Printer Vulnerability Exposed by Indiana U Security Engineer
4/8/2008
By Dian Schaffhauser
Security engineers in the Information Technology Security Office (ITSO) at Indiana University were at a loss when a user described a network-connected multifunctional printer that was acting strangely--even printing spam e-mail messages onto paper.
While investigating the printer problem, Nate Johnson, Indiana U's lead security engineer, took a chance and tested the printer for vulnerability to a File Transfer Protocol (FTP) Bounce Attack, a method used by malicious computer hackers to relay a network scan through another device, essentially covering their tracks online.
Johnson's hunch paid off, and with the maneuver, he discovered a security risk in a widely used family of Canon printers.
ITSO provides active security analysis, development, education, and guidance related to Indiana U's information assets and IT environment.
Johnson and ITSO recently published the vulnerability, having already alerted Canon to the problem. UISO has published four disclosures in the last two years.
Johnson's test--a common tactic for security professionals hoping to find holes in network security--revealed a vulnerability in the network configuration of certain printers and other devices in the Canon imageRUNNER series. These multifunctional printers are the size of a traditional copying machine and include network access that can leave them open to misuse if not properly configured. Hackers can exploit the device's Internet connection and treat it as a proxy from which to attack other sources, while concealing their own location.
"I stumbled across the security vulnerability," said Johnson. "The customer was having a problem with a printer, and on a whim I tested it. Hopefully, now that we have published the risk, people and businesses with these devices will take another look at their inventory."
Workarounds to the vulnerability include disabling FTP printing, setting up a username and password challenge to protect FTP printing or having a Canon service technician install a firmware update. A report posted on the campus' security office site states, "Additionally, best practices suggest that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks."
According to Canon, the FTP command isn't used for printing from the printer driver. It only affects those imageRUNNER machines that have the FTP print setting on.
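An FTP bounce depends on the PORT command, which lets a client name any host and port as the destination of the server's data connection. As an added illustration (not taken from the article, the ITSO advisory or Canon), the Python check below scans a constructed FTP command log and flags PORT commands that target a host other than the control-connection client or a port below 1024, the server-side restriction described in RFC 2577. The log format and all function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample log: "<client_ip> <FTP command line>" (format is an assumption).
SAMPLE_LOG = """\
192.0.2.10 USER anonymous
192.0.2.10 PORT 192,0,2,10,195,80
198.51.100.7 PORT 10,1,1,5,0,22
198.51.100.7 PORT 198,51,100,7,0,80
203.0.113.4 PORT 203,0,113,4,999,1
"""

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); ValueError if invalid."""
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed PORT argument")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]

def check_port(client_ip, command):
    """Return None if the command is acceptable, else a reason string."""
    m = PORT_RE.match(command)
    if not m:
        return None  # not a well-formed PORT command; nothing to evaluate here
    try:
        host, port = parse_port_arg(m.group(1))
    except ValueError as exc:
        return str(exc)
    if host != ipaddress.IPv4Address(client_ip):
        return f"third-party target {host}:{port}"  # data connection aimed elsewhere
    if port < 1024:
        return f"privileged port {port}"  # well-known service port
    return None

def scan_log(text):
    """Return (line number, client IP, reason) for every suspicious PORT command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        client_ip, _, command = line.partition(" ")
        reason = check_port(client_ip, command.strip())
        if reason:
            findings.append((lineno, client_ip, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same two comparisons can be enforced in an FTP server or an FTP-aware firewall rather than applied to logs after the fact.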
To view the detailed alert reported by UISO, visit https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack.
To view the alert from Canon, visit http://www.usa.canon.com/html/security/office_security.html.
Dian Schaffhauser is a writer who covers technology and business. Send your higher education technology news to her at dian@dischaffhauser.com.
Dian Schaffhauser, "Printer Vulnerability Exposed by Indiana U Security Engineer," Campus Technology, 4/8/2008, http://www.campustechnology.com/article.aspx?aid=60565