Archive for December, 2010

Dec 22 2010

Strong authentication and security for Oracle Apex

Published by admin under Computer

I was able today to complete an integration of Oracle DBMS plus Oracle Application Express (also known as ApEx) with my Open Source One Time Password (OTP) daemon. Moreover, I was able to protect given ApEx applications by combining a Web Application Firewall (WAF) inside ApEx. This integration will enable customers to deliver secure mission-critical enterprise web applications. A paper will come soon… stay tuned!


Dec 15 2010

Backdoor Vulnerability Discovered on HP MSA2000 Storage Systems

Published by admin under Computer

A security vulnerability involving a hard-coded password has been discovered that apparently affects every HP MSA2000 G3 modular storage array shipped to date.

Apparently a hidden user exists that is built into the system and doesn’t show up in the user manager, and it may not be possible to change the password (unconfirmed), creating a perfect “backdoor” opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as to the systems it is connected to. The hard-coded username and password in the HP MSA2000 are set to an embarrassingly simple:

username: admin

password: !admin

Because the password can’t be changed or deleted, it creates another serious enterprise vulnerability. Similar vulnerabilities were recently discovered in Cisco Unified Video Conferencing products, where a Linux shadow password file contained three hard-coded usernames and passwords.

More on the SecurityWeek website.
