Once upon a time in a northern Midwest institution, a printer activated, a piece of paper printed out, and the "printer troll" was born. Thus begins the story of "securing the printer." Departmental printers, both multifunction and single use, are prevalent on campuses. Many of these printers are set up by the vendor and receive no management or support from IT or the vendor. A recent vulnerability scan demonstrated just how insecure these printers were. NDSU embarked on a printer remediation project that affected departments and hundreds of printers. Follow NDSU's story of printer remediation, training, and education.
OUTCOMES:
• Get a plan of action and project outline and steps for finding, identifying, and remediating insecure networked printers
• Hear our project experiences, stories, lessons learned, statistics, and success metrics
• Learn about our plans for next steps and future auditing and testing for insecure devices on the campus network
http://www.educause.edu/events/security-professionals-conference/2014/printer-wars-revenge-printer-troll
About NDSU
• Morrill Land Grant University founded March 8, 1890
• 102 undergraduate majors, 170 undergraduate degree programs, 81 master’s degree programs, and 47 doctoral degree programs of study
About NDSU
• Campuses
– Main Campus – Over 100 separate buildings
– Downtown Campus – 3 very large renovated historic buildings
– Extension Offices and Research Centers – In all but two counties of North Dakota
– Recent Acquisition of a Nursing School in Bismarck – still finding out what is there
About NDSU
• Spring 2013 Enrollment ~ 14,000
• FTE ~ 2,600
NDSU’s Physical Infrastructure
• Open Network
– External facing network (79 Subnets)
• Open to the Internet.
– Internal facing network (79 Subnets)
• Open to the University System and some State Wide entities.
– Firewalled Network
• Used by some departments for regulatory compliance
– Server Room Network
• Used for server to server communication (e.g. Backup)
NDSU’s IT Infrastructure
Supported Departments
Distributed IT
Independent Departments
A little History
• 2004 – ND ITD (Information Technology Department)
– SNMP Scan – Found a majority of printers on the University System network that had SNMP set to “public”
• 2008 – Foundstone
– 175 insecure devices recognized as Printers
How did the Printer Problem really come to light?
• Nessus Scan
– Removed the safe scan
• See how much paper would be wasted
– LaserJet M602
• 3 sheets
– Nessus Findings
• FTP Open
• Telnet Open
• Web Page default Username and Password
• SNMP Community Name set to Public
How did the Printer Problem really come to light?
• Brought this to the attention of superiors
– We have Nessus, “scan the entire network”
– Work out alternative solution
Is this really a problem?
• 2008 - NDSU dropped support for printers for cost savings.
• Currently a department requests a DNS name for the printer they purchased and that name is granted within our naming scheme and that name is added to an install script.
• Printer Plugged into the Network.
Is this really a problem?
• Shawn Merdinger – Printer Attack: Script Kiddie
• Discover Internet-facing .edu printers via Shodan (or scanning)
• Convert child pornography image to PJL printable format
• One line of code via TOR. Script, loop, rinse 'n repeat. Reap Lulz.
– 'cat kp.img | nc xxx.xxx.xxx.xxx 9100' (plenty of other ways, too!)
Problem
• Results
– Printer is now federal/state crime scene (connected PCs are also suspect)
– Hostile work environment class action lawsuit (HR, employee fallout)
– Press, Press...and moar Press (and all the incorrect stories as a bonus)
Methodology – Step by Step
1. Tools – What are we going to use?
2. Locating devices – How widespread is the problem?
3. Policies and Procedures – Shouldn’t we have covered this somewhere?
4. Identification and Notification – How do we let them know their Printers look so bad?
5. Reactions – How could we have been so wrong about how the population would react?
6. Interesting Problems – It did What?
7. First follow up scan – Is it working?
Tools
• Tools Used:
– Angry IP scanner (GPLv2)
– NMAP (GNU GPL)
– Putty (GNU GPL)
– WinSCP (GNU GPL)
– Microsoft Excel (campus agreement)
– Student Employee
Angry IP Scanner
• Finding what is on the network.
• Angry IP Scanner – http://angryip.org/w/Home
NMAP
• Command Used:
• Results Achieved:
Findings
• What did we find?
– External Network – outward facing
• 3,526 active hosts (June 2013)
• 67 recognizable printers
• 4,858 active hosts (February 2014)
• 138 recognizable printers
– Internal Network – not routable to the internet
• 1,885 active hosts (June 2013)
• 509 recognizable printers
• 2,194 active hosts (February 2014)
• 551 recognizable printers
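One way to automate the device-location and default-service checks described on these slides, as an added example that is not part of the NDSU project's own tooling: it parses nmap's grepable (-oG) output, treats any host with a JetDirect, LPD or IPP port open as a printer, and tallies which of those printers expose FTP, Telnet or SNMP, in the count-and-percentage form the Findings slides use. The nmap output lines, addresses and hostnames are constructed; the port-to-printer mapping is an assumption.

```python
# Added example (not NDSU's own tooling): triage `nmap -oG` output the way the
# student employee did by hand: pick out likely printers, flag insecure services.
from collections import Counter

PRINTER_PORTS = {9100, 515, 631}   # JetDirect raw, LPD, IPP: likely a printer
# 161/udp only appears in grepable output when nmap was also run with -sU.
RISKY_PORTS = {21: "anonymous ftp", 23: "telnet", 161: "snmp"}

# Constructed sample of grepable output; addresses and names are made up.
SAMPLE_GNMAP = """\
# Nmap 6.40 scan initiated (constructed sample)
Host: 10.0.1.5 (print-eng-01.example.edu)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)
Host: 10.0.1.9 (print-lib-02.example.edu)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)
Host: 10.0.1.20 (ws-chem-11.example.edu)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 10.0.1.31 ()\tPorts: 21/open/tcp//ftp///, 515/open/tcp//printer///\tIgnored State: closed (998)
"""

def parse_gnmap(text):
    """Return {ip: (hostname, set of open ports)} from grepable nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        head, rest = line.split("\tPorts: ", 1)
        _, ip, name = head.split(None, 2)          # "Host:", ip, "(name)"
        ports = hosts.setdefault(ip, (name.strip("()"), set()))[1]
        # Each entry reads port/state/protocol/owner/service/rpc/version/
        for entry in rest.split("\t", 1)[0].split(", "):
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open":
                ports.add(int(fields[0]))
    return hosts

def classify(hosts):
    """Map each likely printer to the sorted risky services it exposes."""
    return {ip: sorted(RISKY_PORTS[p] for p in ports & set(RISKY_PORTS))
            for ip, (_name, ports) in hosts.items() if ports & PRINTER_PORTS}

def summarize(findings):
    """Count and percentage per service, as on the Findings slides."""
    total = len(findings) or 1   # guard against an empty scan
    counts = Counter(s for services in findings.values() for s in services)
    return {s: (n, round(100 * n / total)) for s, n in counts.items()}

if __name__ == "__main__":
    found = classify(parse_gnmap(SAMPLE_GNMAP))
    for ip, services in found.items():
        print(ip, ", ".join(services) or "no insecure services exposed")
    print(summarize(found))
```

The workstation with Telnet open is deliberately left out of the tally: it has no printer port, so it belongs in a different remediation queue.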
How bad is it?
• Human solution for finding the vulnerabilities in the printers
– Didn’t want to be responsible for:
• Crashing Printers
• Reams of wasted paper
• Default user names and passwords
Student Employee
• What did he do?
– Opened a browser to IP or Host name
• Tried to log in using defaults
– Used Putty to Telnet into the IP or Hostname
• Port 23
– Tried an anonymous FTP connection with WinSCP
• Port 21
• Anonymous Login selected
Findings
• What did we find? (June)
– External Network – 67 Printers
• 20 With anonymous FTP Logins – 30%
• 20 Default User/Admin Account – 30%
• 9 Telnet Logins – 13%
Findings
• What did we find? (June)
– Internal Network – 509 Printers
• 177 With anonymous FTP Logins – 35%
• 219 Default User/Admin Account – 43%
• 156 Telnet Logins – 31%
Procedure and Policies
• Review of existing policies and procedures.
– Did we have any?
– Why are they not being followed?
– Should we make new?
– How do we make our clients follow new procedures and policies?
Policies and Procedures
• What we found in our review:
– Vague policies – NDUS 1901.2, NDSU 158.
• No documented procedures.
– No procedures meant that few people knew what should have been done.
– Started new procedures right away.
– Isn’t getting client buy-in the most difficult task anyway?
Identification and Notification
• DNS Names include department, for the most part.
• Some, no clue who they belonged to
E-Mails
• Constructed emails to identified groups.
– IP Address
– DNS Name
– Vulnerabilities found
– Directions for cleanup
• We worked with our Communications Officer and the Help Desk.
• Sent out the emails and we waited:
Reactions
• Calm and collected
• Were able to configure devices with no problems
• Glad to help
• Panicked upon contact from the security office
• Needed us to help them through securing
• Were Grateful.
Some Problems
• Printers no longer printing:
– Disabled port 9100
– Disabled SNMP
– Client needed reconfiguration
• Stop the print spooler
• Delete all jobs in C:\Windows\system32\spool
• Restart spooler
• Delete all IP ports
• Delete all Printers
• Restart computer
• Setup Printers
Some Problems
• Older printers did not have a web-based configuration
– Older Java
• Did not have any of the sections needed to configure
– Configuration through Telnet
• set-password – Changes default password
• ftp-config:0 – Disables FTP
• set-cmnty-name: <newname> – Changes default SNMP community name
• idle-timeout: 5 – Sets short timeout for telnet
Follow Up Scan
Findings
• What did we find? (February)
– External Network – 135 Printers
• 62 With anonymous FTP Logins – 46%
• 68 Default User/Admin Account – 50%
• 34 Telnet Logins – 25%
Findings
• What did we find? (February)
– Internal Network – 579 Printers
• 185 With anonymous FTP Logins – 32%
• 210 Default User/Admin Account – 36%
• 73 Telnet Logins – 13%
SO WHAT HAPPENED
1. School was in session during the second scan.
2. Improved the process for finding printers.
3. Rogues: people buying printers and just plugging them in to the network.
Open SSH / Heartbleed
• The Internet of Devices
• Open SSH is free
• Printers possibly vulnerable?
Heartbleed?
• What did we do?
– REN-ISAC made a Python script available.
– Wrote a script to iterate through our subnets.
• Findings?
– Zero printers found that were vulnerable.
• However, found all kinds of other devices that had SSL open, and that needs some investigation.