HP StoreOnce has undocumented backdoor

HP is being accused of leaving a serious security vulnerability in its StoreOnce SAN system: a hard-coded administrator account in its management software. According to this blog post published under the handle Technion, weeks of contact with HP's Software Security Response Team have failed to elicit a response, so the poster …

COMMENTS

Paris Hilton

>“The password is just seven characters long and draws on a ten-year old meme”

Rick Astley strikes again. The password is obviously "rikroll".

Paris - because I'm never gonna give her up, never gonna let her down...

4
0
WTF?

Launch all zig. For great justice!

The first thing that sprang to mind when I read the article was: "AYBABTU"

3
0
Anonymous Coward

Nah: It's gotta be "lolcats"

3
0

If it's an unseeded SHA-1 hash...

...it'll be cracked in absolutely no-time if the password is just 7 characters long.

My graphics card can crack unseeded 8 character (a-zA-Z0-9) SHA-1 passwords under a day.

3
0

Re: If it's an unseeded SHA-1 hash...

Curiosity got the better of me and since I'm not at home with my GPUs on hand to crack SHA-1s, I decided to Google the hash.

Didn't take long indeed.

2
0
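The two posts above make the same point from two directions: a 7-character password behind an unsalted, fast hash falls to a GPU in moments, and because every installation shares the same unsalted digest, it falls to a web search or a reverse-hash service with no computation at all. The script below is an added illustration, not code from the article or from the blog it cites. It builds the target digest from the password reported later in this thread, runs a small rule-based cracker (constructed wordlist, leetspeak and suffix mutations) against it, shows the precomputed-lookup attack, and contrasts both with salted PBKDF2 storage, which is offered here as the standard alternative and is not a description of how the appliance stores anything.

```python
"""Added example: cracking an unsalted SHA-1 of a short password versus
salted, iterated storage.  The wordlist and the 'leaked' digest are constructed
for this demonstration."""
import hashlib
import hmac
import itertools
import os

# Constructed target: the thread reports the recovered password as "badg3r5",
# so we derive the digest the way an unsalted-SHA-1 store would have produced it.
# The cracker below only ever sees LEAKED_SHA1, never the plaintext.
LEAKED_SHA1 = hashlib.sha1(b"badg3r5").hexdigest()

# Constructed toy wordlist; a real run would use a multi-million-entry dictionary.
WORDLIST = ["password", "hpsupport", "storeonce", "badger",
            "mushroom", "snake", "lolcats", "rikroll"]

# Leetspeak substitutions, the kind of rule a hashcat/JtR rule file encodes.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def leet_variants(word):
    """Yield every combination of LEET substitutions applied to `word`."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flag, i in zip(mask, positions):
            if flag:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def candidates(wordlist):
    """Dictionary words, capitalised or not, with leet mutations and common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                yield variant
                for suffix in ("s", "5", "1", "123", "!"):
                    yield variant + suffix


def crack_unsalted_sha1(target_hex, wordlist=WORDLIST):
    """Online attack: hash each candidate and compare.  Returns (plaintext, attempts)
    or (None, attempts).  SHA-1 is fast, so this is bounded only by candidate count."""
    attempts = 0
    for cand in candidates(wordlist):
        attempts += 1
        if hashlib.sha1(cand.encode()).hexdigest() == target_hex:
            return cand, attempts
    return None, attempts


def precompute_table(wordlist=WORDLIST):
    """Offline attack: hash the candidate space once, then answer any number of
    unsalted digests by dictionary lookup.  This is what public reverse-hash
    services do at scale, and why a shared unsalted digest is Google-able."""
    return {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates(wordlist)}


def store_salted(password, iterations=100_000):
    """Salted, iterated storage (PBKDF2-HMAC-SHA256 from the standard library).
    A fresh random salt per record means no two stores of the same password
    share a digest, so no precomputed table applies, and the iteration count
    makes each guess cost thousands of hash operations instead of one."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_salted(password, salt, iterations, dk):
    """Constant-time comparison of a candidate against a stored salted record."""
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(probe, dk)


if __name__ == "__main__":
    found, tries = crack_unsalted_sha1(LEAKED_SHA1)
    print(f"unsalted SHA-1 cracked: {found!r} after {tries} guesses")
    print("lookup table hit:", precompute_table().get(LEAKED_SHA1))
    a = store_salted("badg3r5")
    b = store_salted("badg3r5")
    print("same password, same salted digest?", a[2] == b[2])   # False
    print("verify with correct password:", verify_salted("badg3r5", *a))
```

The point of the last two lines is the one the thread circles around: the unsalted digest is a single global secret, so one lookup by one person answers it for every unit ever shipped, whereas with a per-record salt the table would have to be rebuilt per appliance, and with a slow KDF each rebuild would cost orders of magnitude more.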
Coat

Backdoor in a SAN?

That would make it "StoreTwice". Or possibly "WipeOnce", depending on exactly what the attacker has in mind.

My coat's the one with pockets full of evil hardware.

4
0
Facepalm

SANS reverse hash calculator

Here:

https://isc.sans.edu/tools/reversehash.html

18 of the last 20 hashes solved at the time of writing are of the hash in question...

4
0

Re: SANS reverse hash calculator

That's a cracking (excuse the pun) website, add another hash to that list.

3
0
Facepalm

Re: SANS reverse hash calculator

Why did I look up? Now I've got that song stuck in my head again :doh:

1
0
Anonymous Coward

Re: SANS reverse hash calculator

Why did I look up?

Because as everybody knows Badger loves . . . mashed potatoes! He makes them into shapes and eats them every-day! Bodger and Badger, Bodger and Badger. La, la , la ...

1
0
Coat

Mushroom MUSHROOM!

Almost forgot this gem:

(may be NSFW - not the video - but the comments)

http://www.youtube.com/watch?v=EIyixC9NsLI

0
0

So what?

So many people don't change the default passwords anyway, for fear of losing it. Ask any EMC engineer how many Clariions on customer sites still have the default admin password...

1
2
Anonymous Coward

Re: So what?

Because there is a difference between user stupidity and vendor incompetence.

2
0
Anonymous Coward

Re: So what?

So it'd be nice to be allowed the choice.

1
0

From the blog :

There's no excuse for hating your users this much.

Says it all, really.

2
1
Happy

Hack once?

1
2
Facepalm

"Undocumented"?

The MSA claim was male dog genitalia so, not having a StoreOnce unit to look at, I went to have a look at the manuals on the HP public website. Took me five minutes of browsing to find out that the hpsupport account is discussed in the StoreOnce B6000 user manuals (HP StoreOnce B6000 Series Backup System Maintenance & Service Guide, August 2012). It also has an HP internal link (page 13) to the website HP field engineers have to go to for the time-limited password generation tool for use after the password has been reset from the factory default at installation, which suggests to me that Technion has a unit where the install engineer did not reset the factory default password upon installation. Just like the MSA admin account non-story he goes on about. No wonder HP have been ignoring him.

The first moral of the story is only let accredited people that know what they are doing install your stuff. The second moral is don't rush to declare a "built-in back door" without doing at least five minutes of browsing.

1
5
Unhappy

Re: "Undocumented"?

"The first moral of the story is only let accredited people that know what they are doing install your stuff. The second moral is don't rush to declare a "built-in back door" without doing at least five minutes of browsing."

Wrong.

The first moral of this story is don't develop an installation process that requires such an account in the first place. If it's a brand new fresh-out-the-box product it should have no fixed accounts and part of the config should be to set up the first account (probably through the mfg's website).

That might make theft a bit easier to track as well.

4
2
Facepalm

Re: "Undocumented"?

"....The first moral of this story is don't develop an installation process that requires such an account ...." Like Technion, you need to RTFM, it's not an installation account it's a general servicing account for use by field engineers for doing stuff under the bonnet.

"......If it's a brand new fresh-out-the-box product it should have no fixed accounts....." Really? So Windows Server shouldn't come with any default accounts like Administrator? Just looking around my office I have Brocade and Cisco switches, all of which come with default installation accounts, several storage devices ditto. Do you actually touch hardware?

My advice is, if you have a StoreOnce unit (or any appliance) that you don't know if the defaults have been reset on, then check it. If you're unsure how to do it for a StoreOnce (and it may be an HP engineer only task, I don't know), then call the support line.

0
8

FAIL

Re: BlueGreen Re: "Undocumented"?

Ooh, look, my very own sheeple stalking me! The fun question is what happens to a sheeple when it gets too far from the flock? Wandering into an actual technical thread must have been such a strain for ickle BlueGreen.....

0
6

Re: BlueGreen "Undocumented"?

You neither replied to any of my points in my other post, because you cannot do so without looking stupid, nor to the above point about you not understanding the basics of Windows Server security. Perhaps technical threads aren't your strength either?

Instead, more Matt Bryant zero content condescension. MBZCC for short, henceforth.

3
1
FAIL

Re: BlueGreen Re: BlueGreen "Undocumented"?

"You neither replied to any of my points in my other post...." Your post has been answered and your errors exposed, please go back and learn from your mistakes like a good little sheep.

".....because you are cannot do so without looking stupid....." LOL! You are actually stalking and frothing in a completely unrelated thread and want to say I look stupid! Have you dropped more acid?!?!?!? Seriously, you need to go seek professional help.

0
5
Anonymous Coward

@Matt Bryant - Re: "Undocumented"?

Cool down, Matt! Cisco switches and routers have no default installation account. As you were saying, do you actually touch this kind of hardware?

4
0
Happy

Re: @Matt Bryant - "Undocumented"?

"....Cisco switches and routers have no default installation account...." They do, it just comes with NO PASSWORD by default! When you do the initial setup on something like a 3750 you just put in the IP 10.0.0.1 and go straight into the settings where you put in the management port IP address, gateway, etc. I have known users that did not then go to "Advanced" and put a password in for telnet access, which effectively leaves you with an admin login via HTTP with no password protection at all!

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp43320

IIRC, the bigger Cisco switches like the 7000 series do have a default login account on the CP which you have to set a password on at installation, but this is kinda pointless considering the fall-back CMP (which can grab console control from the CP) has no password on its default login!

So, yes, you are right, Cisco devices actually have WORSE security.

1
1

HP StoreOnce has undocumented backdoor

Well I think we can all agree that there isn't now - whichever way you look at it.

4
0
Anonymous Coward

The Post Office is going to be busy...

Thanks!!

0
0
Anonymous Coward

Well well well

It took less than 100 ms to crack the password, which is: badg3r5

Not secure imho!

0
1
los

addressed in latest code

http://www.securityweek.com/hp-confirms-backdoor-storeonce-backup-product-line

2
0

userid pw

I heard the userid was admin and password sys1 not sure why so boring I would have expected userid matt and password bryant

1
0
Facepalm

Re: Allison Park Re: userid pw

"I heard the userid was admin...." Alli, you do nothing to help yourself convince others that you should be listened to when your information sources are so frequently plain wrong. Maybe you should stop using rumours to base your technical arguments on? The userid is hpsupport, as pointed out in the blog and this thread. Do please try and keep up!

0
0
Paris Hilton

Re: Allison Park userid pw

It was a joke..... funny ha ha...... btw, and I know you know this, I really hate being called anything but Allison. Maty

Sad but true, HP killing HP3000 and now VMS is no joke.... if you want to be serious :-D

as someone recently said....

"As I said last week when reporting that Hewlett-Packard has decided not to port the latest OpenVMS 8.4 release to the current "Poulson" Itanium 9500 processors from Intel and has basically sunsetted the hardware platform on the older Itanium 9300-based Integrity servers that are several years long in the tooth, it is important not to gloat. But, having said that, it is Silverlake's 25th birthday, and it seems appropriate to keep score."

1
0
Happy

Re: Allison Park userid pw

"it was a joke..... funny ha ha......btw..and i know you know this I really hate being called anything but Allison. Maty"

He does come across as a bit humour impaired at the best of times. I also thought of that old Blackadder line about "Still worshipping God, eh Melchett? Last time I heard he was worshipping me, woof"

Probably best to include the Joke icon.

0
0
Happy

Re: Allison Park Re: Allison Park userid pw

Seriously, and you accuse me of no sense of humour?

"..... it is Silverlake's 25th birthday, and it seems appropriate to keep score." AS/400? LOL, that's like a terminal cancer victim laughing at the misfortune of others. BTW, did you notice how Linux and UNIX are eating into that AS/400 base?

0
0