Slashdot Mirror
Exposed HP LaserJet Printers Offer Anonymous FTP To the Public (csoonline.com)
itwbennett writes: In a blog post on Monday, security researcher Chris Vickery outlined the risks associated with networked HP LaserJet printers, which have been made available to the public by the organizations hosting them. 'There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by ... any web browser... It doesn't take much creativity to realize that even highly illegal materials could be stored this way,' Vickery wrote. CSO's Steve Ragan picked up the thread: A quick search on Shodan to confirm Vickery's findings returned thousands of results.
(*sarcasm*) No. Everything must be internet enabled! We are in the age of the Internet of Things. You probably don't even use "apps," do you? I bet you compile your own code, too. You are a Luddite. Get off my lawn! (*sarcasm*)
You have no excuse to have a printer exposed to the greater web.
As a UMN (note how high they are on the list counting the exposed printers) alumni, I probably know more about their network setup than most. The default stance there has always been that every device on the network is given an IP (either dynamically or statically) that is fully resolvable to the world. They started with all of 128.101.*.* and then added 134.84.*.* and something else as well. It didn't seem like they would run out of addresses any time soon so they just kept handing them out; students, staff, faculty, janitors, etc.
Now networked printers are cheap and easy to use. Cubicle dwellers who don't want to share can buy their own without much difficulty and put it on the network ... because they can. I would bet half the printers on there are connected to the wireless, which also hands out fully resolvable IP addresses. How are you going to talk Fred in accounting into not doing it when not doing it is so much more difficult than doing it? He's going to bring his MacBook to work and back every day, he wants his wireless color laserjet when he gets there. Good luck convincing him to spend the extra 1.6 seconds every day disconnecting and reconnecting a USB cable instead of printing over the network ... he could be using those 1.6 seconds to read more facebook.
In summary, you won't get the printers off the exposed part of the network, not when the network is configured the way it is and the employees can add devices to it so easily.
Honestly, never underestimate just how terrible security is or can be ... between vendors which leave stuff vulnerable for years, or mis-configurations, things which have never been patched, or things which seemed like a good idea at the time ... the internet is a hideous mess of things which are appalling but nonetheless happen every day.
Either because nobody cares, or nobody has the money to care, or management comes down on the side of "easy" instead of "correct".
I think most of us would be shocked/depressed/angry to realize just how much stuff is hanging outside of any firewall or NAT whatsoever.
The people are likely to be secure are paranoid, diligent, a little crazed, and likely have others telling them to "relax, it's not a big deal". Never underestimate how often someone says "dear god, we can't do this" only to be overruled by someone who doesn't see it as a threat ... it happens all the damned time.
The people who get overruled just need to cover their asses so if it happens they can say "told you so". This has been true for years.
I'm betting tons of people around here can give you horror stories about loudly warning about this kind of stuff only to be told to shut up and do it.
Lost at C:>. Found at C.
If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you.
The "server" will be someone ELSE's laser printer, and you'll probably be accessing it via a VPN, or Tails and Tor, so it's not a problem (for you).