Printer vulnerabilities

Printer vulnerabilities pose data security questions

The recent reports on HP printer vulnerabilities brought IT peripheral security into mainstream focus. It is reported that one in every four HP LaserJet printers is still vulnerable to hacking, to being infected with malware and then potentially bursting into flames, because people do not bother to update the firmware. Earlier, a vulnerability was discovered in the hard-coded admin account of Samsung and some Dell printers that could be remotely exploited as a backdoor. Some time ago, printer manufacturer Xerox issued a security patch for several models of its WorkCentre multifunction devices in order to address a critical buffer overflow vulnerability.

Like any other device, network printers could potentially be an IT nightmare. Printers can be a source of a company’s most timely information, says Gartner Group Research vice president Ken Weilerstein. And that proprietary information resides within the printer long after it’s been reproduced. Some of this data will fall under legal protections for personal data. Other data will merit protection because it is proprietary.

Security has not been taken seriously for printers and photocopiers despite the fact that they have been “vulnerable to hack” for years and are increasingly becoming smarter and connected to the Internet. Multiple attacks are possible now, including gaining access to sensitive data for corporate espionage or identity theft, transmission of fake and misleading print jobs and faxes, eavesdropping on network traffic, launching a denial of service (DoS) attack, remotely tampering with a printer’s settings and making unauthorized changes to the configuration, and so on. Attacks against printers, although believed to be mostly theoretical, are not unheard of. Most current-day printers are already full-blown computers with some flavor of OS (VxWorks, LynxOS, Nucleus, Linux), an embedded Java VM, a web server, Ethernet, WiFi, a hard disk, a fax board and mailboxes, and they interact with (and potentially have access to) employees’ RFID badges, smart/swipe cards, fingerprints, PINs, LDAP/domain passwords, etc.


Understand the vulnerabilities printers and photocopiers pose to your company’s information security. Have a security policy in place. Ensure proper patching and configuration of these devices. Ask a few simple questions while reviewing printer security:

  • Are all default settings changed, all passwords turned on, and all unused protocols turned off?
  • Do unauthorized individuals have access to your sensitive data?
  • Is a printer access policy in place and implemented properly?
  • Are sensitive documents and data remaining in your printer’s memory? If yes, who can access them?
  • Do all employees have unlimited access to all printing technology? Is there a need-to-know/need-to-access policy in place to prevent uncontrolled and unmonitored device usage?
  • Are sensitive documents frequently printed and then left unattended at devices? What is the time lag between printing and collecting?
  • Is there a job-level tracking policy to know what is being printed, and a process to review the same?
  • Were the security features of printers considered before purchase?
  • Are hard drives removed and retained when the printer is serviced or disposed of?

In addition, the network security review should also include printers, to ensure that proper security features such as encryption are in place.


Popular office phones vulnerable to eavesdropping

Popular office phones vulnerable to eavesdropping hack, Columbia University researchers say

High-tech telephones common on many workplace desks can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered. The exploit targets the Cisco Unified IP Phone 7900 series, which feature color LCDs and internet connectivity. Discovered by doctoral candidate Ang Cui and computer science professor Salvatore Stolfo — both from Columbia University — the hack can be applied to phones so long as the perpetrator has physical access to the device. Cui showed that the hack can easily be injected through the phone’s local serial port. Not only can the exploit allow the perpetrator to monitor any phone calls made from the device, but it can also turn on the phone’s microphone, allowing the perpetrator to hear anything within reach of the phone, as well as stream that audio over a network.

Read on the repost and discover how safe the office communications we rely on really are, and how a hack turns our regular office phone into a bugging device, making all our workplace fears come true.

Columbia University
This small gadget can be attached to a single Cisco IP phone and turn an entire company’s network into a sophisticated bugging device within seconds, researchers say.
High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.
The hack, demonstrated for NBC News, allows the researchers to turn on a telephone’s microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.
Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks.  For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone’s LED light to stay dark when the phone’s microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked.
The flaw involves software running on Cisco’s popular Internet Protocol telephones. Cisco acknowledged the flaw in a statement to NBC News, but wouldn’t say how many of its phones were impacted. In a blog post earlier this year, the company — the leading IP phone maker, with about one-third of the market — said it had just surpassed 50 million in phone sales. 
In a vulnerability announcement sent to paying customers in December, Cisco listed 15 phone models impacted by the problem. 
“You can imagine the implications of this,” Stolfo said of the vulnerability. “Anything that is said behind closed doors isn’t private, no matter how sensitive the conversation is. There is no privacy. How can you conduct business like that?”
Cisco’s statement indicated that the company is working on a fix, and the firm told NBC News that it planned to issue a security bulletin next week. But Stolfo said he is “very worried about the speed with which Cisco is handling this.”
In a demonstration of the phone hack at the Chaos Communications Conference Dec. 29 in Germany, Cui showed examples of Cisco phones being used in government and military applications, though he noted there is no way to know if those phones were vulnerable to the attack.
“On the dark side, these phones are sold worldwide,” Stolfo said. “Any government that would like to peer into the private lives of citizens could use this. This is a great opportunity to create a low-cost surveillance system that is already deployed. It’s a monitoring infrastructure that’s free, when you turn these into listening posts.”
The research was conducted under a grant from the Defense Advanced Research Projects Agency (DARPA), an arm of the Defense Department devoted to computer security, and conducted at the Computer Science Department of Columbia University’s School of Engineering and Applied Science. The same lab caused a global stir in 2011 when it published a hack of Hewlett Packard printers.
“We consider this to be much more dangerous than the printer hack,” Stolfo said, “because of what you can do with the phone.”
In a demonstration conducted last week for NBC News, Cui showed how a small device pre-loaded with software and plugged into a port on the Cisco phone could rewrite the IP phone’s software within seconds. In the scenario he described, a would-be hacker would need to access a phone for only a few moments – a phone on a secretary’s desk, for example – to conduct the attack.
The Columbia lab focuses on so-called “embedded devices” — computer chips in non-PC gadgets, such as televisions, thermostats or telephones. Increasingly, all these gadgets are networked and connected to the Internet, and therefore can be hacked remotely.
“These phones are really general purpose computers jammed into a plastic case that makes you think it’s a phone,” Cui said. “Just because it doesn’t have a keyboard doesn’t make it less of a computer.”
Cisco’s IP phones — and other models that use the same chipset — are open to attack because they routinely connect to a central server looking for updated instructions, according to Cui.  That creates an avenue for a hacker to insert rogue code, he said.
The phones run a proprietary adaptation of the popular Unix operating system called CNU, but any programmer familiar with Unix could write code for the phone and tell it to perform any function, Cui said.
“The phones are listening to a network waiting for a command. They are actively saying, ‘Does anybody have any code for me to run?’” said Stolfo.
In an initial statement to NBC News, Cisco said that all Cisco IP phones “feature a hard-wired light that will alert the user whenever the microphone is active,” meaning it would warn any users that their phone’s microphone had been turned on.  But the Columbia researchers dispute that, and showed NBC News a hacked phone that showed no evidence the microphone had been activated while they were eavesdropping on a conversation. 
“There is no hard-wired light,” Cui said. “Everything is controlled by the software.”
After viewing Cui’s demonstration in Germany, Cisco issued an updated statement to NBC News backing away from its disagreement on the LED light issue, saying it “wasn’t directly relevant.”
But the researchers and Cisco still disagree about potential methods of attack.
Cisco said hackers would generally need physical access to a telephone in order to begin an attack, with rare exceptions.
“(Remote attack would require) the combination of authenticated remote access and non-default device settings,” Cisco said. “No default account exists for remote authentication and devices configured for remote access must use administrator-configured credentials.”
Stolfo said, however, that a hacker would need physical access to only a single phone on the network — a receptionist’s phone, for example, or a phone at the home of a remote worker — to gain access to a company’s entire phone network.
But he also maintained that there are multiple scenarios that would allow for a remote attack.
Escalation would be one way: An outsider could trick a worker into clicking on a virus-laden email attachment, infect the worker’s computer and then use that computer to attack a phone from inside a company’s network, he said.  But the researchers say other flaws exist that would allow the phone to be attacked directly from outside the company.
“It also works the other way,” Cui added. “You could attack the network, and then attack a single person’s phone. Say, the CEO, at home.”
Officials at DARPA said they couldn’t comment on specific research, but praised Columbia’s work generally.
“DARPA’s program is concerned … with exploring what kinds of vulnerabilities are present in current systems so that we can determine architectural principles that will rule out such vulnerabilities in future systems,” Dr. Howard Shrobe, DARPA Program Manager, said in a statement. “Computers often are at the core of many devices that most people do not think of as computers  (e.g.  phones, printers, power meters, cars and airplanes, for example) but which inherited the vulnerabilities of their embedded computer components.  These devices have enormous impact in our everyday lives and in our critical infrastructures and are therefore a core concern.”
Stolfo said it was critical to come forward with the Cisco flaw now because the company isn’t working fast enough to fix it.
“What we’re doing is trying to alert the manufacturer to not provide the opportunity to hackers to break into our phones,” he said. “What we’re asking them to do is like asking automakers to put seatbelts into cars to save lives.” 
The researchers have not released their attack code, so would-be criminals cannot simply copy their work and attack Cisco phone systems today, and there is no evidence that a hacker has exploited this vulnerability in the real world. They do believe others will successfully — and independently — duplicate their research, however, placing Cisco in a race with hackers, and Cui thinks it’s possible that has already happened.
“I’d be surprised if someone else hasn’t already done this,” Cui said.

BYOD: Make it Secure!

BYOD Challenges can be handled through right policies

Bring your own device (BYOD) is a revolution happening at the user end, and it has taken the infrastructure out of the control of ‘information managers’. While the debate goes on about whether BYOD policies save organizations money or cost them, it is slowly emerging that these policies increase complexity while decreasing direct control over information resources. Information security suddenly becomes a prime challenge: the devices are now owned by individuals and used for personal purposes, and the segregation and privacy of work information pose difficult practical problems. A robust BYOD policy coupled with an effective strategy can, to a reasonable extent, help restore control and ensure a smooth transition to the inevitable BYOD revolution.

A strong framework of information security and supporting policy guidelines are absolutely critical to ensure a smooth transition. The issue becomes more critical in the absence of clear regulation and requires an ironclad policy that is enforced rigorously. Items typically expected in the policy include clearly defined information classification, access policy rules for personal devices, user profiling, security lockdown of devices and their OS, protection against device loss and data recovery methods, provisions for remote wipe and remote application management, the right to confiscate and search devices, and the right to dictate which applications are allowed and prohibited. For example, IBM banned access to Apple’s Siri application as well as access to Dropbox for company-managed devices.

In the extremely nebulous legal landscape, it is imperative that these policies be cleared through the legal team to make sure that the language is adequate and that it will work in all applicable jurisdictions. From a legal perspective, it is mandatory to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would normally be used when considering outsourcing partnerships.

The security framework needs to answer questions such as: heavyweight or lightweight security; security at the server level or the client level; security at the device level, application level or information level; and so on. Other issues that cannot be overlooked include bandwidth, software licenses, data plans, etc. Similarly, users’ concerns, such as the confiscation of their devices and access to their personal information, need to be addressed. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., non-work text messages, email and instant message logs), will go a long way toward easing those concerns.

Issues arising out of people using unmanaged devices (e.g. a user who does not wish to participate in the officially sanctioned BYOD programme) may represent an even greater risk to businesses than those posed by people who willingly agree to follow the rules.

While analysts and experts caution organizations on the importance of having a strong BYOD policy in place, the fact is that many organizations do not pay enough attention to this key point and simply add a few lines to their existing wireless policy in an attempt to cover their bases. While it’s highly recommended that the BYOD strategy be in line with the corporate mobility strategy, just tweaking the mobility policy to accommodate BYOD is not enough. A separate policy that covers all possible aspects of BYOD is a basic necessity.

A policy is only as good as the people who follow it. Implementing a pilot and revisiting policy guidelines help in understanding the ever-evolving challenges. Further, policy-making needs to be treated as an evolving process and not a one-time exercise to meet routine compliance or adherence to company policies. It is also important to back policies with technical controls such as mobile application management (MAM) and mobile device management (MDM) applications. Where possible, enforcing device encryption and passwords will help reduce the associated technical risks. Improving access management requirements, such as by mandating two-step or two-factor authentication, can further help reduce the risk of a lost device immediately leading to a data breach.