FOUND this SERIOUS backdoor OURSELVES!

Once more WE CAN see that NON-FREE software IS bad FOR businesses and EVERYONE ELSE!

Personally, I use DEJA DUP and a HOMEGROWN rsync&dd-based SOLUTION. You MIGHT find CLONZILLA useful.

rainbow tables (1)

Anonymous Coward | 1 year,27 days | (#44114601)

with rainbow tables and no salt it's almost the same as releasing the plaintext: badg3r5

Re:rainbow tables (1)

ArcadeMan (2766669) | 1 year,27 days | (#44114963)

badg3r5 [youtube.com] ?

Re:rainbow tables (0)

Anonymous Coward | 1 year,27 days | (#44115771)

You gave the mobile link, the desktop link is http://youtube.com/watch?v=gx6TBrfCW54&desktop_uri=%2Fwatch%3Fv%3Dgx6TBrfCW54 [youtube.com]

Re:rainbow tables (1)

ArcadeMan (2766669) | 1 year,27 days | (#44116207)

And the desktop link requires Flash, which is why I linked to the mobile version.

Re:rainbow tables (1)

fnj (64210) | 1 year,27 days | (#44117035)

On the other hand, the Flash version actually WORKS on my system. The mobile one does not.

Re:rainbow tables (1)

ArcadeMan (2766669) | 1 year,27 days | (#44118495)

On the other hand, the Flash version doesn't work on mine but the mobile one does.

Re:rainbow tables (1)

fnj (64210) | 1 year,26 days | (#44122785)

The difference is, your system is stupid!! :-) Relax, I'm only kidding. There needs to be a standard that works on BOTH our systems.

That's not a backdoor, (5, Insightful)

BLToday (1777712) | 1 year,27 days | (#44114703)

That's the main entrance for the NSA.

Re:That's not a backdoor, (0)

Anonymous Coward | 1 year,27 days | (#44114853)

No, I'm sorry, it's not. They're better than you can possibly imagine at this game. These are the people who invent cryptographic techniques.

Re:That's not a backdoor, (0)

Anonymous Coward | 1 year,27 days | (#44114897)

Yeah. The thing to remember is that the NSA is as interested in protecting US interests from other countries' attacks as they are in being able to maintain surveillance and stuff like that. A seven character password? That's not the NSA.

Re:That's not a backdoor, (1)

tqk (413719) | 1 year,27 days | (#44115673)

Yeah. The thing to remember is that the NSA is as interested in protecting US interests ...

Yeah (*cough*Edward Snowden*cough*), right.

CALEA II? (0)

Anonymous Coward | 1 year,27 days | (#44119403)

Maybe you've forgotten, but the NSA/CIA/FBI has been pushing for CALEA II which is *exactly* this. Backdoors into everything.

Since HP is a major vendor to the NSA I can well believe they put it in with prompting from the NSA (maybe one of these super-secret warrants from the kangaroo court). But if they did you'd expect to see similar back doors in their other storage products.... erm like this one for example:

http://www.securityweek.com/backdoor-vulnerability-discovered-hp-msa2000-storage-systems

Yep, seems to be an ongoing theme with HP, backdoor passwords onto their storage products.

Re:That's not a backdoor, (1)

lightknight (213164) | 1 year,27 days | (#44117587)

As do many programmers, usually when they're in the bath tub, just for fun. Now, whether those techniques stand up to the scrutiny of a major dedicated code-breaker is a different discussion.

badg3r5 (5, Informative)

TheNinjaroach (878876) | 1 year,27 days | (#44114725)

Google quickly led me to the SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50 and to a publicly available SHA1 reverse lookup [sha1-lookup.com] utility that already has the match in it.

Re:badg3r5 (4, Insightful)

citizenr (871508) | 1 year,27 days | (#44114911)

Go badg3r5!

Re:badg3r5 (5, Funny)

Anonymous Coward | 1 year,27 days | (#44114943)

I guess the HP patch, upgrades the string to f3bbbd66a63d4bf1747940578ec3d0103530e21d.

Re:badg3r5 (0)

Anonymous Coward | 1 year,27 days | (#44115969)

Dude, it's 5919b58eec0aa7cd1e3cc7df5cf0c1b9f77473ad.

Or maybe af7de050cd5fd4b0afc30a9cd61f3ac8b8c704c5.

Re:badg3r5 (1)

oPless (63249) | 1 year,27 days | (#44115983)

Mod parent up.

I almost wet myself. ******* indeed!

StoreOnce... is that the same as write-only? (1)

swschrad (312009) | 1 year,27 days | (#44114763)

I had a set of backups like that once. that's why I dumped NT 3.5

Re:StoreOnce... is that the same as write-only? (1)

stewsters (1406737) | 1 year,27 days | (#44115119)

I have a massive write only drive that I would be willing to sell you room on.
yourBackupFiles.tar.gz > /dev/null

Re:StoreOnce... is that the same as write-only? (0)

Anonymous Coward | 1 year,27 days | (#44115401)

no it is WORM. the device is cheap but they get you on buying new media...

HP is on a Low Sodium Diet (3, Funny)

TechyImmigrant (175943) | 1 year,27 days | (#44114921)

>SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.

HP is on a low sodium diet, they didn't add salt.

Re:HP is on a Low Sodium Diet (1)

Baloroth (2370816) | 1 year,27 days | (#44115101)

A salt does not increase security when cracking only a single password. They help with large sets of passwords, but brute forcing a single password takes the same time whether it is salted or not.

Re:HP is on a Low Sodium Diet (2, Informative)

Anonymous Coward | 1 year,27 days | (#44115189)

As pointed out in other comments, the reverse lookup (i.e. rainbow table) is readily available for unsalted hashes.

You make the mistake of assuming that getting a password requires brute force. People aren't stupid; they use the fastest tools available first. If Google can tell you the password by simply entering the hash, then yes, it is LESS SECURE than one that is not readily available and REQUIRES brute force.

Re:HP is on a Low Sodium Diet (1)

TechyImmigrant (175943) | 1 year,27 days | (#44115965)

Indeed. Properly salted, the brute force cost would be O(2^80). With rainbow tables, assuming your target is in your table dictionary, the cost is much much less.
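An added example (mine, not from the thread or from SecurityWeek) for the point argued in this sub-thread: why an unsalted SHA-1 of a fixed password is answered by one precomputed lookup, and what a salt does and does not buy. The wordlist is constructed and stands in for a public reverse-lookup service; the digest published for the StoreOnce account is included only as a lookup target, and nothing below assumes what it decodes to. SHA-1 is used because that is what the appliance used; a real password store would use bcrypt, scrypt or Argon2.

```python
import hashlib
import itertools
import os
import string
from typing import Dict, Iterable, Optional, Tuple

# Digest published for the StoreOnce service account (from the thread).
PUBLISHED_SHA1 = "78a7ecf065324604540ad3c41c3bb8fe1d084c50"

# Constructed wordlist: stands in for the contents of a public SHA-1
# reverse-lookup service. Whether it holds the real preimage is exactly
# what an attacker learns by submitting the digest.
WORDLIST = ["password", "admin123", "badg3r5", "hp12345", "letmein", "service"]

ALPHABET = string.ascii_lowercase + string.digits


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. Because the hash is unsalted,
    this single table answers queries for every device sharing the password."""
    return {sha1_hex(w.encode()): w for w in words}


def lookup_unsalted(digest_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Reverse lookup: one dictionary probe, no hashing at attack time."""
    return table.get(digest_hex.lower())


def hash_with_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted SHA-1, demo only. Returns (salt, digest); the salt is stored
    beside the digest, it is not a secret."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode())


def crack_salted(digest_hex: str, salt: bytes, words: Iterable[str]) -> Optional[str]:
    """A salted digest is in no precomputed table; the attacker must re-hash
    the wordlist for this one salt. Per-target cost equals an unsalted guess
    loop, which is the thread's point: salt defeats table lookup, not guessing."""
    for w in words:
        if sha1_hex(salt + w.encode()) == digest_hex:
            return w
    return None


def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Candidates for an exhaustive search at a fixed length."""
    return len(alphabet) ** length


def brute_force(digest_hex: str, max_len: int, alphabet: str = ALPHABET) -> Optional[str]:
    """Exhaustive search, shortest candidates first. Feasible here only for
    short lengths; keyspace(7) shows why a GPU rig is the usual tool."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if sha1_hex(cand.encode()) == digest_hex:
                return cand
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("published digest ->", lookup_unsalted(PUBLISHED_SHA1, table))
    salt, salted = hash_with_salt("badg3r5")
    print("salted digest in table?", lookup_unsalted(salted, table) is not None)
    print("salted digest by re-hashing wordlist ->", crack_salted(salted, salt, WORDLIST))
    print("7-char [a-z0-9] keyspace:", keyspace(7))
```

Running it shows the asymmetry both sides of the sub-thread are describing: the unsalted digest costs one table probe, the salted one costs a full pass over the wordlist per device, and a seven-character lowercase-plus-digit password is about 7.8e10 SHA-1 computations at most, which is hours on commodity GPUs and the reason salting alone is not a fix for a fixed vendor password.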

Salt doesn't fix the backdoor (0)

Anonymous Coward | 1 year,27 days | (#44119567)

It slows the hack of the password, there is still a backdoor the NSA can access.

HP (5, Funny)

Anonymous Coward | 1 year,27 days | (#44115045)

The best part of clicking on the link to TFA was the pop-over advertisement from HP that said "How secure is your code?"
Way to go HP!

At least its not an undocumented default account. (1)

Anonymous Coward | 1 year,27 days | (#44115121)

Some of the latest versions of HP P2000 SANs have a built-in service account enabled by default, reachable through telnet/SSH, that is totally hidden from the management GUI of the device.

https://www.krystalmods.com/index.php?title=hp-msa-g3-array-hidden-admin-user&more=1&c=1&tb=1&pb=1 [krystalmods.com]

HP eventually released an advisory about it suggesting you change the password.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02662287 [hp.com]

You keep using that word... (0)

Anonymous Coward | 1 year,27 days | (#44115277)

'potential' security issue

I do not think it means what you think it means.

Re:You keep using that word... (1)

lightknight (213164) | 1 year,27 days | (#44117629)

Lol. To a businessman's ears, it means "no" security issue; to a network admin's ears, it means "they're already in your database, copying your tables, and leaving lewd comments about your tastes in desktop managers."

badg3r5 badg3r5 badg3r5 badg3r5 (0)

Anonymous Coward | 1 year,27 days | (#44115329)

MU5HR00M MU5HR00M

Second reason not to use this product (1)

Karl Cocknozzle (514413) | 1 year,27 days | (#44115691)

The first is that it costs more than a king's ransom to buy and isn't that great when you do. So I guess that's three. Sorry.

a bit offtopic, but.. (1)

excelsior_gr (969383) | 1 year,27 days | (#44116603)

It's sad to watch HP fall into ruins, but it seems to me that everything they touch turns into coal instead of gold. They used to build decent hardware. My brother owns an HP handheld from the time before the smartphone craze that had a stylus, Windows Mobile (from the era when it actually used to work), a *shitload* of software and GPS. They acquired Compaq and the laptop I bought from them back in 2004 was built to last. Then they phased out all the Compaq products and the laptops they have been marketing since are all crap IMHO. They also killed the Compaq Fortran Compiler with the promise to launch a modernized version for some serious number-crunching on HP servers that never materialized. When they bought Palm I was looking forward to my new phone that I would buy from them, but all that came out was the half-assed HP Pre 3 and then they dumped that too. WebOS died a shameful death. At home I have a long lineage of HP printers and scanners that go back to the Deskjet 1120C from the '90s, a parallel-port inkjet A3 printer that may still be functional if I tried to revive it. It uses ink cartridges that are the size of my fist and don't dry easily. Shortly after that all they made was give-away printers and all-in-ones that capitalized on the high price of their fart-sized cartridges. Then they stated that they want to offer cloud services, which obviously left me out as their intended audience, but I still kept an eye on them.

And now this story...

Farewell HP, it was good while it lasted.

A satisfied customer.

2nd HP fail (1)

Max DollarCash (2874161) | 1 year,27 days | (#44117167)

HP dataprotector was also on bugtraq a few weeks back with the software containing a "hardcoded" password... HP is security fail!