No, this is NOT HP's latest printer...

So, remember a few weeks back, when the tech press got really silly, warning us that hackers could set our HP printers on fire remotely?  Well, it turns out that there was a security story about HP printers, but the press really missed the boat on what was actually important.  At the 28th Chaos Communications Congress (held in Berlin last week), the Columbia University researchers whose work was totally misconstrued by the press presented their work.  No, hackers cannot set your printer on fire – but they can install malware on hundreds of millions HP printers shipped since 2005, either by connecting to the printer and replacing its normal firmware with evil firmware or by getting one of your users to print out a specially crafted document which also carries their nefarious code.  Once this hack is done, your printer will become a silent (but deadly) bridgehead into your network.

UPDATE:  Here’s a list of all of the printers affected by this vulnerability.

The researchers had two demos.  In the first, they caused the infected printer to silently send a copy of every document it printed to an attacker’s printer out on the Internet.  Demo two had the infected printer acting looking for internal systems vulnerable to a Windows XP exploit and then acting as a relay for the attacker to control them from outside the firewall.  This was pretty scary stuff… let’s say I send a crafted document purporting to contain a 50% off coupon for a local restaurant to your users… how many times (and on how many printers) would this get printed?

This hack is made possible by the fact that some HP printers allow their firmware to be updated without any authentication or digital signature and that all of the code within the printer runs as a super user.  It also points out the need for anti malware protections for embedded devices like printers, routers and the like.  The guys at Columbia are working on a project to do this.

As an aside, these same researchers scanned the Internet for accessible HP printers – they found over 75,000 of them, located at private companies, governments, educational institutions and in other places.  Infecting just a small percentage of these systems would provide someone with a very stealthy botnet that would be extremely difficult to remove.  The researchers feel that it may be possible for the attackers to install their code permanently, so that the only ways to get rid of the infection would be by replacing (soldered on surface mount) hardware components or trashing the printer altogether,

So… what to do?

First, update your HP printers’ firmware to the latest (December 2011 or later) firmware version, which can be found over on the HP support website.  The new drivers require printer firmware updates to be digitally signed by HP.

Next, make sure that your printers cannot be accessed from the Internet.  For most of my readers, I don’t think this will be an issue, but you never know… scan your Internet facing IPs for port 9100, which is used to submit print jobs and firmware updates to HP printers.

Third, limit where your printers can send traffic to… is there any good reason to allow a printer outbound access to the Internet?  Not that I can think of.  Putting printers on an isolated VLAN which can ONLY talk to the print server limits the damage that can be done using this attack.  Of course you really need to make sure that your print servers are patched and properly isolated as well – and when eas the last time you took a look at your print servers?

We’ve all got some work to do, people but more importantly, we need to look at embedded systems like printers, routers, access points, and the like in a new way – as potential malware targets with the computing power to take down our networks and no antivirus protection.  I can just about guarantee that the bad guys will be researching this in 2012 – it is just too juicy a target to ignore.

If you are a security pro or are responsible for printers in your organization, I’d recommend spending an hour watching the video of this presentation to get the full story.

Happy New Year, all.

OK… this story is a bit older than that movie… but it is even cooler – hacking 1903 style for the lulz!

Doesn't that look tasty...

When Microsoft comes out with an out of cycle security advisory (and during a holiday week, no less), you know something big is up.  This week’s bulletin highlights a denial of service attack and two privilege escalation vulnerabilities that affect web sites built on top of ASP.NET.   The most serious privilege escalation vulnerability could allow an attacker to execute commands on a system by sending specially crafted web requests.

The denial of service issue is related to a flaw in the way that ASP.NET (as well as PHP, Ruby and Java) handle the hash tables which are used to pass information from user web inputs to the web server.  By sending specially crafted requests to vulnerable web servers, it is possible to tie up all of their CPU resources and make them unavailable to legitimate users.  This attack was revealed at this past week’s Chaos Communications Congress in Berlin – you can watch the presentation here.

There is a very good technical description of the DoS problem and attack here.

The DoS flaw is also present in PHP, Python, some Java web frameworks, and Ruby.   Apache Tomcat 7.0.23 contains a workaround fix which limits the number of parameters accepted in a POST request.  PHP version 5.4.0 will include a workaround fix for this problem, but is not yet ready for production use.   Ruby version 1.9 and higher has a fix which solves the problem by randomizing the hash tables.

Given the recent ‘hacktivist’ activity we have been seeing, it would not surprise me if this attack was used against sites in the financial industry as well as in the public sector.  In any case, the Microsoft patch is a must for your web facing ASP.NET systems now.  The US-CERT’s vulnerability page for this issue is a good place to keep track of vendors’ responses as more platforms are found to be vulnerable.

The CTF contestants were given the task of collecting as many pieces of information (“flags”) as they could from one of 14 targeted companies, across multiple industry sectors. In phase one of the contest, contestants were given 2 weeks to conduct open source research on their quarry using the web, social media, Google and the like. Phase two of the contest took place at Defcon, where contestants made phone calls to their targets and tried to “social engineer” ( bamboozle) unsuspecting employees into revealing information which could help an attacker plot her nefarious strategy.

If you are responsible for security at your organization, you really need to read the full report; it is chock full of great information which you can use to enhance the critical human element of your security programs.

Here are a few tidbits which stood out for me:

In all cases where the attacker asked an employee to visit a URL, the employee ended up doing so, even if they were resistant at first. The attacker could use this behavior in a number of ways. First, they would be able to query the system to determine what versions of software are installed to inform later attacks. They could direct the employee to a “drive by download” site which attempts to exploit vulnerabilities to install malware on the system. They could get an idea of what type of web filtering was in place – if the company did not block access to social media sites, these might be used to leverage later attacks. And if the attacker was smart and persuasive, she could get the employee to download and run software on their system.

Much of the information sought by the attackers could be gathered without contacting the target company.   Information which was freely available on the web, or mistakenly made available through defects in policy or system configuration was a treasure trove for contestants. Here are some of the prizes found during the open source research phase:

• Employee personal blogs with corporate information posted to them
• Employee resumes which listed technical or organizational information of use than attacker
• Photographs which depicted employee badge designs, names of vendors, access control and CCTV systems in use, other technology in use, or layouts of facilities, amongst others.
• Some organizations even had employee lists, with titles, email addresses and phone numbers available on the web – these are pure gold for the Social Engineer.

None of the organizations seemed to have provided employees with a script for dealing with callers asking strange questions.   In the absence of instructions, many employees fell back on their customer service training and innate desire to “help” and played in to the hands of the attacker.   A simple “let me get my manager on the line” script could have stopped many of these attacks.

There is a lot more great information in this report… Read it and share it with your external facing employees today.

Are you still reading my blathering? Get reading!

“The Feb. 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail,” according to the complaint filed against him, which asserted that the hack cost Shionogi about $300,000. That figure rose to $800,000 in later court documents.

Really, really basic controls broke down here… if someone with “destroy the network access” is upset enough to leave the company (especially in a crappy economy like we are in now) – show them the freaking door and cut all of their access before it hits them in the ass on the way out!  And don’t allow vital knowledge to accumulate in one person’s head, making them irreplaceable.  Finally, make sure that there are checks and balances in the termination process to insure that these steps are completed quickly and properly.  This is infosec 101, people!

The attack prevented investors from accessing corporate announcements made during the exchange’s mid-day break.  As a result, trading in companies who made such announcements (including such well known names as HSBC and Cathay Pacific) was suspended for the afternoon session.

The general take away from this incident is that attackers look for “low hanging fruit” when choosing their targets.  I am sure that the HK Exchange’s back end systems are protected by many layers of firewalls, intrusion detection systems and other technology.  The public web site is, well, public and is thus by necessity much more exposed to attack – and an easier target.

The lesson?   There really is no such thing as a non critical system these days… every system needs to be designed as if there are hoards of attackers just waiting to pounce… stay paranoid!

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”

In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices with providing the user with any protection and that the users are simply doing the best that they can under the circumstances.  This is where I disagree.

While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports.  Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB borne threats.  There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance.  I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:

• Don’t open links or files from strangers
• Don’t open unexpected/strange links or files (that seem to be) from friends
• Don’t take USB candy from strangers

Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.

So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.

Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language.  I would have said “boneheaded” or “Homer Simpson-like” instead.  This is why I am beloved at my workplace.

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare.  Some researchers in Belgium did some poking around on these sites and the results are yet another that security through obscurity just doesn’t cut it.

What's the worst that could happen?

Spear phishing has been in the news quite a bit lately – it seems like just about all of the recent high profile hacks began with someone clicking on a link or opening a document.  Here’s a data point which seems to corroborate the innate sense of trust that leads people to do really stupid things. According to an entry in Bruce Schneier’s blog… in Istanbul, police dressed up as doctors, knocking on doors unannounced, were able to persuade 86% of subjects to take a pill.  And this is after a rash of crimes in which people who are not police did the same thing, using powerful sedatives to disable victims and ransack their homes.  My belief in knowledge of human psychology as the most powerful hacking tool remains strong.  Or maybe there is something in the water in Istanbul…

They Might Be Giants – Istanbul (Not Constantinople) from They Might Be Giants on Vimeo.