Printer Wars 1 MB, Powerpoint Slides Uploaded


About NDSU
• Morrill Land Grant University, founded March 8, 1890
• 102 undergraduate majors, 170 undergraduate degree programs, 81 master’s degree programs, and 47 doctoral degree programs of study
About NDSU
• Campuses
– Main Campus – Over 100 separate buildings
– Downtown Campus – 3 very large renovated historic buildings
– Extension Offices and Research Centers – In all but two counties of North Dakota
– Recent Acquisition of a Nursing School in Bismarck – still finding out what is there
About NDSU
• Spring 2013 Enrollment ~ 14000
• FTE ~ 2600
NDSU’s Physical Infrastructure
• Open Network
– External facing network (79 Subnets)
• Open to the Internet.
– Internal facing network (79 Subnets)
• Open to the University System and some State Wide entities.
– Firewalled Network
• Used by some departments for regulatory compliance
– Server Room Network
• Used for server to server communication (e.g. backup)
NDSU’s IT Infrastructure
Supported Departments
Distributed IT
Independent Departments
A little History
• 2004 – ND ITD (Information Technology Department)
– SNMP Scan – Found a majority of printers on the University System network that had SNMP set to “public”
• 2008 – Foundstone
– 175 insecure devices recognized as Printers
How did the Printer Problem really come to light?
• Nessus Scan
– Removed the safe scan
• See how much paper would be wasted
– LaserJet M602
• 3 sheets
– Nessus Findings
• FTP Open
• Telnet Open
• Web Page default Username and Password
• SNMP Community Name set to Public
How did the Printer Problem really come to light?
• Brought this to the attention of superiors
– We have Nessus, “scan the entire network”
– Work out alternative solution
Is this really a problem?
• 2008 – NDSU dropped support for printers for cost savings.
• Currently a department requests a DNS name for the printer they purchased; that name is granted within our naming scheme and added to an install script.
• Printer plugged into the network.
• Shawn Merdinger
– Printer Attack: Script Kiddie
• Discover Internet-facing .edu printers via Shodan
(or scanning)
• Convert child pornography image to PJL printable
format
• One line of code via TOR. Script, loop, rinse 'n
repeat. Reap Lulz. – 'cat kp.img | nc
xxx.xxx.xxx.xxx 9100' (plenty of other ways, too!)
Problem
• Results
– Printer is now federal/state crime scene (connected PCs are also suspect)
– Hostile work environment class action lawsuit (HR, employee fallout)
– Press, Press...and moar Press (and all the incorrect stories as a bonus)
Methodology – Step by Step
1. Tools – What are we going to use?
2. Locating devices – How widespread is the problem?
3. Policies and Procedures – Shouldn’t we have covered this somewhere?
4. Identification and Notification – How do we let them know their Printers look so bad?
5. Reactions – How could we have been so wrong about how the population would react?
6. Interesting Problems – It did What?
7. First follow up scan – Is it working?
Tools
• Tools Used:
– Angry IP scanner (GPLv2)
– NMAP (GNU GPL)
– PuTTY (GNU GPL)
– WinSCP (GNU GPL)
– Microsoft Excel (campus agreement)
– Student Employee
Angry IP Scanner
• Finding what is on the network.
• Angry IP Scanner
– http://angryip.org/w/Home
NMAP
• Command Used:
• Results Achieved:
Findings
• What did we find?
– External Network – outward facing
• 3,526 active hosts (June 2013)
• 67 recognizable printers
• 4,858 active hosts (February 2014)
• 138 recognizable printers
– Internal Network – not routable to the internet
• 1,885 active hosts (June 2013)
• 509 recognizable printers
• 2,194 active hosts (February 2014)
• 551 recognizable printers
How bad is it?
• Human solution for finding the vulnerabilities in the printers
– Didn’t want to be responsible for:
• Crashing Printers
• Reams of wasted paper
• Default user names and passwords
Student Employee
• What did he do?
– Opened a browser to IP or Host name
• Tried to log in using defaults
– Used PuTTY to Telnet into the IP or Hostname
• Port 23
– Tried an anonymous FTP connection with WinSCP
• Port 21
• Anonymous Login selected
Findings
• What did we find? (June)
– External Network – 67 Printers
• 20 With anonymous FTP Logins – 30%
• 20 Default User/Admin Account – 30%
• 9 Telnet Logins – 13%
Findings
• What did we find? (June)
– Internal Network – 509 Printers
• 177 With anonymous FTP Logins – 35%
• 219 Default User/Admin Account – 43%
• 156 Telnet Logins – 31%
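The student employee's three manual checks, scripted, as an added example that is not NDSU's own tooling: it takes the printer addresses from the Angry IP Scanner/NMAP pass (single hosts or CIDR subnets), runs the anonymous-FTP, Telnet and web-interface checks in parallel, and tallies counts and percentages the way the Findings slides report them. The function names and the `probe_fn` hook are my own.

```python
# Added example, not NDSU's script: repeat the three checks (anonymous FTP on 21,
# Telnet on 23, web UI on 80) against printer addresses and tally the findings.
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from ftplib import FTP, Error as FTPError
CHECKS = ("anon_ftp", "telnet_open", "web_open")

def expand(targets):
    """Flatten a mix of single addresses and CIDR blocks into host strings."""
    hosts = []
    for t in targets:
        net = ipaddress.ip_network(t, strict=False)
        hosts.extend(str(h) for h in (list(net.hosts()) or [net.network_address]))
    return hosts

def tcp_open(host, port, timeout=1.0):
    try:  # True if a TCP connect to host:port completes within the timeout
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def anonymous_ftp(host, timeout=2.0):
    """True if the FTP service accepts the anonymous login the talk tried with WinSCP."""
    try:
        with FTP(host, timeout=timeout) as ftp:
            ftp.login()  # ftplib defaults to user "anonymous"
            return True
    except (OSError, FTPError, EOFError):
        return False

def probe(host):
    return {"anon_ftp": anonymous_ftp(host), "telnet_open": tcp_open(host, 23),
            "web_open": tcp_open(host, 80)}

def audit(targets, probe_fn=probe, workers=32):
    """Probe every host in parallel; probe_fn is injectable to replay results offline."""
    hosts = expand(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [dict(host=h, **r) for h, r in zip(hosts, pool.map(probe_fn, hosts))]

def summarize(rows):
    """Count and whole-number percentage per check, over the printers audited."""
    total = len(rows)
    out = {"printers": total}
    for c in CHECKS:
        n = sum(1 for r in rows if r[c])
        out[c] = (n, round(100 * n / total) if total else 0)
    return out
```

`probe_fn` can be swapped for a function that reads a saved spreadsheet export, so the percentages can be recomputed for a follow-up report without rescanning.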
Procedure and Policies
• Review of existing policies and procedures.
– Did we have any?
– Why are they not being followed?
– Should we make new?
– How do we make our clients follow new procedures and policies?
Policies and Procedures
• What we found in our review:
– Vague policies – NDUS 1901.2, NDSU 158.
• No documented procedures.
– No procedures meant that few people knew what should have been done.
– Started new procedures right away.
– Isn’t getting client buy-in the most difficult task anyway?
Identification and Notification
• DNS Names include department, for the most part.
• Some, no clue who they belonged to.
E-Mails
• Constructed emails to identified groups.
– IP Address
– DNS Name
– Vulnerabilities found
– Directions for cleanup
• We worked with our Communications Officer and the Help Desk.
• Sent out the emails and we waited:
Reactions
• Calm and collected
• Were able to configure devices with no problems
• Glad to help
• Were grateful.
• Panicked upon contact from the security office
• Needed us to help them through securing
Some Problems
• Printers no longer printing:
– Disabled port 9100
– Disabled SNMP
– Client needed reconfiguration
• Stop the print spooler
• Delete all jobs in C:\Windows\system32\spool
• Restart spooler
• Delete all IP ports
• Delete all Printers
• Restart computer
• Setup Printers
Some Problems
• Older printers did not have a web-based configuration
– Older Java
• Did not have any of the sections needed to configure
– Configuration through Telnet
• set-password – Changes default password
• ftp-config:0 – Disables FTP
• set-cmnty-name: <newname> – Changes default SNMP community name
• idle-timeout: 5 – Sets short timeout for telnet
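A bulk version of the telnet configuration above, added as an example and not NDSU's script: it sends the four settings from the slide to a printer over a plain socket so that hundreds of devices can be fixed without typing into PuTTY one at a time. Assumed: the device's telnet configuration interface takes one "name: value" line per setting, answers each with a ">" prompt, has no password set yet, and "quit" saves and closes the session.

```python
# Added example (not NDSU's script): push the slide's four telnet settings to a
# printer.  Assumptions: one "name: value" line per setting, a ">" prompt after
# each, no password set yet, and "quit" saves and closes the session.
import socket


def hardening_commands(new_password, community, idle_timeout=5):
    """The slide's four settings in order, followed by the save-and-exit command."""
    return [
        f"set-password: {new_password}",  # replace the default password
        "ftp-config: 0",                  # disable FTP
        f"set-cmnty-name: {community}",   # replace the default SNMP community name
        f"idle-timeout: {idle_timeout}",  # short idle timeout for telnet
        "quit",                           # save and end the session (assumed)
    ]


def apply_over_telnet(sock, commands, read_timeout=2.0):
    """Send each command as a CRLF-terminated line on a connected socket-like
    object and return everything the device sent back, for the change log."""
    sock.settimeout(read_timeout)
    transcript = b""
    for cmd in commands:
        sock.sendall(cmd.encode("ascii") + b"\r\n")
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                transcript += chunk
                if chunk.rstrip().endswith(b">"):  # prompt: ready for next line
                    break
        except socket.timeout:  # no prompt within read_timeout; move on
            pass
    return transcript


def harden_printer(host, new_password, community):
    """Connect to the printer's telnet port (23) and apply the hardening commands."""
    with socket.create_connection((host, 23), timeout=5) as s:
        return apply_over_telnet(s, hardening_commands(new_password, community))
```

Telnet carries the new password in the clear, so run this from the server room or firewalled network rather than the open one.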
Follow Up Scan
Findings
• What did we find? (February)
– External Network – 135 Printers
• 62 With anonymous FTP Logins – 46%
• 68 Default User/Admin Account – 50%
• 34 Telnet Logins – 25%
Findings
• What did we find? (February)
– Internal Network – 579 Printers
• 185 With anonymous FTP Logins – 32%
• 210 Default User/Admin Account – 36%
• 73 Telnet Logins – 13%
SO WHAT HAPPENED
1. School was in session during the second scan.
2. Improved the process for finding printers.
3. Rogues: people buying printers and just plugging them into the network.
OpenSSL / Heartbleed
• The Internet of Devices
• OpenSSL is free
• Printers possibly vulnerable?
Heartbleed?
• What did we do?
– REN-ISAC made a Python script available.
– Wrote a script to iterate through our subnets.
• Findings?
– Zero printers found that were vulnerable.
• However, found all kinds of other devices that had SSL open, and those need some investigation.
Questions?
Theresa Semmens – [email protected]
Jeff Gimbel – [email protected]