BMC Vulnerability Exposes Admin Password of 32,000 Servers in Plaintext on the Internet

A flaw discovered in motherboards made by the server manufacturer Supermicro has left more than 30,000 servers vulnerable to attackers, who could remotely compromise the management interface of unpatched servers.

The vulnerability actually resides in the Baseboard Management Controller (BMC) of the WPCM450 line of chips incorporated into the motherboards. A security researcher at the CARInet Security Incident Response Team discovered that the BMC of Supermicro motherboards contains a binary file that stores remote login passwords in clear text, and that the file is available for download simply by connecting to a specific port, 49152.
The Baseboard Management Controller (BMC) is a specialized microcontroller that resides on a server motherboard or in the chassis of a blade server or telecom platform. The BMC links to the main processor and other onboard elements via a simple serial bus.
Baseboard management controllers are part of the Intelligent Platform Management Interface (IPMI) specification, which defines the communication protocols involved. A server administrator can access the BMC by using an IPMI-compliant management application loaded on a computer, or via a web interface on port 49152.
In order to compromise vulnerable servers, an attacker can perform Internet scanning on port 49152 to identify exploitable servers and download the remote login passwords, which are stored in clear text in a binary file at the location “GET /PSBlock” on the motherboard.
When an Internet scan was recently performed on Shodan, a specialized search engine for finding embedded systems, approximately 31,964 machines were found to be still vulnerable, a count that doesn’t include vulnerable systems installed in virtual environments used by shared hosting services.
“This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market,” wrote Zachary Wikholm, a senior security engineer with the CARInet Security Incident Response Team.
An analysis of the passwords available for download also indicates that thousands of them are either easily guessable or default ones.

It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3,296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was ‘password.’

He also found that a lot of systems are running older versions of the Linux kernel. According to the Shodan search, approximately 23,380 of the total hosts are running the 2.4.31.x kernel, another 112,883 are running the 2.4.30.x kernel, and 710,046 systems are running the 2.4.19.x kernel.
The 84 vulnerable firmwares are listed here, and server administrators are advised to apply the available patches from vendors. To apply the patches, you need to flash the device with the new firmware update. As a quick and temporary fix, administrators can disable all Universal Plug and Play processes and their child processes over a secure shell connection to a vulnerable device.

Report: Chinese phone comes preloaded with spyware

BERLIN (AP) — A cheap brand of Chinese-made smartphones carried by major online retailers comes preinstalled with espionage software, a German security firm said Tuesday.

G Data Software said it found malicious code hidden deep in the proprietary software of the Star N9500 when it ordered the handset from a website late last month. The find is the latest in a series of incidents where smartphones have appeared preloaded with malicious software.

G Data spokesman Thorsten Urbanski said his firm bought the phone after getting complaints about it from several customers. He said his team spent more than a week trying to trace the handset’s maker without success.

“The manufacturer is not mentioned,” he said. “Not in the phone, not in the documentation, nothing else.”

The Associated Press found the phone for sale on several major retail websites, offered by an array of companies listed in Shenzhen, in southern China. It could not immediately find a reference to the phone’s manufacturer.

G Data said the spyware it found on the N9500 could allow a hacker to steal personal data, place rogue calls, or turn on the phone’s camera and microphone. G Data said the stolen information was sent to a server in China.

Bjoern Rupp, chief executive of the Berlin-based mobile security consultancy firm GSMK, said such cases are more common than people think. Last fall, German cellphone service provider E-Plus found malicious software on some handsets delivered to customers of its Base brand.

“We have to assume that such incidents will increasingly occur, for different commercial and other reasons,” said Rupp.


Source: http://finance.yahoo.com/news/report-chinese-phone-comes-preloaded-spyware-153543708–finance.html

REVEALED: GCHQ’s BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE

Exclusive: Above-top-secret details of Britain’s covert surveillance programme – including the location of a clandestine British base tapping undersea cables in the Middle East – have so far remained secret, despite being leaked by fugitive NSA sysadmin Edward Snowden. Government pressure has meant that some media organisations, despite being in possession of these facts, have declined to reveal them. Today, however, the Register publishes them in full.

The secret British spy base is part of a programme codenamed “CIRCUIT” and also referred to as Overseas Processing Centre 1 (OPC-1). It is located at Seeb, on the northern coast of Oman, where it taps into various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf. Seeb is one of three sites in a GCHQ network in Oman, at locations codenamed “TIMPANI”, “GUITAR” and “CLARINET”. TIMPANI, near the Strait of Hormuz, can monitor Iraqi communications. CLARINET, in the south of Oman, is strategically close to Yemen.

British national telco BT, referred to within GCHQ and the American NSA under the ultra-classified codename “REMEDY”, and Vodafone Cable (which owns the former Cable & Wireless company, aka “GERONTIC”) are the two top earners of secret GCHQ payments running into tens of millions of pounds annually.

The Seeb spy base. Not in your name? My dear boy, that’s the whole point

The actual locations of such codenamed “access points” into the worldwide cable backbone are classified 3 levels above Top Secret and labelled “Strap 3”. The true identities of the companies hidden behind codenames such as “REMEDY”, “GERONTIC”, “STREETCAR” or “PINNAGE” are classified one level below this, at “Strap 2”.

After these details were withheld, the government opted not to move against the Guardian newspaper last year for publishing above-top-secret information at the lower level designated “Strap 1”. This included details of the billion-pound interception storage system, Project TEMPORA, which were revealed in 2013 and which have triggered Parliamentary enquiries in Britain and Europe, and cases at the European Court of Human Rights. The Guardian was forced to destroy hard drives of leaked information to prevent political embarrassment over extensive commercial arrangements with these and other telecommunications companies who have secretly agreed to tap their own and their customers’ or partners’ overseas cables for the intelligence agency GCHQ. Intelligence chiefs also wished to conceal the identities of countries helping GCHQ and its US partner the NSA by sharing information or providing facilities.

According to documents revealed by Edward Snowden to journalists including Glenn Greenwald among others, the intelligence agency annually pays selected companies tens of millions of pounds to run secret teams which install hidden connections which copy customers’ data and messages to the spooks’ processing centres. The GCHQ-contracted companies also install optical fibre taps or “probes” into equipment belonging to other companies without their knowledge or consent. Within GCHQ, each company has a special section called a “Sensitive Relationship Team” or SRT.

BT and Vodafone/C&W also operate extensive long distance optical fibre communications networks throughout the UK, installed and paid for by GCHQ, NSA, or by a third and little known UK intelligence support organization called the National Technical Assistance Centre (NTAC).

Snowden’s leaks reveal that every time GCHQ wanted to tap a new international optical fibre cable, engineers from “REMEDY” (BT) would usually be called in to plan where the taps or “probe” would physically be connected to incoming optical fibre cables, and to agree how much BT should be paid. The spooks’ secret UK access network feeds Internet data from more than 18 submarine cables coming into different parts of Britain either direct to GCHQ in Cheltenham or to its remote processing station at Bude in Cornwall.

Among the cables specifically identified in one document as currently being intercepted or “on cover” are an Irish connection, Hibernia Atlantic, landing in Southport, and three European connections landing at Yarmouth, Dover, and Brighton.

Sending anything via a cable that lands in Britain? Or a country where the current ruler was put in by the SAS, maybe?

The majority of large cables come ashore in Cornwall, and have been connected directly to Bude. These include major connections such as FLAG (Fibre optic Link Around the Globe), two of whose cables have been intercepted. Because the FLAG interceptions had to be kept secret from the cables’ owners, one report states, the tapping connections were installed in an undisclosed UK location and “backhauled” to Bude, in the technical language of the communications industry.

Northern Oman – a good place to be if you find the cables into the Gulf interesting

Although GCHQ interception of overseas communications can be authorised by a general “external” tapping warrant, the wording of the law does not permit storage of every communication for examination, as GCHQ wished to do. In 2009, the spooks persuaded then Foreign Secretary David Miliband to sign a new warrant legalising what they wished to do. The terms of such warrants have never been published.

The special “external” warrants, issued under the Regulation of Investigatory Powers Act (RIPA), authorise the interception of all communications on specified international links. Miliband’s first 2009 warrant for TEMPORA authorised GCHQ to collect information about the “political intentions of foreign powers”, terrorism, proliferation, mercenaries and private military companies, and serious financial fraud.

Certificates attached to external interception warrants are re-issued every six months, and can be changed by ministers at will. GCHQ officials are then free to target anyone who is overseas or communicating from overseas without further checks or controls, if they think they fall within the terms of a current certificate.

The secret overseas internet monitoring centre, codenamed CIRCUIT, is at Seeb in the state of Oman. It is the latest of a series of secret collaborations with the autocratic Middle Eastern state, which has been ruled for 44 years by Sultan Qaboos bin Said, installed as head of state in a British-led and SAS-supported coup against his father. The Seeb centre was originally built in collaboration with the Omani government to monitor civil communications satellites orbiting above the Middle East. It has six large satellite dishes, forming part of the well-known and long running “ECHELON” intercept system run by the “Five Eyes” English-speaking (US/UK/Australia/Canada/New Zealand) intelligence agencies.

Seeb – handily located

When GCHQ obtained government approval in 2009 to go ahead with its “Mastering the Internet” project, the Seeb base became the first of its global network of Internet tapping locations. Another centre, OPC-2, has been planned, according to documents leaked by Snowden.

The CIRCUIT installation at Seeb is regarded as particularly valuable by the British and Americans because it has direct access to nine submarine cables passing through the Gulf and entering the Red Sea. All of the messages and data passed back and forth on the cables are copied into giant computer storage “buffers”, and then sifted for data of special interest.

Information about Project TEMPORA and the Seeb facility was contained in 58,000 GCHQ documents which Snowden downloaded during 2012. Many of them came from an internal Wikipedia-style information site called GC-Wiki. GCHQ feared the political consequences of revelations about its spying partners other than the United States and English-speaking nations, according to knowledgeable sources.

Although information about the monitoring station at Seeb in its older ECHELON role has been available on the public Internet for several years, Cabinet Secretary Sir Jeremy Heywood was determined to prevent its new importance and cost becoming known.

It was this which lay behind the British government’s successful-until-today efforts to silence the Guardian and the rest of the media on the ultra-classified, beyond Top Secret specifics of Project TEMPORA – the places and names behind the codewords CIRCUIT, TIMPANI, CLARINET, REMEDY and GERONTIC. ®

Source: http://www.theregister.co.uk/2014/06/03/revealed_beyond_top_secret_british_intelligence_middleeast_internet_spy_base/