Raising the Bar for Printer Security
HP Canada recently hosted a Printer Security tech day for a
small number of participants whom they considered influencers. Recognizing my contributions
to both the Atlantic Security Conference (AtlSecCon) and the Halifax Area
Security Klatch (HASK), I was fortunate enough to be included as one of the seven
attendees.
After learning that some of my friends and peers would
also be attending, I agreed to participate without hesitation. A free lunch and some
time to catch up over drinks with friends sounded like a great idea; besides, Mississauga
in early February, what could go wrong, right? Well, after a few flight delays for
some of us, we were all welcomed to the HP Canada offices in Mississauga.
Having worked in the office equipment industry very early in
my career (yes, I was “The Copier repair guy”), I must admit I was not expecting
to learn anything new; boy, was I mistaken. To HP’s credit, they were completely
transparent, and after a few presentations a clear security narrative started to
emerge around the protection of Devices, Data and Documents.
Understanding the Threat
Printers ship with default passwords and frequently store Active
Directory credentials: a service account used for LDAP lookups and user authentication,
or one used to write scanned documents to SMB file shares. Printers are rarely hardened,
and an attacker who can reach the management interface can often coax the device into
sending those stored credentials, or the NTLM hashes derived from them, to a host the
attacker controls. One of my go-to reference books is “The Hacker
Playbook 2” by Peter Kim; in it the author identifies printers as an attractive
target for gaining a foothold in a network before moving laterally and
penetrating even deeper.
How big is the problem?
Shodan.io is a search engine that makes it easy to
find internet-connected devices such as webcams, routers and, of course, printers. Recent
search results show a significant number of internet-connected printers, with the
most common exposed service being http. Authentication to the web management interface
of these devices over plain http is typically HTTP Basic authentication, which sends
the password base64-encoded rather than encrypted, so anyone on the network path can
recover it. But hey, the default password is likely to work anyway... right…
What can we do about it?
We have to change the way we think about these
devices. A modern printer has substantial compute and storage resources, a web interface,
network credentials, and access to or copies of your most sensitive data, and any
discussion of printers needs to account for that. Simply put, as these devices become
more sophisticated, their attack surface and their vulnerabilities grow. As Information
Security and Cybersecurity practitioners we must treat printers as endpoints and apply
risk management practices accordingly.
Covering Your Assets – Practical Advice
Protecting the Endpoint
· Harden devices using established best practices: disable unused protocols, close unused ports and change every default password.
· Control access to print device settings and functions with administrative controls.
· Include security feature requirements in the procurement process, such as centralized security policy management and the ability to ensure that only authorized firmware and software can be installed and executed.
Protecting the Data
· Use encryption to ensure print job data is protected both in transit and at rest.
· Require user authentication to access the device and its features.
· Make sure the asset management lifecycle includes secure destruction practices, so that data is removed or erased before old devices are recycled.
· Use secure printing solutions to enable printing from mobile devices.
Protecting the Documents
· Hold print jobs until the user authenticates at the device before printing (pull printing).
· Use secure input trays to protect sensitive media such as checks and prescription forms.
· Where sensitive information is printed regularly, consider moving the printers to a controlled-access area.
· Enable anti-counterfeiting solutions such as security toner to prevent the alteration and tampering of sensitive documents.
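The checklist above lends itself to being encoded as an audit. The following is an added example, not HP's code or the author's: it takes a snapshot of a printer's settings and exposed services and reports every item from the Devices, Data and Documents lists that the device fails, and it decodes a captured HTTP Basic header to show why plain-http management counts as a cleartext finding. The snapshot field names, the default-credential list, the port baseline and both sample devices are assumptions constructed for this example; a real audit would fill the snapshot from the device's web UI, SNMP or a port scan.

```python
"""Audit a printer configuration snapshot against the hardening checklist above.

Added example, not HP's code or the author's. The snapshot field names, the
default-credential list and the port baseline are assumptions for this example;
a real audit would fill the snapshot from the device's web UI, SNMP or a scan.
"""
import base64
from dataclasses import dataclass

# Assumption: factory credentials commonly seen on print devices (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "password"), ("root", "")}

# Assumption: services a hardened print device rarely needs exposed.
UNNEEDED_PORTS = {21: "ftp", 23: "telnet", 515: "lpd"}


@dataclass(frozen=True)
class Finding:
    check: str      # short identifier for the checklist item that failed
    severity: str   # "high", "medium" or "low"
    detail: str


def audit_printer(snapshot: dict) -> list:
    """Return one Finding for every checklist item the snapshot fails (empty list if hardened)."""
    findings = []
    open_ports = set(snapshot.get("open_ports", []))

    # Protecting the endpoint: default passwords, unused protocols, cleartext management, firmware.
    creds = (snapshot.get("admin_user", ""), snapshot.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(Finding("default_password", "high",
                                f"administrator account '{creds[0]}' still uses a factory password"))
    for port in sorted(open_ports & set(UNNEEDED_PORTS)):
        findings.append(Finding("unused_protocol", "medium",
                                f"{UNNEEDED_PORTS[port]} (tcp/{port}) is enabled but not required"))
    if 80 in open_ports and not snapshot.get("http_redirects_to_https", False):
        findings.append(Finding("cleartext_management", "high",
                                "web management interface reachable over plain http"))
    if 161 in open_ports and snapshot.get("snmp_community") in (None, "public", "private"):
        findings.append(Finding("snmp_default_community", "high",
                                "SNMP answers to a default community string"))
    if not snapshot.get("firmware_signature_enforced", False):
        findings.append(Finding("unsigned_firmware", "high",
                                "device accepts firmware that is not vendor-signed"))

    # Protecting the data: encryption in transit and at rest, user authentication.
    if 9100 in open_ports or not snapshot.get("ipp_tls_only", False):
        findings.append(Finding("print_jobs_in_clear", "medium",
                                "print jobs are accepted without TLS, so data in transit is unprotected"))
    if not snapshot.get("disk_encryption", False):
        findings.append(Finding("storage_unencrypted", "medium",
                                "internal storage is not encrypted; spooled documents survive until securely erased"))
    if not snapshot.get("auth_required_at_device", False):
        findings.append(Finding("no_user_auth", "medium",
                                "device functions are usable without user authentication"))

    # Protecting the documents: pull printing.
    if not snapshot.get("pull_printing", False):
        findings.append(Finding("no_pull_printing", "low",
                                "jobs print immediately instead of waiting for the user at the device"))
    return findings


def recover_basic_credentials(header: str):
    """Decode a Basic authorization header captured from a plain-http management session.

    HTTP Basic auth is only base64 encoding, not encryption, which is why http
    management is a cleartext finding above. Returns (user, password) or None.
    """
    value = header.strip()
    if value.lower().startswith("authorization:"):
        value = value.split(":", 1)[1].strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed snapshots (not real devices): one left at factory settings, one hardened.
FACTORY_PRINTER = {
    "admin_user": "admin", "admin_password": "admin",
    "open_ports": [21, 23, 80, 161, 443, 515, 631, 9100],
    "snmp_community": "public", "http_redirects_to_https": False,
    "firmware_signature_enforced": False, "ipp_tls_only": False,
    "disk_encryption": False, "auth_required_at_device": False, "pull_printing": False,
}
HARDENED_PRINTER = {
    "admin_user": "printadmin", "admin_password": "Kq7!vR2m#pLx9",
    "open_ports": [443, 631],
    "snmp_community": "Zt4$hardened", "http_redirects_to_https": True,
    "firmware_signature_enforced": True, "ipp_tls_only": True,
    "disk_encryption": True, "auth_required_at_device": True, "pull_printing": True,
}

if __name__ == "__main__":
    for name, snap in (("factory", FACTORY_PRINTER), ("hardened", HARDENED_PRINTER)):
        print(f"== {name}: {len(audit_printer(snap))} finding(s)")
        for f in audit_printer(snap):
            print(f"  [{f.severity:6}] {f.check}: {f.detail}")
    # Constructed header as it would appear on the wire during http management.
    print(recover_basic_credentials("Authorization: Basic YWRtaW46YWRtaW4="))
```

Run stand-alone, the factory snapshot produces eleven findings (three of them for ftp, telnet and lpd being left enabled) while the hardened snapshot produces none, and the captured header decodes straight back to the admin:admin pair. The physical controls from the Documents list (secure trays, controlled-access rooms, security toner) have no configuration to check and are deliberately left out of the audit.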
Some Internet History and an Infamous Guest Speaker
After a day of talks and interaction with various HP professionals,
it was a surprise and a pleasure to meet Michael Calce. Under his hacker handle,
Mafiaboy, Calce was responsible for a number of highly publicized distributed
denial of service (DDoS) attacks against large commercial websites, including
Dell, CNN, eBay and Yahoo!, in 1999 and 2000.
Early in my information security career I had the
opportunity to attend a local High Tech Crime Investigation Association (HTCIA)
conference in Halifax. The keynote was given by one of the FBI’s lead investigators
on the “Mafiaboy” DDoS case. During the presentation they profiled
Mafiaboy and portrayed him as a hardened criminal fitting every hacker
stereotype available.
Meeting Michael was an opportunity to hear his side of the story and what those events were like for him at fifteen years old. He spoke openly
about having since reformed, and he now serves as Chairman of HP’s Security Advisory
Board. Welcome to the blue team, Michael; as defenders we are glad to have
you.
#HP #PrintSecurity
Many thanks to HP Canada for including me.
Learn more about HP’s Secure Printing Solutions