Vulns 'like a hacker camped in the server room' all across the net

Security holes in server management technology create hacking opportunities almost on par with direct physical access, claims Metasploit creator HD Moore. The issue arises from security shortcomings involving baseboard management controllers (a type of embedded computer used to provide out-of-band monitoring for desktops and …

COMMENTS

  1. patters

    iLOs and iDRACs should be on a management VLAN, vulnerable or not.

    1. JohnG

      "iLOs and iDRACs should be on a management VLAN, vulnerable or not."

      Yes but the snag is all the other things that get connected to management VLANs by people who should know better and who have been repeatedly warned of the risks.

  2. Anonymous Coward 15

    VLANs, change the default passwords, and the same goes for all your managed networking kit even if you only use it as a dumb switch.

    1. Yet Another Anonymous coward

      Until you discover years later that there is also a fixed admin account and the password, which you can't change, is "cisco"

  3. KierO

    "Yes but the snag is all the other things that get connected to management VLANs by people who should know better and who have been repeatedly warned of the risks."

    You mean IT Managers right?

  4. Anonymous Coward

    Most people don't understand network security. They use one VLAN for everything, probably use a /24 subnet and just plug and play. It works, but is ripe for abuse.
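Comments 1, 2 and 4 above amount to three checks a practitioner can run against an inventory: every out-of-band interface (iLO, iDRAC, switch console) sits in a reserved management subnet, none of them shares a subnet with production hosts, and none is still on a factory-default credential. The script below is an added example, not code from the article or from any of the commenters. The management subnets, the inventory records and the /24 heuristic are constructed assumptions; the default-credential table lists widely documented vendor defaults (iDRAC root/calvin, Supermicro ADMIN/ADMIN, generic admin/admin) plus a cisco/cisco entry that only echoes the comment in this thread.

```python
"""Inventory audit for the controls recommended in the comments above:
management interfaces confined to a management VLAN/subnet, not sharing
a subnet with production hosts, and not on factory-default credentials.

Added example; not from the article or the commenters. Subnets, inventory
and the default-credential table are constructed for illustration.
"""
import ipaddress

# Assumption: the subnets this site reserves for out-of-band management.
MANAGEMENT_SUBNETS = [
    ipaddress.ip_network("10.10.250.0/24"),
    ipaddress.ip_network("10.10.251.0/24"),
]

# (device kind, username, password) triples that mean "never changed".
# The cisco/cisco entry echoes the thread; extend from vendor documentation.
DEFAULT_CREDENTIALS = {
    ("idrac", "root", "calvin"),
    ("supermicro", "ADMIN", "ADMIN"),
    ("switch", "admin", "admin"),
    ("switch", "cisco", "cisco"),
}

# Constructed inventory. In practice the credential fields would come from a
# vault or from an authenticated probe run from the management network,
# never from a plaintext list like this one.
INVENTORY = [
    {"host": "db01", "role": "server", "ip": "10.10.1.10"},
    {"host": "db01-idrac", "role": "bmc", "kind": "idrac", "ip": "10.10.250.11",
     "user": "root", "password": "calvin"},
    {"host": "web02", "role": "server", "ip": "192.168.1.40"},
    {"host": "web02-ilo", "role": "bmc", "kind": "ilo", "ip": "192.168.1.45",
     "user": "Administrator", "password": "Kq7!vb2Rt"},
    {"host": "core-sw1", "role": "switch", "kind": "switch", "ip": "10.10.251.2",
     "user": "admin", "password": "Wn4$pl9Zc"},
    {"host": "lab-sw3", "role": "switch", "kind": "switch", "ip": "10.10.1.7",
     "user": "admin", "password": "admin"},
]


def outside_management_subnets(ip_text, subnets=MANAGEMENT_SUBNETS):
    """True if a management address is not inside any reserved subnet."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in subnets)


def production_neighbours(ip_text, inventory, prefix=24):
    """Production hosts sharing the same /prefix as a management address.

    The /24 default is an assumption that mirrors comment 4's "one /24 for
    everything"; pass the real mask if the site uses something else.
    """
    net = ipaddress.ip_network(f"{ip_text}/{prefix}", strict=False)
    return [d["host"] for d in inventory
            if d["role"] == "server" and ipaddress.ip_address(d["ip"]) in net]


def uses_default_credential(dev, defaults=DEFAULT_CREDENTIALS):
    """True if the device's (kind, user, password) is a known factory default."""
    return (dev.get("kind"), dev.get("user"), dev.get("password")) in defaults


def audit(inventory, subnets=MANAGEMENT_SUBNETS, defaults=DEFAULT_CREDENTIALS):
    """Return (host, finding) pairs for every management interface that
    breaks one of the three controls. Plain servers are not management
    interfaces and are only used as neighbours for the subnet check."""
    findings = []
    for dev in inventory:
        if dev["role"] not in ("bmc", "switch"):
            continue
        if outside_management_subnets(dev["ip"], subnets):
            findings.append((dev["host"],
                             "management interface outside management subnets"))
        for neighbour in production_neighbours(dev["ip"], inventory):
            findings.append((dev["host"],
                             f"shares a subnet with production host {neighbour}"))
        if uses_default_credential(dev, defaults):
            findings.append((dev["host"], "factory-default credential still set"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```

On the constructed inventory the iDRAC that is correctly segregated but still on root/calvin is flagged once, the iLO sitting in a production /24 is flagged twice, and the lab switch fails all three checks; the core switch produces no findings.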

  5. John Smith 19

    Devs need to start thinking remote management -> data link -> encryption

    Not as an afterthought.

    1. Anonymous Coward

      Re: Devs need to start thinking remote management -> data link -> encryption

      I'd seriously point that finger elsewhere. If it's an afterthought, then it was never a baseline requirement, as it was in all the projects where I was lead, manager, then CIO. And then there's the disquieting little problem of the lack of security training, no funds for security training, and no experience in applying the training. Having someone come in after the fact, say the CSO/CISO (if they even exist), to yell at the devs for not requiring secure programming technologies is far too late and accomplishes nothing but some security theatre.

      Up until some of the suits get hauled off to prison for shoddy products that kill people as a result of poor security, nothing will change. "The prospect of being hanged in a fortnight concentrates the mind wonderfully," to probably mangle a quote, is the sad and sorry truth. In IT, out of IT, in the military, government, and business, if I screwed up, well, the results would not have been at all fun. How about some personal accountability? We do it with almost any other product.

