3 steps to total compromise – why Google’s 86,000 indexed printers should have your IT team jumping.

There’s been a bit of coverage in the technology press about Google’s “indexing” of tens of thousands of publicly available printers connected directly to the Internet.

According to Darren Arnott, Principal Consultant with information security consultancy TrustedImpact, this means that two to three billion internet users can view the details about your printer’s configuration.

“So what, right? Well, random hackers launching ‘printer attacks’ to use up your company’s paper and printer toner is the least of your worries.”

Arnott provided evidence that important information is easily readable and can be used to access and compromise a company’s network and its systems. This means the company’s entire IT system, from its customer databases to its electronic files.

While your printer will have a lot of useless information, it also has a small amount of very important information that’s useful to someone with a little technology insight or creativity. 

For example, Arnott found that anyone on the internet can see things on these printers including:

• Print job information including username and document name
• Stored documents that may have been printed or scanned and can be downloaded
• Network configuration information which may reveal internal network information such as authentication server names or other sensitive information (eg, “SNMP community strings”)
• Passwords

“Yes that’s right, passwords.  Many of these devices are typically configured to also connect to a company’s email and file systems.  It’s those connections that should be the grave concern for an organisation’s IT team.” 

Those connections are typically configured using ‘administrative web management interfaces’, which need usernames and passwords to be set so the device can talk back and forth to the company’s internal IT systems.

With access to this interface, on many printer models it’s a simple exercise to view these usernames and passwords. Quite often these are ‘privileged accounts’ that have full access to your internal network and IT systems. Once someone has access to your network and systems, they have access to your data. 

Arnott explained the three steps to compromise:

Step 1: Choose a target from the 86,000 devices and identify usernames and passwords,
Step 2: Identify the organisation the device is connected to,
Step 3: Search for ‘VPN endpoints or webmail servers’ and use these credentials to gain a foothold into the company’s network.

“Our firm (TrustedImpact) has successfully used these types of usernames and passwords gathered from unprotected printers in technical security tests (aka Penetration Tests) to obtain elevated administrative access to a variety of company networks and sensitive data in order to help those organisations protect their systems from hackers.”

“Your IT team needs to remove those printers from direct access to the internet, or put solid passwords on them to protect from prying eyes.”

Why be worried?  If only one in a hundred internet users wanted to see your data, that’s still one very large number… in fact, it’s about the same size as every man, woman and child living in Australia. 

It’s inevitable that some of the data residing in your company’s systems would be worth money on the black cyber-market, such as customer credit card data or company bank account details (in fact, the list goes on). And if it’s worth money to someone, you’re guaranteed that it will motivate some percentage of that two to three billion internet population to try to gather it.

Furthermore, if you’re the custodian of your customers’ sensitive data, you need to consider the value of this data to a malicious third party and keep your organisation from becoming one of the many ‘roadkill on the information superhighway’ like major companies such as Heartland, TJX, Epsilon, Fidelity, Global Payments, or Sony (and again, the list here goes on).

The bottom line according to Arnott:  “All IT ‘management interfaces’ to your network or systems should not be accessible on the internet and if they must be for business reasons, they should be adequately secured using rigorous usernames and passwords.”
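As an added example (not from the article or from TrustedImpact), the sketch below triages a printer inventory against the two conditions Arnott names: a management interface reachable from the internet, and no admin password. It also lists the service accounts stored on a device that had both problems, since those should be treated as disclosed. The inventory records, field names and account names are constructed, and the address check assumes RFC 1918 ranges are your only internal networks.

```python
import ipaddress

# RFC 1918 ranges; extend with any other ranges your organisation treats as internal.
# Assumption: a private address that is port-forwarded to the internet will not be
# caught here and needs an external scan of your own perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internet_facing(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def audit_printer(rec):
    """Return (severity, actions) for one inventory record."""
    exposed = is_internet_facing(rec["ip"])
    no_auth = not rec["admin_password_set"]
    actions = []
    if exposed:
        actions.append("remove direct internet access to the management interface")
    if no_auth:
        actions.append("set a strong admin password")
    if exposed and no_auth and rec["stored_accounts"]:
        # Credentials stored on the device were readable by anyone: treat as disclosed.
        actions.append("rotate: " + ", ".join(rec["stored_accounts"]))
    severity = ("critical" if exposed and no_auth else
                "high" if exposed else
                "medium" if no_auth else "ok")
    return severity, actions

# Constructed inventory (documentation-range and RFC 1918 addresses, made-up names).
INVENTORY = [
    {"name": "floor3-lj", "ip": "192.168.7.9", "admin_password_set": True,
     "stored_accounts": []},
    {"name": "finance-mfp", "ip": "203.0.113.11", "admin_password_set": True,
     "stored_accounts": ["svc-scan2share"]},
    {"name": "floor2-lj", "ip": "10.20.4.15", "admin_password_set": False,
     "stored_accounts": []},
    {"name": "lobby-mfp", "ip": "203.0.113.10", "admin_password_set": False,
     "stored_accounts": ["svc-scan2mail", "svc-ldap"]},
]

def audit(inventory):
    """Audit every record and return rows sorted worst-first."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    rows = [(r["name"],) + audit_printer(r) for r in inventory]
    return sorted(rows, key=lambda row: order[row[1]])

if __name__ == "__main__":
    for name, severity, actions in audit(INVENTORY):
        print(f"{name:12} {severity:8} {'; '.join(actions) or '-'}")
```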

_____________________________________________________________________________________
Author:  Darren Arnott is a Principal Consultant with TrustedImpact, a specialised information security consultancy headquartered in Australia.  Follow us on twitter on @trustedimpact or visit us at www.trustedimpact.com.
 


Tags: TrustedImpact, Darren Arnott, indexing, Printers, Google, VPN endpoints, data privacy, hacking
