Slashdot Mirror


HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."

110 comments

  1. In case anyone wonders by initialE · · Score: 5, Informative

    The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives

    --
    Starbucks, Harbuckle of Breath.
    1. Re:In case anyone wonders by MBCook · · Score: 1

      That makes sense. But why would I want a flash drive built into it also?

      If I want a flash drive, I want it to be smaller than a floppy drive.

      If I want a floppy drive, then I'm using floppies and don't need the flash storage.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:In case anyone wonders by Actually,+I+do+RTFA · · Score: 1

      I thought you could use any USB drive to install mass storage drivers. It's been a while since I installed XP, but I remember that the installer saw my USB key.

      --
      Your ad here. Ask me how!
    3. Re:In case anyone wonders by Qzukk · · Score: 3, Interesting

      But why would I want a flash drive built into it also

      Because it makes the thing useful when you're not installing windows.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:In case anyone wonders by Rob+the+Bold · · Score: 1

      That makes sense. But why would I want a flash drive built into it also?

      One less thing to lose. Twice the utility. Half as many things to plug in. I don't think you care too much that a flash drive designed for servers is too large to easily stuff in a pocket, it's just gonna be sitting in a drawer in the server room, right? Besides, I've got a toaster/oven. HP sells scanner/fax/printer/copiers, why not a floppy/flash? Nash Amphicar?
      --
      I am not a crackpot.
    5. Re:In case anyone wonders by initialE · · Score: 3, Interesting

      What you were probably seeing was an emulation layer provided by your motherboard. HP has that even in its lower end servers now, except that they use it to provide virtual floppies over the network, through their ILO interface. Also handy for doing remote shutdowns and startups. The idea must not have caught on, that's why they're selling these.

      --
      Starbucks, Harbuckle of Breath.
    6. Re:In case anyone wonders by archen · · Score: 1

      I don't put floppies into machines, however I DO need them to install old OS drivers from time to time. With this I could put the drivers onto it with the regular flash interface, then disconnect it and put it into the target machine temporarily during the installation.

      I hope you just need to reformat these things because I've been looking for exactly this type of device for a long time (and haven't found any).

    7. Re:In case anyone wonders by Cheesey · · Score: 4, Funny

      When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine!

      Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

      --
      >north
      You're an immobile computer, remember?
    8. Re:In case anyone wonders by MBCook · · Score: 5, Informative

      OK, I missed something. I don't know if anyone else did, because the summary wasn't clear to me.

      This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying itself like a floppy drive so that Windows will find it when looking for a floppy drive.

      That's actually a very smart idea.

      With the detail that this is not a real floppy drive of any kind, this all makes more sense. Question withdrawn.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    9. Re:In case anyone wonders by cyanid3 · · Score: 5, Informative

      When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine! Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.

      You can slipstream your storage drivers into your Windows installation media with nLite (www.nliteos.com). Just add them as textmode drivers and the setup will pick up your storage controllers without any fuss. Vista, otoh, allows you to supply drivers via USB drives too.
      --
      loldongs dongslol
    10. Re:In case anyone wonders by Amouth · · Score: 1

      to be honest if you are installing windows on servers in a data center.. you build the required drivers into the install image.. sure it takes a bit of work to set up .. but it makes life far far far easier in the long run..

      if it is 1 machine to install then sure put a floppy in .. if it is 10+ build your own install image

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    11. Re:In case anyone wonders by Hal_Porter · · Score: 1

      Why not just slipstream them? You usually want to put in an extra SP too, so you might as well put in the mass storage drivers too.

      In fact "mass storage drivers" is a bit of a misnomer. I think most of the time the problem is that the BIOS on a new machine puts the SATA controller in AHCI mode instead of legacy compatible mode. XP doesn't include AHCI drivers.

      So it's sort of handy to put the Intel MaAHCI drivers on your slipstreamed XP+SP2 CD. I know it works on boards with an Intel SATA controller in AHCI mode, which must be quite a common case. You could add other ones as you find them.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    12. Re:In case anyone wonders by dave420 · · Score: 1

      Most shops use slipstreamed Windows CDs with all necessary drivers pre-installed, not floppy disks.

    13. Re:In case anyone wonders by rickb928 · · Score: 2, Informative

      I've had success in the past using HP's USB tools to create floppy-formatted USB keys and install drivers with that. It's worked on several ProLiant servers... Well before this particular gaffe, and not HP-branded keys. The servers passed all their security checks 2 years ago.

      You can do it without the HP keys, just use their software to prep the stick.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    14. Re:In case anyone wonders by utopianfiat · · Score: 5, Insightful

      Does anyone here have a problem with the fact that HP is clearly not checking the contents of their drives before they leave the factory? Because I think that's pretty important.

      Someone's going to reply "blah blah chain of supply blah blah limited liability" but (back in my day) a manufacturer was liable for tainted/poisoned product that originated at the manufacturer. Everyone should be able to demonstrate that a product works before selling it.

      --
      +5, Truth
    15. Re:In case anyone wonders by Anonymous Coward · · Score: 0

      Tried it once (in a futile attempt to escape Vista) and it didn't work. I tried it a couple of different ways, according to what I could find in various forums. As a result, I have 3 coasters, and I'm stuck on Vista until this summer, when I should be able to switch to Linux 95% of the time, and run Vista as a virtual OS.

    16. Re:In case anyone wonders by Cheesey · · Score: 1

      Good suggestion. I did try doing this, but could not make it work. After a few attempts, I got my modified Windows CD to boot, but it didn't pick up the new drivers. In the end it was easier to buy a box of floppy disks.

      --
      >north
      You're an immobile computer, remember?
    17. Re:In case anyone wonders by Workaphobia · · Score: 1

      I would think the fact that malware even made it on there at all is indicative of a failure at the same point where they would do such checking, unless they specifically design an extra stage into the process. In any case, I don't think anyone's arguing that HP isn't responsible, liability wise, but that doesn't mean they need to adjust their process to incorporate such checks. Let them decide how to handle changes to their system after they're sued; it may be easier to simply eliminate whatever rogue element got the malware installed in the first place.

      --
      Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
    18. Re:In case anyone wonders by Bat+Country · · Score: 1

      You read the article?

      Turn in your Slashdot user id and get out now.

      --
      The land shall stone them with the bread of his son.
    19. Re:In case anyone wonders by Nwallins · · Score: 1

      This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying itself like a floppy drive so that Windows will find it when looking for a floppy drive.

      This past weekend I had to flash the BIOS on a Tyan server mobo (K8SRE). I have no floppy and the current (and new, as well) BIOS won't boot off USB. What to do? Ensure grub and syslinux are installed. Have a floppy image ready (http://bootdisk.com/bootdisk.htm, or Ubuntu CD).

      1. copy floppy.img to, say, /boot/dos/
      2. copy memdisk (executable) to /boot/dos/
      3. add grub entry:

      title Floppy Image
      kernel /boot/dos/memdisk
      initrd /boot/dos/floppy.img

      Now, when the floppy image loads, I will only have access to what's defined in the floppy image. Next, add the BIOS update files:

      1. Ensure mtools is installed
      2. configure mtools to use the floppy image as A:
      3. copy BIOS files into the floppy image

      mcopy ~/bios_flash_files/* a:

      Now, reboot into the floppy image, flash the BIOS, clear the CMOS, and restart!
    20. Re:In case anyone wonders by Anonymous Coward · · Score: 0

      Back in my day, our courts decided something similar in a case known as Donoghue v Stevenson. Some of you might even have heard of it. {1932 SC (HL) 31}

    21. Re:In case anyone wonders by couchslug · · Score: 1

      When you have problems with such stuff, it wouldn't hurt to list the hardware involved. Chances are high someone else has had and solved the same problem. I've never had slipstreaming problems, but I throw all the likely drivers I can find on the CD the first time to improve my odds.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    22. Re:In case anyone wonders by couchslug · · Score: 1

      Those HP tools are also popular for prepping USB sticks to boot DOS, Linux, and BartPE.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    23. Re:In case anyone wonders by toddestan · · Score: 1

      I got it to work, pretty much had no choice as it was a laptop so I couldn't add a floppy if I wanted to. Ended up with about 6 coasters plus the one disk that finally worked. Turns out you need to add the driver twice - once so the installer picks it up, then again so the installer knows to copy it to the harddisk. Otherwise, the first part of the install will run fine, then it will totally fail to load after the first reboot.

    24. Re:In case anyone wonders by msromike · · Score: 1

      Uh, I guess that's one way (if you like the retro approach.) Another way is with a USB hard drive, USB pen drive, CD Rom, DVD, etc.

    25. Re:In case anyone wonders by Digital+Vomit · · Score: 1

      It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead.

      Why is this not rated +5 Funny?

      --
      Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
  2. Security improvements by headkase · · Score: 5, Informative

    Although still in a woeful overall state, Vista has one critical security difference from XP that helps here. By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No and then format the sucker. This default is something Microsoft should seriously back-port to XP.

    --
    Shh.
    1. Re:Security improvements by Raineer · · Score: 3, Interesting

      Totally agree, good thoughts. I still don't like their response that it is "obviously a targeted attack", how the hell does an attack start at the FACTORY?

    2. Re:Security improvements by Anonymous Coward · · Score: 0

      They should come with an autorun executable that disables autorun in XP!

    3. Re:Security improvements by Lxy · · Score: 5, Informative

      There's an option in Group Policy to disable autorun on all drives.

      Start --> Run --> gpedit.msc
      Computer Configuration --> System --> Turn off Autoplay
      Enable on all drives

      You're right, this should be default, but at least there's a fix.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    4. Re:Security improvements by TheGratefulNet · · Score: 1

      with xp-pro its easy to find the group policy GUI tool and click on autoplay and autorun and DISABLE THAT CRAP.

      I agree it should come disabled! but then, bill was trying to play catchup with the mac. remember, the mac had been polling floppies so that the user could just insert the floppy and not have to click an 'open' box (oh, so much work for poor mac users!).

      that must be the reason why MS thought 'auto media detect' was a good idea.

      but its the dumbest idea from a security POV. just another illustration that MS 'doesnt get it' when it comes to *basic* security concepts.

      the fact that vista asks, well, vista asks EVERYTHING. too much so that people ignore the queries. so its not any more secure, due to human factors issues.

      --
      "It is now safe to switch off your computer."
    5. Re:Security improvements by nicklott · · Score: 1

      Great, but who puts either Vista or XP on a proliant server?

    6. Re:Security improvements by 140Mandak262Jamuna · · Score: 2

      Thanks. This is precisely the info I was seeking. Would have modded parent +1 informative if I had mod points.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    7. Re:Security improvements by jimbobborg · · Score: 1

      Exactly. And it doesn't state whether it affects only Windows servers. Anyone running Unix or Linux on their Proliants and getting hit with this?

    8. Re:Security improvements by creepynut · · Score: 2, Informative

      Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

      In addition, it's nice to have the autorun. Having a dialog asking permission is a nice balance I find.

    9. Re:Security improvements by SEMW · · Score: 5, Funny

      Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

      Who in their right mind would have XP Home edition installed on an HP ProLiant Server?
      --
      What's purple and commutes? An Abelian grape.
    10. Re:Security improvements by Fast+Thick+Pants · · Score: 1
      I've always kept this "noautorun.reg" file around as part of my standard 2k/XP installation:

      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
      "NoDriveTypeAutoRun"=dword:000000ff

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoDriveTypeAutoRun"=dword:000000ff

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoDriveTypeAutoRun"=dword:000000ff

      Supposed to turn off autorun for all possible drive types, and seems to do the trick. No need to navigate group policy trees in gpedit.msc, which is missing on XP Home anyway. Can anyone comment on this more outlandish solution? Is it at all necessary (esp. on a fresh install)? Is it kosher?
    11. Re:Security improvements by Nimey · · Score: 2, Informative

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
      @="@SYS:DoesNotExist"

      We're deploying that here to stop Autorun viruses that can start via just opening the drive (or right-clicking on Explore, etc.). Nasty things enabled by a Windows design flaw reminiscent of Outlook Express 4 opening attachments automatically.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
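The two .reg snippets above (NoDriveTypeAutoRun and the IniFileMapping trick) cover the same hardening; as an added example, not code from either poster, here is a PowerShell script that audits both settings, decodes which drive types a NoDriveTypeAutoRun mask still leaves open, and applies the values when run with -Apply (a switch of this script, not a Windows one). It assumes an elevated PowerShell session.

```powershell
# Added example, not code from any poster: audit the Autorun hardening described
# in the two .reg snippets above and optionally apply it. The -Apply switch and
# the function names are this script's own. Run from an elevated PowerShell.
param([switch]$Apply)

# NoDriveTypeAutoRun is a bitmask: a set bit disables Autorun for that drive type.
# 0xFF clears every type; the historical Windows default 0x91 still lets
# removable, fixed, CD-ROM and RAM-disk drives autorun.
$DriveBits = @(
    @{ Bit = 0x01; Type = 'Unknown' },   @{ Bit = 0x04; Type = 'Removable' },
    @{ Bit = 0x08; Type = 'Fixed' },     @{ Bit = 0x10; Type = 'Network' },
    @{ Bit = 0x20; Type = 'CD-ROM' },    @{ Bit = 0x40; Type = 'RAM disk' },
    @{ Bit = 0x80; Type = 'Reserved' }
)

$Settings = @(
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF; Kind = 'DWord' }
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF; Kind = 'DWord' }
    # Redirects every Autorun.inf lookup to an INI section that does not exist,
    # so Explorer ignores the file even on drive types where Autorun is allowed.
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
       Name = '(default)'; Want = '@SYS:DoesNotExist'; Kind = 'String' }
)

function Get-AutorunState {
    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path -Path $s.Key) {
            $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($s.Name) }
        }
        $note = ''
        if ($s.Kind -eq 'DWord') {
            # A missing value behaves like mask 0: nothing is disabled by policy.
            $mask = if ($null -eq $current) { 0 } else { [int]$current }
            $open = foreach ($d in $DriveBits) { if (($mask -band $d.Bit) -eq 0) { $d.Type } }
            $note = if ($open) { 'Autorun still allowed for: ' + ($open -join ', ') } else { 'Autorun blocked for every drive type' }
        }
        [pscustomobject]@{
            Key       = $s.Key
            Name      = $s.Name
            Current   = $current
            Wanted    = $s.Want
            Compliant = ($null -ne $current) -and ("$current" -eq "$($s.Want)")
            Note      = $note
        }
    }
}

function Set-AutorunHardening {
    foreach ($s in $Settings) {
        if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        if ($s.Name -eq '(default)') {
            Set-Item -Path $s.Key -Value $s.Want           # writes the key's (default) value
        } else {
            New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Want `
                -PropertyType $s.Kind -Force | Out-Null    # -Force overwrites an existing value
        }
    }
}

if ($Apply) { Set-AutorunHardening }
Get-AutorunState | Format-List
```

The poster's .reg file also writes HKEY_USERS\.DEFAULT; HKU: is not a PSDrive by default, so this script covers only the machine and current-user policy keys.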
    12. Re:Security improvements by Fast+Thick+Pants · · Score: 1

      BTW, the "outlandish solution" I linked to is the same one suggested by Nimey a couple posts above.

    13. Re:Security improvements by headkase · · Score: 1

      The general situation is that you're plugging new removable media into your system. Getting into specifics it applies less but the general rule remains.

      --
      Shh.
    14. Re:Security improvements by Actually,+I+do+RTFA · · Score: 1

      Great, but who puts either Vista or XP on a proliant server?

      Right, I use Win98. The occasional need to reboot (every 28 days or so) is made up for by the fact that I know I won't ever get bothered with 'updates' again.

      --
      Your ad here. Ask me how!
    15. Re:Security improvements by Actually,+I+do+RTFA · · Score: 3, Informative

      Computer Configuration --> Administrative Templates --> System --> Turn off Autoplay
      --
      Your ad here. Ask me how!
    16. Re:Security improvements by Anonymous Coward · · Score: 0

      By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No

      Well, duh! Autorunning stuff off freshly installed media or the network was proven as a bad idea a couple decades ago. I'm glad Microsoft finally caught up.
    17. Re:Security improvements by Anonymous Coward · · Score: 0

      Windows XP: Start -> Run -> services.msc. Double-click "Shell Hardware Detection" and change startup type to disabled. Reboot. This is one of my standard security practices to prevent autorun of usb and CDs, which hackers can use to get past a screen saver password, install viruses, etc. The only downside is manually launching something from a disc when you really want to. Well worth the tradeoff.

    18. Re:Security improvements by PRMan · · Score: 1

      Or you could just hold down Shift...

      Oops, Switchfoot nearly got sued by Sony for mentioning that...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    19. Re:Security improvements by blincoln · · Score: 1

      By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun.

      Maybe that's true if you have the User Account Control incessant popups enabled. If you turn that off, then it will autorun USB storage devices just like XP, which is stupid. There is no good reason to autorun R/W media. I would argue there's no good reason to autorun read-only media either, but it's definitely true for R/W.

      I accidentally infected my PC with what appeared to be a factory-installed worm on an LG UP3# player because of this. I have AVG Free installed, but I had its on-access scanner disabled at the time because I didn't think I did anything risky enough to warrant the performance hit. Now, of course, I have it turned on and disabled autorun in the registry.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    20. Re:Security improvements by Anonymous Coward · · Score: 0

      By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun.

      Not really Autorun if it doesn't autorun now, does it? Should be renamed.
  3. Strange (as insider activity?) by nweaver · · Score: 3, Insightful

    The speculation that it was deliberate activity does strike me as a little strange:

    If you are going to get your malcode onto this, why do something old and crufty when you could do something new.

    IIRC, this is used for BIOS updating as well as windows driver schlepping. So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

    --
    Test your net with Netalyzr
    1. Re:Strange (as insider activity?) by Thelasko · · Score: 1

      So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way.

      How do you know they haven't?
      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    2. Re:Strange (as insider activity?) by Dr.+Cody · · Score: 1

      Their Chinese suppliers outsourced the malware to the US.

    3. Re:Strange (as insider activity?) by apoc.famine · · Score: 1

      Because if they had, they wouldn't draw attention to this security issue with an easily identified worm. At least, if I were them, I wouldn't call attention to my rootkit like that.

      More than likely, it was some low-paid worker who was given a few weeks' wages by someone looking for a quick buck, not some super-skilled haxor out for world domination.

      --
      Velociraptor = Distiraptor / Timeraptor
    4. Re:Strange (as insider activity?) by Thelasko · · Score: 1

      The malcode that was caught may be "old-n-crufty" but what about the code that wasn't caught? This could be an oversight by a more sophisticated attacker, or a script kiddie replicating something seen elsewhere.

      Most likely it's a crime of opportunity. Like stealing a car that had the keys left in it.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  4. Software on these drives? Use Linux to format. by deragon · · Score: 3, Insightful

    I do not understand it. Are these USB drives meant to come with software? I believe they are just formatted. If such is the case, then they should use some non-Windows machines such as Linux to format them with Windows filesystems. I fail to grasp how, on a factory floor where drives only need to be formatted, worms have an actual chance to jump on the drives. This can only happen if they are using web-connected and unsecured Windows machines to format them.

    --
    Remember the year 2000? They promised us flying cars. They delivered the PT Cruiser...
  5. So where's the recall? by Animats · · Score: 5, Informative

    Here's the HP security notice. This was discovered in January/February, according to HP, but not announced by them until April.

    Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

    Here are the part numbers:

    • Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
    • Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

    They're still for sale on Amazon, for example.

    In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

    1. Re:So where's the recall? by snowful · · Score: 1

      Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

      All their recall resources are probably still being used in the HP/Compaq laptop mainboard replacement fiasco. Just had mine done.
    2. Re:So where's the recall? by _KiTA_ · · Score: 1

      Here's the HP security notice. This was discovered in January/February, according to HP, but not announced by them until April.

      Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

      Here are the part numbers:

      • Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
      • Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

      They're still for sale on Amazon, for example.

      In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

      Is it a 100% Infection Rate? Is it a specific site that's infecting them? A specific QA tester's machine? Is it Possible for them to just replace the ones that are out but unsold, reformat the returned ones, and reship them?

      These are important questions that I would be willing to wager HP's asking themselves in private.
  6. Re:Software on these drives? Use Linux to format. by anss123 · · Score: 1

    The malware has not necessarily infected the factory. The flash disks probably come with some software tools, and it might be these tools which got infected.

    Could also have been a disgruntled worker.

  7. What about BIOSes? by Anonymous Coward · · Score: 1, Informative

    What stops those who were able to put viruses in USB sticks from installing viruses in BIOSes directly in the factory?

  8. Dear Smart People, by publicopinion5 · · Score: 2, Funny

    I'm one of those people who doesn't really belong on slashdot due to my outrageously inadequate computer skills. I just appreciate the actually intelligent discussion devoid of complete morons that I couldn't find anywhere else. But question for the people who do belong here: how is deliberately infecting your own products even close to a good idea? I can't imagine this is going to get half the press it deserves, but if this somehow got out past computernerdland (no offense meant), wouldn't that turn millions of people off of buying HP? I feel like I'm missing something here.

    1. Re:Dear Smart People, by Silver+Sloth · · Score: 1, Funny

      intelligent discussion devoid of complete morons

      Sorry, this is /. you're talking about, isn't it. Ah, you must be from Bizarro world.
      --
      init 11 - for when you need that edge.
    2. Re:Dear Smart People, by Anonymous Coward · · Score: 0

      An actual response opposed to the sarcastic predecessor:

      Chances are it was a rogue programmer, meaning it was happening for quite some time (unnoticed by the company themselves) until some other person noticed. If it was deliberate by HP themselves, then a LOT more publicity/lawsuits should soon arise.

    3. Re:Dear Smart People, by Anonymous Coward · · Score: 0

      Why don't you ask Sony that question.

    4. Re:Dear Smart People, by SEMW · · Score: 4, Informative

      No-one's suggesting that this was a deliberate policy decision by HP; the suggestion is that it was a disgruntled worker or somesuch that did it deliberately for some unknown ends.

      --
      What's purple and commutes? An Abelian grape.
  9. Corporate Response Missing by CambodiaSam · · Score: 3, Insightful

    Neither article indicates that HP is planning on making changes at the factory floor level to prevent further infection. If their only response is to scan and clean it myself, then I might be motivated as a consumer to purchase my flash drives with a big "Guaranteed Fully Formatted" on the box. Plus, this seems REALLY sloppy to me. If HP is allowing this type of software to slip into flash drives, what other types of defects, errors, and all around laziness is going on with other products?

  10. Let me guess by Malevolent+Tester · · Score: 2

    Made in China?

    --
    If you haven't made a developer cry, you've wasted a day.
    1. Re:Let me guess by Digestromath · · Score: 1

      I think the dead giveaway was on their feature list.

      Your hybrid flash drive is protected from high energy EM radiation by a healthy and brightly coloured coating of heavy lead paint!

  11. Eww... by maciarc · · Score: 0

    Flash floppies that are pre-infected. That's just gross.

    1. Re:Eww... by Anonymous Coward · · Score: 0

      Just be glad those drives weren't hard.

  12. More likely by Anonymous Coward · · Score: 0

    was developed in HP-China.

  13. Flash/BluetoothThumbdrive? by Doc+Ruby · · Score: 0, Offtopic

    Has anyone seen a single thumbdrive that includes Flash storage and a Bluetooth antenna, all in one little (and hopefully cheap) device? Perfect would be a Bluetooth dongle with an SDIO, MemoryStick, or CompactFlash slot for detachable memory, but just some permanently bundled Flash on the Bluetooth would be good.

    --
    make install -not war

  14. Because... by Anonymous Coward · · Score: 5, Interesting

    HP's recall supply chain will dump the recalled product to shady asset recovery firms and it will just end up on Ebay and not destroyed.

    (Where do you think recalled Dell batteries went?)

    Anonymous for a reason.

    1. Re:Because... by mgblst · · Score: 1

      Good, all they need is a reformat, then they will work again. I hope they don't get destroyed just because they have some bad data on them.

  15. Proliant diag. CDs don't recognize other drives... by ramirez · · Score: 2, Informative

    An interesting thing about this is that HP ships diagnostics CDs with their Proliants (PSP "Proliant Support Pack"). The offline hardware diagnostics CD can provide a lot of data, which needs to be provided to HP to get support (sometimes). The diagnostics software has the option to write the data to a USB device. I've tried 3 different types of USB drives and none of them were recognized by the software... I was told by HP support that the USB floppy drive that they provide would work.

    Fortunately, we bitched enough to get better support and we don't run Windows so wouldn't be vulnerable to this particular problem.

    I bring this up because there may be a number of people out there with Proliants who acquired these drives so that they can get data from HP diagnostics software.

  16. Advisory's recommendation is braindead by vic-traill · · Score: 4, Interesting

    From the advisory:

    If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.

    Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.

  17. Doesn't surprise me by Bryansix · · Score: 1

    This doesn't surprise me. HP is also partnered with a company called Presto that says in a radio ad that computers are "Expensive (and) hard to use".

  18. This is an ugly situation by erroneus · · Score: 3, Interesting

    But it is not without precedent. I have heard of device driver floppies and CDs shipping with viruses and the like in the past... as long ago as 10 or more years in fact. The sad thing isn't that it happens. The sad thing is how telling it is of their product QA standards.

    They should have clean and isolated systems in place for development and manufacture that isn't connected to the public internet in any way. Furthermore, anything that reaches the public should first be inspected through tight QA standards. The public expects that of high profile manufacturers... worse, the public presumes high QA standards.

    This takes me back to a point I was attempting to make in another discussion about the differences that often exist between public expectations and what a company actually delivers. Oftentimes the public never notices the difference, but sometimes those differences slap people in the face rather rudely at inopportune times.

    I'm not sure when the move away from fulfilling public consumer expectations started to become common practice. But the public consumer isn't aware that this shift has occurred yet. But evidence of the quiet shift has been placed in every EULA as far back as anyone can remember that contains disclaimers that their product is suitable for any purpose at all. The laws of some countries and states of the U.S. do not permit the enforcement of some of these disclaimers, but it never stops them from trying to put it past the consumer just the same. But the ugly reality is that 'legal standards' trump quality standards every day that appears on the calendar.

  19. How does it happen? by KingPrad · · Score: 1

    How did they not catch this? Surely every 1000 of these, they pull one off the line and plug it into a computer to check that it actually works, right? Or every 10,000? Don't manufacturers do any kind of continuous QA of the actual product?

    Wouldn't an alert from a virus scanner make someone think "that's not right..."?

    So basically they didn't bother sparing 5 minutes once a day or week to check one of these things? Nice.

    --
    Stop the Slashdot Effect! Don't read the articles!

  20. Who made them? What country? What are HP QCs? by dickmc · · Score: 5, Insightful

    What is notably left out is: Who made them and in what country? What are normal HP quality controls? What is HP planning on changing to prevent this in the future?

  21. Where's the factory? by absurdist · · Score: 3, Interesting

    China?

    Perhaps it's a test run.

    1. Re:Where's the factory? by Dr.+Cody · · Score: 3, Informative

      I've purchased/received three MP3/video players during trips to China, and both of them had viruses on them. China is the next big market for botnets, I suppose.

    2. Re:Where's the factory? by Dr.+Cody · · Score: 1

      grrrr "All three," that is.

  22. Only on WinPE 1.x by SEMW · · Score: 2, Informative

    "The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives"

    IIRC, only on Windows installers that use WinPE 1.x. That includes 2003 Server, but not 2008 Server (which uses WinPE 2.1). So hopefully now floppies should actually become a thing of the past.

    Not, of course, that that in any way absolves MS -- it's still shocking that floppies were sometimes needed for a server OS released a mere half decade ago! Although at least you could always install remotely over a network using RIS or WDS and avoid the issue entirely, which is I suppose what most enterprises probably do anyway.
    --
    What's purple and commutes? An Abelian grape.

  23. Re:Software on these drives? RANT!! by h.ross.perot · · Score: 1

    Possibly; the big 3 do deliver support tools on customer facing media. I would gander the following guess: This is what you funk-tards get for outsourcing; keep it in house OR keep the Quality control persons on YOUR payroll. That way you can fire them when things run afoul. (Soapbox mode OFF)

    --
    ... I'll have a Pan Galactic Gargle Blaster with a side of Plutonium Nyborg ...

  24. china... by hesaigo999ca · · Score: 3, Interesting

    It's simple, the infection happened when they outsourced to China to build the flash drives, and do not have a quality control set in the middle as it arrives into our country without delivering directly to store warehouses... The problem, and I speak from experience with the textiles importing industry based out of China, is that when you have no quality control in place to review this stuff, such as a drive verificator that you would plug all drives into before sending out, and letting that be in the hands of the Chinese, who are at the root of the cyber attack problem against the states right now, is that they could be putting anything on those drives and we don't check...

  25. SANity check by Anonymous Coward · · Score: 0

    http://www.acronymfinder.com/af-query.asp?acronym=SANS
    System Administration, Networking, and Security Institute (SANS)
    Institute's Internet Storm Center (ISC)
    http://isc.sans.org/diary.html?storyid=4247

    http://www.acronymfinder.com/af-query.asp?Acronym=SAN&Find=find&string=exact
    Storage Area Network (SAN)

    http://en.wikipedia.org/wiki/SanDisk
    SanDisk Corporation

    http://japanese.about.com/blqow38.htm
    from AnonymousCoward-san

    http://babelfish.altavista.com/
    without acronyms the world would be a better place

  26. Coincidence? by rickb928 · · Score: 3, Insightful

    I see a story about Hannaford Bros (supermarket chain in the Northeast U.S.) servers being pwned, sending credit card numbers all over. And they passed PCI, seeming to be secure enough for the card industry. Darn, pwnage is so sucky, especially when your SERVERS are compromised.

    Now I see this story about HP accidentally selling branded keys with worms pre-installed. Darn, selling malware is so sucky, especially when you sell it to your favorite customers, for example server customers.

    Any chance not just Hannaford, but other HP customers are nailed by this?

    The takeaway from this episode, for those of you who aren't quite getting this:

    - When you buy a USB key, be sure your machine(s) have functional antivirus and antispyware running, and it's updated.

    - Look around for instructions on keeping stuff like USB keys from autorunning. Make it so.

    - Format that rascal USB key immediately. Immediately. IMMEDIATELY.

    - Don't buy USB keys 'cause they have cool software preloaded. Pointless to CHOOSE to risk infection. Make the manufacturers pay for this by avoiding/refusing this crap. Just sell me a simple key, ok? Sheesh...

    And trust no one and no thing.

    Amazing, is all I can say. And yes, I wonder if these were manufactured and loaded in China. Bet they are.

    We are in so much trouble. Mark my words, soon, 'Made in China' will really mean 'Pwned by China'. If it doesn't already.

    --
    deleting the extra space after periods so i can stay relevant, yeah.

    1. Re:Coincidence? by ilmdba · · Score: 0, Redundant

      or just fucking use linux or solaris x86 instead of windows...

    2. Re:Coincidence? by narf · · Score: 1

      Hannaford tried that. Didn't work out so well.

    3. Re:Coincidence? by rickb928 · · Score: 2, Insightful

      Easy for you to spew.

      Surprisingly, much of the software Hannaford settled on using is just plain Windows. They did use some Sun for certain things, but the store servers were almost all Windows.

      I'm unaware of any settlement software available for *nix. There must be some, but I haven't looked so hard for it. And Hannaford isn't unique in the industry for using Windows.

      It wasn't long ago that Blockbuster used Alpha-based servers at the stores, running customized SCO SysV. Nasty, but it worked really well. Sadly, Alpha CPUs are hard to come by, and I bet they have moved to Windows. But that environment would move to Linux very well. Other businesses need to build the entire Linux infrastructure, from development environments to remote management. Windows makes it too easy.

      And the bottom line here is that the malware got inside the firewall. Most likely, IMHO, via a support tech either browsing or on media, obviously. And they were certified PCI-compliant. Darn.

      Frankly, I suspect even a Linux server system could be pwned. I've had to scrape out some very tough trojans from my servers over the years. It ain't easy. 80% of the time I reinstalled clean. Why bother.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

    4. Re:Coincidence? by Anonymous Coward · · Score: 1, Interesting

      HP has a really big internal network. HP has a lot of people who take their work laptops home and dial VPN into the HP network.
      So when your laptop is at home, you go on the internet, get infected. Then you dial into the VPN or bring your laptop back to work.
      HP also has a culture of keeping bad news quiet. Got to find the leakers! Who let that information out to the public?!?

      I personally witnessed a major worm outbreak at HP some years ago. Of course, it was never disclosed publicly.

      People who think that the government is inefficient have never worked for a Fortune 50 company.

    5. Re:Coincidence? by toddestan · · Score: 1

      So, do you also plug the USB drive first into some computer you don't care about just in case it dead shorts the power leads or something like that too?

    6. Re:Coincidence? by Anonymous Coward · · Score: 0

      Why should we? Why is it too much to expect that a product is free from malware or anything else malicious?
      I shouldn't be expected to do tests and/or disinfect my milk bought from a store should I?

    7. Re:Coincidence? by rickb928 · · Score: 1

      No, silly. You take the reasonable precaution of formatting unknown media. You don't really know where it's been.

      And I haven't fried anything with a bad USB-whatever in my career. I may live a sheltered life, but usually USB ports survive really bad stuff plugged into them, with spectacular exceptions I'm sure.

      It's just not prudent to believe your new storage media is clean as whistle. Even hard drives.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

  27. 'Nix zealots don't know about security - again by Anonymous Coward · · Score: 0

    "This can only happen if they are using web connected and unsecured Windows machines to format them."

    This shows a large degree of naivety to the issues.

    The source of infection could equally be a rooted 'nix box or any other platform which had become compromised - even any other box anywhere in the organisation and then poor practice allowing it to compromise a machine in the factory not even connected to a network...although admittedly, such a multiplatform worm would be unlikely, but not impossible.

    There is certainly no reason for an assumption that a 'nix box rather than any other platform would have prevented the problem - in fact a non-Windows box may have been _more_ insecure as all too many people falsely assume 'nix to be inherently "secure" and so take inadequate steps to remain (relatively) secure.

    Good QC processes could have prevented this (say a separate scan/checksum process in a separate area of the factory to minimise the risk of an insider being able to compromise both stages), including physical security of the items following validation (tamper 'proof' seals etc as with food products/blister packs for medication) - but these would add to manufacturing costs and would usually be unappreciated by consumers and so are inherently uncompetitive practices. ...so the ultimate fault is with capitalism :)
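One way to build the separate scan/checksum QC stage suggested above, as an added example that is not from this thread or from HP: every drive leaving the imaging station is compared file by file against a golden master image, and any file the master lacks, any missing file, or any modified file blocks release. The directory layout, file names (including the `dropper.exe` placeholder) and contents are constructed sample data; only the `autorun.inf` name is taken from how removable-media worms of the kind named in the advisory propagate.

```python
import hashlib
import tempfile
from pathlib import Path

# File names whose mere presence on a freshly imaged drive is a release-blocking
# finding: autorun.inf is the hook removable-media worms use to start on insert.
# Constructed list for this example, not an HP rule.
SUSPECT_NAMES = {"autorun.inf"}


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_against_golden(golden, candidate):
    """Compare a drive's manifest to the golden master's.

    Returns a sorted list of (finding, path) tuples; an empty list means the drive
    carries exactly the master's files, byte for byte, and nothing else.
    """
    findings = []
    for rel in candidate.keys() - golden.keys():
        kind = "suspect-added" if Path(rel).name.lower() in SUSPECT_NAMES else "added"
        findings.append((kind, rel))
    for rel in golden.keys() - candidate.keys():
        findings.append(("missing", rel))
    for rel in golden.keys() & candidate.keys():
        if golden[rel] != candidate[rel]:
            findings.append(("modified", rel))
    return sorted(findings)


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed scenario: a golden master and a drive that picked up a worm on
    the QC workstation after imaging. Returns the verifier's findings."""
    with tempfile.TemporaryDirectory() as master, tempfile.TemporaryDirectory() as drive:
        # Golden master: a small diagnostics layout (constructed content).
        for rel, data in {"boot/loader.bin": b"LOADER", "diag/hpdiags.exe": b"DIAGS"}.items():
            _write(master, rel, data)
            _write(drive, rel, data)
        # Post-imaging infection: an autorun hook and a dropper are added, and
        # the diagnostics binary is overwritten with an infected copy (all constructed).
        _write(drive, "autorun.inf", b"[autorun]\nopen=dropper.exe\n")
        _write(drive, "dropper.exe", b"DROPPER")
        _write(drive, "diag/hpdiags.exe", b"DIAGS-INFECTED")
        return verify_against_golden(build_manifest(master), build_manifest(drive))


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:14s} {rel}")
```

A clean drive yields an empty list; anything else is held back, which is the check a per-drive scan on the same infected workstation cannot be trusted to give.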

  28. It wasn't me...it was the one armed HP server! by insanemime · · Score: 2, Funny

    See Honey, it's HP's fault that porn was on our computer! All 3 terabytes of it...nasty bugs. *whistles innocently*

  29. Re:Software on these drives? Use Linux to format. by Pascoea · · Score: 2, Interesting

    "This can only happen if they are using web connected and unsecured Windows machines to format them."

    All you have to do is throw in the human element. Once the first factory worker plugs his iPod or flash drive full of music into the computer he is using to test/verify/format these devices, you are finished.

    I've worked as a technician in an electronics manufacturer, the human element is a huge one to contend with.

  30. But it's a server... by Shuntros · · Score: 2, Informative

    What kind of idiot runs a workstation OS on a SERVER? Last time I looked, proper server operating systems didn't "autorun" things, especially w32 executables!

  31. Re:Software on these drives? Use Linux to format. by Intron · · Score: 1

    Most likely some employee was using the work equipment for his/her own project and accidentally infected the system. Deliberately targeted does seem unlikely.

    --
    Intron: the portion of DNA which expresses nothing useful.

  32. HP software is malware *anyway* by joe_n_bloe · · Score: 5, Informative

    Anyone who has ever installed an HP scanner or All-in-one knows that the consumerware/bloatware that HP deliberately installs is truly awful. The print monitor behaves strangely, faceless apps hang and get respawned without the existing processes being killed, all kinds of crap is installed that is difficult to remove, and et cetera. If you don't seek out and install the thin "enterprise driver," and find alternative helper apps, you wind up with all this junk.

    So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*

  33. Re:In case anyone wonders (OT II) by Anonymous Coward · · Score: 1, Funny

    Someone's going to reply "blah blah chain of supply blah blah limited liability" Naw, I'm just going to reply 'offtopic' since your post had nothing to do with GP's comment...

  34. "pre-infected" means not infected by EllynGeek · · Score: 1

    The important points that are actually pertinent to the article have already been addressed by other slashdotters, so I will take on the thankless but heroic job of grammar nitpicker. The drives were infected. They were not pre-infected. (hey, I had nothing else to do for five minutes. and the poor old "pre" prefix is almost as shamefully abused as "loose/lose".) Literally, pre-infected means before infection, or not infected. Trust the words, grasshoppers- they aren't improved by adding useless or incorrect prefixes.

    You're welcome, please leave a donation in the tip jar on your way out.

    --
    we will end no whine before its time

    1. Re:"pre-infected" means not infected by Anonymous Coward · · Score: 0

      I think the idea is that the drives are infected BEFORE you even start to use them. That's where the "Pre" prefix comes into play. No tip for you!

    2. Re:"pre-infected" means not infected by EllynGeek · · Score: 1

      Ha, you're a notorious non-tipper anyway!

      --
      we will end no whine before its time

  35. more information by Anonymous Coward · · Score: 0

  36. Re:Trusting Trust by Anonymous Coward · · Score: 0

    "But it is not without precedent. I have heard of device driver floppies and CDs shipping with viruses and the like in the past... as long ago as 10 or more years in fact."

    It dates back further than that: http://cm.bell-labs.com/who/ken/trust.html

    [AC while at work]

  37. While we're talking naïvety by xouumalperxe · · Score: 3, Insightful

    From the summary:

    "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois

    I think it's also pretty naïve to assume that it is a targeted attack, as such an assumption shifts the blame enormously. While a targeted attack is arguably more dangerous and more worrisome for a certain group of people, such an attack could happen at any number of stages of fabrication, so the fabrication process itself isn't to blame. Reversely, if a random infection makes it to a device sold as a server accessory, that puts both fabrication and quality assurance at fault, the former allowing the infection, the latter for not detecting it. If that's what happens to enterprise products, one has to wonder how much crud gets through in consumer stuff.

  38. I've seen this kind of thing before by Whuffo · · Score: 2, Informative

    Products shipping with unplanned "additions" has been going on for years. I remember well when a software company I worked at had something like this come up - the install floppy in our shrink-wrapped packages had a boot sector virus on it.

    After digging into what happened it was found that the duplication house where our disks were being duplicated had a QC station where each one was tested to verify a good recording. The operator of that station faced a brain-numbing job; insert disk, hit enter, remove disk, repeat. Of course, that job was filled by the production manager's son - who filled in his free minutes by playing a "free" copy of a game that he got from "someone" on the QC machine.

    We had to recall all the packages and ship free disinfecting software to everyone who had bought one; fun times. The duplication house (grudgingly) paid the cost of cleaning up the mess, then we found a different duplication house to use in the future. This time we checked their procedures out a little more closely before signing up.

    Something like this is probably what happened to HP. The factory where those drives were made had some worms / viruses loose on their network and when the new drives were plugged in for testing / formatting the malware automatically copied itself over. This would happen after the format / test was complete; the operator wouldn't even know it happened.

    Sloppy security practices at the factory were most likely the "source" of the problem. They weren't evil, just stupid. But for HP to know about this and wait for 3 months before letting their customers know - that's criminal. At least it should be...

  39. HP loaded the gun, but who pulled the trigger? by rharkins · · Score: 1

    I'm not trying to diminish HP's responsibility for this mess, but if any server admin admitted that they had picked up one of these worms from any other vector, the commenters here would have spitted and roasted said admin for gross incompetence. Any systems vulnerable to this crap are likely to have much bigger problems in store.

  40. You should use the Driver Packs on your XP Disk by Joe+The+Dragon · · Score: 1

    You should use the Driver Packs on your XP Disk
    http://driverpacks.net/DriverPacks/

  41. Also in the news by Project2501a · · Score: 1

    Unattended Windows 2k3 installs with slipstreamed drivers (from DVD) and/or Windows Deployment Services.

    I've never seen a "welcome to such and such" screen in over a year

    --
    ----