HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."
  • by Raineer ( 1002750 ) on Wednesday April 09, 2008 @11:13AM (#23013194)
    Totally agree, good thoughts. I still don't like their response that it is "obviously a targeted attack", how the hell does an attack start at the FACTORY?
  • by Qzukk ( 229616 ) on Wednesday April 09, 2008 @11:21AM (#23013282) Journal
    But why would I want a flash drive built into it also

    Because it makes the thing useful when you're not installing windows.
  • by initialE ( 758110 ) on Wednesday April 09, 2008 @11:25AM (#23013350)
    What you were probably seeing was an emulation layer provided by your motherboard. HP has that even in its lower-end servers now, except that they use it to provide virtual floppies over the network, through their ILO interface. Also handy for doing remote shutdowns and startups. The idea must not have caught on, that's why they're selling these.
  • Because... (Score:5, Interesting)

    by Anonymous Coward on Wednesday April 09, 2008 @11:44AM (#23013606)
    HP's recall supply chain will dump the recalled product to shady asset recovery firms and it will just end up on Ebay and not destroyed.

    (Where do you think recalled Dell batteries went?)

    Anonymous for a reason.
  • by vic-traill ( 1038742 ) on Wednesday April 09, 2008 @11:49AM (#23013676)

    From the advisory:

    If the optional HP USB Floppy Drive Key has been used in an environment without current (up-to-date) anti-virus software then the W32.Fakerecy or W32.SillyFDC virus may have spread to any mapped drives on the server. In this case HP recommends that the server and mapped drives are scanned with current (up-to-date) anti-virus software.

    Does HP actually think that a potentially worm-infected server should be a/v scanned and (possibly) cleaned, and that's the end of it? That's beyond dumb; any production server so exposed requires a bare-metal rebuild. In the absence of a tripwire-esque delta, you have no understanding of the state of the server installation after undergoing an infect/clean cycle, and there's no way that box should be left in production in that state.

  • by erroneus ( 253617 ) on Wednesday April 09, 2008 @11:54AM (#23013742) Homepage
    But it is not without precedent. I have heard of device driver floppies and CDs shipping with viruses and the like in the past... as long ago as 10 or more years in fact. The sad thing isn't that it happens. The sad thing is how telling it is of their product QA standards.

    They should have clean and isolated systems in place for development and manufacture that isn't connected to the public internet in any way. Furthermore, anything that reaches the public should first be inspected through tight QA standards. The public expects that of high profile manufacturers... worse, the public presumes high QA standards.

    This takes me back to a point I was attempting to make in another discussion about the differences that often exist between public expectations and what a company actually delivers. Often times the public never notices the difference, but some times, those differences slap people in the face rather rudely at inopportune times.

    I'm not sure when the move away from fulfilling public consumer expectations started to become common practice. But the public consumer isn't aware that this shift has occurred yet. Evidence of the quiet shift, though, has been placed in every EULA as far back as anyone can remember, in disclaimers that their product is suitable for any purpose at all. The laws of some countries and states of the U.S. do not permit the enforcement of some of these disclaimers, but it never stops them from trying to put it past the consumer just the same. But the ugly reality is that 'legal standards' trump quality standards every day that appears on the calendar.
  • Where's the factory? (Score:4, Interesting)

    by absurdist ( 758409 ) on Wednesday April 09, 2008 @12:12PM (#23013958)
    China?

    Perhaps it's a test run.
  • china... (Score:3, Interesting)

    by hesaigo999ca ( 786966 ) on Wednesday April 09, 2008 @12:29PM (#23014142) Homepage Journal
    It's simple: the infection happened when they outsourced building the flash drives to China and did not have quality control set up in the middle, as the drives arrive in our country without being delivered directly to store warehouses. The problem, and I speak from experience with the textiles importing industry based out of China, is that when you have no quality control in place to review this stuff, such as a drive verificator that you would plug all drives into before sending them out, and you leave that in the hands of the Chinese, who are at the root of the cyber attack problem against the States right now, they could be putting anything on those drives and we don't check...
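    Two comments above ask for the same thing from different ends: vic-traill wants a tripwire-esque delta so a server's state after an infect/clean cycle can actually be known, and the comment just above wants a "drive verificator" to plug every drive into before it ships. Both are the same control: a hashed manifest of a known-good file system, compared against what is actually present. The Python below is an added example, not code from the thread or from HP; the drive contents it builds in a temporary directory (a readme, a driver .inf, then an autorun.inf and dropper written over the top) are constructed for the demonstration, and the names RED_FLAGS, EXEC_SUFFIXES, build_manifest, diff_manifests and suspicious_entries are this example's own. It also flags a root-level autorun.inf and any executables outright, since removable-drive worms of the kind HP names rely on autorun.inf to launch when the drive is inserted.

```python
"""Tripwire-style integrity baseline for a removable drive or server volume.

Added example: hash every file under a mount point into a manifest, then
compare a later manifest against it, so a drive fresh off the line or a
server after an infect/clean cycle is checked against a known-good image
instead of being trusted on the word of an antivirus scan.
"""
import hashlib
import os
import tempfile

# Names that should never appear on a factory-fresh data drive (assumption of
# this example).  Removable-drive worms such as those in HP's advisory rely on
# an autorun.inf at the drive root to launch their payload on insertion.
RED_FLAGS = ("autorun.inf",)
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """The tripwire delta: paths added, removed or modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def suspicious_entries(manifest):
    """Flag a root-level autorun.inf and any executable, baseline or not."""
    flagged = []
    for rel in sorted(manifest):
        base = rel.rsplit("/", 1)[-1].lower()
        if "/" not in rel and base in RED_FLAGS:
            flagged.append(rel)
        elif base.endswith(EXEC_SUFFIXES):
            flagged.append(rel)
    return flagged


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes at a relative path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario (not a real HP image): a clean drive, then the
    same drive after a removable-media worm has written itself to it.
    Returns (delta, flags)."""
    with tempfile.TemporaryDirectory() as drive:
        # Known-good contents as they would be hashed at the factory QA step.
        _write(drive, "readme.txt", b"HP USB Floppy Drive Key\n")
        _write(drive, "drivers/nic.inf", b"[Version]\nSignature=$Windows NT$\n")
        baseline = build_manifest(drive)

        # Constructed "infection": autorun.inf plus dropper, and a tampered file.
        _write(drive, "autorun.inf", b"[autorun]\nopen=svchost.exe\n")
        _write(drive, "svchost.exe", b"MZ" + b"\x00" * 30)
        _write(drive, "readme.txt", b"HP USB Floppy Drive Key\n\x00")
        current = build_manifest(drive)

        return diff_manifests(baseline, current), suspicious_entries(current)


if __name__ == "__main__":
    delta, flags = demo()
    print("delta:", delta)
    print("flags:", flags)
```

    The manifest is only as trustworthy as where it is stored: keep the baseline off the device being checked, and for a production server take it from a clean rebuild, not from the box after it has been "cleaned".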
  • by Pascoea ( 968200 ) on Wednesday April 09, 2008 @01:06PM (#23014532)
    This can only happen if they are using web-connected and unsecured Windows machines to format them.

    All you have to do is throw in the human element. The first factory worker who plugs his iPod or flash drive full of music into the computer he is using to test/verify/format these devices, and you are finished.

    I've worked as a technician in an electronics manufacturer, the human element is a huge one to contend with.

  • Re:Coincidence? (Score:1, Interesting)

    by Anonymous Coward on Wednesday April 09, 2008 @04:26PM (#23016914)
    HP has a really big internal network. HP has a lot of people who take their work laptops home and dial VPN into the HP network.
    So when your laptop is at home, you go on the internet, get infected. Then you dial into the VPN or bring your laptop back to work.
    HP also has a culture of keeping bad news quiet. Got to find the leakers! Who let that information out to the public?!?

    I personally witnessed a major worm outbreak at HP some years ago. Of course, it was never disclosed publicly.

    People who think that the government is inefficient have never worked for a Fortune 50 company.
