undefined | Better HN

0 pointstechnion5y ago0 comments

I did a job where I was given access to a server in the form of a set of credentials for an HPE iLO, which was accessible over the Internet. From there, we could use the remote console to logon as root.

HPE iLO doesn't support MFA or any form of public key authentication, and its security history is much worse than SSH. It requires several ports open and the old version they had required Java plugins on desktops and all sorts of nonsense. Using it outside of emergency repairs is a terrible experience due to console refresh lag and the fact you can't copy + paste.

The reason I had to do this insecure and annoying process is that a PCI assessor had told them it would be a hard fail to have port 22 open on the Internet, but this would apparently be fine.

0 comments

function_seven5y ago

I don't know... I mean, maybe the security posture is to annoy the hackers into giving up?

("This thing requires a Java applet and is slow as hell. Screw it, let's just pwn the bank across the street")

I'll call it Security by Inconvenience.

tjalfi5y ago

That reminds me of a post[0] on alt.sysadmin.recovery.

The hackers were annoyed by the compromised machine so they installed security updates and did other system administration tasks.

[0] https://groups.google.com/g/alt.sysadmin.recovery/c/ITd7OlMr...

tinus_hn5y ago

Amusing but today there’s two kinds of hackers: people who manually run a campaign like in your story and the endless hordes of bots that automatically exploit systems to turn them into botnet slaves or cryptolocker hostages.

You can’t inconvenience a bot.

krylon5y ago

I vaguely recall some kind of malware that upon infecting a system scanned the system for other malware and removed/disabled it. The motives were far from pure, obviously. (Although there also was a case, I think, of a piece of malware specifically created to ensure "infected" system had up to date AV software and were up to date update-wise. We sure live in strange times.)

catmanjan5y ago

That's why your security solution should include a mix of every known technology, hackers need to know everything from COBOL to rust

exikyut5y ago

Such strategies are remarkably effective, and maybe arguably describes all security in a nutshell.

Every time I notice an obscure feature in a Google product or service and go "hm, I wonder if that could be exploited", I then always go "...meh, it'll take too long and require too much concentration to figure it out."

viraptor5y ago

No, not at scale. You may be discouraged, but there's someone who will have lots of fun breaking that specific feature.

See for example @jonasLyk who spent the last half a year (?) trying to abuse almost only the alternative streams and junction folders in windows.

1 more reply

nix235y ago

The new Ilo has a "HTML5" and Java console. But 3 wrong passwords and your blocked for 10 minutes (by default).

Spooky235y ago

PCI QSAs are notorious for being complete jackasses. You have to be very careful about vetting them. That isn’t the dumbest thing I’ve heard like that!

icedchai5y ago

Too annoying. I would’ve shut off SSH for the “assessment” then moved it to a different port after.

867-53095y ago

SSH doesn't have to be on port 22. you can leave an empty honeypot on port 22 and run SSH on whichever port you like

j / k navigate · click thread line to collapse