HP StoreOnce has undocumented backdoor

HP is being accused of leaving a serious security vulnerability in its StoreOnce SAN system: a hard-coded administrator account in its management software. According to this blog post published under the handle Technion, weeks of contact with HP's Software Security Response Team have failed to elicit a response, so the poster …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Paris Hilton

    >“The password is just seven characters long and draws on a ten-year old meme”

    Rick Astley strikes again. The password is obviously "rikroll".

    Paris - because I'm never gonna give her up, never gonna let her down...

    1. Captain DaFt
      WTF?

      Launch all zig. For great justice!

      The first thing that sprang to mind when I read the article was: "AYBABTU"

    2. Anonymous Coward
      Anonymous Coward

      Nah: It's gotta be "lolcats"

  2. Anonymous Coward
    Anonymous Coward

    If it's an unseeded SHA-1 hash...

    ...it'll be cracked in absolutely no-time if the password is just 7 characters long.

    My graphics card can crack unseeded 8 character (a-zA-Z0-9) SHA-1 passwords in under a day.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it's an unseeded SHA-1 hash...

      Curiosity got the better of me and since I’m not at home with my GPUs on hand to crack SHA-1s I decided to Google the hash.

      Didn't take long indeed.
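    The two posts above turn on one property of an "unseeded" (unsalted) hash: the same password always produces the same digest, so a single precomputed table or web lookup answers every installation at once, and a seven-character keyspace is small enough to enumerate outright. The following Python block is an added illustration written for this thread, not code from the article, the blog or HP; it uses only the standard library, a constructed sample password, and an assumed guess rate for the keyspace estimate. It contrasts plain SHA-1 storage with a per-record salt plus PBKDF2 iterations, which is the mitigation a vendor would apply.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration; not the appliance's real one.
SAMPLE_PASSWORD = "hunter2"


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 hex digest: the storage scheme the thread assumes the appliance uses.

    Deterministic, so one table of digests serves every device and every user.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, iterations: int = 200_000) -> tuple[bytes, bytes]:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest) with a fresh 16-byte salt.

    The random salt makes each stored record unique even for identical passwords,
    and the iteration count makes each guess cost far more than one SHA-1 call.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 200_000) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def is_lookup_friendly(scheme: str, password: str) -> bool:
    """True if hashing the same password twice yields the same stored record.

    A scheme with this property can be attacked with a precomputed table or a
    search engine, exactly as the poster above did; a salted scheme cannot.
    """
    if scheme == "sha1":
        return unsalted_sha1(password) == unsalted_sha1(password)
    if scheme == "pbkdf2":
        return store_salted(password) == store_salted(password)
    raise ValueError(f"unknown scheme: {scheme}")


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length over a fixed alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate at an assumed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


if __name__ == "__main__":
    print("SHA-1 lookup-friendly:", is_lookup_friendly("sha1", SAMPLE_PASSWORD))
    print("PBKDF2 lookup-friendly:", is_lookup_friendly("pbkdf2", SAMPLE_PASSWORD))
    # Assumed rate of 1e9 unsalted SHA-1 guesses/s for the estimate (not a measured figure).
    print("7 chars, a-zA-Z0-9 at 1e9 guesses/s:",
          round(hours_to_exhaust(62, 7, 1e9), 2), "hours")
    salt, digest = store_salted(SAMPLE_PASSWORD)
    print("verify correct password:", verify_salted(SAMPLE_PASSWORD, salt, digest))
    print("verify wrong password:", verify_salted("hunter3", salt, digest))
```

Note that salting alone does not rescue a seven-character, single-wordlist password against an attacker who holds the digest; it only removes the shared table and forces per-record work. The iteration count is what makes that work expensive, and a longer, non-dictionary password is what makes the keyspace estimate above stop being a matter of hours.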

  3. Brad Ackerman
    Coat

    Backdoor in a SAN?

    That would make it "StoreTwice". Or possibly "WipeOnce", depending on exactly what the attacker has in mind.

    My coat's the one with pockets full of evil hardware.

  4. Ken Y-N
    Facepalm

    SANS reverse hash calculator

    Here:

    https://isc.sans.edu/tools/reversehash.html

    18 of the last 20 hashes solved at the time of writing are of the hash in question...

    1. Best Before:

      Re: SANS reverse hash calculator

      That's a cracking (excuse the pun) website, add another hash to that list.

    2. Potemkine Silver badge
      Facepalm

      Re: SANS reverse hash calculator

      Why did I look up? Now I've got that song stuck in my head again :doh:

      1. Anonymous Coward
        Anonymous Coward

        Re: SANS reverse hash calculator

        Why did I look up?

        Because as everybody knows Badger loves . . . mashed potatoes! He makes them into shapes and eats them every day! Bodger and Badger, Bodger and Badger. La, la, la ...

  5. PeterGriffin
    Coat

    Mushroom MUSHROOM!

    Almost forgot this gem:

    (may be NSFW - not the video - but the comments)

    http://www.youtube.com/watch?v=EIyixC9NsLI

  6. Alain

    So what?

    So many people don't change the default passwords anyway, for fear of losing it. Ask any EMC engineer how many Clariions on customer sites still have the default admin password...

    1. Anonymous Coward
      Anonymous Coward

      Re: So what?

      Because there is a difference between user stupidity and vendor incompetence.

    2. Anonymous Coward
      Anonymous Coward

      Re: So what?

      So it'd be nice to be allowed the choice.

  7. Anonymous Coward
    Anonymous Coward

    From the blog :

    There's no excuse for hating your users this much.

    Says it all, really.

  8. IO-IO
    Happy

    Hack once?

  9. Matt Bryant Silver badge
    Facepalm

    "Undocumented"?

    The MSA claim was male dog genitalia so, not having a Storeonce unit to look at, I went to have a look at the manuals on the hp public website. Took me five minutes of browsing to find out that the hpsupport account is discussed in the Storeonce B6000 user manuals (HP StoreOnce B6000 Series Backup System Maintenance & Service Guide, August 2012). It also has an hp internal link (page 13) to the website hp field engineers have to go to for the time-limited password generation tool for use after the password has been reset from the factory default at installation, which suggests to me that Technion has a unit where the install engineer did not reset the factory default password upon installation. Just like the MSA admin account non-story he goes on about. No wonder hp have been ignoring him.

    The first moral of the story is only let accredited people that know what they are doing install your stuff. The second moral is don't rush to declare a "built-in back door" without doing at least five minutes of browsing.

    1. John Smith 19 Gold badge
      Unhappy

      Re: "Undocumented"?

      "The first moral of the story is only let accredited people that know what they are doing install your stuff. The second moral is don't rush to declare a "built-in back door" without doing at least five minutes of browsing."

      Wrong.

      The first moral of this story is don't develop an installation process that requires such an account in the first place. If it's a brand new fresh-out-the-box product it should have no fixed accounts and part of the config should be to set up the first account (probably through the mfg's website).

      That might make theft a bit easier to track as well.

      1. Matt Bryant Silver badge
        Facepalm

        Re: "Undocumented"?

        "....The first moral of this story is don't develop an installation process that requires such an account ...." Like Technion, you need to RTFM, it's not an installation account it's a general servicing account for use by field engineers for doing stuff under the bonnet.

        "......If it's a brand new fresh-out-the-box product it should have no fixed accounts....." Really? So Windows Server shouldn't come with any default accounts like Administrator? Just looking around my office I have Brocade and Cisco switches, all of which come with default installation accounts, several storage devices ditto. Do you actually touch hardware?

        My advice is, if you have a Storeonce unit (or any appliance) that you don't know if the defaults have been reset then check it. If you're unsure how to do it for a Storeonce (and it may be an hp engineer only task, I don't know), then call the support line.

        1. This post has been deleted by its author

          1. Matt Bryant Silver badge
            FAIL

            Re: BlueGreen Re: "Undocumented"?

            Ooh, look, my very own sheeple stalking me! The fun question is what happens to a sheeple when it gets too far from the flock? Wandering into an actual technical thread must have been such a strain for ickle BlueGreen.....

            1. BlueGreen

              Re: BlueGreen "Undocumented"?

              You neither replied to any of my points in my other post, because you cannot do so without looking stupid, nor the above point about you not understanding the basics of windows server security. Perhaps technical threads aren't your strength either?

              Instead, more matt bryant zero content condescension. MBZCC for short, henceforth.

              1. Matt Bryant Silver badge
                FAIL

                Re: BlueGreen Re: BlueGreen "Undocumented"?

                "You neither replied to any of my points in my other post...." Your post has been answered and your errors exposed, please go back and learn your mistakes like a good little sheep.

                ".....because you are cannot do so without looking stupid....." LOL! You are actually stalking and frothing in a completely unrelated thread and want to say I look stupid! Have you dropped more acid?!?!?!? Seriously, you need to go seek professional help.

        2. Anonymous Coward
          Anonymous Coward

          @Matt Bryant - Re: "Undocumented"?

          Cool down, Matt! Cisco switches and routers have no default installation account. As you were saying, do you actually touch this kind of hardware?

          1. Matt Bryant Silver badge
            Happy

            Re: @Matt Bryant - "Undocumented"?

            "....Cisco switches and routers have no default installation account...." They do, it just comes with NO PASSWORD by default! When you do the initial setup on something like a 3750 you just put in the IP 10.0.0.1 and go straight into the settings where you put in the management port IP address, gateway, etc. I have known users that did not then go to the "Advanced" and put a password in for telnet access, which effectively leaves you with an admin login via http with no password protection at all!

            http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp43320

            IIRC, the bigger CISCO switches like the 7000 series do have a default login account on the CP which you have to set a password on at installation, but this is kinda pointless considering the fall-back CMP (which can grab console control from the CP) has no password on its default login!

            So, yes, you are right, CISCO devices actually have WORSE security.

  10. taxman

    HP StoreOnce has undocumented backdoor

    Well I think we can all agree that there isn't now - whichever way you look at it.

  11. Anonymous Coward
    Anonymous Coward

    The Post Office is going to be busy...

    Thanks!!

  12. Anonymous Coward
    Anonymous Coward

    Well well well

    It took less than 100 ms to crack the password, which is: badg3r5

    Not secure imho!

  13. los

    addressed in latest code

    http://www.securityweek.com/hp-confirms-backdoor-storeonce-backup-product-line

  14. Allison Park

    userid pw

    I heard the userid was admin and password sys1 not sure why so boring I would have expected userid matt and password bryant

    1. Matt Bryant Silver badge
      Facepalm

      Re: Allison Park Re: userid pw

      "I heard the userid was admin...." Alli, you do nothing to help yourself convince others that you should be listened to when your information sources are so frequently plain wrong. Maybe you should stop using rumours to base your technical arguments on? The userid is hpsupport, as pointed out in the blog and this thread. Do please try and keep up!

      1. Allison Park
        Paris Hilton

        Re: Allison Park userid pw

        it was a joke..... funny ha ha......btw..and i know you know this I really hate being called anything but Allison. Maty

        sad but true HP killing HP3000 and now VMS is no joke....if you want to be serious :-D

        as someone recently said....

        "As I said last week when reporting that Hewlett-Packard has decided not to port the latest OpenVMS 8.4 release to the current "Poulson" Itanium 9500 processors from Intel and has basically sunsetted the hardware platform on the older Itanium 9300-based Integrity servers that are several years long in the tooth, it is important not to gloat. But, having said that, it is Silverlake's 25th birthday, and it seems appropriate to keep score."

        1. John Smith 19 Gold badge
          Happy

          Re: Allison Park userid pw

          "it was a joke..... funny ha ha......btw..and i know you know this I really hate being called anything but Allison. Maty"

          He does come across as a bit humour impaired at the best of times. I also thought of that old Blackadder line about "Still worshipping God, eh Melchett? Last time I heard he was worshipping me, woof"

          Probably best to include the Joke icon.

        2. Matt Bryant Silver badge
          Happy

          Re: Allison Park Re: Allison Park userid pw

          Seriously, and you accuse me of no sense of humour?

          "..... it is Silverlake's 25th birthday, and it seems appropriate to keep score." AS/400? LOL, that's like a terminal cancer victim laughing at the misfortune of others. BTW, you did notice how Linux and UNIX is eating into that AS/400 base?
