HP Admits Selling Infected Flash-Floppy Drives
bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin.
Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space.
A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois.
Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."
Strange (as insider activity?) (Score:4, Insightful)
If you are going to get your malcode onto this, why do something old and crufty when you could do something new?
IIRC, this is used for BIOS updating as well as Windows driver schlepping. So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way?
Software on these drives? Use Linux to format. (Score:4, Insightful)
Corporate Response Missing (Score:4, Insightful)
Who made them? What country? What are HP QCs? (Score:5, Insightful)
Re:In case anyone wonders (Score:5, Insightful)
Someone's going to reply "blah blah chain of supply blah blah limited liability" but (back in my day) a manufacturer was liable for tainted/poisoned product that originated at the manufacturer. Everyone should be able to demonstrate that a product works before selling it.
Coincidence? (Score:4, Insightful)
Now I see this story about HP accidentally selling branded keys with worms pre-installed. Darn, selling malware is so sucky, especially when you sell it to your favorite customers, for example server customers.
Any chance not just Hannaford, but other HP customers are nailed by this?
The takeaway from this episode, for those of you who aren't quite getting this:
- When you buy a USB key, be sure your machine(s) have functional antivirus and antispyware running, and it's updated.
- Look around for instructions on keeping stuff like USB keys from autorunning. Make it so.
- Format that rascal USB key immediately. Immediately. IMMEDIATELY.
- Don't buy USB keys because they have cool software preloaded. Pointless to CHOOSE to risk infection. Make the manufacturers pay for this by avoiding/refusing this crap. Just sell me a simple key, ok? Sheesh...
And trust no one and no thing.
Amazing, is all I can say. And yes, I wonder if these were manufactured and loaded in China. Bet they are.
We are in so much trouble. Mark my words, soon, 'Made in China' will really mean 'Pwned by China'. If it doesn't already.
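The takeaway list above (antivirus running and updated, no autorun, wipe the key before trusting it) can be turned into a repeatable host check. The script below is an added example and is not from the thread or from HP; it uses the documented Windows autorun policy values (NoDriveTypeAutoRun and the Autorun.inf IniFileMapping entry) and the Defender and Storage cmdlets. The function names and the 0xFF mask are my choices; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Slashdot thread): harden a Windows host against USB
# autorun and inspect removable drives before formatting them. Function names are
# invented for this example; the registry values are the standard Windows policies.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-UsbAutoRun {
    # Bit mask 0xFF turns AutoRun off for every drive type, removable and fixed included.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Mapping Autorun.inf to a non-existent key makes Windows ignore the file entirely.
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-UsbAutoRunDisabled {
    # Returns $true only when both policies are in the hardened state.
    $mask  = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $inimap = (Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue).'(default)'
    return ($mask -eq 0xFF) -and ($inimap -eq '@SYS:DoesNotExist')
}

function Test-AntivirusCurrent {
    # Defender must be running and its signatures updated within the last day.
    $mp = Get-MpComputerStatus
    $fresh = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays -lt 1
    return $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled -and $fresh
}

function Get-RemovableDriveReport {
    # DriveType 2 = removable. Reports whether an autorun.inf is present and hashes it
    # so the file can be checked against vendor advisories before the key is wiped.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        [pscustomobject]@{
            Drive      = $_.DeviceID
            HasAutorun = Test-Path $inf
            Sha256     = if (Test-Path $inf) { (Get-FileHash -Path $inf -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# Usage: harden, verify, then inspect whatever is plugged in.
Disable-UsbAutoRun
"AutoRun disabled: $(Test-UsbAutoRunDisabled)"
"Antivirus current: $(Test-AntivirusCurrent)"
Get-RemovableDriveReport | Format-Table -AutoSize
```

Formatting the key is deliberately left as a manual step (for example `Format-Volume -DriveLetter E -FileSystem FAT32 -Full` once you have confirmed the drive letter), because an automated wipe of every removable drive is a good way to destroy the evidence you wanted to hand to the vendor. Note also that a format only removes what sits on the filesystem; it does not change the drive's firmware, so the report above is a file-level check, not a guarantee about the device itself.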
Re:Coincidence? (Score:3, Insightful)
Surprisingly, much of the software Hannaford settled on using is just plain Windows. They did use some Sun for certain things, but the store servers were almost all Windows.
I'm unaware of any settlement software available for *nix. There must be some, but I haven't looked so hard for it. And Hannaford isn't unique in the industry for using Windows.
It wasn't long ago that Blockbuster used Alpha-based servers at the stores, running customized SCO SysV. Nasty, but it worked really well. Sadly, Alpha CPUs are hard to come by, and I bet they have moved to Windows. But that environment would move to Linux very well. Other businesses need to build the entire Linux infrastructure, from development environments to remote management. Windows makes it too easy.
And the bottom line here is that the malware got inside the firewall. Most likely, IMHO, via a support tech either browsing or on media, obviously. And they were certified PCI-compliant. Darn.
Frankly, I suspect even a Linux server system could be pwned. I've had to scrape out some very tough trojans from my servers over the years. It ain't easy. 80% of the time I reinstalled clean. Why bother.
While we're talking naïvety (Score:4, Insightful)
From the summary:
I think it's also pretty naïve to assume that it is a targeted attack, as such an assumption shifts the blame enormously. While a targeted attack is arguably more dangerous and more worrisome for a certain group of people, such an attack could happen at any number of stages of fabrication, so the fabrication process itself isn't to blame. Reversely, if a random infection makes it to a device sold as a server accessory, that puts both fabrication and quality assurance at fault, the former allowing the infection, the latter for not detecting it. If that's what happens to enterprise products, one has to wonder how much crud gets through in consumer stuff.