Security News
HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned. Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user account in a database within HP Device Manager.
A security researcher discovered multiple vulnerabilities in HP Support Assistant, a utility pre-installed on all HP computers sold after October 2012. While there are mitigations in place, HP Support Assistant is insecure by design, the researcher says.
HP announced its commitment to driving more stringent industry standards for printer security. As part of this effort, HP has joined the Buyers Lab Security Validation Testing program for MFPs and printers.
Eclypsium said on Monday that, despite years of warnings from experts - and examples of rare in-the-wild attacks, such as the NSA's hard drive implant - devices continue to accept unsigned firmware. The infosec biz said a miscreant able to alter the firmware on a system - such as by intercepting or vandalizing firmware downloads, or meddling with a device using malware or as a rogue user - can do so to insert backdoors and spyware undetected, due to the lack of cryptographic checks and validations of the low-level software.
TouchPad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing. Eclypsium researchers analyzed a Lenovo ThinkPad X1 Carbon 6th Gen laptop, which contains two vulnerable firmware mechanisms: Touchpad firmware and TrackPoint firmware.
Vulnerabilities in Dell and HP laptops could allow an attacker to access information and gain kernel privileges via the devices' Direct Memory Access capability. "This can allow an attacker to execute kernel code on the system, insert a wide variety of kernel implants and perform a host of additional activity such as spawning system shells or removing password requirements."
3 out of 4 Americans check out other people's screens, and read unclaimed docs on office printer trays.
After being notified on July 4, HP waited four months before releasing a security advisory.
Researchers at SafeBreach, a company that specializes in simulating breaches and attacks, discovered this summer that HP’s Touchpoint Analytics service is affected by a potentially serious...