Printer Wars: Revenge of the Printer Troll

DESCRIPTION

Once upon a time in a northern Midwest institution, a printer activated, a piece of paper printed out, and the "printer troll" was born. Thus begins the story of "securing the printer." Departmental printers, both multifunction and single use, are prevalent on campuses. Many of these printers are set up by the vendor and receive no management or support from IT or the vendor. A recent vulnerability scan demonstrated just how insecure these printers were. NDSU embarked on a printer remediation project that affected departments and hundreds of printers. Follow NDSU's story of printer remediation, training, and education.

OUTCOMES:

• Get a plan of action, a project outline, and steps for finding, identifying, and remediating insecure networked printers
• Hear our project experiences, stories, lessons learned, statistics, and success metrics
• Learn about our plans for next steps and future auditing and testing for insecure devices on the campus network

http://www.educause.edu/events/security-professionals-conference/2014/printer-wars-revenge-printer-troll

About NDSU

• Morrill Land Grant University founded March 8, 1890

• 102 undergraduate majors, 170 undergraduate degree programs, 81 master’s degree programs, and 47 doctoral degree programs of study

About NDSU

• Campuses
– Main Campus – Over 100 separate buildings
– Downtown Campus – 3 very large renovated historic buildings
– Extension Offices and Research Centers – In all but two counties of North Dakota
– Recent Acquisition of a Nursing School in Bismarck – still finding out what is there

About NDSU

• Spring 2013 Enrollment ~ 14000
• FTE ~ 2600

NDSU’s Physical Infrastructure

• Open Network
– External facing network (79 Subnets)
• Open to the Internet.
– Internal facing network (79 Subnets)
• Open to the University System and some State Wide entities.
– Firewalled Network
• Used by some departments for regulatory compliance
– Server Room Network
• Used for server to server communication (e.g. Backup)

NDSU’s IT Infrastructure

Supported Departments

Distributed IT

Independent Departments

A little History

• 2004 – ND ITD (Information Technology Department)
– SNMP Scan – Found a majority of printers on the University System network that had SNMP set to “public”
• 2008 – Foundstone
– 175 insecure devices recognized as Printers

How did the Printer Problem really come to light?

• Nessus Scan
– Removed the safe scan
• See how much paper would be wasted
– LaserJet M602
• 3 sheets
– Nessus Findings
• FTP Open
• Telnet Open
• Web Page default Username and Password
• SNMP Community Name set to Public

How did the Printer Problem really come to light?

• Brought this to the attention of superiors
– We have Nessus, “scan the entire network”
– Work out alternative solution

Is this really a problem?

• 2008 - NDSU dropped support for printers for cost savings.

• Currently a department requests a DNS name for the printer they purchased; that name is granted within our naming scheme and added to an install script.

• Printer Plugged into the Network.

Is this really a problem?

• Shawn Merdinger – Printer Attack: Script Kiddie
– Discover Internet-facing .edu printers via Shodan (or scanning)
– Convert child pornography image to PJL printable format
– One line of code via TOR. Script, loop, rinse 'n repeat. Reap Lulz.
• 'cat kp.img | nc xxx.xxx.xxx.xxx 9100' (plenty of other ways, too!)

Problem

• Results
– Printer is now federal/state crime scene (connected PCs are also suspect)
– Hostile work environment class action lawsuit (HR, employee fallout)
– Press, Press...and moar Press (and all the incorrect stories as a bonus)

Methodology – Step by Step

1. Tools – What are we going to use?
2. Locating devices – How widespread is the problem?
3. Policies and Procedures – Shouldn’t we have covered this somewhere?
4. Identification and Notification – How do we let them know their Printers look so bad?
5. Reactions – How could we have been so wrong about how the population would react?
6. Interesting Problems – It did What?
7. First follow up scan – Is it working?

Tools

• Tools Used:
– Angry IP scanner (GPLv2)
– NMAP (GNU GPL)
– PuTTY (GNU GPL)
– WinSCP (GNU GPL)
– Microsoft Excel (campus agreement)
– Student Employee

Angry IP Scanner

• Finding what is on the network.

• Angry IP Scanner
– http://angryip.org/w/Home

NMAP

• Command Used:

• Results Achieved:
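The command and its results on this slide were screenshots that did not survive extraction. As an added example (not the presenters' script), the following Python triages Nmap's greppable (-oG) output the way the deck's checks did: it treats any host with a print-service port open as a printer (an assumption) and lists the FTP, Telnet, web and SNMP services each printer exposes. The sample scan text is constructed.

```python
import re
from collections import Counter

# Constructed sample of Nmap greppable (-oG) output, not the presenters' scan;
# RFC 5737 test addresses and made-up hostnames.
SAMPLE_GNMAP = """\
Host: 192.0.2.10 (chem-lj4250.example.edu)\tStatus: Up
Host: 192.0.2.10 (chem-lj4250.example.edu)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)
Host: 192.0.2.11 (lib-ws22.example.edu)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tPorts: 161/open/udp//snmp///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
"""

# Assumption: a host with a print-service port open is counted as a printer.
PRINTER_PORTS = {515, 631, 9100}
# The services the deck's checks looked for on each printer, keyed by port.
RISKY_PORTS = {21: "FTP open", 23: "Telnet open",
               80: "Web page (check default password)", 161: "SNMP open"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")

def parse_gnmap(text: str) -> dict:
    """Map IP -> (hostname, set of open ports) from the -oG 'Ports:' lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:          # comment lines and 'Status: Up' lines carry no ports
            continue
        ip, name, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(", "):
            fields = entry.split("/")   # port/state/proto/owner/service/rpc/version
            if len(fields) >= 2 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        hosts[ip] = (name, open_ports)
    return hosts

def triage(text: str) -> dict:
    """Printers only: IP -> list of risky services exposed, in port order."""
    return {ip: [RISKY_PORTS[p] for p in sorted(ports) if p in RISKY_PORTS]
            for ip, (_, ports) in parse_gnmap(text).items()
            if ports & PRINTER_PORTS}

def summarize(text: str) -> Counter:
    """Counts shaped like the deck's Findings slides: printers and issues per kind."""
    counts = Counter()
    for issues in triage(text).values():
        counts["recognizable printers"] += 1
        counts.update(issues)
    return counts
```

Feeding it a real `nmap -oG` file for a subnet gives the per-printer checklist the student employee then verified by hand.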

Findings

• What did we find?
– External Network – outward facing
• 3,526 active hosts (June 2013)
• 67 recognizable printers
• 4,858 active hosts (February 2014)
• 138 recognizable printers
– Internal Network – not routable to the internet
• 1,885 active hosts (June 2013)
• 509 recognizable printers
• 2,194 active hosts (February 2014)
• 551 recognizable printers

How bad is it?

• Human solution for finding the vulnerabilities in the printers
– Didn’t want to be responsible for:
• Crashing Printers
• Reams of wasted paper
• Default user names and passwords

Student Employee

• What did he do?
– Opened a browser to IP or Host name
• Tried to log in using defaults
– Used PuTTY to Telnet into the IP or Hostname
• Port 23
– Tried an anonymous FTP connection with WinSCP
• Port 21
• Anonymous Login selected

Findings

• What did we find? (June)
– External Network – 67 Printers
• 20 With anonymous FTP Logins – 30%
• 20 Default User/Admin Account – 30%
• 9 Telnet Logins – 13%

Findings

• What did we find? (June)
– Internal Network – 509 Printers
• 177 With anonymous FTP Logins – 35%
• 219 Default User/Admin Account – 43%
• 156 Telnet Logins – 31%

Procedure and Policies

• Review of existing policies and procedures.
– Did we have any?
– Why are they not being followed?
– Should we make new?
– How do we make our clients follow new procedures and policies?

Policies and Procedures

• What we found in our review:
– Vague policies – NDUS 1901.2, NDSU 158.
• No documented procedures.
– No procedures meant that few people knew what should have been done.
– Started new procedures right away.
– Isn’t getting client buy-in the most difficult task anyway?

Identification and Notification

• DNS Names include department, for the most part.

• Some – no clue who they belonged to

E-Mails

• Constructed emails to identified groups.
– IP Address
– DNS Name
– Vulnerabilities found
– Directions for cleanup
• We worked with our Communications Officer and the Help Desk.
• Sent out the emails and we waited:
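An added example, not NDSU's tooling, of drafting those per-department notifications: the owning department is inferred from an assumed DNS naming scheme (department label before the first hyphen), printers whose owner cannot be inferred are collected under "unidentified" for manual follow-up, and each listed vulnerability carries the cleanup direction the deck itself used. The findings records are constructed.

```python
import re
from collections import defaultdict

# Cleanup directions per finding, drawn from the fixes the deck describes.
CLEANUP = {
    "anonymous FTP login": "Disable FTP (ftp-config:0 over telnet on older JetDirect cards).",
    "default web admin account": "Set a non-default administrator password (set-password).",
    "telnet login": "Set a password and a short idle-timeout, or disable telnet.",
    "SNMP community 'public'": "Change the community name (set-cmnty-name: <newname>).",
}

# Constructed findings, not NDSU data. Hostnames follow an assumed scheme in
# which the label before the first '-' is the owning department.
FINDINGS = [
    {"ip": "192.0.2.10", "dns": "chem-lj4250.example.edu",
     "issues": ["anonymous FTP login", "telnet login"]},
    {"ip": "192.0.2.11", "dns": "chem-mfp2.example.edu",
     "issues": ["default web admin account"]},
    {"ip": "192.0.2.12", "dns": "", "issues": ["SNMP community 'public'"]},
]

def department_of(dns_name: str):
    """Assumed naming scheme; returns None when the owner cannot be inferred."""
    m = re.match(r"^([a-z]+)-", dns_name)
    return m.group(1) if m else None

def group_by_department(findings: list) -> dict:
    """Bucket printers by owner; unknown owners go to 'unidentified' for follow-up."""
    groups = defaultdict(list)
    for f in findings:
        groups[department_of(f["dns"]) or "unidentified"].append(f)
    return dict(groups)

def draft_email(dept: str, items: list) -> str:
    """One notification per department: IP, DNS name, vulnerabilities, directions."""
    lines = [f"Subject: Insecure networked printers assigned to {dept}", ""]
    for f in items:
        lines.append(f"IP address: {f['ip']}")
        lines.append(f"DNS name: {f['dns'] or '(none on record)'}")
        lines.append("Vulnerabilities found and directions for cleanup:")
        lines.extend(f"  - {issue}: {CLEANUP[issue]}" for issue in f["issues"])
        lines.append("")
    return "\n".join(lines)

def draft_all(findings: list) -> dict:
    return {d: draft_email(d, items) for d, items in group_by_department(findings).items()}
```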

Reactions

• Calm and collected
• Were able to configure devices with no problems
• Glad to help

• Panicked upon contact from the security office
• Needed us to help them through securing
• Were Grateful.

Some Problems

• Printers no longer printing:
– Disabled port 9100
– Disabled SNMP
– Client needed reconfiguration
• Stop the print spooler
• Delete all jobs in C:\Windows\system32\spool
• Restart spooler
• Delete all IP ports
• Delete all Printers
• Restart computer
• Setup Printers

Some Problems

• Older printers did not have a web-based configuration
– Older Java
• Did not have any of the sections needed to configure
– Configuration through Telnet
• set-password – Changes default password
• ftp-config:0 – Disables FTP
• set-cmnty-name: <newname> – Changes default SNMP community name
• idle-timeout: 5 – Sets short timeout for telnet

Follow Up Scan

Findings

• What did we find? (February)
– External Network – 135 Printers
• 62 With anonymous FTP Logins – 46%
• 68 Default User/Admin Account – 50%
• 34 Telnet Logins – 25%

Findings

• What did we find? (February)
– Internal Network – 579 Printers
• 185 With anonymous FTP Logins – 32%
• 210 Default User/Admin Account – 36%
• 73 Telnet Logins – 13%

SO WHAT HAPPENED

1. School was in session during the second scan.

2. Improved the process for finding printers.
3. Rogues – people buying printers and just plugging them into the network.

Open SSH / Heartbleed

• The Internet of Devices
• Open SSH is free
• Printers possibly vulnerable?

Heartbleed?

• What did we do?
– REN-ISAC made a python script available.
– Wrote a script to iterate through our subnets.
• Findings?
– Zero printers found that were vulnerable.
• However, we found all kinds of other devices that had SSL open, and that needs some investigation.

Questions?

Theresa Semmens – theresa.semmens@ndsu.edu

Jeff Gimbel – jeff.gimbel@ndsu.edu
