
Security shortcomings on baseboard controllers open up holes in servers


July 4, 2013

Security flaws in server management technology give attackers opportunities almost on par with direct physical access to the servers themselves, says Metasploit creator HD Moore.

The problem stems from serious shortcomings in baseboard management controllers (BMCs), embedded computers that provide out-of-band monitoring and management for desktops and servers and that ship in nearly every server sold today.

The protocol used to reach those controllers, the Intelligent Platform Management Interface (IPMI), carries its own set of weaknesses.

An attacker who compromises a BMC is well placed to compromise the server it manages, because the controller can control the host's power state, attach virtual boot media and access its console.

Compromising the server in turn would allow an attacker to copy data from any attached storage, modify the operating system, install a backdoor, capture credentials passing through the server, launch denial of service attacks, or simply wipe the hard drives, among many other things.

Such attacks are practical, according to Moore, Rapid7's chief research officer and creator of the Metasploit penetration testing framework, because the vulnerable services are reachable from the internet.

Internet-wide scans by Moore found around 308,000 IPMI-enabled BMCs exposed to the internet, and the number appears to be growing quickly.

Approximately 195,000 of these devices support only IPMI 1.5, which provides no encryption at all. Another 113,000 support IPMI 2.0, which has serious design flaws of its own.

For instance, 53,000 IPMI 2.0 systems are open to an authentication bypass because they accept cipher suite 0, which lets a client authenticate with a valid username and any password. Separate scans by Moore found that about 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service.

Not all of these weaknesses demand an expert. The cipher suite 0 bypass, for example, needs nothing more than a standard IPMI client that lets the user choose the cipher suite; turning a BMC foothold into a full server compromise takes more skill.

Either way, system administrators and data center managers would do well to heed the warning in Moore's research.

A blog post by Moore provides recommendations on how enterprises and hosting providers can reduce the risk of their servers being compromised through the BMC.

Much of it comes down to basics: firewalling the management network so the IPMI service is not reachable from the internet, disabling cipher suite 0, and using long, unique passwords for BMC accounts.
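As an added illustration of the cipher suite 0 check and fix (this is example code written for this page, not from Moore's post or Rapid7), the POSIX shell script below parses the "Cipher Suite Priv Max" field that `ipmitool lan print <channel>` prints, flags cipher suite 0 if it is still enabled, and prints the `ipmitool lan set <channel> cipher_privs` command with a corrected value. The sample `lan print` output is constructed, and the channel number 1 is an assumption; the field layout (one character per cipher suite 0 to 14, X for disabled) is ipmitool's own.

```shell
#!/bin/sh
# Added example (not from Rapid7's post): audit the "Cipher Suite Priv Max"
# line emitted by `ipmitool lan print <channel>` and build the value to feed
# back into `ipmitool lan set <channel> cipher_privs ...`.
# Field layout (ipmitool's): one character per cipher suite 0..14,
# X = suite disabled, c/u/o/a/O = highest privilege the suite may grant.

# Constructed sample of `ipmitool lan print 1` from a BMC that still permits
# cipher suite 0 at ADMIN privilege (first character is 'a').
SAMPLE_LAN_PRINT='IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM'

# Channel number is an assumption; many BMCs expose IPMI-over-LAN on channel 1.
IPMI_CHANNEL=1

# Read `lan print` output on stdin, print the 15-character privilege string.
extract_privs() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*: \([XcuoaO]\{15\}\).*/\1/p' | head -n 1
}

# Exit 0 (true) when cipher suite 0 is enabled at any privilege level.
cipher0_enabled() {
    case "$1" in
        X*) return 1 ;;
        *)  return 0 ;;
    esac
}

# Hardened string: suite 0 disabled, all other suites left as configured.
harden_privs() {
    printf 'X%s\n' "${1#?}"
}

# Audit one `lan print` capture. Exit 1 on a finding, 2 if unparseable.
audit_lan_print() {
    privs=$(printf '%s\n' "$1" | extract_privs)
    if [ -z "$privs" ]; then
        echo "no Cipher Suite Priv Max line found" >&2
        return 2
    fi
    if cipher0_enabled "$privs"; then
        echo "VULNERABLE: cipher suite 0 accepted (privs=$privs)"
        echo "fix with: ipmitool lan set $IPMI_CHANNEL cipher_privs $(harden_privs "$privs")"
        return 1
    fi
    echo "OK: cipher suite 0 disabled (privs=$privs)"
    return 0
}

# Run against the constructed sample; a non-zero status is the finding, not an error.
audit_lan_print "$SAMPLE_LAN_PRINT" || :
```

On a real host you would pipe `ipmitool lan print 1 | extract_privs` instead of the constructed sample, apply the printed `lan set` command, then run `lan print` again to confirm the first character is now X: not every BMC honours the change without a firmware update, so the re-check is the part that matters.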

Supermicro users should also apply an updated firmware image.

Earlier research by Moore, published in January 2013, found that everything from medical systems to traffic light controllers was exposed to attackers because of missing authentication checks.

Flawed implementations of the Universal Plug and Play (UPnP) protocol left as many as 50 million devices vulnerable, Rapid7 warned at the time.

In other internet security news

Hewlett-Packard shipped a serious security vulnerability in its StoreOnce storage appliances: a hard-coded administrator account in the management software.

According to a blogger writing under the name Technion, several weeks of attempts to contact HP's Software Security Response Team failed to elicit a response, so the blogger went public.

“My last three weekly requests for an update have gone ignored,” Technion writes. It is a simple and all-too-familiar scenario: during product development someone creates a vendor admin account because nobody wants to waste time on password recovery, and the account stays in the shipped product because nobody remembers to remove it.

It certainly looks like an oversight. Technion did not post the password for the HP Support account, but did post its SHA-1 hash, and H-Online writes, “The password is just seven characters long and draws on a ten-year old meme”, which suggests that someone has already brute-forced it more than once.

As Technion writes, “This hash is out there and it can't be taken away. Someone will crack it, and they will do so very soon.”

And this isn't the first time HP has been caught with an undocumented account. In 2010, its StorageWorks P2000 G3 MSA was found to have a similar one. HP's advisory at the time said the account's password could be changed by users through the command line interface.

It is not yet known whether the StoreOnce account can be secured the same way, which is troubling.

We sought comment from HP in Europe, Australia and the U.S., and will update this story if a response is received. As of this morning, we are still waiting.

In other internet security news

There's a new entrant that few people outside the internet security community have heard of yet.

It's called WebRTC, and while it may sound like just another internet acronym, what it promises to bring to web browsers could be the death knell for the eternal browser plugin. WebRTC is now available in the latest version of Mozilla's Firefox.

WebRTC stands for Web Real-Time Communications, a set of browser APIs and protocols for voice, video and data exchange without plugins. Following its recent introduction in Google's Chrome, today's Firefox update makes it the second browser to support the plugin-free technology.

Ask almost any internet security expert and they will tell you that browser plugins are among the most frequently exploited software components in the browser.

The debut of WebRTC in Firefox 22 is a big deal, and some developers have been waiting for it for many months.

"Browser plugins are the single largest source of internet security problems and of various stability issues that we see," said Johnathan Nightingale, Mozilla's vice-president of engineering for Firefox.

WebRTC is planned for Firefox for Android, which was also updated today, but it has yet to land in the mobile browser.

On the surface, WebRTC sounds a bit like Skype. It lets you make voice and video calls from one browser to another through its PeerConnection component, and it also lets you transfer data directly between two browsers through a component called DataChannels. Both arrived in today's stable release of Firefox.

"Actually, 'how is it different from Skype' misses the point of it," said Nightingale, who nearly bounced with enthusiasm in his seat while talking about WebRTC. "It's a lot bigger than that. It's eight million developers who have access to the Web camera, or one of those audio remix tools, online."

Also enabled in the new Firefox is asm.js, a strict subset of JavaScript developed at Mozilla that the engine can optimise ahead of time, so that code written in it runs at speeds approaching native code.

"asm.js is fast," said Nightingale. So fast, he explained, that developers at the gaming company Epic were "jumping up and down".

In a demonstration of asm.js last month, we saw it powering a first-person shooter that rendered in Firefox nearly as smoothly as native code on a console.

Other changes in Firefox for desktops include better WebGL performance thanks to asynchronous canvas updates, which let the browser use the graphics chip more efficiently, and better memory management when loading images.

There is also support for the Web Notifications API, which lets web applications show notifications to the user, and, last but not least, a download progress indicator on the Dock icon on Macs.

Firefox for Android 22 doesn't yet have WebRTC or asm.js support, although both will eventually come to the mobile browser, Nightingale added.

Tuesday's update to Android Firefox does include the WebGL improvements, the Web Notifications API, and smaller Android tablets will now see the tablet version of the interface, as opposed to the phone version.

For now, it's still not clear how, or even whether, the browser differentiates between phones and tablets.

In other internet security news

Edward Snowden, the former NSA contractor who leaked details of the agency's surveillance programs, left Hong Kong for Moscow this morning, frustrating attempts by the United States to have him extradited on espionage charges.

According to some unconfirmed reports, Snowden left Hong Kong yesterday, spent a few hours in Russia and is now on his way to Cuba. There's no question that he's on the run, but there are still conflicting reports that he might remain in Russia as of this morning.

In a statement issued this morning, the Hong Kong government confirmed that Snowden had left the territory on "his own volition for a third country through a lawful and normal channel".

According to the statement, Hong Kong had no legal basis to stop him from leaving, as the "documents provided by the U.S. government didn't fully comply with Hong Kong's laws".

And to complicate matters even more, Hong Kong has formally requested clarification on "earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies."

"The Hong Kong government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong," the message read.

On Friday, June 21, the U.S. Department of Justice (DoJ) formally filed criminal charges against Snowden, including counts under the Espionage Act.

Snowden, a former security contractor, leaked the existence of the PRISM surveillance program to The Guardian and The Washington Post, which published details of the secret NSA program two weeks ago.

The U.S. government had also asked Hong Kong to issue a provisional arrest warrant for Snowden, the Hong Kong Special Administrative Region said in a statement. But HKSAR officials said there were issues with the request.

Hong Kong's lack of intervention came after Snowden told the South China Morning Post that U.S. intelligence agents have been hacking computer networks in Hong Kong and mainland China for years.

Hong Kong said it wanted an explanation from the United States about that. "The HKSAR government has formally written to the U.S. government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by U.S. government agencies," Hong Kong officials said in the same statement.

U.S. federal prosecutors have charged Snowden with theft of government property, unauthorized communication of national defense information, and willful communication of classified communications intelligence to an unauthorized person or group of people.

The latter two allegations amount to espionage under the federal Espionage Act. News of Snowden's departure followed a day of intense speculation over whether Hong Kong would extradite him back to the United States.

Hong Kong Executive Council member Regina Ip said authorities could arrest Snowden if his actions qualify as criminal under Hong Kong law, China's state-run Xinhua news agency reported earlier Sunday. The executive council decides on policy matters for Hong Kong, a special administrative region of China.

But if the charges against him were deemed to be political in nature, the 30-year-old would not be extradited, Ip told the Xinhua News Agency.

Snowden has admitted in several interviews that he was the source behind the leak of classified U.S. government documents about the NSA's surveillance programs. Those leaks were the basis of reports in Britain's Guardian newspaper and The Washington Post two weeks ago. The Guardian revealed Snowden's identity at his request.

The documents revealed the existence of programs that collect records of domestic telephone calls in the United States and monitor the Internet activity of overseas residents.

The revelation of the leaks rocked the White House and U.S. intelligence community, raising questions about secret operations of the NSA and whether the agency was infringing on American civil liberties or not.

President Obama, top legislators and U.S. national security officials defend the surveillance programs as necessary to combat global terrorism and argue that some privacy must be sacrificed in a balanced approach.

Last week, Snowden also embarrassed GCHQ, the U.K.'s counterpart to the NSA, when documents he provided revealed the agency's large-scale tapping of the fibre-optic cables that carry internet traffic.

In other internet security news

A nasty IT oversight exposed hundreds of photos of suspected criminals on the web. It got worse: the details of the people in Britain who reported them over the internet were exposed as well.

The Facewatch website, which lets police and businesses in Britain upload and share evidence of alleged petty crimes, was left wide open by a web server misconfiguration.

The error allowed anyone to access a large trove of CCTV footage, along with images and information about the companies that subscribe to the service.

We were able to look through about 4,250 records containing photos and videos of suspects dating back to March 2011.

We saw shoplifters taking merchandise from department stores, a man waving a long stick inside a cheque cashing outlet, and people looking rather suspicious in packed pubs, presumably just before a crime took place.

Some of the images even carried names, which could be legally problematic for the site's owners if those pictured turned out to be innocent.

We also saw long lists of stores around Britain that have signed up to Facewatch, along with the names and contact details of their security guards and managers. That information could be useful to a criminal wishing to intimidate a witness or take revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to view include Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of betting shops.


Source: Rapid7.
