
How can businesses assess and mitigate the security threat of
networked devices such as printers that have operating systems
which can continually re-infect networks with malware?
When we conduct a penetration test of a corporate
network, we typically find dozens of printers offering management
pages without passwords. This means that anyone on the network
could not only print to the machine, but also control it, change
the print settings and send faxes, writes Peter Wood, member of
the ISACA Conference Committee and founder
of First Base Technologies. Worse still, some malware can
affect unprotected printers, creating a nightmare for network
administrators.
In January 2007,
Computerworld reported that McCormick and Co. had been hit by
the Blaster worm, which continued to re-infect the company's
network. It turned out that Blaster and some instances of the
Sasser worm were trying to spread from
infected networked printers. There has since been little
evidence of printer-based attacks spreading across large networks,
leaving printer security neglected in most organisations.
Security researchers have also demonstrated how to bypass
authentication, inject commands at the root level and create shell
code to take over printers. This presents the opportunity for all
sorts of attacks, including intercepting passwords, grabbing print
jobs and even bridging from low-security areas to high-security
areas. All it takes is any remote code-execution vulnerability,
such as a buffer overflow or cross-site scripting weakness, to
spread a bot to the printer or use the printer as a launch pad for
other attacks.
As PCs and servers become more secure through tougher security
standards and best practices, attackers are likely to turn to
unprotected printers. Since network printers often have embedded
Windows operating systems, they interact with the network just like
any other Windows-based system.
To minimise the risk, organisations need to change default
passwords and enable encrypted management interfaces rather than
plain text web or telnet connections. They should also disable
unused services on printers, which typically come with everything
enabled out of the box.
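
One way to check a printer estate against these recommendations, as an added example that is not part of the original article: the script reads nmap grepable (`-oG`) output from a scan of your own printer subnet and flags plain text web or telnet management, missing encrypted management and services outside an allowlist. The host names, addresses, sample scan lines and the policy sets `PLAINTEXT_MGMT` and `ALLOWED` are assumptions constructed for illustration.

```python
import re

# Constructed sample: nmap grepable (-oG) lines for three printers.
SAMPLE_SCAN = """\
Host: 10.0.5.11 (prn-floor1)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///
Host: 10.0.5.12 (prn-floor2)\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///
Host: 10.0.5.13 (prn-lab)\tPorts: 23/closed/tcp//telnet///, 443/open/tcp//https///, 9100/open/tcp//jetdirect///
"""

# Assumed policy: manage printers only over HTTPS or SSH, print only via raw 9100.
PLAINTEXT_MGMT = {23: "telnet", 80: "http"}   # the plain text interfaces named above
ENCRYPTED_MGMT = {22, 443}
ALLOWED = ENCRYPTED_MGMT | {9100}             # anything else counts as unused

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*)$")

def open_ports(ports_field):
    """Return the set of open TCP ports from a grepable 'Ports:' field."""
    found = set()
    # Drop trailing tab-separated fields such as 'Ignored State: ...'.
    for entry in ports_field.split("\t")[0].split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
            found.add(int(parts[0]))
    return found

def audit(scan_text):
    """Map each host to a list of findings; an empty list means compliant."""
    report = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        opened = open_ports(ports)
        findings = []
        for port in sorted(opened):
            if port in PLAINTEXT_MGMT:
                findings.append(f"plaintext management: {PLAINTEXT_MGMT[port]}/{port}")
            elif port not in ALLOWED:
                findings.append(f"unused service to disable: tcp/{port}")
        if not opened & ENCRYPTED_MGMT:
            findings.append("no encrypted management interface enabled")
        report[name or ip] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_SCAN).items():
        print(host, "OK" if not findings else findings)
```

A port scan cannot tell whether a management page still has its default or an empty password, so that check has to be made against each device's configuration.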