HP Admits Selling Infected Flash-Floppy Drives 110
bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin.
Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space.
A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois.
Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."
Re:Security improvements (Score:3, Interesting)
Re:In case anyone wonders (Score:4, Interesting)
Because it makes the thing useful when you're not installing windows.
Re:In case anyone wonders (Score:4, Interesting)
Because... (Score:5, Interesting)
(Where do you think recalled Dell batteries went?)
Anonymous for a reason.
Advisory's recommendion is braindead (Score:5, Interesting)
From the advisory:
Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.
This is an ugly situation (Score:4, Interesting)
They should have clean and isolated systems in place for development and manufacture that isn't connected to the public internet in any way. Furthermore, anything that reaches the public should first be inspected through tight QA standards. The public expects that of high profile manufacturers... worse, the public presumes high QA standards.
This takes me back to a point I was attempting to make in another discussion about the differences that often exist between public expectations and what a company actually delivers. Often times the public never notices the difference, but some times, those differences slap people in the face rather rudely at inopportune times.
I'm not sure when it started to become more common practice to move away from fulfilling public consumer expectations occurred. But the public consumer isn't aware that this shift has occurred yet. But evidence of the quiet shift has been placed in every EULA as far back as anyone can remember that contains disclaimers that their product is suitable for any purpose at all. The laws of some countries and states of the U.S. do not permit the enforcement of some of these disclaimers, but it never stops them from trying to put it past the consumer just the same. But the ugly reality is that 'legal standards' trump quality standards every day that appears on the calendar.
Where's the factory? (Score:4, Interesting)
Perhaps it's a test run.
china... (Score:3, Interesting)
Re:Software on these drives? Use Linux to format. (Score:2, Interesting)
All you have to do is throw in the human element. The first factory worker that plugs his ipod or flash drive full of music into the computer he is using to test/verify/format these devices you are finished.
I've worked as a technician in an electronics manufacturer, the human element is a huge one to contend with.
Re:Coincidence? (Score:1, Interesting)
So when your laptop is at home, you go on the internet, get infected. Then you dial into the VPN or bring your laptop back to work.
HP also has a culture of keeping bad news quiet. Got to find the leakers! Who let that information out to the public?!?
I personally witnessed a major worm outbreak at HP some years ago. Of course, it was never disclosed publicly.
People who think that the government is inefficient have never worked for a Fortune 50 company.