
HP has a serious security flaw in its StoreOnce SAN solution


June 26, 2013

Hewlett Packard left a very serious security vulnerability in its StoreOnce SAN solution: a hard-coded administrator account in its management software.

According to blog site Technion, several weeks of contact initiatives with HP's Software Security Response Team have failed to elicit a response, so the poster decided to go public.

“My last three weekly requests for an update have gone ignored,” Technion writes. It's a simple and all-too-depressing scenario: during product development, someone creates a vendor admin account because nobody wants to waste time with password recovery, and the account stays in the product because nobody remembers to remove it.

It certainly looks like an accident: while Technion didn't post the password that the HP Support account uses, he did post its SHA1 hash, and H. Online writes, “The password is just seven characters long and draws on a ten-year-old meme”, suggesting that someone has already brute-forced it more than once.

As Technion writes, “This hash is out there and it can't be taken away. Someone will crack it, and they will do so very soon.”

And this isn't the first time that HP has been bitten by secret backdoors. In 2010, its StorageWorks P-2000 G3 MSA was found to have a similar undocumented account. The company's advisory at that time was that the admin account password could be changed by users through the command line interface.

It's not yet known whether the StoreOnce admin account can be similarly secured, however, and this is troubling.

We sought comment from HP in Europe, Australia and the U.S., and will update this story if a response is received. As of this morning, we are still waiting.

In other internet security news

There's a new kid on the block and not too many people have heard of him yet, except some people in the internet security segment of the industry.

It's called 'WebRTC' and it may very well sound like yet another Internet acronym, but what it promises to bring to web browsers could simply be the death knell for those eternal plugins. And WebRTC is now available with the latest version of Mozilla's Firefox.

WebRTC is a new protocol; the name stands for Web Real-Time Communications. Following the recent introduction of the protocol to Google's Chrome browser, today's update to Firefox makes it the second browser to support the plugin-free protocol.

Ask just about any internet security expert and he or she will tell you that browser plugins are among the most abused pieces of software when it comes to internet security issues.

The debut of WebRTC in Firefox version 22 is quite a big deal, and some have been waiting for it for many months already.

"Browser plugins are the single largest source of internet security problems and of various stability issues that we see," said Johnathan Nightingale, Mozilla's vice-president of engineering for Firefox.

WebRTC is planned for Firefox for Android, which also updated today, but it has yet to be added to the mobile browser.

On its surface, WebRTC sounds a bit like Skype. It lets you conduct voice and video calling one browser to another via its PeerConnection component, but it also lets you transfer data directly between two browsers, thanks to a component called DataChannels. These were both added in today's new stable version of Firefox.

"Actually, how is it different from Skype misses the point of it," said Nightingale, who nearly bounced with enthusiasm in his seat while talking about WebRTC. "It's a lot bigger than that. It's eight million developers who have access to the Web camera, or one of those audio remix tools, online."

Also enabled in the new Firefox browser is ASM.js, a Mozilla patent to improve the speed of JavaScript to the point where it almost loads as fast as native code.

"ASM.js plus is fast," said Nightingale. So fast, he explained, that developers at the gaming company Epic were "jumping up and down," he said.

During a quick demonstration of ASM.js last month, we saw the code powering a first-person shooter that appeared to render in Firefox nearly as smoothly as native code on a console.

Other changes in Firefox for desktops include better WebGL performance thanks to asynchronous canvas updates, which means that your browser will use your hardware's graphics chip more efficiently. There's also better memory management when loading images.

There's also support for the Web Notifications API, which will let Web updates appear in browser tabs. And, last but not least is adding a download progress indicator to the Dock icon on Macs.

Firefox for Android v. 22 doesn't yet have WebRTC or ASM.js support, although eventually both will come to the mobile browser, Nightingale added.

Tuesday's update to Android Firefox does include the WebGL improvements, the Web Notifications API, and smaller Android tablets will now see the tablet version of the interface, as opposed to the phone version.

For now, it's still not clear how, or even whether, the browser differentiates between phones and tablets.

In other internet security news

Edward Snowden, the NSA whistleblower against the U.S. government, left Hong Kong for Moscow this morning, challenging several attempts by the United States to extradite him back to the U.S. under espionage charges.

According to a few unconfirmed reports, Snowden left Hong Kong yesterday, went to Russia, stayed there for a few hours and is now on his way to Cuba. There's no question that he's on the run, but there are still conflicting reports that he might still be in Russia as of this morning.

In a statement issued this morning, the Hong Kong government confirmed that Snowden had left the country on "his own volition for a third country through a lawful and normal channel".

According to the statement, Hong Kong had no legal basis to stop him from leaving the country, as "documents provided by the U.S. government didn't fully comply with Hong Kong's laws".

And to complicate matters even more, Hong Kong has formally requested clarification on "earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies."

"The Hong Kong government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong," the message read.

On Friday June 21st, the U.S. Department of Justice (DoJ) formally charged Snowden with spying against the United States government.

Snowden, a former security contractor, leaked the existence of The PRISM Project to The Guardian Newspaper and The Washington Post, which published several details of this NSA secret surveillance program two weeks ago.

The U.S. government had also asked Hong Kong to issue a provisional arrest warrant for Snowden, the Hong Kong Special Administrative Region said in a statement. But HKSAR officials said there were issues with the request.

Hong Kong's lack of intervention came after Snowden told the South China Morning Post that U.S. intelligence agents have been hacking computer networks in Hong Kong and mainland China for years.

Hong Kong said it wanted to have some words with the United States about that. "The HKSAR government has formally written to the U.S. government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies," Hong Kong officials said in the same statement.

U.S. federal prosecutors have charged Snowden with theft of government property, unauthorized communication of national defense information, and willful communication of classified communications intelligence to an unauthorized person or group of people.

The latter two allegations amount to espionage under the federal Espionage Act. News of Snowden's departure followed a day of intense speculation over whether Hong Kong would extradite him back to the United States.

Hong Kong Executive Council member Regina Ip said authorities could arrest Snowden if his actions qualify as criminal under Hong Kong law, China's state-run Xinhua news agency reported earlier Sunday. The executive council decides on policy matters for Hong Kong, a special administrative region of China.

But if the charges against him were deemed to be political in nature, the 30-year-old would not be extradited, Ip told the Xinhua News Agency.

Snowden has admitted in several interviews that he was the source behind the leaking of classified U.S. government documents about the NSA's surveillance programs. Those leaks were the basis of reports in Britain's Guardian newspaper and The Washington Post two weeks ago. The Guardian revealed Snowden's identity at his request.

The documents revealed the existence of programs that collect records of domestic telephone calls in the United States and monitor the Internet activity of overseas residents.

The revelation of the leaks rocked the White House and U.S. intelligence community, raising questions about secret operations of the NSA and whether the agency was infringing on American civil liberties or not.

President Obama, top legislators and U.S. national security officials defend the surveillance programs as necessary to combat global terrorism and argue that some privacy must be sacrificed in a balanced approach.

Last week, Snowden threw a curve at GCHQ, the U.K.'s counterpart to the NSA, when he exposed massive data leaks by the security agency.

In other internet security news

A nasty IT oversight released hundreds of photos of suspected criminals on the web. But it got a lot worse when the details of the British citizens who reported them over the internet got published as well.

The Facewatch website, which allows police and businesses in Britain to upload and share evidence of alleged petty crimes, was left wide open thanks to a nasty web server misconfiguration.

The error allowed anyone to easily access a huge trove of CCTV footage, including images and information about companies that sign up to the service.

We were able to look through about 4,250 records containing photos and videos of suspects dating back to March 2011.

We saw shoplifters stealing various merchandise from department stores, a man waving a long stick inside a check cashing service outlet, and people looking rather suspicious in some packed pubs presumably just before a crime took place.

Some of the images even had names on them, which would be legally problematic for the site's owner(s) if those pictured turned out to be innocent.

We also saw long lists of stores around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any potential criminal wishing to intimidate a witness or cause some kind of revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of various betting offices.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court. Publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or it could simply ruin their reputation for a very long time.

Blighty's privacy watchdog - the Office of the Information Commissioner - told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website. We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

The website boasts it was declared "secured by design" by a police-run body that recognises products or businesses that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

But now with a gaping security hole in its website, this could make businesses think again about how stringent this standard actually is.

Worse: you didn't have to be a small-time thief or an expert hacker to get into the sensitive files. All that was required was changing "http" to "https" in the website's address, and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was misconfigured to list the contents of directories on the web server rather than serving the intended web pages. Visiting redirects to but this didn't happen on the HTTPS site, which instead revealed the index of the server's root directory; from there, website code, user databases and folders packed with hundreds of images could all be browsed.
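As an added illustration (constructed configs and checker, not Facewatch's own), a minimal lint that flags nginx server blocks which would serve a directory listing, with the failure pattern described above beside a corrected block:

```python
import re

# Constructed nginx fragments, not the real Facewatch configuration. BROKEN
# mirrors the pattern above: the HTTP server redirects to HTTPS, but the HTTPS
# server block has autoindex on and no index page, so the root directory
# listing is served instead of the site.
BROKEN = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    root /srv/site;
    autoindex on;
}
"""

# Corrected: root limited to the public directory, an index page named, autoindex off.
FIXED = """
server {
    listen 443 ssl;
    root /srv/site/public;
    index index.html;
    autoindex off;
}
"""

def server_blocks(text):
    """Return the bodies of top-level server { ... } blocks (assumes the
    server blocks sit at the top level rather than inside http { })."""
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(text[start:i])
                start = None
    return blocks

def directory_listing_findings(text):
    """(listen directive, reason) for each server block that would list directories."""
    findings = []
    for body in server_blocks(text):
        listen = re.search(r"\blisten\s+([^;]+);", body)
        autoindex = re.search(r"\bautoindex\s+on\s*;", body)
        has_index = re.search(r"\bindex\s+[^;]+;", body)   # \b excludes "autoindex"
        if autoindex:
            reason = "autoindex on" + ("" if has_index else ", no index directive")
            findings.append((listen.group(1).strip() if listen else "?", reason))
    return findings
```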

We were told about the security flaw by a source who was trying to report a crime. While trying to find the address of an HTTPS-encrypted server to send the images to, we found and it gave us full read-only access to Facewatch's file tree.

We reported the security flaw to Facewatch, which closed the hole immediately. The organization's chairman told us the "accessible code was related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crimes to contact those who reported a crime on their behalf."

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety".

He continued: "We have undertaken some strong penetration testing to ensure that the data stored in the Facewatch systems is very secure and we can confirm that all personal data is secure and that our systems are safe. The URL to which you referred us has been closed as this is no longer in use."

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

The chairman added that some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times. Besides letting officers and authorized people upload files, Facewatch lets British citizens use their mobile phones to view CCTV still shots and other images of people wanted for questioning by the police.

Facewatch's Gordon claimed that some of the images we found on the server were part of that public mug-shot gallery.

"Some residual photos of individuals that the police would like to contact in relation to certain reported crimes were in fact available. Those images had been made available to see if members of the public would be able to help with their identification," Gordon added.

In other internet security news

According to a new study from the University of Erlangen in Germany, Apple's iPhone devices being used as Wi-Fi hotspots are open to hackers' attacks because of weak security protocols in the automatic password generation system Apple has in place.

Called "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots," the paper reveals that the seemingly random password iOS generates for hotspots is very simple to hack into.

It consists of only four to six characters followed by a four-digit number string. As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password system every time, although the team points out it isn't suggesting Apple used the same dictionary.

Using an AMD Radeon HD 6990 GPU, the average time to crack was just 59 minutes. So the team then reverse-engineered the iOS word list used for password generation, using "static and dynamic analysis," tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks.

They discovered that Apple uses English-language words of between four and six letters from a dictionary made by Lernout & Hauspie Speech Products.

"Only 1,842 different entries of that dictionary are taken into consideration," the paper states. "Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96 percent and thus increased the overall cracking speed significantly."
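As an added worked example (not from the paper or the article), the search-space arithmetic behind the "more than 96 percent" figure, with the guess rate inferred from the reported 59-minute average as a labelled estimate:

```python
import math

# Figures taken from the article above; everything derived from them below
# is an estimate, not a measurement from the Erlangen paper.
SCRABBLE_WORDS = 52_500      # open-source Scrabble list the team tried first
IOS_WORDS = 1_842            # dictionary entries iOS actually draws from
NUMERIC_SUFFIXES = 10 ** 4   # the trailing four-digit number
AVG_CRACK_MINUTES = 59       # reported average against the Scrabble list

def keyspace(words, suffixes=NUMERIC_SUFFIXES):
    """Distinct passwords the generator can emit: one word times one suffix."""
    return words * suffixes

def entropy_bits(space):
    """Equivalent bits of entropy for a uniformly chosen password."""
    return math.log2(space)

def reduction_pct(before, after):
    """Share of the search space that the reverse-engineered word list removes."""
    return 100.0 * (1 - after / before)

def implied_guess_rate(space, avg_minutes):
    """Guesses per second implied by an *average* crack time, assuming the
    attacker exhausts half the space on average (uniform password choice)."""
    return (space / 2) / (avg_minutes * 60)

def minutes_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second / 60

def summary():
    naive, real = keyspace(SCRABBLE_WORDS), keyspace(IOS_WORDS)
    rate = implied_guess_rate(naive, AVG_CRACK_MINUTES)
    return {
        "naive_space": naive,
        "real_space": real,
        "naive_bits": round(entropy_bits(naive), 1),
        "real_bits": round(entropy_bits(real), 1),
        "reduction_pct": round(reduction_pct(naive, real), 1),
        "implied_guesses_per_s": round(rate),
        "worst_case_minutes_real": round(minutes_to_exhaust(real, rate), 1),
        # for comparison: a user-chosen random 12-character alphanumeric password
        "random_12_alnum_bits": round(entropy_bits(62 ** 12), 1),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>26}: {value}")
```

The comparison line is the practical takeaway: replacing the generated default with a random 12-character password raises the hotspot from about 24 bits to over 70.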


Source: Technion.
