Tag Archive for Dell

Is Toshiba Screwed?

The tortuous auction of Toshiba’s coveted NAND chip fab has finally started to wrap up. You would think that after over nine months of bidding and 2 trillion yen ($17.7 billion) the victors would like to gloat. A win of that size would be celebrated, but nooo….

The winning partners, led by venture capitalist Bain Capital and Apple, can’t even agree on when to hold a presser to announce their purchase. The consortium had planned a presser for 09-28-2017, which was abruptly cancelled just minutes before it was due to begin, according to reports. Reuters reports that “…the consortium could not form a consensus on whether to brief media.”

One wrinkle may be that Apple (AAPL) has demanded new terms on its chip supply for the new iPhones. In addition to Apple, Bain’s consortium “Pangea” includes Japan’s Hoya Corporation, South Korea’s SK Hynix, and U.S. investors Kingston Technology (KINS), Seagate Technology (STX) and Dell Technologies Capital, all of which want access to NAND technology.

Under the deal, Toshiba will have 40.2 percent of voting rights in the chip unit and Hoya will own 9.9 percent. The four U.S. tech firms will not have voting rights.

Besides internal strife, the sale also faces legal challenges from Western Digital (WDC), Toshiba’s chip venture partner and rejected suitor, which is seeking an injunction to block any deal that does not have its consent.

Western Digital, one of the world’s leading makers of hard disk drives, paid some $16 billion last year to acquire SanDisk, Toshiba’s chip joint venture partner since 2000. It sees chips as a key pillar of growth and is desperate to keep the business out of the hands of rival chip makers.

Bain has also announced that it plans to take Pangea public by 2020.

Server Management Security Hole

Dan Farmer, security researcher and creator of the SATAN vulnerability scanner, teamed up with HD Moore, chief research officer at Rapid7 and lead architect of the Metasploit penetration testing framework, and found 230,000 publicly accessible Out-Of-Band management interfaces on the Internet. Many of these systems were running software which dates back to 2001.

According to PCWorld, the Out-Of-Band (OOB) management interfaces expose servers to the Internet through microcontrollers embedded into the motherboard that run independently of the main OS and provide monitoring and administration functions. These microcontrollers are called Baseboard Management Controllers (BMCs). BMCs are part of the Intelligent Platform Management Interface (IPMI), a standardized interface made up of a variety of sensors and controllers that allow administrators to manage servers remotely when they’re shut down or unresponsive, but are still connected to the power supply.

BMCs are embedded systems that have their own firmware—usually based on Linux. IPMI is an OS-agnostic and pervasive protocol. Initially developed by Intel (INTC), Dell (DELL), HP (HPQ), and other large vendor manufacturers, it was designed to help manage OOB or Lights-Out communication.

Pure IPMI is usually implemented as a network service that runs on UDP port 623 and can either piggyback on the server’s network port or may use a dedicated Ethernet port. Vendors take IPMI as a base and add on a variety of services like mail, SNMP, and Web GUIs, and then rebrand the new package:

  • Dell has iDRAC,
  • Hewlett Packard has iLO,
  • IBM (IBM) has IMM2.

It’s also used as the engine for higher-level protocols such as those put out by the DMTF (WBEM, CIM, etc.), the OpenStack Foundation, and others. According to the research paper, IPMI is particularly popular for large-scale provisioning, roll-outs, remote troubleshooting, console access, and the like.

The parasitic BMC has near-complete control and oversight of the server it rides upon, including its memory, networking, and storage media, and cannot be truly turned off; instead it runs continuously unless the power cord is completely pulled – an owner may only temporarily disable outside interaction, short of taking a hammer to the motherboard.

Security researchers have warned in the past that most IPMI implementations suffer from architectural insecurities and other vulnerabilities that can be exploited to gain administrative access to BMCs. If attackers control the BMC they can mount attacks against the server’s OS as well as other servers from the same management group.

Dan Farmer stated in his recent paper Sold Down the River (PDF):

For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better … These vendors have not only gone out of their way to make their offerings difficult to understand or audit but also neglected to supply any substantial defense tools or helpful security controls

Mr. Farmer and Mr. Moore ran scans on the Internet in May 2014 and identified 230,000 publicly accessible BMCs. Deeper analysis of the at-risk systems revealed:

  • 46.8 percent of them were running IPMI version 1.5, which dates back to 2001,
  • 53.2 percent were running IPMI version 2.0, which was released in 2004.

The researchers reported that nearly all the systems running IPMI v1.5 were configured so that all accounts could be logged into without authentication, “… you can login to pretty much any older IPMI system without an account or a password.” Mr. Farmer explains that this set-up can grant an attacker privileged access, “… in most cases they grant administrative access, and even when they don’t the mere ability to execute any kind of commands without authentication is a bad thing.”

The team found that IPMI v2.0, which includes cryptographic protection, has its own security issues. For example, the first cipher option, known as cipher zero, provides no authentication, integrity or confidentiality protection, Farmer said. A valid user name is required for logging in, but no password. The researcher found that around 60 percent of the publicly accessible BMCs running IPMI version 2 had this vulnerability.
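An added example (not from the research paper or the original post): a defender-side check for the two settings described above, an enabled NONE authentication type and a usable cipher zero. It assumes text in the layout that `ipmitool lan print` produces; the sample output is constructed and the function names are illustrative.

```python
# Constructed sample in the layout of `ipmitool lan print`; all values are invented.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD5
                        : User     : MD5 PASSWORD
                        : Operator : MD5
                        : Admin    : NONE MD5
                        : OEM      :
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
"""

PRIV_NAMES = {"c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}


def parse_lan_print(text):
    """Return {field: [values]}, folding continuation lines into the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip():              # a new "Field name : value" line
            current = key.strip()
            fields[current] = []
        if current is not None:      # blank key means continuation of the last field
            fields[current].append(value.strip())
    return fields


def audit_bmc(text):
    """List the authentication weaknesses visible in one BMC's LAN configuration."""
    fields = parse_lan_print(text)
    findings = []
    # Assumption: an enabled NONE auth type is the password-less IPMI 1.5 setup.
    for entry in fields.get("Auth Type Enable", []):
        level, _, types = entry.partition(":")
        if "NONE" in types.split():
            findings.append(f"auth type NONE enabled for {level.strip()}")
    # Cipher suite 0 is usable when it is offered and its privilege slot is not 'X'.
    suites = [s.strip() for s in ",".join(fields.get("RMCP+ Cipher Suites", [])).split(",")]
    priv_max = (fields.get("Cipher Suite Priv Max") or [""])[0]
    zero_priv = priv_max[:1]         # first character maps to cipher suite 0
    if "0" in suites and zero_priv != "X":
        level = PRIV_NAMES.get(zero_priv, "unknown")
        findings.append(f"cipher suite 0 usable up to {level}")
    return findings


if __name__ == "__main__":
    for finding in audit_bmc(SAMPLE_LAN_PRINT):
        print("FINDING:", finding)
```

A missing privilege string is reported as "unknown" rather than treated as safe, so an unparsed configuration still surfaces for review.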

Another serious issue introduced by IPMI 2.0 stems from its RAKP key-exchange protocol that’s used when negotiating secure connections. The protocol allows an anonymous user to obtain password hashes associated with any accounts on the BMC, as long as the account names are known.

“This is an astonishingly bad design, because it allows an attacker to grab your password’s hash and do offline password cracking with as many resources as desired to throw at the problem,” Farmer said.

The analysis showed that 83 percent of the identified BMCs were vulnerable to this issue, and a test with the brute-force password guessing application John the Ripper, using a modest 4.7 million-word dictionary, successfully cracked 30% of the BMC passwords.

Farmer calculated that between 72.8 and 92.5 percent, depending on password cracking success rate, of BMCs running IPMI 2.0 had authentication issues and were vulnerable to unauthorized access.

“While a quarter of a million BMCs is only a tiny sliver of the total computing power in the world, it’s still an important indicator as a kind of canary in the coalmine,” because BMCs that are behind corporate firewalls share the same issues, Farmer said. “While management systems are often not directly assailable from the outside they’re often left open once the outer thin hard candy shell of an organization is breached.”

The research paper includes some recommendations for server administrators on how to mitigate some of the identified issues and better secure their BMCs, but the researcher concludes that ultimately the problem of insecure IPMI implementations will linger on for a long time. Mr. Farmer concludes with a rant:

Many of these problems would have been easy to fix if the IPMI protocol had undergone a serious security review or if the developers of modern BMCs had spent a little more effort in hardening their products and giving their customers the tools to secure their servers … At this point, it is far too late to effect meaningful change. The sheer number of servers that include a vulnerable BMC will guarantee that IPMI vulnerabilities and insecure configurations will continue to be a problem for years to come.

rb-
They told us so, about a year ago.

Defense in depth: block UDP port 623 at the perimeter – yes, all of them, and on the end-points. You are using personal firewalls?

Disable or remove the default vendor user names and pick a strong UID and PWD.

Least privilege: the researchers warn that anyone who has administrative privileges on a BMC’s server has administrative control over it and may disable or enable IPMI, add or remove accounts, change the IP address, etc., all without any authentication to the BMC.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

400 Gbps Ethernet Coming

The Institute of Electrical and Electronics Engineers (IEEE) launched an IEEE 802.3 “Standard for Ethernet” study group to explore development of a 400 Gbps Ethernet standard to efficiently support ever-increasing, exponential network bandwidth growth. Ethernet, which is celebrating its 40th anniversary this year, is defined by the IEEE 802.3 standard. Ethernet is a globally pervasive standard, driven by the ever-growing needs of local area, access and metropolitan area networks around the world.

Beyond traditional networks, Help Net Security reports that new applications like industrial and automotive networking are expanding their reliance on Ethernet. To better address the needs of these areas, the IEEE 802.3 Ethernet standard is constantly evolving and expanding. John D’Ambrosia, chair of the new IEEE 802.3 400 Gbps Ethernet Study Group and chief Ethernet evangelist, CTO office, Dell, says Ethernet must evolve. “Traffic is growing everywhere … and it’s critical that we move now to create a plan for the Ethernet ecosystem to evolve beyond today’s capabilities, in order to accommodate the burgeoning bandwidth tsunami.”

In August 2012, the IEEE forecasted that networks will need to support 58 percent compound annual growth rates (CAGRs) on average. Driven by simultaneous increases in users, access methodologies, access rates and services (such as video on demand and social media), they report that networks would need to support capacity requirements of 1 terabit per second in 2015 and 10 terabit per second by 2020 if current trends continue. Alan Weckel, vice president enterprise and data center market research at Dell’Oro Group said in the article, “Ethernet is an arena of constant innovation, driven by the market demand for support of new ever-increasing bandwidth speeds, as well as new protocols, applications and media types.”

Standards based networking has worked so far and will be needed as 400 Gbps Ethernet evolves. Mr. Weckel adds, “Global bandwidth requirements are continuing to grow exponentially … Standards-based solutions are integral to maintaining business growth across the Ethernet ecosystem.”

David Law, chair of the IEEE 802.3 Ethernet Working Group and distinguished engineer with HP Networking explains in the article, “An IEEE 802.3 study group is formed when there is interest in developing a request to initiate an IEEE 802.3 Ethernet standards-development project.”

Dell’s D’Ambrosia told Wireless Design Magazine that a host of new technologies and applications have proliferated in the marketplace since the most recent speed jump to 100 Gb/s Ethernet was ratified in 2010. He reminded NetworkWorld that “The iPhone didn’t exist when we started 100G” Ethernet. Mr. D’Ambrosia concludes that the impact has been felt throughout the Ethernet ecosystem. Data centers, for example, where Ethernet is the primary interconnect technology, are at the center of the bandwidth storm. Pressure is intensifying from all directions:

  • More demand from outside the data center, driven by increasing numbers of users armed with more devices capable of ever-increasing bandwidth consumption;
  • More demand from within the data center, driven by more and faster storage and server technologies, and
  • More demand across data centers, driven by new applications, new databases and new architectures.

 

Acer Halts eMachines

Taiwanese PC maker Acer confirmed to ChinaTechNews.com that the company has terminated the operations of its eMachines brand, which was gained during the company’s 2007 $710 million acquisition of Gateway. Gateway acquired eMachines in 2004 for $30 million, and Packard Bell in 2007.

The termination of the operation of the eMachines brand is in line with the streamlining policy announced at the end of 2011 by J.T. Wang, chairman of Acer (ACEIY). The company will continue to carry out brand integration and the entire process is expected to be completed in three years. Reportedly, Acer will continue to invest in post-PC Gateway and Packard Bell products to sell “a variety of devices that would have been thought of as beyond the PC in the past,” Lisa Emard, an Acer spokeswoman, said in an email to PCWorld.

Acer was the fourth largest PC vendor behind HP (HPQ), Lenovo (LNVGY) and Dell (DELL), with shipments of around 7 million units, a drop of 28.2 percent year over year, reports PCWorld.

rb-

eMachines, the ultimate throw-away machine, has fallen victim to the iPad. I had an eMachines for a while at the turn of the century, and yes it survived Y2K. Do you think it matters that Acer stopped selling eMachines?

 

BYOD

90% of Employees Use Personal Devices for Work

A survey by Dell KACE (DELL) found IT managers feel they lack the necessary tools to properly manage personal devices. In the study, IT managers revealed they are unable to effectively protect corporate data and intellectual property as well as ensure compliance. Help Net Security says key survey findings include:

  • 87 percent of companies have employees that use a personal device for work, including laptops, smartphones and tablet computers.
  • 82 percent cited concerns about the use of personal devices for business use.
  • 64 percent revealed they are not confident that they know of all personal devices being used for business purposes.
  • 62 percent are specifically concerned about network security breaches.
  • 60 percent reported a greater demand for support of Mac OS X since the introduction of the Apple (AAPL) iPad and iPhone.
  • 59 percent reported that personal devices have created the need to support multiple operating systems (OSs).
  • 32 percent revealed employees use unauthorized personal devices and applications to connect to their network.

On the governance side:

  • 88 percent said they believe it is important to have a policy in place to support personal devices, and another 62 percent revealed their organization lacks the necessary tools to manage personal devices.

“It’s absolutely essential that IT teams deploy a strategy that provides end-to-end management capabilities on a variety of operating systems to effectively protect networks and address the consumerization and personalization of IT,” said Rob Meinhardt, general manager and co-founder for Dell KACE.

Security Monitoring for BYOD Environments

Unlike other BYOD security solutions that force organizations to install software on every new device, Lancope’s StealthWatch System provides security for any device entering the network, without having to install more software on the device or deploy expensive probes. Help Net Security reports that StealthWatch performs behavioral analysis on flow data from existing infrastructure to deliver end-to-end visibility and security across an organization’s entire network.

Net flow data already exists in network infrastructure devices to monitor network and host activity. Since net flow is already in most network equipment, it provides a cost-effective tool for monitoring mobile devices. The article says flow-based monitoring can uncover external attacks like botnets, worms, viruses or APTs, as well as internal risks such as network misuse, policy violations and data leakage. It can also be leveraged for other efforts including regulatory compliance and capacity planning, and for ensuring high levels of network and mobile device performance.


IT is Embracing BYOD

Cisco says that IT is accepting, and in some cases embracing, “bring your own device” (BYOD). Help Net Security reports that the networking giant found that some of the pros and cons associated with allowing employees to use their own mobile devices on their employers’ networks have become a reality in the enterprise.

The Cisco (CSCO) study BYOD and Virtualization (PDF) found most enterprises are now enabling BYOD.

  • 95% of responding firms permit employee-owned devices in some way in the workplace.
  • The average number of connected devices per knowledge worker will grow from 2.8 in 2012 to 3.3 by 2014.
  • 76% of IT leaders surveyed categorized BYOD as a positive for their companies, and challenging for IT.

The survey says employees are turning to BYOD because they want more control of their work experience:

  • 40% of respondents cited “device choice” as employees’ top BYOD priority (the ability to use their favorite device anywhere).
  • Employees’ second BYOD priority is the wish to do personal activities at work, and work activities during personal time.
  • Employees want to bring their own applications to work: 69% of respondents said that unapproved applications, especially social networks, cloud-based email, and instant messaging, are more prevalent today than two years ago.
  • Employees are willing to invest to improve their work experience. Cisco employees pay an average of $600 out-of-pocket for devices that will give them more control over their work experience, the report says.

The article says these findings underscore that BYOD is here to stay, and managers are now acknowledging the need for a more holistic approach, one that is scalable and addresses mobility, security, virtualization and network policy management, to keep management costs in line while simultaneously providing optimal experiences where savings can be realized.
