No, this is NOT HP's latest printer...

So, remember a few weeks back, when the tech press got really silly, warning us that hackers could set our HP printers on fire remotely?  Well, it turns out that there was a security story about HP printers, but the press really missed the boat on what was actually important.  At the 28th Chaos Communications Congress (held in Berlin last week), the Columbia University researchers whose work was totally misconstrued by the press presented their work.  No, hackers cannot set your printer on fire – but they can install malware on hundreds of millions HP printers shipped since 2005, either by connecting to the printer and replacing its normal firmware with evil firmware or by getting one of your users to print out a specially crafted document which also carries their nefarious code.  Once this hack is done, your printer will become a silent (but deadly) bridgehead into your network.

UPDATE:  Here’s a list of all of the printers affected by this vulnerability.

The researchers had two demos.  In the first, they caused the infected printer to silently send a copy of every document it printed to an attacker’s printer out on the Internet.  Demo two had the infected printer acting looking for internal systems vulnerable to a Windows XP exploit and then acting as a relay for the attacker to control them from outside the firewall.  This was pretty scary stuff… let’s say I send a crafted document purporting to contain a 50% off coupon for a local restaurant to your users… how many times (and on how many printers) would this get printed?

This hack is made possible by the fact that some HP printers allow their firmware to be updated without any authentication or digital signature and that all of the code within the printer runs as a super user.  It also points out the need for anti malware protections for embedded devices like printers, routers and the like.  The guys at Columbia are working on a project to do this.

As an aside, these same researchers scanned the Internet for accessible HP printers – they found over 75,000 of them, located at private companies, governments, educational institutions and in other places.  Infecting just a small percentage of these systems would provide someone with a very stealthy botnet that would be extremely difficult to remove.  The researchers feel that it may be possible for the attackers to install their code permanently, so that the only ways to get rid of the infection would be by replacing (soldered on surface mount) hardware components or trashing the printer altogether,

So… what to do?

First, update your HP printers’ firmware to the latest (December 2011 or later) firmware version, which can be found over on the HP support website.  The new drivers require printer firmware updates to be digitally signed by HP.

Next, make sure that your printers cannot be accessed from the Internet.  For most of my readers, I don’t think this will be an issue, but you never know… scan your Internet facing IPs for port 9100, which is used to submit print jobs and firmware updates to HP printers.

Third, limit where your printers can send traffic to… is there any good reason to allow a printer outbound access to the Internet?  Not that I can think of.  Putting printers on an isolated VLAN which can ONLY talk to the print server limits the damage that can be done using this attack.  Of course you really need to make sure that your print servers are patched and properly isolated as well – and when eas the last time you took a look at your print servers?

We’ve all got some work to do, people but more importantly, we need to look at embedded systems like printers, routers, access points, and the like in a new way – as potential malware targets with the computing power to take down our networks and no antivirus protection.  I can just about guarantee that the bad guys will be researching this in 2012 – it is just too juicy a target to ignore.

If you are a security pro or are responsible for printers in your organization, I’d recommend spending an hour watching the video of this presentation to get the full story.

Happy New Year, all.

oops - wrong Java!

I hate Java.  Not the country or the beverage, but the programming language.  Actually, not so much the language, but the way that it is used and distributed to PC and Mac users.  A recent report from Microsoft stated that between one third and one half of the malware that they saw between 3Q 2010 and 2Q 2011 was written in Java.  Java is a natural target for malware writers – it is cross platform and is installed on just about every computer used to connect to the Internet.  Java is a force multiplier for the bad guys.   Like any other software, the Java Runtime Environment (JRE), which allows Java applets to run on your computer, has its share of security flaws which are then exploited by attackers.  Recently, one “pernicious” Java exploit which had only been available for purchase in the “computer underground” was made available in the Metasploit toolkit, which allows less skilled attackers to use it to craft their attacks.

If you are reading this on a computer that you own personally, stop right now and make sure that you are running the latest version of Java and other browser plugins on your system – Qualys has a nice site which does this for you automatically.  Go ahead, I’ll wait…

In enterprises, upgrading Java is not as easy as it would seem.  Many applications used by business were written with a particular version of Java in mind and they will stop working if you do the “right thing” and upgrade the JRE.  As a result, many organizations are stuck with old and vulnerable versions of Java running on their systems.

There are solutions to this problem, involving installation of the new Java Runtime Engine along side the old one and then playing with the PATH or JAVA_HOME environment variables to tell Java which version of the JRE to invoke.  I’m going to be doing some research on this and will post the results.

In the mean time, a plea to applet developers… please make your software compatible with the newer, safer versions of Java.  Let’s close down malware writers’ access via this particular hole.

The CTF contestants were given the task of collecting as many pieces of information (“flags”) as they could from one of 14 targeted companies, across multiple industry sectors. In phase one of the contest, contestants were given 2 weeks to conduct open source research on their quarry using the web, social media, Google and the like. Phase two of the contest took place at Defcon, where contestants made phone calls to their targets and tried to “social engineer” ( bamboozle) unsuspecting employees into revealing information which could help an attacker plot her nefarious strategy.

If you are responsible for security at your organization, you really need to read the full report; it is chock full of great information which you can use to enhance the critical human element of your security programs.

Here are a few tidbits which stood out for me:

In all cases where the attacker asked an employee to visit a URL, the employee ended up doing so, even if they were resistant at first. The attacker could use this behavior in a number of ways. First, they would be able to query the system to determine what versions of software are installed to inform later attacks. They could direct the employee to a “drive by download” site which attempts to exploit vulnerabilities to install malware on the system. They could get an idea of what type of web filtering was in place – if the company did not block access to social media sites, these might be used to leverage later attacks. And if the attacker was smart and persuasive, she could get the employee to download and run software on their system.

Much of the information sought by the attackers could be gathered without contacting the target company.   Information which was freely available on the web, or mistakenly made available through defects in policy or system configuration was a treasure trove for contestants. Here are some of the prizes found during the open source research phase:

• Employee personal blogs with corporate information posted to them
• Employee resumes which listed technical or organizational information of use than attacker
• Photographs which depicted employee badge designs, names of vendors, access control and CCTV systems in use, other technology in use, or layouts of facilities, amongst others.
• Some organizations even had employee lists, with titles, email addresses and phone numbers available on the web – these are pure gold for the Social Engineer.

None of the organizations seemed to have provided employees with a script for dealing with callers asking strange questions.   In the absence of instructions, many employees fell back on their customer service training and innate desire to “help” and played in to the hands of the attacker.   A simple “let me get my manager on the line” script could have stopped many of these attacks.

There is a lot more great information in this report… Read it and share it with your external facing employees today.

Are you still reading my blathering? Get reading!

Heeeeeere's malware!

The latest edition of Microsoft’s Security Intelligence Report provides some interesting analysis as to how computers get infected with malware. Microsoft’s dataset is pretty large, comprising some 600 million computers equipped with Microsoft’s Malicious Software Removal Tool (MSRT) which reports details of malware infections back to the mother ship in Redmond. The numbers hold some important lessons for security professionals.

Don’t get your knickers in a twist about zero day exploits. While the press loves a good zero day story, only 0.12% of the infections seen by Microsoft used unpatched vulnerabilities. Zero day vulnerabilities are valuable commodities which attackers will not waste on run of the mill cyberattacks. Don’t center your anti malware program on the latest zero day vulnerability of the week.

Vulnerabilities are sooo last year – your users are the weakest link.  Only about 6% of malware infections seen by Microsoft were the result of vulnerability exploitation.  In contrast, almost half of all malware infections in the study required the user to take an action (clicking a link, running a program, opening an attachment, etc.) in order for the infection to be successful.   In most cases, no vulnerability was used – the user simply gave the malware permission to run.  Spending some time and effort edumacating your users to be skeptical and think before they click that link or open that attachment has the potential to significantly reduce your malware attack surface.

You still need to keep software up to date.  Testing and installing patches from Microsoft and other vendors will protect your systems from the 7% of attacks which use exploits to worm their way in (get it?) to your systems.  This is a small portion of the malware threat, but once you get patching and updating to be part of your normal automated business processes, it is a low touch, low cost addition to your malware defenses.

Filtering and monitoring your outbound web traffic is a must – if malware is unable to download code, connect to command and control servers or exfiltrate data, the threat it poses is greatly reduced.  Keep your filter lists up to date with the latest known malware URLs – the subscription fees are a small price to pay for preventing access to the malweb in the first place.

Monitoring your network traffic, proxy logs, and changes to the services running on your hosts for strange patterns can pay off big time.  Since we can’t count on signatures to find every type of malware you may encounter, look for strange behavior for the early warning signs.

I found Microsoft’s analysis of the malware problem to be pretty interesting and I am looking forward to reviewing the rest of the Security Intelligence Report for nuggets of wisdom – I’ll post more soon!

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash

Most users (and many IT folks) don’t really think too much about these “helper” programs, even though they are installed on almost all workstations in our environments.  This makes sense, as users almost never run these programs knowingly – they get executed in the background when web pages are visited or documents are viewed.   Users do get reminders when new updates are available, but how often do your users take the time to let the updates install and reboot their systems?  Rolling these updates out is a pain in the nether regions, but the payoff (protection against 80% plus of the most commonly used attack vectors) is high.  Buy your IT guys and gals a beer and get this terrible trio on your periodic update schedule.  And remember to let users know when they need to update their personal systems…

I think this really hits the password problem on the head.  With the advent of inexpensive GPU assisted password cracking, as well as more intelligence on the part of the (human) password crackers, the old school password rules of “must have a capital letter, a small letter, a number, and (maybe) a special character” are becoming woefully outdated.  And yes, they are hard to remember.  And most importantly, they make users hate the InfoSec people.  Do they ever bring us home baked brownies as a reward for our password rules?  Nope.

As I tend to always take advice from comic strips when making important decisions, I really like the four dictionary word idea.  The math seems to work and it certainly seems to be easier on the user.  However, the infrastructure for implementing such a scheme in the systems where it would count (primarily Microsoft Active Directory) would have to exist in order for this to be workable.  I hope that Microsoft and others who did better than me in math take a long hard look at this as a potential solution to password problems.