Tag Archive for HP

Server Management Security Hole

Dan Farmer, security researcher and creator of the SATAN vulnerability scanner, teamed up with HD Moore, chief research officer at Rapid7 and lead architect of the Metasploit penetration testing framework, and found 230,000 publicly accessible Out-Of-Band management interfaces on the Internet. Many of these systems were running software that dates back to 2001.

Out-Of-Band server management

According to PCWorld, the Out-Of-Band (OOB) management interfaces expose servers to the Internet through microcontrollers embedded in the motherboard that run independently of the main OS and provide monitoring and administration functions. These microcontrollers are called Baseboard Management Controllers (BMCs). BMCs are part of the Intelligent Platform Management Interface (IPMI), a standardized interface made up of a variety of sensors and controllers that allow administrators to manage servers remotely when they are shut down or unresponsive but still connected to the power supply.

BMCs are embedded systems with their own firmware, usually based on Linux. IPMI itself is an OS-agnostic and pervasive protocol, initially developed by Intel (INTC), Dell (DELL), HP (HPQ), and other large equipment manufacturers to manage OOB or Lights-Out communication.

Rebranded by OEM manufacturers

Pure IPMI is usually implemented as a network service that runs on UDP port 623. It can either piggyback on the server's network port or use a dedicated Ethernet port. Vendors take IPMI as a base, add a variety of services such as mail, SNMP, and Web GUIs, and then rebrand the new package:

  • Dell has iDRAC,
  • Hewlett Packard has iLO,
  • IBM (IBM) has IMM2.

It is also used as the engine for higher-level protocols. Some of these protocols are put out by the DMTF (WBEM, CIM, etc.), the OpenStack Foundation, and others. According to the research paper, IPMI is particularly popular for large-scale provisioning, roll-outs, remote troubleshooting, and console access.

Parasitic oversight

The parasitic BMC has near-complete control and oversight of the server it rides upon. It can control the server's hardware, including its memory, networking, and storage media. It cannot be truly turned off; it runs continuously unless the power cord is completely pulled. An owner can only temporarily disable outside interaction, short of taking a hammer to the motherboard.

Security researchers have warned in the past that most IPMI implementations suffer from architectural insecurities and other vulnerabilities. These can be exploited to gain administrative access to BMCs. If attackers control the BMC, they can mount attacks against the server's OS as well as against other servers in the same management group.

Dan Farmer stated in his recent paper Sold Down the River (PDF):

For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better … These vendors have not only gone out of their way to make their offerings difficult to understand or audit but also neglected to supply any substantial defense tools or helpful security controls.

Old BMC software

Mr. Farmer and Mr. Moore ran scans on the Internet in May 2014 and identified 230,000 publicly accessible BMCs. A deeper analysis of the at-risk systems revealed:

  • 46.8% of them were running IPMI version 1.5, which dates back to 2001,
  • 53.2% were running IPMI version 2.0, which was released in 2004.

The researchers reported that nearly all the systems running IPMI v1.5 were configured so that all accounts could be logged into without authentication: "… you can login to pretty much any older IPMI system without an account or a password." Mr. Farmer explains that this set-up can grant an attacker privileged access: "… in most cases, they grant administrative access, and even when they don't, the mere ability to execute any kind of commands without authentication is a bad thing."

The team found that IPMI v2.0, which includes cryptographic protection, has its own security issues. For example, the first cipher option, known as cipher zero, provides no authentication, integrity, or confidentiality protection, Farmer said. A valid user name is required to log in, but no password. The researchers found that around 60% of the publicly accessible BMCs running IPMI version 2 had this vulnerability.

Server management issues in IPMI 2.0

Another serious issue introduced by IPMI 2.0 stems from the RAKP key-exchange protocol used when negotiating secure connections. The protocol allows an anonymous user to obtain the password hashes associated with any accounts on the BMC, as long as the account names are known.

“This is an astonishingly bad design, because it allows an attacker to grab your password’s hash and do offline password cracking with as many resources as desired to throw at the problem,” Farmer said.

The analysis showed that 83% of the identified BMCs were vulnerable to this issue. A test with the password-cracking tool John the Ripper, using a modest 4.7-million-word dictionary, successfully cracked 30% of the BMC passwords. Farmer calculated that between 72.8% and 92.5% of BMCs running IPMI 2.0, depending on the password-cracking success rate, had authentication issues and were vulnerable to unauthorized access.
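The three configuration weaknesses described above (unauthenticated IPMI 1.5 sessions, cipher zero in IPMI 2.0, and a BMC that is reachable from outside its management network) can all be read straight out of a BMC's LAN channel settings. The audit script below is an added example, not code from the paper, from the researchers or from any vendor. It parses the output of `ipmitool lan print <channel>`; the sample it runs on is constructed in that layout rather than captured from a real BMC, and the 10.20.0.0/16 management network is a placeholder.

```python
import ipaddress
import re

# Constructed sample in the layout `ipmitool lan print <channel>` prints
# (not a capture from a real BMC; all values are made up for this example).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : NONE MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
                        : OEM      : MD2 MD5
IP Address Source       : Static Address
IP Address              : 203.0.113.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
"""

# The same BMC after remediation: NONE removed, cipher suite 0 disabled
# ('X' in the first position of the per-suite privilege map) and the BMC
# moved onto the management LAN.  Also constructed.
HARDENED_LAN_PRINT = SAMPLE_LAN_PRINT.replace(
    "User     : NONE MD2 MD5", "User     : MD2 MD5"
).replace(
    "0,1,2,3,6,7,8,11,12", "1,2,3,6,7,8,11,12"
).replace(
    "aaaaaaaaaaaaaaa", "Xaaaaaaaaaaaaaa"
).replace("203.0.113.10", "10.20.5.10")

# Assumption (placeholder): the organisation's dedicated management network(s).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

PRIV_LEVELS = r"(Callback|User|Operator|Admin|OEM)\s*:"


def parse_lan_print(text):
    """Turn ipmitool's 'Key : Value' lines into a dict.

    'Auth Type Enable' spans several lines; its continuation lines start
    with whitespace and a colon and are appended to the previous key.
    """
    fields, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and raw.lstrip().startswith(":"):
            if last_key is not None:
                fields[last_key] += " " + raw.lstrip()[1:].strip()
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        fields[last_key] = value.strip()
    return fields


def auth_types_by_level(enable_value):
    """Split 'Callback : MD2 MD5 User : NONE MD2 MD5 ...' into {level: [types]}."""
    parts = re.split(PRIV_LEVELS, enable_value)
    return {parts[i]: parts[i + 1].split() for i in range(1, len(parts) - 1, 2)}


def audit_bmc(lan_print_text, management_networks=MANAGEMENT_NETWORKS):
    """Return [(severity, finding), ...] for one BMC's LAN channel configuration."""
    f = parse_lan_print(lan_print_text)
    findings = []

    # IPMI 1.5 sessions: an enabled auth type of NONE means accounts at that
    # privilege level can be used without a password.
    for level, types in auth_types_by_level(f.get("Auth Type Enable", "")).items():
        if "NONE" in types:
            findings.append(("high", f"auth type NONE enabled for {level} sessions"))

    # IPMI 2.0 RMCP+: cipher suite 0 gives no authentication, integrity or
    # confidentiality.  It must be absent from the enabled list and marked
    # unused ('X') in the per-suite maximum-privilege map.
    suites = [s.strip() for s in f.get("RMCP+ Cipher Suites", "").split(",")]
    if "0" in suites:
        findings.append(("high", "cipher suite 0 is enabled"))
    priv_max = f.get("Cipher Suite Priv Max", "")
    if priv_max and priv_max[0] != "X":
        findings.append(("high", f"cipher suite 0 usable up to privilege '{priv_max[0]}'"))

    # Placement: the BMC should only be addressable on the management LAN.
    addr = f.get("IP Address")
    if addr:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in management_networks):
            findings.append(("medium", f"BMC address {addr} is outside the management network"))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_LAN_PRINT), ("hardened", HARDENED_LAN_PRINT)):
        print(f"== {name} ==")
        for severity, finding in audit_bmc(text) or [("info", "no findings")]:
            print(f"  [{severity}] {finding}")
```

On a real BMC the two configuration findings are fixed with ipmitool itself: `lan set <channel> auth <level> <types>` drops NONE from the enabled authentication types, and `lan set <channel> cipher_privs` with `X` in the first position marks cipher suite 0 unused. The RAKP hash disclosure has no configuration switch; the only defences the page leaves are passwords that resist offline guessing and a BMC that is not reachable from outside its management network, which is why the script treats the address check as a finding in its own right.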

Canary in the coal mine

"While a quarter of a million BMCs is only a tiny sliver of the total computing power in the world, it's still an important indicator as a kind of canary in the coal mine," Mr. Farmer warns. He predicts that BMCs behind corporate firewalls share the same issues. He said, "While management systems are often not directly assailable from the outside they're often left open once the outer thin hard candy shell of an organization is breached."

The research paper includes recommendations for server administrators on how to mitigate some of the identified issues and better secure their BMCs, but the researchers conclude that ultimately the problem of insecure IPMI implementations will linger for a long time. Mr. Farmer concludes with a rant:

Many of these problems would have been easy to fix if the IPMI protocol had undergone a serious security review or if the developers of modern BMCs had spent a little more effort in hardening their products and giving their customers the tools to secure their servers … At this point, it is far too late to effect meaningful change. The sheer number of servers that include a vulnerable BMC will guarantee that IPMI vulnerabilities and insecure configurations will continue to be a problem for years to come.

rb-

They told us so, about a year ago.

Defense in depth: block UDP port 623 at the perimeter – yes, all of them – and on the end-points too (you are using personal firewalls, right?).

Disable or remove the default vendor user names and pick a strong user ID and password.

Least privilege: the researchers warn that anyone who has administrative privileges on a BMC's server has administrative control over the BMC and may disable or enable IPMI, add or remove accounts, change the IP address, etc., etc. – all without any authentication to the BMC.
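The first of the recommendations above (keep UDP 623 off the perimeter and off untrusted segments) can be checked against firewall logs, and the same check catches the vendor add-ons (web GUI, SNMP, mail) that ride on the BMC's address. The script below is an added example, not from the post or the paper: it reads constructed log lines in the key=value style of the netfilter LOG target, assumes a management network of 10.20.0.0/16 and a known-BMC inventory (both placeholders), and flags any IPMI flow, or any flow to a known BMC, whose source is outside the management network.

```python
import ipaddress
import re

# Assumptions (placeholders): the management network and the known BMC addresses.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_BMCS = {ipaddress.ip_address("10.20.5.10"), ipaddress.ip_address("10.20.5.11")}
IPMI_PORT = "623"  # IPMI over LAN (RMCP / RMCP+) listens on UDP/623

# Constructed log lines in the key=value style of the netfilter LOG target
# (not real traffic; outside addresses are taken from the documentation ranges).
LOG_LINES = """\
Jun 12 09:14:01 fw1 kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.20.5.10 LEN=60 TTL=52 PROTO=UDP SPT=40123 DPT=623 LEN=40
Jun 12 09:14:03 fw1 kernel: FWD IN=eth2 OUT=eth1 SRC=10.20.1.5 DST=10.20.5.10 LEN=60 TTL=63 PROTO=UDP SPT=40124 DPT=623 LEN=40
Jun 12 09:14:05 fw1 kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.20.5.10 LEN=60 TTL=52 PROTO=TCP SPT=40125 DPT=443 WINDOW=65535
Jun 12 09:14:09 fw1 kernel: FWD IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.20.5.11 LEN=60 TTL=50 PROTO=UDP SPT=5353 DPT=623 LEN=40
Jun 12 09:14:11 fw1 kernel: FWD IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.20.7.9 LEN=60 TTL=50 PROTO=TCP SPT=5354 DPT=22 WINDOW=65535
""".splitlines()

KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the key=value tokens of a netfilter LOG line as a dict."""
    return dict(KV.findall(line))


def classify_flow(record, management_networks=MANAGEMENT_NETWORKS, known_bmcs=KNOWN_BMCS):
    """Return an alert reason for a flow that breaks the BMC policy, else None."""
    if "SRC" not in record or "DST" not in record:
        return None
    src = ipaddress.ip_address(record["SRC"])
    dst = ipaddress.ip_address(record["DST"])
    if any(src in net for net in management_networks):
        return None  # traffic that originates on the management LAN is expected
    # Any IPMI flow from elsewhere is a policy breach, whether or not the
    # destination is already in the BMC inventory (it may be an unknown BMC).
    if record.get("PROTO") == "UDP" and record.get("DPT") == IPMI_PORT:
        return "ipmi-from-outside-mgmt"
    # Vendor add-ons share the BMC address and must stay confined as well.
    if dst in known_bmcs:
        proto = record.get("PROTO", "?").lower()
        return f"bmc-service-{proto}/{record.get('DPT', '?')}-from-outside-mgmt"
    return None


def scan_log(lines):
    """Return [(src, dst, reason), ...] for every line that breaks the policy."""
    alerts = []
    for line in lines:
        record = parse_log_line(line)
        reason = classify_flow(record)
        if reason:
            alerts.append((record["SRC"], record["DST"], reason))
    return alerts


if __name__ == "__main__":
    for src, dst, reason in scan_log(LOG_LINES):
        print(f"{src:>15} -> {dst:<12} {reason}")
```

The decision in `classify_flow` is also the perimeter rule in prose form: drop UDP/623, and anything addressed to a BMC, unless the source is on the management network. Running it over logs from a firewall that still forwards such traffic shows which hosts would be cut off by the rule before it is enforced.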

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Printer Ink Costs More Than Gasoline

Anyone who has ever shopped for a replacement ink cartridge knows they are not cheap. In fact, printer ink is more expensive per gallon than gasoline or the blood running through your veins. This infographic from InkJet Willy examines the truth about the high cost of ink cartridges and reveals their unfortunate impact on the environment.

Printer Ink Injustice Infographic

rb-

I always try to get my customers to drop inkjet printers from their fleet. Many times it seems like a hopeless battle. Consumer Reports says that inkjet ink can cost up to $75.00 a gallon. They recommend Brother printers as the most efficient inkjet printers. Sorry HP.

Do your customers understand that printer ink costs 25x more than a gallon of gas?

400 Gbps Ethernet Coming

The Institute of Electrical and Electronics Engineers (IEEE) has launched an IEEE 802.3 "Standard for Ethernet" study group to explore the development of a 400 Gbps Ethernet standard. The new standard will look to efficiently support ever-increasing, exponential network bandwidth growth. Ethernet, which is celebrating its 40th anniversary this year, is defined by the IEEE 802.3 standard. Ethernet is a pervasive standard, driven by the ever-growing needs of local area, access, and metropolitan area networks around the world.

Expanded reliance on Ethernet

Beyond traditional networks, Help Net Security reports that new applications such as industrial and automotive networking are expanding their reliance on Ethernet. To better address the needs of these areas, the IEEE 802.3 Ethernet standard is constantly evolving and expanding. John D'Ambrosia, chief Ethernet evangelist in the CTO office at Dell and chair of the new IEEE 802.3 400 Gbps Ethernet Study Group, says Ethernet must evolve: "Traffic is growing everywhere … and it's critical that we move now to create a plan for the Ethernet ecosystem to evolve beyond today's capabilities, in order to accommodate the burgeoning bandwidth tsunami."

In August 2012, IEEE forecast that networks will need to support 58% compound annual growth rates (CAGRs) on average. The growth will be driven by simultaneous increases in users, access methodologies, access rates, and services (such as video on demand and social media). IEEE reports that networks would need to support capacity requirements of 1 terabit per second (Tbps) in 2015, growing to 10 Tbps by 2020 if current trends continue. Alan Weckel, vice president of enterprise and data center market research at Dell'Oro Group, said in the article, "Ethernet is an arena of constant innovation, driven by the market demand for support of new ever-increasing bandwidth speeds, as well as new protocols, applications, and media types."

Standards-based networking

Standards-based networking has worked so far and will be needed as 400 Gbps Ethernet evolves. Mr. Weckel adds, "Global bandwidth requirements are continuing to grow exponentially … Standards-based solutions are integral to maintaining business growth across the Ethernet ecosystem."

David Law, chair of the IEEE 802.3 Ethernet Working Group and distinguished engineer with HP Networking, explains in the article, "An IEEE 802.3 study group is formed when there is interest in developing a request to initiate an IEEE 802.3 Ethernet standards-development project."

Dell's D'Ambrosia told Wireless Design Magazine that a host of new technologies and applications have proliferated in the marketplace since the most recent speed jump, to 100 Gb/s Ethernet, was ratified in 2010. He reminded NetworkWorld that "The iPhone didn't exist when we started 100G." Mr. D'Ambrosia concludes that the impact has been felt throughout the Ethernet ecosystem. Data centers, for example, where Ethernet is the primary interconnect technology, are at the center of the bandwidth storm. Pressure is intensifying from all directions:

  • Outside the data center, driven by increasing numbers of users armed with more devices capable of ever-increasing bandwidth consumption;
  • Within the data center, driven by more and faster storage and server technologies, and
  • Across data centers, driven by new applications, new databases, and new architectures.

Acer Halts eMachines

Taiwanese PC maker Acer confirmed to ChinaTechNews.com that the company has terminated the operations of its eMachines brand, which it gained in its 2007 $710 million acquisition of Gateway. Gateway had acquired eMachines in 2004 for $30 million, and Packard Bell in 2007.

The termination of the eMachines brand is in line with the streamlining policy announced at the end of 2011 by J.T. Wang, chairman of Acer (ACEIY). The company will continue to carry out brand integration, and the entire process is expected to be completed in three years. Reportedly, Acer will continue to invest in post-PC Gateway and Packard Bell products to sell "a variety of devices that would have been thought of as beyond the PC in the past," Lisa Emard, an Acer spokeswoman, said in an email to PCWorld.

Acer was the fourth-largest PC vendor, behind HP (HPQ), Lenovo (LNVGY) and Dell (DELL). It shipped around 7 million units in FY 2012, a drop of 28.2% year over year, reports PCWorld.

rb-

eMachines, the ultimate throw-away machine, has fallen victim to the iPad. I had an eMachines for a while at the turn of the century, and yes, it survived Y2K. Do you think it matters that Acer stopped selling eMachines?

Patent Trolls Going After Users

Patent trolls have changed their tactics by going after users, according to TechEye. Patent trolls have realized that taking on big companies with large legal teams is a risky prospect, so they have started looking for softer targets. Ars Technica is reporting the case of Steven Vicinanza and BlueWave, who received a letter ordering him to pay $1,000 per employee for a license to some "distributed computer architecture" patents.

The blog says the troll in question, "Project Paperless LLC," claims to have a patent covering the ability to scan documents to e-mail and was demanding money with legal menaces. If BlueWave had paid, the troll would have collected $130,000. BlueWave was not the only company the troll went after; lots of other small and medium companies were being hit.

Steven Hill, a partner at Hill, Kertscher & Wharton, an Atlanta law firm, represented Project Paperless. The attorney told Mr. Vicinanza that if you hook up a scanner and e-mail a PDF document, the company's patent covers that process. In other words, any company that used office equipment would have to pay up.

In this case, Mr. Vicinanza decided to fight, and beat the troll in court. Despite the victory, TechEye says Project Paperless patent claims are continuing to appear. The troll's claims were passed to a network of shell companies. Ars found that the patent threats are going out under at least ten differently named LLCs.

These outfits are sending out hundreds of copies of the same demand letter to small businesses from New Hampshire to Minnesota. The article says the troll’s royalty demands range from $900 to $1,200 per employee.

Ars Technica reports that Project Paperless asserts four patents and one patent application, all linked to an inventor named Laurence C. Klein. "It was a lot of what I'd call gobbledygook," said BlueWave's Vicinanza. "Just jargon and terms strung together—it's really literally nonsensical."

Ars provides links to the asserted patents, numbers 6,185,590, 6,771,381, 7,477,410 and 7,986,426. AdzPro also notes it has an additional patent application, filed in July 2011, that has not yet resulted in a patent. Ars states that the patents may have been useless from a technologist's perspective, but fighting them off in court would be no small matter. The problem is that it often costs small businesses more in legal fees to fight the trolls than to pay up and make them go away.

Mr. Vicinanza spent $5,000 on a prior-art search and sent the results to the Project Paperless lawyers. He filed a third-party complaint against four of the companies that actually made the scanners: Xerox (XRX), Canon (CAJ), HP (HPQ), and Brother (6448). That could have compelled the manufacturers to get involved in the case.

In the end, Hill dropped its lawsuit against BlueWave and went away, and the case never came to court. However, Ars points to a detailed website called "Stop Project Paperless," with information about the patents and links to the Hill, Kertscher & Wharton law firm.

TechEye concludes that if a firm wants to make a lot of money from a dubious patent, it is better to sue users than the companies that make products using it. If Apple wanted to kill off Samsung's business, all it would have to do is sue every Android user. Most of them would never go to court and would pay whatever Apple demands. That particular scenario is unlikely, but it does show where the antics of patent trolls are headed.

rb-

The politicians tried to work on the problem with the SHIELD Act, which I covered here, but that apparently went nowhere. After all, they are too busy driving us all off the fiscal cliff.

Maybe it was top troll Apple that stopped the law from getting a full House vote; Apple is now the biggest patent troll of them all.

So more proof that Patent Trolls Cost the US $29 Billion which I covered earlier.
