Author Topic: A Gift for the Hackers - Documentary (Read 18285 times)

Renegade · « **on:** January 08, 2013, 10:03 PM »

This is a pretty good documentary that I'm sure will interest a few people here:

http://www.youtube.c...9D99D1BF&index=1

It talks about accessing printers & scanners remotely from the Internet. It gets pretty scary pretty quickly.

Stoic Joker · « **Reply #1 on:** January 09, 2013, 07:03 AM »

Don't have time to watch the vid now but...

It talks about accessing printers & scanners remotely from the Internet. It gets pretty scary pretty quickly.
-Renegade (January 08, 2013, 10:03 PM)

I've had concerns about this stuff for a while now... (Should be fun to see how right I was/am.)

Carol Haynes · « **Reply #2 on:** January 09, 2013, 07:46 AM »

WOW that is seriously scary!!!!!

Well worth a watch.

Deozaan · « **Reply #3 on:** January 09, 2013, 08:45 AM »

Thanks for sharing. Was interesting to see.

Stoic Joker · « **Reply #4 on:** January 09, 2013, 12:22 PM »

Yep...

...That's what I was afraid of.

@Renegade - Any idea where this video originated/how one could find some of the research details for this project?

40hz · « **Reply #5 on:** January 09, 2013, 01:47 PM »

I'm glad to see that as I have had a long running battle with some fellow network techs over web-enabled devices. I was accused of being an encryption and VPN fanboy when I went ballistic over ePrint the first time I saw it. I'm constantly warning clients about this sort of thing and the risk it presents. Ditto for poorly secured webcams put in server or hub rooms and other high security areas.

Thx for the links to this. And thanks to KRO and the European agencies and businesses who discussed this issue with them in a rational and non-defensive manner. Had this investigation been conducted in the USA, a flurry of threats, lawsuits and possibly arrest warrants would have ensued - likely with the result this video would never have seen the light of day.

Screenshot from 2013-01-09 14:44:37.png

P.S. Somebody please tell this dweeb (who works for HP Netherlands) that his was one of the lamest comments ever made by anybody speaking on behalf of HP. (And that's saying something.) $:-\$

Stoic Joker · « **Reply #6 on:** January 09, 2013, 02:09 PM »

I went ballistic over ePrint the first time I saw it. I'm constantly warning clients about this sort of thing and the risk it presents.
-40hz (January 09, 2013, 01:47 PM)

I grilled the HP rep (at one of their tech shows) for an hour about that when it first came out. It works via passive polling, so the printer just checks its own Email address via the HP cloud server (which is where your print jobs are actually sent (eek!)). so over all it (ePrint) isn't really that bad.

Now the (personal cloud) WebScan feature the video was picking at - Holy crap! - Who's dumbassed idea was this feature?? Why would anyone need to remotely scan anything?? The document would need to be manually loaded by someone who could just as easily have email the %&$^ thing to you instead of pull-scanning it across town with some silly gadget. That's just daft!

It most likely requires/leverages UPnP which is another insanely dangerous idea that I immediately disable on sight.

P.S. Somebody please tell this dweeb (who works for HP Netherlands) that his was one of the lamest comments ever made by anybody speaking on behalf of HP.
-40hz (January 09, 2013, 01:47 PM)

That's just freakin' shameful ain't it? His car analogy was equally stupid if you really think about it as well.

40hz · « **Reply #7 on:** January 09, 2013, 02:29 PM »

I went ballistic over ePrint the first time I saw it. I'm constantly warning clients about this sort of thing and the risk it presents.
-40hz (January 09, 2013, 01:47 PM)

I grilled the HP rep (at one of their tech shows) for an hour about that when it first came out. It works via passive polling, so the printer just checks its own Email address via the HP cloud server (which is where your print jobs are actually sent (eek!)). so over all it (ePrint) isn't really that bad.
-Stoic Joker (January 09, 2013, 02:09 PM)

Yeah, it was "explained" that way to me too, and I wasn't all that concerned at that point. Just annoyed. What I really took issue with was what it represented since I figured it was just the tip of the iceberg if it went over well on the consumer level. The concerns with Ricoh over their big networked scanners were a lot more serious since about half my clients use those. I still have to argue with clients about why they really needed to put up with the "hassle" of using passwords on those. Especially when the big boss's assistant keeps bitching about having to enter a 4-dgit PIN ("It's soooo hard to remember those things!") to scan or make a copy - which is much the same thing on these devices. Even worse is fighting with them about why they really do want to require a PIN in order to directly e-mail something from one of these puppies.

It most likely requires/leverages UPnP which is another insanely dangerous idea that I immediately disable on sight.
-Stoic Joker (January 09, 2013, 02:09 PM)

+1. Don't even get me going on that bit of software engineering brilliance.

Renegade · « **Reply #8 on:** January 09, 2013, 05:18 PM »

@Renegade - Any idea where this video originated/how one could find some of the research details for this project?
-Stoic Joker (January 09, 2013, 12:22 PM)

I think it's originally from a Dutch TV station. I'm not sure if they'd put out their research details as they're rather dangerous and open to abuse. You could probably find some by searching on "hp printer remote exploit".

Had this investigation been conducted in the USA, a flurry of threats, lawsuits and possibly arrest warrants would have ensued - likely with the result this video would never have seen the light of day.
-40hz (January 09, 2013, 01:47 PM)

Thing there is, with IOmega (EMC), the European offices stonewalled them, but the US office actually responded. That was just one case in there though. A lot of companies stonewalled them. HP was much more forthcoming than some others.

But yeah, these kinds of things tend to get tanked fairly regularly.

Stoic Joker · « **Reply #9 on:** January 09, 2013, 05:35 PM »

The concerns with Ricoh over their big networked scanners were a lot more serious since about half my clients use those.
-40hz (January 09, 2013, 02:29 PM)

Yeah, that one had me a bit puzzled actually. What is Ricoh doing...running IPP via DMZ?? Why are these things even on the public surface of the network in the first place? They don't need to be for any reason I can think of. None of the (currently business sheik...) Digital Sending Services require this kind of exposure...so why are they getting it?

Seriously - I seldom deal with Ricoh much (HP/Xerox/Toshiba/Lexmark, yes constantly) - I'm hoping you've actually seen one of these insanity rigs and can tell me how badly they're exposing what.

On a side note: It seems that from what I've seen, about 90% of the companies that have one of those huge assed comercial copiers don't really need anything nearly that big. Does that track with your area also...or do companies tend to run large(r/ish) in your part of the country?

Stoic Joker · « **Reply #10 on:** January 09, 2013, 05:38 PM »

You could probably find some by searching on "hp printer remote exploit".
-Renegade (January 09, 2013, 05:18 PM)

Dude, seriously ... What makes you thing I don't already spend half my typical day doing that search already..?

Renegade · « **Reply #11 on:** January 09, 2013, 05:47 PM »

You could probably find some by searching on "hp printer remote exploit".
-Renegade (January 09, 2013, 05:18 PM)

Dude, seriously ... What makes you thing I don't already spend half my typical day doing that search already..?

-Stoic Joker (January 09, 2013, 05:38 PM)

Hahahah! Nope! I already figured that you knew that - it was a joke for you, and just banter for everyone else.

superboyac · « **Reply #12 on:** January 09, 2013, 05:48 PM »

I went ballistic over ePrint the first time I saw it. I'm constantly warning clients about this sort of thing and the risk it presents.
-40hz (January 09, 2013, 01:47 PM)

I grilled the HP rep (at one of their tech shows) for an hour about that when it first came out. It works via passive polling, so the printer just checks its own Email address via the HP cloud server (which is where your print jobs are actually sent (eek!)). so over all it (ePrint) isn't really that bad.
-Stoic Joker (January 09, 2013, 02:09 PM)

Yeah, it was "explained" that way to me too, and I wasn't all that concerned at that point. Just annoyed. What I really took issue with was what it represented since I figured it was just the tip of the iceberg if it went over well on the consumer level. The concerns with Ricoh over their big networked scanners were a lot more serious since about half my clients use those. I still have to argue with clients about why they really needed to put up with the "hassle" of using passwords on those. Especially when the big boss's assistant keeps bitching about having to enter a 4-dgit PIN ("It's soooo hard to remember those things!") to scan or make a copy - which is much the same thing on these devices. Even worse is fighting with them about why they really do want to require a PIN in order to directly e-mail something from one of these puppies.

It most likely requires/leverages UPnP which is another insanely dangerous idea that I immediately disable on sight.
-Stoic Joker (January 09, 2013, 02:09 PM)

+1. Don't even get me going on that bit of software engineering brilliance.

-40hz (January 09, 2013, 02:29 PM)

are you saying it's not a good idea to enable upnp on residential routers?

Stoic Joker · « **Reply #13 on:** January 09, 2013, 05:54 PM »

are you saying it's not a good idea to enable upnp on residential routers?
-superboyac (January 09, 2013, 05:48 PM)

Dear god man, please add a smiley, sarcasm tag, or something to that.. (you're scaring the hell outta me)

superboyac · « **Reply #14 on:** January 09, 2013, 06:02 PM »

are you saying it's not a good idea to enable upnp on residential routers?
-superboyac (January 09, 2013, 05:48 PM)

Dear god man, please add a smiley, sarcasm tag, or something to that.. (you're scaring the hell outta me)

-Stoic Joker (January 09, 2013, 05:54 PM)

I'll take that as a no.

SeraphimLabs · « **Reply #15 on:** January 09, 2013, 06:13 PM »

Maybe my brilliant idea of custom fabricating an aluminum desk with 5U of 19" rackspace builtin is actually a really good idea, and I should look into producing more of them to sell. So far the prototype of it is coming along nicely- it'll have 5U 4post rackspace, below that for tower style systems and UPS units, and the rest of it is all shelves for small devices and DVD cases.

Cause then I can put a junky old 1U server bought for a song into one of the slots and use it as a router via iptables. Nothing gets in or out without my permission, none of that uPNP madness, and if I want to remote control something I can SSH the firewall for a secure connection from anywhere.

I've known about web accessed printing for some time. It's hardly a new feature in the business model equipment, and is handy in larger environments to be able to print something directly to the desk of the CEO instead of having to fumble around with secretaries and scheduling appointments.

But for SOHO use, remote printing is of limited use outside of normal LAN printing over a wifi, and remote scan is outright insane.

I'd rather have people emailing me stuff to print at my choosing, because being able to remotely access print and scan features is almost guaranteeed to attract malicious and ad driven uses. As it is fax machines with published numbers get regular unsolicited messages. Imagine if they can scan a document you left on the scanner first, and then after a few such scans sell your info to advertisers to remotely print ads with.

40hz · « **Reply #16 on:** January 09, 2013, 08:19 PM »

Seriously - I seldom deal with Ricoh much (HP/Xerox/Toshiba/Lexmark, yes constantly) - I'm hoping you've actually seen one of these insanity rigs and can tell me how badly they're exposing what.

-Stoic Joker (January 09, 2013, 05:35 PM)

I deal with their Aficio line a lot. They've since fixed the issues I was aware of with their current crop. But the old machines were very open. Current security spec for this group of products is as follows:

Standard DataOverwriteSecurity Unit (DOSS) Type I – Security feature that overwrites latent data on the system’s hard drive after copy, scan, fax and print jobs.

Standard HDD Encryption Unit Type A – This function encrypts the system’s hard drive using 256 bits (AES) to protect against data theft.

Other Security Features – SNMP v3 and Data Encryption (password/address book); Locked (Secure) Print; User Codes; Basic Authentication; WPA (Wi-Fi Protect Access Support); IPsec Communication; Windows/LDAP/Kerberos Authentication; 802.1x Wired Authentication; SSL Communication; SSL over SMTP; S/MIME; Network Protocol On/Off; IP Filtering (Access Control) and more

Allowing for Kerboros authentication along with the "dead data" auto-overwrite and HD encryption eliminated most of my concerns. But it does have a full doc server, web interface, and allows FTP so I'm sure you could do something stupid to leave holes open. There's plenty of resources available for a hacker to work with. Plus it has a scan to direct email feature I'm still not happy about. Way too easy to slip a confidential document out of an office with few being any the wiser unless they're religious about checking logs. Just slip it in between a a few regular copy or scan jobs and put it back in the files when you're done. A fax transmission is fairly easy to trace. But dumping something in a temporary email account makes it available for pickup anywhere on the globe.

Tinman57 · « **Reply #17 on:** January 10, 2013, 08:37 AM »

I grilled the HP rep (at one of their tech shows) for an hour about that when it first came out. It works via passive polling, so the printer just checks its own Email address via the HP cloud server (which is where your print jobs are actually sent (eek!)). so over all it (ePrint) isn't really that bad.
-Stoic Joker (January 09, 2013, 02:09 PM)

That is until it checks it's mail and finds mail with code in it to open up your system to them...

superboyac · « **Reply #18 on:** January 10, 2013, 08:47 AM »

Man, you guys sure know a lot about this stuff. Now I feel inadequate

.

Tinman57 · « **Reply #19 on:** January 10, 2013, 09:07 AM »

Man, you guys sure know a lot about this stuff. Now I feel inadequate .
-superboyac (January 10, 2013, 08:47 AM)

I only know just enough to be dangerous.

Stoic Joker · « **Reply #20 on:** January 10, 2013, 12:13 PM »

Allowing for Kerboros authentication along with the "dead data" auto-overwrite and HD encryption eliminated most of my concerns. But it does have a full doc server, web interface, and allows FTP so I'm sure you could do something stupid to leave holes open. There's plenty of resources available for a hacker to work with. Plus it has a scan to direct email feature I'm still not happy about. Way too easy to slip a confidential document out of an office with few being any the wiser unless they're religious about checking logs. Just slip it in between a a few regular copy or scan jobs and put it back in the files when you're done. A fax transmission is fairly easy to trace. But dumping something in a temporary email account makes it available for pickup anywhere on the globe.
-40hz (January 09, 2013, 08:19 PM)

Sure all of the Multi Function Printers these days have a Swiss Army Knife load of protocols and possibilities for connecting to internal systems. But why would anyone in they're right mind expose any of these on the external surface of the network (internet - for those not familiar with the other term)? That's just completely insane! And by the sound of the video, the was something they were effecting with/by a default install ... I just can't get my head around it.

40hz · « **Reply #21 on:** January 10, 2013, 12:54 PM »

^It's the way it gets marketed. It's presented as all "feature" with no risk or responsibility attached. It also hearkens back to a more naive mindset. Much like Microsoft being so blissfully unwilling to acknowledge WAN when they designed their early network software. I think they really only considered physical wires running in secure buildings with everybody connected to a totally isolated Windows network under a domain controller.

That "problem" actually permeates our entire network topology. It was designed in a more innocent time. Security has since been mostly bolted and slathered on rather than integrated into the core design with most systems. As a result we have layers and layers of abstraction all passing datagrams back and forth. It's ultimately a house of cards. And all that complexity leaves plenty of back corners for people to get in and do their funny business.

Unfortunately, there's also the practical issues of "ease of accessibility" vs "secure computing." The two don't have to be mutually exclusive. But most people can't be bothered, so one or the other usually becomes the rule - with the preference almost universally choosing whats "easy" over whats secure.

What's really needed is for us to...ahhh screw it!...never mind. We can only work with what we're given and try to do the best we can. $:-\$

40hz · « **Reply #22 on:** January 10, 2013, 12:59 PM »

Man, you guys sure know a lot about this stuff. Now I feel inadequate .
-superboyac (January 10, 2013, 08:47 AM)

Don't be. Nobody is an 'expert' on system security these days unless it's their full-time job. There's just too much going on and far too much to know to do it part-time any more. I'm sure I'd be much happier, and sleep better most nights, if I didn't know what relatively little I do know about this topic.

Stoic Joker · « **Reply #23 on:** January 10, 2013, 03:47 PM »

^It's the way it gets marketed. It's presented as all "feature" with no risk or responsibility attached. It also hearkens back to a more naive mindset. Much like Microsoft being so blissfully unwilling to acknowledge WAN when they designed their early network software ...
-40hz (January 10, 2013, 12:54 PM)

Wow! a NetBEUI crack?

(Last seen in the XP install CD's Tools folder) ...That's kind of Dark (ages) Humor isn't it?

I get the state of the industry stuff ... I was more looking for what service(s) were the Ricoh's most likely to be exposing to the web. Because in a larger - actually needs a device that size - network there should be an IT staff that had to also be guilty of conjuring up this dangerous configuration.

...and yes I am looking for ideas on where to go poking around at some of the live web carnage ... as it is actually part of my job. (e.g. I made the brass watch the video ... and now they want me to (um...) explore it in depth.)

Stoic Joker · « **Reply #24 on:** January 10, 2013, 03:49 PM »

Man, you guys sure know a lot about this stuff. Now I feel inadequate .
-superboyac (January 10, 2013, 08:47 AM)

Don't be. Nobody is an 'expert' on system security these days unless it's their full-time job. There's just too much going on and far too much to know to do it part-time any more. I'm sure I'd be much happier, and sleep better most nights, if I didn't know what relatively little I do know about this topic.
-40hz (January 10, 2013, 12:59 PM)

+1 - I too occasionally yearn for blissful ignorance.