Slashdot Mirror


Exposed HP LaserJet Printers Offer Anonymous FTP To the Public (csoonline.com)

itwbennett writes: In a blog post on Monday, security researcher Chris Vickery outlined the risks associated with networked HP LaserJet printers, which have been made available to the public by the organizations hosting them. 'There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by ... any web browser... It doesn't take much creativity to realize that even highly illegal materials could be stored this way,' Vickery wrote. CSO's Steve Ragan picked up the thread: A quick search on Shodan to confirm Vickery's findings returned thousands of results.
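The summary says the printer's file system is reachable over port 9100, which is the raw-print port where HP devices also accept PJL (Printer Job Language). Below is an added example, not code from the article or from Vickery's post, of how a defender can check their own fleet for that exposure: it builds a PJL FSDIRLIST query (the directory-listing command from HP's PJL Technical Reference), parses the reply, and reports whether the device is answering with file-system contents at all. The wire format of the reply is modelled on that reference; the SAMPLE_REPLY is constructed for offline use, not captured from a real printer, and `probe()` needs network access to a printer you are authorised to test.

```python
"""Audit helper: does a networked printer expose a PJL file system on TCP 9100?

Added example, not code from the article or from Vickery's post. It assumes the
HP PJL commands documented in HP's PJL Technical Reference (FSDIRLIST) and a
reply layout modelled on that document; SAMPLE_REPLY is constructed for the
offline demonstration, not captured from a real device.
"""
import re
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language: puts the 9100 listener into PJL mode
PJL_VOLUME = "0:\\"     # first file-system volume in PJL path naming


def pjl_request(command: str) -> bytes:
    """Wrap one PJL command in UEL framing so a raw-9100 listener parses it as PJL."""
    return UEL + b"@PJL " + command.encode("ascii") + b"\r\n" + UEL


def fsdirlist_request(path: str = PJL_VOLUME, count: int = 64) -> bytes:
    """Build the directory-listing query for `path` (PJL FSDIRLIST)."""
    return pjl_request(f'FSDIRLIST NAME="{path}" ENTRY=1 COUNT={count}')


# One entry per line: "<name> TYPE=DIR" or "<name> TYPE=FILE SIZE=<bytes>"
_ENTRY = re.compile(r'^(?P<name>.+?)\s+TYPE=(?P<type>DIR|FILE)(?:\s+SIZE=(?P<size>\d+))?\s*$')


def parse_fsdirlist(response: bytes) -> list[dict]:
    """Parse a FSDIRLIST reply into entries; an error reply or silence yields []."""
    text = response.decode("ascii", errors="replace")
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("@PJL"):   # echo/status header, not an entry
            continue
        m = _ENTRY.match(line)
        if m:
            entries.append({
                "name": m.group("name"),
                "type": m.group("type"),
                "size": int(m.group("size")) if m.group("size") else None,
            })
    return entries


def exposes_filesystem(response: bytes) -> bool:
    """True when the reply lists anything beyond the '.' and '..' placeholders."""
    return any(e["name"] not in (".", "..") for e in parse_fsdirlist(response))


def probe(host: str, port: int = 9100, timeout: float = 5.0) -> bytes:
    """Send the listing query to a live printer and return the raw reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(fsdirlist_request())
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass    # printers usually just stop sending; the timeout ends the read
        return b"".join(chunks)


# Constructed sample reply (not a capture), laid out per the PJL reference format.
SAMPLE_REPLY = (
    b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1\r\n'
    b'. TYPE=DIR\r\n'
    b'.. TYPE=DIR\r\n'
    b'PJL TYPE=DIR\r\n'
    b'webServer TYPE=DIR\r\n'
    b'dropbox.zip TYPE=FILE SIZE=1048576\r\n'
    b'\x0c'
)

if __name__ == "__main__":
    for entry in parse_fsdirlist(SAMPLE_REPLY):
        print(entry)
    print("filesystem exposed:", exposes_filesystem(SAMPLE_REPLY))
```

The query is read-only, and the UEL framing keeps a printer from treating the bytes as a print job. A device with no disk, or one where the file-system commands have been disabled, answers with a status line and no entries, so `exposes_filesystem()` returns False; a listing that shows more than the two placeholder directories is the condition the article describes. Run `probe()` only against printers you own, and treat a True result as a reason to block 9100 at the network edge and disable the file-system feature in the printer's management interface.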

15 of 74 comments

  1. 1998 called by belthize · · Score: 2

    They want there bugs back. This issue has been haunting HP printers for decades.

    ftp://ftp.hp.com/pub/networkin...
    https://www.google.com/search?...

    1. Re:1998 called by Ghostworks · · Score: 2

      1995 called. It just wanted to remind you that abusing a printer in this way was actually a minor plot point of Johnny Mnemonic.

      Yes, the problem is so old that Hollywood actually -- and surely accidentally -- got it right.

    2. Re:1998 called by TWX · · Score: 2

      William Gibson is a fairly smart guy, if he wrote stuff into the screenplay that was inspired by real stuff, even if carried to borderline-insane extremes.

      Had they not had that ridiculous, poorly-animated dolphin swimming through the mind thing I might consider it a halfway decent movie, at least up there with the original Total Recall. That dolphin thing though, just too much.

      --
      Do not look into laser with remaining eye.
    3. Re:1998 called by belthize · · Score: 2

      Oh fuck me .... to ^H^H too. Really just go ahead and put me out of everyone's misery.

    4. Re:1998 called by Falos · · Score: 2

      Relax. We could care less. You're meaning gets across for all intensive purposes.

  2. Re:In other news, water is wet by geekmux · · Score: 2

    You have no excuse to have a printer exposed to the greater web.

    Root cause my friend...HP has no excuse for running an FTP server on a printer.

  3. IoT by Torodung · · Score: 4, Insightful

    (*sarcasm*) No. Everything must be internet enabled! We are in the age of the Internet of Things. You probably don't even use "apps," do you? I bet you compile your own code, too. You are a Luddite. Get off my lawn! (*sarcasm*)

  4. Re:In other news, water is wet by Dunbal · · Score: 2

    But then how are they going to send copies of everything you print to the mothership/NSA/etc?

    --
    Seven puppies were harmed during the making of this post.
  5. Re:Shodan marketing by ArchieBunker · · Score: 2

    Yeah what's up with his search engine? After the first page you need to register? Fuck that.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  6. Re:In other news, water is wet by Anonymous Coward · · Score: 3, Informative

    You have no excuse to have a printer exposed to the greater web.

    As a UMN alumnus (note how high they are on the list counting the exposed printers), I probably know more about their network setup than most. The default stance there has always been that every device on the network is given an IP (either dynamically or statically) that is fully resolvable to the world. They started with all of 128.101.*.* and then added 134.84.*.* and something else as well. It didn't seem like they would run out of addresses any time soon so they just kept handing them out; students, staff, faculty, janitors, etc.

    Now networked printers are cheap and easy to use. Cubicle dwellers who don't want to share can buy their own without much difficulty and put it on the network ... because they can. I would bet half the printers on there are connected to the wireless, which also hands out fully resolvable IP addresses. How are you going to talk Fred in accounting into not doing it when not doing it is so much more difficult than doing it? He's going to bring his MacBook to work and back every day, he wants his wireless color laserjet when he gets there. Good luck convincing him to spend the extra 1.6 seconds every day disconnecting and reconnecting a USB cable instead of printing over the network ... he could be using those 1.6 seconds to read more facebook.

    In summary, you won't get the printers off the exposed part of the network, not when the network is configured the way it is and the employees can add devices to it so easily.

  7. Re:NAT, firewall by gstoddart · · Score: 5, Insightful

    Honestly, never underestimate just how terrible security is or can be ... between vendors which leave stuff vulnerable for years, or mis-configurations, things which have never been patched, or things which seemed like a good idea at the time ... the internet is a hideous mess of things which are appalling but nonetheless happen every day.

    Either because nobody cares, or nobody has the money to care, or management comes down on the side of "easy" instead of "correct".

    I think most of us would be shocked/depressed/angry to realize just how much stuff is hanging outside of any firewall or NAT whatsoever.

    The people who are likely to be secure are paranoid, diligent, a little crazed, and likely have others telling them to "relax, it's not a big deal". Never underestimate how often someone says "dear god, we can't do this" only to be overruled by someone who doesn't see it as a threat ... it happens all the damned time.

    The people who get overruled just need to cover their asses so if it happens they can say "told you so". This has been true for years.

    I'm betting tons of people around here can give you horror stories about loudly warning about this kind of stuff only to be told to shut up and do it.

    --
    Lost at C:>. Found at C.
  8. Re:In other news, water is wet by TWX · · Score: 2

    More to the point, in an IPv6 world and in an IPv4 world that didn't run out of addresses, this is actually how it's supposed to work. Every device is supposed to have a valid routable address, and it's up to firewalling, not non-routable networks, to create security.

    It's been quite some time since I played heavily with the settings on network printers, but there were a lot of options for how the network configuration could be set up. There were multiple protocols and options within each protocol including for things like management, web, and the like.

    Makes me wonder if this current scare is simply a case of technical staff not doing their jobs and setting up the printers correctly, just leaving everything default. Who needs IPX or NetBEUI on their printers now anyway?

    --
    Do not look into laser with remaining eye.
  9. Re:Shodan marketing by Anonymous Coward · · Score: 2, Interesting

    Quite the opposite, I suspect the recent influx of news about Shodan is a concerted effort to get it shut down.

    A couple weeks ago we had stories about this search engine let me find Hello Kitty's database full of children. Over the weekend we saw hit pieces about this search engine lets people spy on your sleeping kids. Today we have this search engine exposes FTP servers where people can store "highly illegal materials" (he isn't talking about your MP3 collection). Insecure webcams, insecure FTP servers, insecure databases, these have existed for years. In fact they've all been searchable by Shodan (and Google) for years. There's nothing new or newsworthy about it, but the articles keep coming, and they keep specifically mentioning Shodan.

    Notice how these stories all have a think-of-the-children hysteria angle? Someone's trying *very hard* to equate the Shodan name with "this is a pedophile service and needs to be shut down."

  10. Re:In other news, water is wet by Torodung · · Score: 2

    TL;DR - NAT can suck it. :P

  11. Re:illegal storage by godel_56 · · Score: 3, Informative

    If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you.

    The "server" will be someone ELSE's laser printer, and you'll probably be accessing it via a VPN, or Tails and Tor, so it's not a problem (for you).