Story 2014-06-20

Synology NAS Remotely Hacked To Mine $620K In DogeCoin

by
Anonymous Coward
in security on (#3PA)
From ThreatPost via Soylent-not-a-food-trademark-infringing-site, a single criminal hacker planted trojans on Synology NAS units around the world and managed to use the little boxes to mine $620,000 worth of "DogeCoin", the cuter version of the BitCoin "virtual currency".

This, much more than the SuperMicro vulnerability, tells me I'm living in strange new times indeed. A home network-storage appliance used over the Internet to create wealth out of nothing but electricity running some decryption code. These are concepts that just didn't even exist a short time ago.

Had the hacker been just a little more conservative in resource utilization, the scheme might have gone undiscovered for much longer. The jig was up only after Synology users complained about performance to tech support! (Clearly, no one, anywhere, ever checks their router and firewall logs for unusual destinations.)

I find this interesting as I had just been reading Ars Technica's new writeup of DIY NAS solutions as alternatives to the expensive fixed purpose NAS devices (some interesting alternatives mentioned in the comments there).

Elon Musk + Stephen Hawking + CBC = robot revolution

by
in ask on (#3P9)
CBC News is looking out for your health and safety, by combining unrelated quotes by Stephen Hawking and Elon Musk, adding a Terminator image, and making sure you are well warned of the impending robot revolution. Here it is:
Two leading voices in the world of science and technology warn that robots equipped with artificial intelligence could be leading humanity down a dangerous path.

Elon Musk, the billionaire founder of SpaceX and Tesla motors, told a pair of CNBC reporters that he thought robots were "dangerous."

"There have been movies about this, you know, like Terminator."

Despite his reservations, Musk himself has recently invested in an artificial intelligence company.
The first strike by the robots would be, naturally, to cripple humanity by operating on human unborn in the womb. That's a bad thing, no a good thing, no wait, now I'm confused.

Exploiting bug in Supermicro hardware is as easy as connecting to port 49152.

by
Anonymous Coward
in security on (#3P8)
If you're running a server on Supermicro hardware, you're operating with your pants down. That's the conclusion of security firms who warn that exploiting a bug in Supermicro hardware is as easy as connecting to port 49152. There are very likely at least 32,000 servers broadcasting admin passwords.

Over at CARI.net security researchers explain:
On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7's HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152.

If you take a look at the /nv directory, you will find the file IPMIdevicedesc.xml, a file which was already known to be downloaded via the aforementioned port. You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface (reference link at the bottom of this article). This is not the only file that is vulnerable to this.