HP Confirms Backdoor In StoreOnce Backup Products

← Back to Stories (view on slashdot.org)

HP Confirms Backdoor In StoreOnce Backup Products

Posted by timothy on Wednesday June 26, 2013 @04:53AM from the top-men-are-on-it dept.

wiredmikey writes "Security response personnel at HP are 'actively working on a fix' for a potentially dangerous backdoor in older versions of its StoreOnce backup product line. The company's confirmation of what it describes as a 'potential security issue' follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP's StoreOnce backup systems. The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password. The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers."

8 of 45 comments (clear)

Min score:

Reason:

Sort:

WTF, HP? by fuzzyfuzzyfungus · 2013-06-26 05:00 · Score: 5, Insightful

So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth? Y'know, the one where obtaining the private key just by having access to the public key baked into every unit isn't dangerously trivial?
That's not a backdoor, by BLToday · 2013-06-26 05:16 · Score: 5, Insightful

That's the main entrance for the NSA.
badg3r5 by TheNinjaroach · 2013-06-26 05:17 · Score: 5, Informative

Google quickly lead me to the SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50 and to a publicly available SHA1 reverse lookup utility that already has the match in it.

--
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
1. Re:badg3r5 by citizenr · 2013-06-26 05:32 · Score: 4, Insightful
  
  Go badg3r5!
  
  --
  Who logs in to gdm? Not I, said the duck.
2. Re:badg3r5 by Anonymous Coward · 2013-06-26 05:35 · Score: 5, Funny
  
  I guess the HP patch, upgrades the string to f3bbbd66a63d4bf1747940578ec3d0103530e21d.
HP is on a Low Sodium Diet by TechyImmigrant · 2013-06-26 05:33 · Score: 3, Funny

>SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.
HP is on a low sodium diet, they didn't add salt.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
1. Re:HP is on a Low Sodium Diet by Anonymous Coward · 2013-06-26 05:55 · Score: 2, Informative
  
  As pointed out in other comments, the reverse lookup (i.e. rainbow table) is readily available for unsalted hashes.
  You make the mistake that to get a password requires brute force. People aren't stupid, they use the fastest tools available first. If google can tell you the password by simply entering the hash, then yes, it is LESS SECURE then one that is not readily available and REQUIRES brute force
HP by Anonymous Coward · 2013-06-26 05:43 · Score: 5, Funny

The best part of clicking on the link to TFA was the pop-over advertisement from HP that said "How secure is your code?"
Way to go HP!