The legacy of the insecure IoT: HP’s JetDirect

If you are looking to trace the origins of an insecure IoT, you might want to take a walk down memory lane back to October 1991. Back then HP developed the first network print server, called JetDirect. This took the form of an internal circuit card, shown here, that came in both Token Ring (remember those?) and Ethernet versions and fit inside the early monochrome laser printers. I believe those early printers cost around $2400, so there was some cost motivation to share them around the LAN. HP had been selling the first desktop laser printers for several years, and this was the first time that any of them could be easily connected to a network. During the 1990s several versions of JetDirect cards were created, including external print servers that could connect to any printer that had a parallel port. It wasn’t long before they were commonly used, not just for printing but for numerous hacking activities as well.

Why is this the origin story of the insecure IoT? Check out this post on SecurityFocus from May 2003. Way before ransomware was common, the post describes a major vulnerability in the JetDirect web-based admin utility. Some network admins knew when they first got these devices that they could be configured via two different protocols: web and telnet. The post shows that the telnet interface didn’t have any default password, and if you had to reset the device, you would return to this default setting. Thus began the insecure IoT. At the time, there was a lot of discussion about printer insecurity, not just about HP but about any network-connected printer: check out this SANS white paper from 2003.

When we look at this material with a modern eye, some of the hacks mentioned here seem, well, quaint. But some are significant, such as a hacker hosting malicious webpages and scripts on your printer, as mentioned in this recent article here. One of the attractions of network printers for attackers is that usually no one looks carefully at their operations, either through activity logs or intrusion detection systems. Another is that they are always on, and if they have issues they get rebooted quickly so they can continue to serve print jobs, which also wipes away any evidence of tampering.

Now we have millions of network-connected devices of all shapes and sizes, but still have sub-par programming where passwords, secure protocols and other good practices are few and far between. Granted, laying all this at the feet of HP isn’t really fair: they didn’t anticipate how networks would be abused decades later. But it shows that hardware vendors often give security short shrift. Since those early days, HP hasn’t been just sitting around either: in 2015 they came out with ultra-secure printers that protect against BIOS tampering and have other controls such as built-in intrusion detection.

It is nice to see that the JetDirect product, which started the insecure IoT, brought about some solid innovation in the modern era with better printer security. It has come full circle, to be sure.

Security Intelligence blog: Protecting your staff when in co-working spaces

The number of innovative co-working spaces continues to rise around the world, and this doesn’t even include coffee shops, libraries and numerous other public places that offer free Wi-Fi. It’s important to consider the security implications of what these itinerant workers are doing. IT managers are challenged to keep their networks and data secure while encouraging remote workers to be productive, whether they’re dialing in from the local WeWork or reviewing emails at McDonald’s.

Here are some practical security considerations from my latest blog post for IBM’s SecurityIntelligence. 

Did the Russians hack our election?

I have watched the series of reports about the Russians trying to influence our election last fall with a mixture of disbelief and interest. I wanted to put together links to some of the better reporting, and also call out some of the sub-standard reporting to steer clear from.

Let’s start with what we know and what has been released to the general public. The best quality of information came from this report from Crowdstrike back in June. They were called in by the DNC to try to get to the bottom of the attacks on its network. This post has many details that point out indicators that two separate Russian state intelligence agencies had penetrated their networks over a long period of time. They entered via phishing emails and then proceeded to infect various PCs with a boatload of malware, most of which was very clever at avoiding detection. When you look at the Crowdstrike report, you can see why this malware was so difficult to pin down: you needed the experience and context of other attacks by these Russian state actors to see the similar patterns of compromise.

I assume that our government has this experience, but getting them to tell civilians in an unclassified report is another matter entirely. Still, such a report was done by the FBI and Homeland Security recently, and it can be found here. Sadly, this report comes up lacking in several areas: it doesn’t tie any specific Russian sources to these attacks, it doesn’t help network defenders prepare their own networks for future similar attacks, and it contains mostly high-level platitudes and security chestnuts that aren’t unique or actionable.

The feds didn’t do themselves any favors here. I agree with Bruce Schneier’s assessment: “If the government is going to take public action against a cyberattack, it needs to make its evidence public. It’s one thing for the government to know who attacked it. It’s quite another for it to convince the public who attacked it.” He links to previous attacks such as Sony, OPM, and Estonia that took some effort to figure out the originating offenders.

Also not helping matters was when the Washington Post ran a story about the Russians hacking into a Vermont electric utility. They later corrected the piece, leading with the statement that they “incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far.” Oops. The issue is that yes, one piece of malware, which can be purchased online from a variety of sources, was found on a laptop belonging to one employee of Burlington Electric. This laptop was a personal machine and not part of any operational function for the utility. The Intercept unpacks the Post story technically, bit by bit, so you can see the sloppy reporting and the reactions to it.

Various security researchers have come out with similar negative reactions to the DHS/FBI report and the Post piece. Here are links to three of them:

So if you are a corporate IT manager, what needs to happen going forward? First, you should re-read the Crowdstrike blog post from last June and make sure you and your security staff understand the various infection vectors used by the Russians. Next, you should take the time to ensure that your defenses actually will work against these vectors, and if not, determine what gear you need to put in place to make things more secure. Finally, you should not over-react to the general press stories about hacking attempts without doing some careful investigation first. As a recent example, stories such as the US Customs computers going offline on Dec. 28th, which were originally attributed to a hacking attempt, turned out to be nothing more than a bad systems upgrade by their IT department.

FIR B2B #63: PRODUCT AND CORPORATE MARKETING: WHAT’S THE DIFF? WITH DENA BAUCKMAN

You won’t find many product marketers with advanced certifications in the technologies they market, but we found one. Our guest is Dena Bauckman, director of product marketing for email encryption provider Zix Corp. in Dallas. Dena has held similar titles at Sterling Commerce and BancTec.

Bauckman’s perspective on the interplay between product marketers, corporate marketers and product managers is distinctive. She stresses how all parties need to understand where each other is coming from and be tuned in to their needs and schedules.

You can listen to our 25-minute podcast here:

Network World review: Microsoft Windows Defender comes up short

Microsoft’s latest version of its anti-malware tool, Windows Defender, is a frustrating product to evaluate. Once you examine the product in more detail, you will see why we cannot recommend it for enterprise use. And that is the frustration of this product: Microsoft is trying to do the right thing and offers a tempting feast, but ultimately offers an incomplete meal that is tough to digest. It is hard to track, hard to configure, hard to remove and hard to manage in a typical enterprise environment.

It might be all the antivirus that a home user needs, but when it comes to the business world, you are better off with something else.

You can read the full review in Network World here.

My top security threats of 2016 in review

Since I began writing a series of newsletters for Inside Security in June, I have covered some of the most important data leaks or security threats each week. Here are my favorites:

Yahoo for the Big Kahuna award: Billions of emails served, thanks to Yahoo. The gift that keeps on giving, and also taking shareholder value too. My analysis and lots o’ links here.

In a class by itself is the Mirai botnet. Dyn’s analysis of the Krebs attack is here. Then more than 900,000 customers of German ISP Deutsche Telekom were knocked offline by a new variant. It didn’t help matters that DT allowed the rest of the world to remotely manage these devices.

Schneider Electric gets the two-times-the-charm award. Both of its Unity Pro and PanelShock utility software programs were compromised in a matter of days; both were attacks that could harm industrial control networks. This could be the return of Stuxnet. The published advisory is here.

The Australian Red Cross receives the bloodbath award. A million or so medical records of blood donors have, ahem, leaked. Gotta love those Aussies: “This is a seriously egregious cock-up,” said one researcher.

Three Mobile (UK) receives the can-you-hear-me-now award. Contact details of six million of its customers, about two-thirds of its total, have been exposed. Hackers used an employee’s login credentials to gain entry.

The friends with benefits award goes to, naturally, the Friend Finder Network. They exposed more than 412 million accounts, including millions of supposedly deleted accounts, thanks to a local file inclusion flaw. Actually, this is their second such award: they were also breached in 2015.

DailyMotion and Weebly both share the “password is ‘password’” award. DailyMotion had more than 80 million of their account IDs and passwords exposed. Only a fifth of these accounts had passwords, and they were fortunately encrypted. The company admitted the breach in a blog post. LeakedSource obtained the data file. As for Weebly, they had more than 40 million accounts compromised earlier this year. Fortunately, their stolen passwords were stored using the strong hashing function bcrypt, making it difficult for hackers to initially obtain users’ actual passwords.

Payday awards. Criminals continue to figure out ways to make ATMs spit out their cash drawers. Two this year are notable: Alice (discovered recently by Trend Micro researchers) and Cobalt, where Group-IB has named the organization behind the thefts. Both are very sophisticated attacks, and we should expect more in 2017.

The pixel perfect award goes to an attack called Steganos. Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners. This exploit has been around for several years. Its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. It hides parts of its code in the parameters that control the pixel colors used to display banner ads.

Vera Bradley stores receive the attention-shoppers award. They notified customers of a credit card exploit, which affects customers who paid by credit card in their stores between July and September of this year. Card numbers and names were captured by malware found running in their data center. The company has 150 stores selling fashion merchandise.

The oops-mom-no-firewall award goes to a Finnish facilities manager. Thanks to the lack of a firewall and a DDoS-based DNS attack, at least two housing blocks in the city of Lappeenranta were affected, as confirmed by the facilities management company. Hackers gained remote access to the HVAC systems. Luckily, outdoor temperatures weren’t critical.

The award for security starts in the home goes to so many companies it is hard to pick just one, but let’s give the honor to the Ameriprise employee who had a home-based network storage device with no password whatsoever. The drive was synchronized with one in his office, allowing anyone to view sensitive client data. Expect more of these sorts of attacks as the line between home and work continues to disappear.

And the most zero days reported in the past year: Adobe Flash, of course. No week would be complete without one!

What were your favorite breaches of the past year?

FIR B2B Podcast: More on fake news and gaslighting

In our last podcast, we spoke about the rise of fake news. Turns out we have more to say on the topic, which has ballooned across mainstream media in the past couple of weeks. Paul talks about building brand loyalty and trust, based on his research. I mention this article in Teen Vogue, of all places, where the reporter brings up the movie/play Gaslight and how our future president is using similar tactics to set up problems and then offer “solutions.” And we cite a column by Christina Farr, who talks about how PR reps need to stop inserting themselves in the conversation when not requested or needed. You can listen to the podcast here:

Interview with IT Manager Paul Lanzi

Paul Lanzi is the COO and co-founder of Remediant, an IT security startup that has created a product to protect privileged accounts. Prior to this startup, he worked for many years as an IT manager in the biotech field, managing various engineering teams for Genentech and then Roche.

Back 11 years ago when he started at Genentech, the first security problem he helped tackle was managing multiple accounts. “Everyone had multiple accounts and multiple passwords, and we built our own home-grown system to consolidate these accounts, and make it easier for everyone to use a single username and password to get all of their work done. That actually improved security, since it lessened the chance that someone would have to write down their multiple passwords somewhere — but it also made it easier to ensure that every employee had the right access to do their job.”

Of course, today we have both single sign-on products to federate identities, such as Okta and Ping Identity, and identity governance products such as Sailpoint and RSA Archer. But back then this was hard work.

Lanzi’s best security tool has been multi-factor authentication. “I turn it on wherever I can; it is truly one of the most under-appreciated tools around. While it isn’t perfect, this technology sits in that rare sweet spot between simplicity and security,” he said. In his present firm he uses a combination of Google Authenticator and YubiKey Nano devices for this purpose. “I am amazed at how much crypto they can cram into that Nano form factor,” he said, which is about the size of a thumbnail (shown here).

A decade or so ago, Lanzi was involved in rolling out 110,000 iPads globally at Genentech/Roche. “At the time, it was the largest non-education deployment of iPads in the world, and we used MobileIron’s MDM software to protect our data both at rest and in flight. Their MDM-based security capabilities gave us the ability to remotely wipe the fewer than 20 devices that were lost or misplaced each month. Its combined capabilities gave us assurance that when those devices were lost, the data on them was still secure. We could also enforce minimum OS version standards, to ensure that users were keeping them up to date with OS security updates.”

Genentech/Roche had a very unusual security staff, composed of folks from different departments. “We had separate teams for patching desktops, maintaining our network infrastructure, an IT security policy writing group, an account provisioning engineering group for maintaining that piece, and an overall security architect as well. They contributed to an overall defense in depth because they were mutually supportive and worked together. That isn’t going to be possible in every enterprise, but we had terrific coverage across the various skills and potential threat areas. And given that we had personnel split across South San Francisco, Madrid and Basel, Switzerland, it was pretty impressive.”

How has security changed among his various employers over the years? “It really depends on the level of support at the executive level. At Genentech/Roche, we had executives who understood the risks and the investment needed to minimize the security risks. Other places were behind the curve and more focused on creating policies and lagged with their investment in security infrastructure. Part of the issue is that unlike in the retail or government sectors, biotech hasn’t had the big-news breaches to motivate organizations towards security improvements.”

How women were one of the first computers

Back in the 1940s and 1950s, computers were people, not machines. And one group of these human computers worked at a NASA research lab in southern Virginia. An upcoming movie, Hidden Figures, focuses on how three of these human computers helped with John Glenn’s historic first US orbital flight in 1962. As you probably know, Glenn died earlier this week at the ripe old age of 95.

I haven’t yet seen the movie; it will be out in a few weeks. But the underlying story is terrific. The three human computers turn out to be three black women mathematicians, including Katherine Johnson (shown above), who recently received the Congressional Freedom Medal.

One of the interesting historical notes was Glenn insisted that Johnson check the electronic computer’s calculations of his orbit, to make sure they were accurate. This was back when computers filled rooms and were slower than the CPUs that are found in the average smartphone nowadays.

Johnson continued to work at NASA until 1986 combining her math talent with electronic computer skills. Her calculations proved critical to the success of the Apollo Moon landing program and the start of the Space Shuttle program, according to this NASA writeup.

There are a lot more video interviews, both with the actresses (Octavia Spencer, Taraji Henson, who plays Johnson, and Janelle Monae, shown above) and with the real people behind the story, here at NextGov.

In addition to the movie, there is a book by Margot Lee Shetterly that was just published. Why did it take so long for this story to come out? Shetterly apparently learned about the achievements of these women computers from her father, who “casually mentioned it to her in an offhand comment,” according to Rudy Horne, a math professor at Morehouse College and a consultant to the movie production. Horne got involved because his college was used as a film location (the college campus is used to simulate the NASA Langley campus in southern Virginia where the story takes place), and the director wanted a real math professor to check his calculations. One of the wonderful coincidences is that the current NASA administrator and Horne himself are both African Americans.

Horne was brought on early in the production, before the script was finalized, to ensure that the math checked out. I called him and asked about his role. “In the beginning of the film, the young Johnson is shown solving a series of equations on a blackboard. They originally showed her solving a functional analysis problem, which is more of a college-level math course. I suggested a set of quadratic equations, which would be more appropriate for a younger student.” Horne made several other suggestions for the sets and props to show other math formulas. When I asked him what his favorite math-themed movie was, he said, “Good Will Hunting got the math right and had very believable scenes that showed how math professors interact. I am glad that I was a consultant to this movie, and it is great if it will inspire other students to study math and science.” As an undergrad math major, me too.

SecurityIntelligence blog: Avoiding Threat Management Rookie Mistakes

What do a Finnish HVAC company and a set of American car dealerships have in common? Both have been doing a poor job running their computer systems and, as a result, both experienced a series of four embarrassing threat management blunders.

In my latest post for IBM’s SecurityIntelligence blog, I describe these two incidents in more detail. They point out easily fixable threat management mistakes. As a result of weak security, several apartment buildings went without heat and millions of customers and employees of car dealerships had their data stolen. But both consequences are preventable, especially with the benefit of hindsight.