InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
We currently have a poll running about printer security, and the results so far ... well, they aren't looking all that hot. So here's a little primer:
1. Most office printers aren't just printers anymore. So-called MFPs (multi-function printers) have taken over, and they contain permanent storage (usually a hard drive), a fax modem, etc.
2. Printer default configurations invariably suck. Even nowadays, they often ship with SNMP active and the read/write communities set to public/private, with silly default passwords, and with lots of unnecessary protocols and ports active.
3. The PJL interface on HP printers, for example, allows access to stored content, meaning both stored print and fax jobs. Yes, you can pull stored jobs off the printers, over the network, without anyone noticing. This often even includes confidential print jobs that are protected with a PIN. The hacking tools to do so were released five or six years ago (google Hijetter, for example) but, amazingly enough, still work just fine in way too many environments.
4. Most printer vendors by now support a setting that reliably erases print job spool files from the disk once the print job has been completed. But the default setting is to just delete the file, which means that recent print jobs and faxes can easily be recovered by forensic means. If your printer is one of these and you sell it for second-hand use, don't be surprised if you end up in the news.

The bottom line being:

- get an inventory of your MFPs if you don't have one
- come up with a config template that changes all default passwords, disables unnecessary protocols and services, and turns on secure erase for stale information on the MFPs' hard drives
- apply the template to all printers in the inventory

You can get away with not managing old simple printers that have no permanent storage. But not managing MFPs will likely come back to bite you one day.
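One way to turn that template into a repeatable check, as an added example that is not part of the diary: audit each inventoried MFP for the four problems listed above (default credentials, public/private SNMP communities, unnecessary services, secure erase off) and downgrade findings on storage-less printers. The inventory records, the template values and the record field names are all constructed for this example, not any vendor's format.

```python
"""Audit an MFP inventory against a hardening template (added example).
Inventory records, template values and field names are constructed
sample data; they are not any vendor's configuration API."""

# Constructed template: what the fleet configuration should look like.
TEMPLATE = {
    "allowed_services": {"ipp", "https", "snmpv3"},
    "default_snmp_communities": {"public", "private"},
    "default_passwords": {"", "admin", "1234", "password"},  # constructed list
}

# Constructed inventory; the record shape is an assumption of this example.
INVENTORY = [
    {"host": "mfp-finance-01", "has_storage": True,
     "admin_password": "admin", "snmp_communities": ["public", "private"],
     "services": ["ipp", "https", "telnet", "ftp", "snmpv1"],
     "secure_erase": False},
    {"host": "mfp-lobby-02", "has_storage": True,
     "admin_password": "Xq7!rT#9mPz", "snmp_communities": ["r0-monitor-only"],
     "services": ["ipp", "https", "snmpv3"], "secure_erase": True},
    {"host": "lj-oldprinter-03", "has_storage": False,
     "admin_password": "", "snmp_communities": ["public"],
     "services": ["ipp", "snmpv1"], "secure_erase": False},
]

def audit_device(dev, template=TEMPLATE):
    """Return a list of (severity, finding) tuples for one device."""
    findings = []
    if dev["admin_password"] in template["default_passwords"]:
        findings.append(("high", "default or empty admin password"))
    weak = set(dev["snmp_communities"]) & template["default_snmp_communities"]
    if weak:
        findings.append(("high", "default SNMP communities: " + ", ".join(sorted(weak))))
    extra = set(dev["services"]) - template["allowed_services"]
    if extra:
        findings.append(("medium", "unnecessary services enabled: " + ", ".join(sorted(extra))))
    # Secure erase only matters where spool files land on permanent storage.
    if dev["has_storage"] and not dev["secure_erase"]:
        findings.append(("high", "secure erase of completed jobs is off"))
    # Storage-less printers are lower priority, as the diary notes.
    if not dev["has_storage"]:
        findings = [("low", msg) for _, msg in findings]
    return findings

def audit_inventory(inventory, template=TEMPLATE):
    """Map each host to its findings; hosts with an empty list are compliant."""
    return {d["host"]: audit_device(d, template) for d in inventory}

if __name__ == "__main__":
    for host, items in audit_inventory(INVENTORY).items():
        print(host, "OK" if not items else "")
        for sev, msg in items:
            print(f"  [{sev}] {msg}")
```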

If you have printer security horror stories or printer configuration tips, please share in the comments below, or via our contact form.
The U.S. Federal Communications Commission approved AT&T's US$1.9 billion purchase of spectrum from Qualcomm on Thursday, allowing the carrier to salvage one ambitious deal to acquire more spectrum, after shooting down its planned merger with T-Mobile USA.
phpMyAdmin '$host' Variable HTML Injection Vulnerability
Google promised to pay Mozilla almost $300 million annually to keep its search engine as the default in Firefox, according to a report today on AllThingsD, a blog operated by the publisher of the Wall Street Journal.
The U.S. Federal Communications Commission has approved the first database of unlicensed wireless spectrum that can be used by new so-called white spaces devices.
Unbound Multiple Denial of Service Vulnerabilities
Oracle's $1.5 billion purchase of cloud software vendor RightNow Technologies took another step forward as a vast majority of RightNow shareholders approved the deal.
KingView 'HistoryServer.exe' Heap Based Buffer Overflow Vulnerability
In 2011, the IT outsourcing industry was marked by smaller deals, leery customers, profit-squeezed IT service providers and a lot of cloud computing talk. Much of that could continue next year, but as our 12 predictions for 2012 indicate, you can expect some new IT outsourcing developments--maybe even a few firsts.
Wibu-Systems CodeMeter License Server Directory Traversal Vulnerability
Oracle's US$1.5 billion purchase of cloud software vendor RightNow Technologies took another step forward on Thursday as a vast majority of RightNow shareholders approved the deal.
There was a considerable amount of activity in the data center/cloud switching fabric arena in 2011. That is expected to continue in 2012, along with real world implementations of the next-generation IT technologies.
A day after it shipped Firefox 9, Mozilla quickly released an update after backing out a bug fix that was causing some Mac, Linux and Windows browsers to crash.
Joining its fellow social-networking companies in the public release of internal code, LinkedIn has open sourced software obtained in October with its acquisition of the IndexTank search-engine software provider.
A group of U.S. representatives has asked the Internet Corporation for Assigned Names and Numbers to delay its plan to begin rolling out new generic top-level domains in early 2012.
The changes Samsung Electronics has made to its Galaxy Tab 10.1 are enough so that it is no longer a copy of Apple's iPad, a judge at the district court in Düsseldorf, Germany, said on Thursday.
This was the year that IPv6 garnered major headlines, but 2012 is expected to be the year when the next-generation Internet protocol gets widely deployed by U.S. carriers and enterprises.
Akamai Technologies has acquired Cotendo in a bid to become better at speeding up enterprise cloud and mobile traffic, the companies said on Thursday.
Jacob E. Goldman, a founder of the Palo Alto Research Center that developed breakthrough computing innovations such as the graphical user interface and ethernet networks, died on Tuesday. He was 90.
In an exclusive interview, Polycom CEO Andrew Miller talks about the impact of mobility on the visual communications market and about Polycom's move to the cloud.
EBay has purchased German vendor BillSafe to complement its PayPal online payment system, the company announced Thursday. Terms were not disclosed.
Spear phishing attacks via China were likely what led to the lengthy U.S. Chamber of Commerce breach, experts say.

Amazon Web Services has introduced Elastic Network Interfaces, which are attached to instances in a private cloud to allow for more flexibility when configuring the system.
The sleek smartphone's Windows Phone 7.5 'Mango' OS has real appeal, but it can't work in most businesses
As budgets are locked in for 2012 it's time to aggressively expand server virtualization, and for those who have been held back by cost, to consider virtual desktops.
LexisNexis has worked for more than a decade to develop a large scale system for Big Data manipulation, and it believes that it has produced something that's better and more mature than the better known Hadoop technology.
Research In Motion said Wednesday that the popular game Angry Birds is available on the PlayBook, though not yet on BlackBerry phones, which run a different operating system.


Infosec Careers: The New Demands
... difficult for many instructors who aren't following this carefully to keep up with it. FIELD: Do you see these as oversights in the education curriculum or just something that we need to address as the threats evolve? Infosec Careers : The New Demands.

After more than two years of trying, the City of Los Angeles has abandoned plans to migrate its police department to Google's hosted email and office application platform saying the service cannot meet certain FBI security requirements.

Posted by InfoSec News on Dec 22


By Richard Adams
20 December 2011

If CNN wants an incisive big-name interviewer, it should consider hiring
Robert Jay QC, who put Piers Morgan through a far tougher interview than
Morgan has managed on his primetime show on CNN.

When CNN signed Morgan to replace the venerable Larry King as its
primetime interviewer, "they...

Posted by InfoSec News on Dec 22


By Shaun Waterman
The Washington Times
December 20, 2011

Computer hackers are avenging the Occupy movement by exposing the
personal information of police officers who evicted protesters and
threatening family-values advocates who led a boycott of an American
Muslim television show.

In three Internet postings last week, hackers from the loose online...

Posted by InfoSec News on Dec 22


By Kelly Jackson Higgins
Dark Reading
Dec 21, 2011

The latest casualty in China's alleged cyberespionage campaign against
U.S. interests? The U.S. Chamber of Commerce.

Information on the Chamber's 3 million members representing most of the
top companies in the U.S. was potentially exposed...

Posted by InfoSec News on Dec 22


By Sean Gallagher
Ars Technica
December 21, 2011

For thousands of customers of Subway restaurants around the US over the
past few years, paying for their $5 footlong sub was a ticket to having
their credit card data stolen. In a scheme dating back at least to 2008,
a band of Romanian hackers is alleged to have stolen payment...

Posted by InfoSec News on Dec 22


By Taylor Armerding
December 21, 2011

The death of North Korean dictator Kim Jong Il has understandably set
neighboring South Korea and other countries in the region on edge. But
should it put the western world on high alert as well, for possible

Two cyber security experts have different views on the matter.

There is...
In yet another case of vendors gone [...], Billy Rios dropped an interesting post yesterday that is well worthy of ISC Diary reader scrutiny. Slashdot and Twitter are buzzing, and Johannes' ISC StormCast for today discusses the issue as well.
In case you missed it, in May 2011 Billy responsibly reported an authentication bypass flaw for Siemens SIMATIC systems. Long story short (read the article for yourself), said flaw could lead to gaining remote access to a SIMATIC HMI, which runs various control systems and critical infrastructure around the world. Yet, according to Siemens, there are no open issues regarding authentication bypass bugs.
Hmm... forgive me in advance for shamelessly repeating Billy's use of the classic yet irresistible pop culture reference, but this does indeed appear to be a case of "these aren't the vulns you're looking for."
On December 9th, ICS-CERT issued an alert warning control system owners and operators that SHODAN is being used to discover Internet-facing control systems. One need only execute the Shodan query mentioned in Billy's post to grasp the issue.
Control system owners might consider, as LostCluster commented on Slashdot, losing the remote. Web access to control systems? As Forrest said, I'm not a smart man, but if I've done my math correctly at least four of the SANS 20 Critical Security Controls should give pause regarding remote (web) access to control systems. Or is it five? :-)
For Siemens and other vendors, please remember that coordinated disclosure is a two-way process. Researcher finds bug, researcher reports bug, vendor acknowledges report, vendor takes some time to fix bug (yes, sometimes a long time), vendor releases fix, everyone is happy. Yet, as it seems in this case, recalling another pithy and apropos modern analogy, what we've got here is a failure to communicate.
All humor and witty repartee aside, the implications are simple. Life and death potentially hang in the balance between coordinated disclosure and timely repair of control system vulnerabilities. And you can quote me on that.
What say you? Comments welcome.
UPDATE 12/22/11
From Siemens:
Siemens was notified by IT experts (Billy Rios and Terry McCorkle) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2, WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, the first of which is planned to be issued in January 2012. In December 2011 further vulnerabilities were reported, which are currently under investigation. We thank Billy Rios and Terry McCorkle for reporting the vulnerabilities.

Russ McRee

