Отправлено: 22.01.16 02:26. Заголовок: АНБ и AMX

Если кому интересно

http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html?m=1

 Отправлено: 22.01.16 08:17. Заголовок: В Crestron тоже може..

В Crestron тоже может быть.
Возможно и то, что это практика производителей, неофициальная, а может и обязательное правило. на всякий случай, учитывая места где
чаще всего устанавливается такое железо.

 Отправлено: 22.01.16 10:44. Заголовок: Ради справедливости ..

Ради справедливости нужно также ознакомиться с мнением вендора:

Dear Valued AMX Partner,
A number of stories have run today about an independent security firm’s identification of certain potential security vulnerabilities in AMX systems. Unfortunately, these stories are confusing, and we would like to clarify a number of the issues that have been discussed.
First and foremost, we are not aware of any breaches of any of our systems.“Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. This is the update released in December (see below).
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
The firmware update, NX v1.4.65 is applicable to products and systems incorporating the NetLinx NX Control platform and was released on Dec 22, 2015. It is available on AMX.com. This issue has been addressed in legacy NI series by Hotfix v. 4.1.419 and is available from AMX Technical Support.
We take security very seriously and that is why we are continuously testing our own systems and capabilities and developing more sophisticated updates.
If you have any questions, please don’t hesitate to contact your local representative or AMX Technical Support.

Sincerely,
Kevin Morrison
Senior Vice President, Enterprise Solutions
HARMAN Professional

 Отправлено: 23.01.16 13:34. Заголовок: Ответ - типичный ПиА..

Ответ - типичный ПиАр. Читает кто-то и думает, действительно, чего мы волновались - только вот фишка в том, что используя логины можно было заходить по SSH
так что детский пиарный ответ - да было, мы заделали (лучше спрятали) дыру, теперь все ОК :-)