Printer Pranks
We currently have a poll running about printer security, and the results so far ... well, aren't looking all that hot. So here's a little primer:
1. Most office printers aren't just printers anymore. So-called MFPs (multi-function printers) have taken over, and they contain permanent storage (a hard drive, usually), a fax modem, etc.
2. Printer default configurations invariably suck. Even nowadays, they often come with SNMP active, and read/write communities set to public/private, silly default passwords, and have lots of unnecessary protocols and ports active.
3. The PJL interface on HP printers, for example, allows access to stored content. This covers both stored print jobs and stored fax jobs. Yes, you can pull stored jobs off the printers, over the network, without anyone noticing. This often even includes confidential print jobs that are "protected" with a PIN. The "hacking" tools to do so were released five, six years ago (google "Hijetter", for example) but amazingly enough still work just fine in way too many environments.
4. Most printer vendors by now support a setting that reliably erases print job spool files from the disk once the print job has been completed. But the default setting is to just delete the file, which means that recent print jobs and faxes can be easily recovered by forensic means. If your printer is one of these, and you sell it for second-hand use, don't be surprised if you end up in the news.
The bottom line being:
- get an inventory of your MFPs if you don't have one
- come up with a config template that changes all default passwords, disables unnecessary protocols and services, and turns on "secure erase" for stale information on the MFP's hard drive
- apply the template to all printers in the inventory
- repeat
You can get away with "not managing" old simple printers that have no permanent storage. But not managing MFPs will likely come back to bite you one day.
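To make the inventory / template / repeat loop concrete, here is an added example (not part of the original diary) that checks an inventory export against a hardening template and lists what still deviates. The record fields, host names, protocol names and the allowed-protocol set are all constructed assumptions; adapt them to whatever your management tool actually exports.

```python
# Added example: audit an MFP inventory against a hardening template.
# Field names, hosts and protocol names are constructed for illustration.

# The template: the state every device in the inventory should end up in.
TEMPLATE = {
    "forbidden_snmp_communities": {"public", "private"},   # the defaults
    "allowed_protocols": {"ipp", "https", "snmpv3"},       # assumed site policy
    "require_password_changed": True,
    "require_secure_erase": True,
}

# Constructed inventory records, shaped like a management-tool export.
INVENTORY = [
    {"host": "mfp-floor1.example.internal", "has_storage": True,
     "snmp_communities": ["public", "private"],
     "protocols": ["ipp", "ftp", "telnet", "raw9100"],
     "secure_erase": False, "default_password": True},
    {"host": "mfp-floor2.example.internal", "has_storage": True,
     "snmp_communities": [], "protocols": ["ipp", "https", "snmpv3"],
     "secure_erase": True, "default_password": False},
    {"host": "laser-old.example.internal", "has_storage": False,
     "snmp_communities": ["public"], "protocols": ["raw9100"],
     "secure_erase": False, "default_password": True},
]

def audit_device(dev, template=TEMPLATE):
    """Return the list of findings for one device; empty means compliant."""
    findings = []
    bad = template["forbidden_snmp_communities"] & set(dev["snmp_communities"])
    for community in sorted(bad):
        findings.append(f"default SNMP community '{community}' active")
    for proto in sorted(set(dev["protocols"]) - template["allowed_protocols"]):
        findings.append(f"unnecessary protocol '{proto}' enabled")
    if template["require_password_changed"] and dev["default_password"]:
        findings.append("default admin password not changed")
    # Secure erase only applies where there is permanent storage holding jobs.
    if (template["require_secure_erase"] and dev["has_storage"]
            and not dev["secure_erase"]):
        findings.append("secure erase of spool files is off")
    return findings

def audit_inventory(inventory, template=TEMPLATE):
    """Map host -> findings for every device that deviates from the template."""
    report = {d["host"]: audit_device(d, template) for d in inventory}
    return {host: f for host, f in report.items() if f}

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Run it after every template rollout and on a schedule: an empty result is the goal, and a device that reappears in the report has drifted back to defaults.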
If you have printer security horror stories or printer configuration tips, please share in the comments below, or via our contact form.
Comments
Granted, it wasn't the BEST option, but lacking vendor support against said vulnerability AND only ONE hardened server facing said vlan, it was a sufficient solution, pending a better one.
Of course, said vlan didn't know what OUR network or internet looked like, but one layer beats NO layer.
Wzrd1
Dec 23rd 2011
1 decade ago
boonedox
Dec 23rd 2011
1 decade ago
CB
Dec 23rd 2011
1 decade ago
Our weekly Nessus scan would cause them to crash so hard they needed to be unplugged from the wall to be rebooted. They had no logging so Xerox had no clue what the cause could be so they replaced them with a different model that didn't run NT 4 and life was good.
While this was going on, the local Xerox security guy, the one who told me "TS, the contract is already signed" was a speaker at the local InfraGard chapter meeting. He was extolling the virtues of how secure their printers were; no doubt he was also a sales type. So I raised my hand and went over our experience in front of the group. He said I should contact him after the meeting and then left without talking to me.
JJ
Dec 23rd 2011
1 decade ago