HP Admits Selling Infected Flash-Floppy Drives
bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin.
Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space.
A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois.
Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."
In case anyone wonders (Score:5, Informative)
Security improvements (Score:5, Informative)
So where's the recall? (Score:5, Informative)
Here's the HP security notice. [hp.com] This was discovered in January/February, according to HP, but not announced by them until April.
Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.
Here are the part numbers:
They're still for sale on Amazon [amazon.com], for example.
In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.
What about BIOSes? (Score:1, Informative)
Re:Security improvements (Score:5, Informative)
Start --> Run --> gpedit.msc
Computer Configuration --> System --> Turn off Autoplay
Enable on all drives
You're right, this should be default, but at least there's a fix.
Re:In case anyone wonders (Score:5, Informative)
OK, I missed something. I don't know if anyone else did, because the summary wasn't clear to me.
This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying itself like a floppy drive so that Windows will find it when looking for a floppy drive.
That's actually a very smart idea.
With the detail that this is not a real floppy drive of any kind, this all makes more sense. Question withdrawn.
Re:In case anyone wonders (Score:5, Informative)
Proliant diag. CDs don't recognize other drives... (Score:2, Informative)
Fortunately, we bitched enough to get better support and we don't run Windows so wouldn't be vulnerable to this particular problem.
I bring this up because there may be a number of people out there with Proliants who acquired these drives so that they can get data from HP diagnostics software.
Re:Security improvements (Score:3, Informative)
In addition, it's nice to have the autorun. Having a dialog asking permission is a nice balance I find.
Only on WinPE 1.x (Score:3, Informative)
Not, of course, that that in any way absolves MS -- it's still shocking that floppies were sometimes needed for a server OS released a mere half decade ago! Although at least you could always install remotely over a network using RIS [wikipedia.org] or WDS and avoid the issue entirely, which is I suppose what most enterprises probably do anyway.
Re:Dear Smart People, (Score:5, Informative)
Re:Security improvements (Score:3, Informative)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
We're deploying that here to stop Autorun viruses that can start via just opening the drive (or right-clicking on Explore, etc.). Nasty things enabled by a Windows design flaw reminiscent of Outlook Express 4 opening attachments automatically.
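The two mitigations posted in this thread (the Group Policy "Turn off Autoplay" setting and the IniFileMapping registry trick) both come down to registry values under HKLM. The script below is an added example, not something from the thread or from HP: it audits a Windows host for both settings and, with -Apply, sets them. It assumes an elevated PowerShell session and uses the standard registry paths; NoDriveTypeAutoRun = 0xFF is the value the "All drives" Group Policy option writes.

```powershell
# Added example (not from the Slashdot thread or HP): audit and optionally apply
# the two autorun mitigations discussed above. Assumes an elevated session.
param(
    [switch]$Apply   # without -Apply the script only reports
)

# 1) Group Policy "Turn off Autoplay" (all drives) == NoDriveTypeAutoRun 0xFF here
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 2) IniFileMapping trick: redirect every Autorun.inf lookup to a key that does
#    not exist, so Explorer never honours the file (also covers double-click /
#    right-click Explore, which the policy value alone does not)
$iniMapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expectedMapping = '@SYS:DoesNotExist'

function Get-AutorunState {
    $noDrive = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $mapping = $null
    if (Test-Path $iniMapping) {
        $mapping = (Get-ItemProperty -Path $iniMapping -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        NoDriveTypeAutoRun   = $noDrive
        AutoplayDisabledAll  = ($noDrive -eq 0xFF)
        AutorunInfMapping    = $mapping
        AutorunInfNeutered   = ($mapping -eq $expectedMapping)
    }
}

function Set-AutorunMitigations {
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    New-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
        -PropertyType DWord -Value 0xFF -Force | Out-Null

    if (-not (Test-Path $iniMapping)) {
        New-Item -Path $iniMapping -Force | Out-Null
    }
    # '(default)' is how PowerShell addresses the key's unnamed value,
    # i.e. the "@=" line in a .reg file
    Set-ItemProperty -Path $iniMapping -Name '(default)' -Value $expectedMapping
}

$before = Get-AutorunState
Write-Host "Before:"; $before | Format-List

if ($Apply) {
    Set-AutorunMitigations
    Write-Host "After:"; Get-AutorunState | Format-List
}
elseif (-not ($before.AutoplayDisabledAll -and $before.AutorunInfNeutered)) {
    Write-Warning "One or both autorun mitigations are missing; re-run with -Apply to set them."
}
```

Run it once without -Apply to see what a box currently has, then with -Apply. Both keys live under HKLM, so a domain Group Policy that manages Explorer settings can overwrite the NoDriveTypeAutoRun value on the next refresh; the IniFileMapping key is not managed by the Autoplay policy and survives that refresh, which is why the poster above is deploying it rather than relying on the policy alone.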
Re:In case anyone wonders (Score:3, Informative)
You can do it without the HP keys, just use their software to prep the stick.
Re:Security improvements (Score:4, Informative)
But it's a server... (Score:2, Informative)
HP software is malware *anyway* (Score:5, Informative)
So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*
Re:Where's the factory? (Score:3, Informative)
I've seen this kind of thing before (Score:3, Informative)
After digging into what happened it was found that the duplication house where our disks were being duplicated had a QC station where each one was tested to verify a good recording. The operator of that station faced a brain-numbing job; insert disk, hit enter, remove disk, repeat. Of course, that job was filled by the production manager's son - who filled in his free minutes by playing a "free" copy of a game that he got from "someone" on the QC machine.
We had to recall all the packages and ship free disinfecting software to everyone who had bought one; fun times. The duplication house (grudgingly) paid the cost of cleaning up the mess, then we found a different duplication house to use in the future. This time we checked their procedures out a little more closely before signing up.
Something like this is probably what happened to HP. The factory where those drives were made had some worms / viruses loose on their network and when the new drives were plugged in for testing / formatting the malware automatically copied itself over. This would happen after the format / test was complete; the operator wouldn't even know it happened.
Sloppy security practices at the factory were most likely the "source" of the problem. They weren't evil, just stupid. But for HP to know about this and wait for 3 months before letting their customers know - that's criminal. At least it should be...