I’m often astounded by how frequently company networks, with otherwise good security practices, completely neglect their network printers. Usually, they are simply installed and, as long as they work, nobody pays any attention to them until it’s time to reload the paper or replace the toner cartridge. But most of these printers are sitting ducks, ripe for any simple attack by even the most novice hacker.
Gone are the days of just toner and paper; now printers take on computer-like characteristics with internal storage, FTP uploading, SNMP, etc. Heck, some printers are loaded with vulnerable applications. Some have embedded Windows systems that interface with the network. Yet almost no risk management or oversight is used to protect the printers from attacks. At the very least, hackers can access classified information sent to the printer. At worst, printers can be turned into remote-controlled bots and used as a launching pad for further attacks.
Why am I bringing this up? We broke into a client’s external network through a printer. Yes, full network access because of a single printer.
I’ve seen printers used to catch passwords, change passwords, capture valuable documents, and grab print jobs. I once heard of college students who rerouted an exam print job to their dorm room printer so they could get an advance copy of the exam. (Why didn’t I think of that!)
Conferences are showing examples of how easy it is to bypass authentication, inject commands at the root level, and create shellcode to take over printers. By exploiting the printer’s Internet connection, hackers can use it as a proxy to attack other targets while concealing their own location. Printers were one of the devices utilized in the Blaster worm that disabled systems at multiple offices at McCormick and Co. in a matter of hours.
Printers have hard drives that store extremely sensitive data about print jobs and who is issuing them, so think about your printers like laptops. These hard drives are vulnerable to theft or can be read during a repair. It is recommended to clean hard drives weekly or at least monthly, but that is much too frequent for printers. The best route to defend against printer attacks is to create an image/standard configuration for printers just like you do for servers, workstations, and laptops. Try not to buy the cheapest printer available; go with a more business-class or enterprise printer that will have more security features, such as proper domain authentication. Lastly, LOG all prints. Yes, use a real print server such as one running Linux or Windows, and log when print jobs are submitted.
Updating passwords, cleaning hard drives, and checking network configurations of printers are among the considerations that should be clearly identified in a security policy, and that applies to your printers too!
April 1 has come and gone, and yet the world remains. April Fool’s Day, or Doomsday, if you believe the fear mongering hype, did not lead to worldwide disaster as many expected. But are we in the clear? Nope. Just because Conficker has not acted yet doesn’t mean it never will.
Since it was first detected in November of 2008, the Conficker worm spread like wildfire. Utilizing advanced malware techniques, the worm targeted Windows users who did not update with a patch Microsoft released in October. It even used removable media like USB drives to spread from PC to PC and through network shares by guessing usernames and passwords. Conficker is now the largest computer worm infection since SQL Slammer in 2003. Once infecting a PC, the worm simply waited until its activation date of April 1.
On April 1, the Conficker worm, which had infected 3 to 15 million computers, started its daily task of contacting 500 websites from a randomly generated list of 50,000. The worm is looking for instructions on what to do next. Conficker-infected PCs could easily steal the identities of users or even erase data. But as of today, Conficker has not received instructions to do anything. At least, not yet.
So what was the point in creating Conficker if the creators aren’t going to use it? One possible scenario, and what I believe is the real reason, is that the worm is controlled by an organized crime syndicate in Asia, Eastern Europe, or South America. Having no use for the data obtainable by Conficker themselves, the crime syndicate may simply rent out control of the worm to the highest bidder.
But the scenario becomes even more exciting when you consider the Conficker Cabal meeting in secret and combining their efforts to thwart the worm. The alliance, spear-headed by Microsoft, includes Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, and many others. On February 13, the group announced a quarter million dollar bounty for information leading to the arrest and conviction of the Conficker creator.
It just goes to show you how important patching really is. The programming hole that allowed Conficker to propagate is inexcusable, and Microsoft did respond quickly with a patch as early as October, but apparently no one could be bothered to deploy it.
As I contemplate purchasing a netbook (the HP Mini 2140 looks awesome), I saw a Computerworld.com article titled “Laptop Losers Hall of Shame” (http://www.computerworld.com.au/article/222142/laptop_losers_hall_shame) detailing the enormous security breaches that ensued when notebook computers were lost or stolen from employees of corporations, government agencies, or colleges. The hall of shame is both hilarious and frightening.
Smartphones are becoming the new laptops. ABI Research expects annual worldwide shipments of smartphones to exceed 334 million units by 2010, up from just more than 42 million units in 2005. With so many millions of devices carrying sensitive company data, it’s not hard to imagine what keeps security analysts up at night.
Mobile phones have evolved to a point where they equal the functionality of older notebook computers. I know that I can do pretty much every daily task I need to from my smartphone, including RDPing or SSHing into servers. Like me, you probably use your smartphone to house critical information, such as notes, emails, and business contacts. If notebooks became such a huge security risk because they are portable, then smartphones are much worse. Brimming with unsecured information, we carry these mobile devices with us at all times. For most of us, losing your mobile phone isn’t a possibility, it’s an inevitability. I have lost 2 phones, one being stolen in Vegas and the other being sucked into the ether somewhere.
Other than having more portability and ubiquity than notebooks, smartphones are also harder to control and manage because they are purchased by individual users and do double duty for work and personal use. Notebooks can be issued and centrally managed by the enterprise, but the enterprise cannot do the same for the mobile phones of every employee.
How can IT security professionals create a sound infrastructure to compensate for remote workers who are likely to be the unwitting bearers of major security threats?
As always, include the usage of mobile devices with company data in your security policy and create expectations for your company employees to follow.
Sprint had their data leaked by an employee. From the letter:
“It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. We have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account.”
My question is, why did they even have access to the security question’s answer? Why can’t they type it in and, like password verification, have the system tell them if it matches? This would limit the number of people against whom this info could be used to only those the employee spoke to.
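One way to build the verification described above, as an added example that is not part of the original post and not Sprint’s system: the answer is stored only as a salted PBKDF2 hash, and the support console gets a yes/no result instead of the answer itself. The account ids, answers and the in-memory store are constructed sample values.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed in-memory "account database" (assumption: stands in for a real
# store). Each record holds a per-account salt and a hash of the normalized
# answer, never the answer itself.
ACCOUNTS = {}
PBKDF2_ROUNDS = 100_000


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Fluffy ' and 'fluffy' compare equal.
    Assumption: this leniency is an acceptable policy for security answers."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _derive(answer: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the normalized answer (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll_security_answer(account_id: str, answer: str) -> None:
    """Called when the customer sets the answer; the plaintext is discarded."""
    salt = os.urandom(16)
    ACCOUNTS[account_id] = {"salt": salt, "hash": _derive(answer, salt)}


def verify_security_answer(account_id: str, attempt: str) -> bool:
    """The only operation the support console needs: does the attempt match?"""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        # Burn the same work for unknown accounts so timing does not reveal
        # whether an account id exists.
        _derive(attempt, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _derive(attempt, rec["salt"]))


def support_view(account_id: str) -> dict:
    """What an employee can see about the account: whether an answer is on
    file, never the answer, salt or hash."""
    return {
        "account_id": account_id,
        "security_answer_on_file": account_id in ACCOUNTS,
    }
```

A leak of the support view or even the stored records no longer hands out answers a third party could reuse at another provider.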