Printer Vulnerability Exposed by Indiana U Security Engineer

4/8/2008

Security engineers in the Information Technology Security Office (ITSO) at Indiana University were at a loss when a user described a network-connected multifunctional printer that was acting strangely--even printing spam e-mail messages onto paper.

While investigating the printer problem, Nate Johnson, Indiana U's lead security engineer, took a chance and tested the printer for vulnerability to a File Transfer Protocol (FTP) Bounce Attack, a method used by malicious computer hackers to relay a network scan through another device, essentially covering their tracks online.

Johnson's hunch paid off, and with the maneuver, he discovered a security risk in a widely used family of Canon printers.

ITSO provides active security analysis, development, education, and guidance related to Indiana U's information assets and IT environment.

Johnson and ITSO recently published the vulnerability, having already alerted Canon to the problem. UISO has published four disclosures in the last two years.

Johnson's test--a common tactic for security professionals hoping to find holes in network security--revealed a vulnerability in the network configuration of certain printers and other devices in the Canon imageRUNNER series. These multifunctional printers are the size of a traditional copying machine and include network access that can leave them open to misuse if not properly configured. Hackers can exploit the device's Internet connection and treat it as a proxy from which to attack other sources, while concealing their own location.

"I stumbled across the security vulnerability," said Johnson. "The customer was having a problem with a printer, and on a whim I tested it. Hopefully, now that we have published the risk, people and businesses with these devices will take another look at their inventory."

Workarounds to the vulnerability include disabling FTP printing, setting up a username and password challenge to protect FTP printing or having a Canon service technician install a firmware update. A report posted on the campus' security office site states, "Additionally, best practices suggest that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks."

According to Canon, the FTP command isn't used for printing from the printer driver. It only affects those imageRUNNER machines that have the FTP print setting on.
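The bounce described above depends on an FTP server honoring a PORT command that names an address other than the client's own. As an added example (not from the article, the ITSO report, or Canon), this Python check applies the two tests recommended in RFC 2577 to a control-channel log; the log format, function names, and addresses are constructed for illustration.

```python
import re

# Constructed sample: "<client_ip> <raw FTP command>" per line, as a sensor or
# proxy might record the control channel. Addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 USER anonymous
192.0.2.10 PORT 192,0,2,10,195,80
198.51.100.7 PORT 203,0,113,5,0,22
198.51.100.7 LIST
198.51.100.7 PORT 203,0,113,5,0,80
192.0.2.44 PORT 192,0,2,44,0,25
192.0.2.45 PORT 1,2,3
"""

PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(command):
    """Return (ip, port) from an RFC 959 PORT argument, or None if malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # h1,h2,h3,h4 are the address octets; p1,p2 are the port's high/low bytes.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def find_bounce_attempts(log_text):
    """Flag PORT commands a hardened FTP server should refuse."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        client, _, command = line.partition(" ")
        if not command.upper().startswith("PORT"):
            continue
        parsed = parse_port(command)
        if parsed is None:
            findings.append((lineno, client, "malformed PORT"))
            continue
        ip, port = parsed
        if ip != client:
            # Data connection aimed at a third party: the bounce pattern.
            findings.append((lineno, client, f"third-party target {ip}:{port}"))
        elif port < 1024:
            # Legitimate clients listen on ephemeral ports, not service ports.
            findings.append((lineno, client, f"privileged port {port}"))
    return findings
```

Clients behind NAT can legitimately advertise an address that differs from the one the sensor sees, so third-party findings from known NAT ranges need that context before they are treated as bounce attempts.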

To view the detailed alert reported by UISO, visit https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack.

To view the alert from Canon, visit http://www.usa.canon.com/html/security/office_security.html.


Dian Schaffhauser is a writer who covers technology and business. Send your higher education technology news to her at dian@dischaffhauser.com.

Cite this Site

Dian Schaffhauser, "Printer Vulnerability Exposed by Indiana U Security Engineer," Campus Technology, 4/8/2008, http://www.campustechnology.com/article.aspx?aid=60565
