HP’s Backdoor | TechSNAP 116

Opera’s code signing certificate gets compromised, resulting in malware getting pushed out via their automatic update system.

Plus the backdoor that ships in some high-end HP products, your questions, and much much more.

On this week’s TechSNAP!

Opera code signing certificate compromised

  • On June 19th Opera uncovered, halted and contained a targeted attack on their internal network infrastructure.
  • There is no evidence of any user data being compromised.
  • The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware.
  • This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.
  • It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.

How much is your Gmail account worth?

  • University of Illinois at Chicago has developed ‘CloudSweeper’
  • Connects to your Gmail account via OAuth and scans all of your email
  • Finds which accounts you have connected to your Gmail
  • If an attacker were to compromise your Gmail account, they could reset the passwords for and gain control over all of these accounts
  • The service uses an index of the value of these accounts from various underground forums
  • Tells you how much your Gmail account would be worth to an attacker
  • Finds services such as: Amazon, Apple, Groupon, Hulu, Newegg, PayPal, Skype, UPlay and Yahoo
  • Optionally, it can also scan your email for plain text passwords
  • If found, CloudSweeper can connect to Gmail via IMAP and edit these emails, either removing the password entirely (redacting) or encrypting it (replacing it with an encrypted string). It then provides you with a decryption key (a long string of text, or a QR code for simplicity)
  • If you ever need to decrypt the password, you return to CloudSweeper and scan the QR code
  • Krebs on Naming and Shaming Plain Text Passwords
  • PlainTextOffenders.com
  • PasswordFail.com – Browser extension to warn you before you sign up

$80,000 HP Backup device contains undocumented support user with fixed password

  • HP announced that their D2D/StoreOnce deduplication backup products contained a flaw
  • It seems there is an undocumented support user, named ‘HPSupport’, with a fixed 7-character password
  • That means that if a person were to brute force that password, they would have SSH access to every StoreOnce device deployed around the world
  • As it happens, someone has done exactly that, and has even been helpful enough to provide the SHA1 hash of the password, so with a little effort everyone else can brute force the password too
  • HP will release a patch to disable this account on July 7th
  • “In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”
  • Full Disclosure researcher
  • HP said: “HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix.”

  • In December 2010, a similar problem was exposed with some HP NAS devices
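
Until the account is disabled, any SSH authentication as ‘HPSupport’ is worth alerting on. The check below is an added example, not code from HP or the show: it assumes OpenSSH-style sshd auth log lines can be collected from the appliance (the notes do not describe the device's logging), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Account name from the notes above; case-insensitive matching is an assumption.
BACKDOOR_USER = "hpsupport"

# Standard OpenSSH sshd authentication messages (assumed log format).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_backdoor_logins(lines, user=BACKDOOR_USER):
    """Return {source_ip: {"accepted": n, "failed": n}} for the given account."""
    hits = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m.group("user").lower() != user:
            continue
        hits[m.group("src")][m.group("result").lower()] += 1
    return dict(hits)

def triage(hits):
    """Accepted logins are treated as compromise indicators, failures as probing."""
    alerts = []
    for src, counts in sorted(hits.items()):
        severity = "CRITICAL" if counts["accepted"] else "WARN"
        alerts.append((severity, src, counts["accepted"], counts["failed"]))
    return alerts

# Constructed sample log lines using documentation IP ranges, not real device output.
SAMPLE_LOG = """\
Jun 26 02:11:07 storeonce1 sshd[4121]: Failed password for HPSupport from 198.51.100.23 port 50211 ssh2
Jun 26 02:11:09 storeonce1 sshd[4121]: Failed password for HPSupport from 198.51.100.23 port 50211 ssh2
Jun 26 02:14:40 storeonce1 sshd[4150]: Accepted password for HPSupport from 203.0.113.77 port 41822 ssh2
Jun 26 02:15:02 storeonce1 sshd[4162]: Accepted publickey for backupadmin from 192.0.2.10 port 53100 ssh2
Jun 26 02:20:31 storeonce1 sshd[4188]: Failed password for invalid user hpsupport from 198.51.100.99 port 60001 ssh2
""".splitlines()

if __name__ == "__main__":
    for severity, src, ok, bad in triage(find_backdoor_logins(SAMPLE_LOG)):
        print(f"{severity}: {src} accepted={ok} failed={bad} as {BACKDOOR_USER}")
```

An accepted login is rated critical because the password is identical on every affected device, so one success means the credential is known to that source.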

