Slashdot Mirror


HP Keeps Installing Secret Backdoors In Enterprise Storage

Nerval's Lobster writes "For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products. The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP's StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products. The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP's StoreVirtual and HP P4000 products. Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would 'cripple the cluster,' according to information provided to The Register by an unnamed source. The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it's not hard to find: 'Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn't know existed,' according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public."
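For administrators who forward appliance syslog to a collector, the check below flags SSH authentication events for the account named in the summary. It is an added example, not code from the story, HP or Technion; the OpenSSH-style log format, the management subnet `10.20.0.0/24` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Account name taken from the summary; the management subnet is a
# hypothetical value to replace with the site's own.
WATCHED_ACCOUNTS = {"hpsupport"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# OpenSSH-style auth lines (assumed format of the forwarded syslog).
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)

# Constructed sample input, not taken from a real device.
SAMPLE_LOG = """\
Jul  9 02:14:07 d2d-01 sshd[4121]: Failed password for HPSupport from 203.0.113.45 port 51122 ssh2
Jul  9 02:14:19 d2d-01 sshd[4121]: Accepted password for HPSupport from 203.0.113.45 port 51122 ssh2
Jul  9 08:30:02 d2d-01 sshd[5230]: Accepted password for Admin from 10.20.0.15 port 40022 ssh2
Jul  9 09:01:44 d2d-01 sshd[5307]: Accepted password for hpsupport from 10.20.0.15 port 40110 ssh2
"""


def find_support_logins(log_text):
    """Return (severity, outcome, user, source) for each watched-account event."""
    findings = []
    for line in log_text.splitlines():
        match = AUTH_LINE.search(line)
        if not match:
            continue
        outcome, user, source = match.groups()
        if user.lower() not in WATCHED_ACCOUNTS:
            continue
        try:
            inside = any(ipaddress.ip_address(source) in net for net in MGMT_NETS)
        except ValueError:
            inside = False  # unparseable source field: treat as outside
        if outcome == "Accepted":
            severity = "medium" if inside else "high"
        else:
            severity = "low" if inside else "medium"
        findings.append((severity, outcome, user, source))
    return findings


if __name__ == "__main__":
    for finding in find_support_logins(SAMPLE_LOG):
        print(*finding)
```

Any accepted login for this account is worth a ticket, since the customer never created it; the severity only ranks which source addresses to look at first.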

13 of 193 comments

  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. HPSupport accounts are not new, but hiding them is by Anonymous Coward · · Score: 5, Informative

    Years ago I worked on HP3000 servers and there was an hpsupport user on those systems as well. But on the 3000 series it was documented and every sysadmin was aware of it and could change the password if desired. Looks like HP still cares about customer service, but no longer cares about ethics. Sad. They were once a really great company.

  3. Re:badg3r5 by Anonymous Coward · · Score: 5, Informative

    Rainbow Tables: enabling ontopic first posts since 2013.

  4. Customers Demand It by Anonymous Coward · · Score: 5, Informative

    I work for a large networking appliance company. We know these backdoors are a bad idea from a security standpoint. The problem is, customers demand them. They call up and want something fixed--or a customization or diagnosis or whatever--and many times the only way to resolve the issue is to access the box. Most times it's a configuration problem on their end, but often the quickest way to figure this out is to access the internal databases.

    On our appliances our backdoors are completely optional--if you disable it, support is completely unable to access the box, period (I know because I helped to write it). But you wouldn't believe how irate customers become when you tell them that you can't help them, even though they're the ones who _chose_ to disable the support access, and clicked through all the warnings.

    Could these backdoors be made more secure? Absolutely. But developing, say, a storage appliance and developing a secure remote access protocol (both in terms of software as well as access control) are worlds apart. SSH and SSL are just tiny elements in an overall solution.

    I'm not one to argue that convenience and security are necessarily opposed. But it is incredibly hard to find the small set of solutions that provide both maximum convenience and maximum security. And even if you've found a solution in that set, it's incredibly hard to prevent it from degrading over time as developers come and go, introducing bugs as they add and fix features.

  5. Re:Eh? by girlintraining · · Score: 5, Informative

    If so, please synopsize in non-sensationalist terms.

    Non-bullshit, redacted by lawyers version:

    Anyone with access to the NAS over the network and an SSH client can enter a username and password, gain elevated privileges to the cluster, and while not allowing access to the data directly from that interface, access can disable the cluster or delete all the data within it, as well as wiping out partition information, etc.

    --
    #fuckbeta #iamslashdot #dicemustdie

  6. Re:It's standard practice by Anonymous Coward · · Score: 5, Interesting

    IBM has, on midrange POWER systems, a service ID that has a constantly changing password. In case of loss of passwords and the like (mind you, passwords for the Service Processor, not the OS itself) you can call IBM and the CE will come, log in with the service ID and wait on the phone till Rochester tells him what the password for that machine at that time is.
    Neat system, if someone ever finds out how the key is computed it could be defeated but it's a lot harder than say, a hard coded password...
    DS4000 series System Storage DO have a hardcoded user/pass but the controller has rlogin turned off by default so unless you get to the cage and log in via serial cable it's safe...
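A sketch of the kind of per-machine, time-varying service password the comment above describes, set against a single hard-coded one. This is an added example and not IBM's actual scheme, which the comment does not describe: the HMAC construction, the one-hour window, the key names and the serial strings are all assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 3600  # assumed validity window, not a documented IBM value


def derive_machine_key(master_key: bytes, serial: str) -> bytes:
    """Vendor side: per-machine key, so one extracted key exposes one box."""
    return hmac.new(master_key, b"svc-id|" + serial.encode(), hashlib.sha256).digest()


def service_password(machine_key: bytes, now: float, digits: int = 8) -> str:
    """Password for the time window containing `now` (HOTP-style truncation)."""
    window = int(now // WINDOW_SECONDS)
    mac = hmac.new(machine_key, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(machine_key: bytes, candidate: str, now: float, skew: int = 1) -> bool:
    """Machine side: accept the current window and `skew` windows either side."""
    ok = False
    for drift in range(-skew, skew + 1):
        expected = service_password(machine_key, now + drift * WINDOW_SECONDS)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    master = b"constructed-demo-master-key"         # constructed value
    key_a = derive_machine_key(master, "SERIAL-A")  # hypothetical serial
    t = 1_373_328_000.0
    pw = service_password(key_a, t)
    # The password read out over the phone works now, but not three hours later.
    print(pw, verify(key_a, pw, t), verify(key_a, pw, t + 3 * WINDOW_SECONDS))
```

Each machine stores only its own derived key, so a password leaked from one support call is useless on another machine and stops working once its window has passed, which is the property a shared static password lacks.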

  7. They *can* access the data on the device by Anonymous Coward · · Score: 5, Informative

    The earlier article said they can reset user passwords, if they can do that, they can grant themselves access to the data.

    http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
    "lost admin passwords are resettable by HP. One, from November 2011, states: “You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 'Lefthand Solutions'”. The other, posted by a LeftHand product manager in 2009, states: “Call support. They can reset the password remotely.”"

    So they CAN get access to the data, because they can change the configuration to give themselves access.

  8. Re:It's standard practice by Anonymous Coward · · Score: 5, Interesting

    Pretty much every hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.

    So trusting any vendor about any security is out of the question. Rolling your own stack is the only way to actually retain any control over your mission critical data.

    But it's also standard practice and should come as no surprise to anyone

    Or perhaps it is one of the "Seventeen Techniques for Truth Suppression" - 8. Dismiss the charges as "old news."

    http://cryptome.org/2012/07/gent-forum-spies.htm

  9. Re:Eh? by Charliemopps · · Score: 5, Informative

    I doubt it. We've got some software like this, and while we were having trouble one day and I was on the phone with their support (who was about as skilled as your local broadband support tech), they proceeded to log into our equipment, duplicate my administrator account, log in as me, and start making changes. The log even reported the changes as being done by me. When I realized what was going on I started yelling into the phone "What the fuck do you think you're doing? Holy fucking shit?!?!" The tech on the other end was rather surprised I was upset "Excuse me?" he asked... "How did you just do all that?!?! This is on OUR servers, behind OUR firewall!!! You're under contract with us, none of this should be possible! physically, or legally!" all he said was "Well they don't let me see the contracts. I just click this "Clone account" button and there we go..."

    I reported the whole thing to our security director. It ended up in the lawyers' lap. Their software basically just tunneled its way out of our network. There were other reasons their software needed to connect to them so they just used the same port to allow their support techs to have basically more access than I, the senior administrator had. Now, instead of having a secure product, we have an unsecured product and the only thing protecting us from them is a "more specific" contract that, again, their techs have no access to read. Also, given the regulations we're under, that tech was violating federal law without even knowing it.

    Don't trust your vendors. My management has, after this and several other incidents, come to the conclusion that these sorts of products are more trouble than they're worth. In the near future we'll be building it all in-house and dropping vendors like this. Some stuff, like Oracle and Microsoft, will be hard to dump. But I bet that given enough time even they will be gone and we'll be on something open source.

  10. Re:badg3r5 by shentino · · Score: 5, Funny

    Would you rather deal with Rainbow Tables or Bobby Tables?

  11. Re:Eh? by AdamWill · · Score: 5, Informative

    The thing you're missing is this part:

    "While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules - not a limitation built in to limit use of backdoors."

    i.e. there is not actually any kind of technical restriction on the use of the backdoor, there is no actual customer control over it. When they say 'we can only use it with the customer's permission' what they mean is 'we told our reps only to use it with the customer's permission and we hope they do what we say, and no-one else finds it, so now...oops'.

  12. Uh-oh! by Chmarr · · Score: 5, Funny

    78a7ecf065324604540ad3c41c3bb8fe1d084c50 ? Really ? Crap... that's the combination to my luggage.

  13. Re:badg3r5 by Inda · · Score: 5, Interesting

    When I played with MD5 rainbow tables, probably 10-15 years ago, it was an interesting experience.

    I signed up to a website and was given a large block of passwords to crunch. I can't remember my block, but it was full of 7 character alpha-numeric passwords. There were some 6 character password blocks left to crunch, but 99% of them were complete.

    My P3 450 crunched them all weekend and beyond. In return, I was given complete access to the MD5 rainbow tables, through some forms on a website.

    It was a near-instant search.

    Assume that your 8 character passwords are fully hashed. All alpha-numeric passwords 7 characters and under were complete back then.

    Asking Google to search for hashes is also fun.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.