Wednesday, February 15, 2017

HP printer security FUD highlights everything that's wrong with infosec

I'll start this post by saying I half expect to get a cease and desist over it.  If that happens, know that HP doesn't stand by their marketing and is using lawyers to silence those who would challenge them.

HP kicked off RSA with a big push on printer security.  I stopped by the booth and they have a few people standing around (customers and employees).  I asked (seriously, not trolling) what the sales pitch is.  I said I'd like to hear the technical side. I say "I'm an infosec consultant, what real world examples of printer exploitation can HP share with me that will get my clients serious about printer security?"  The obvious sales lady passes me off to one of two engineers at the booth.  The other engineer is already talking to someone.  The other engineer (the one not talking to me) says to the guy he's talking to:
You have to take print security seriously. Did you know that Stuxnet attacked the print spooler?
Now this is some USDA Grade A FUD.  First, Stuxnet didn't attack printers at all.  The print spooler? Sure. On Windows. If a tag line for your printer security campaign is a vulnerability patched in 2010 (MS10-061) on something that isn't even your platform, well, bravo.  I'd like to induct this salesperson/engineer into the snake oil hall of fame (or ninth circle of hell, I'm actually not picky here).

Before I can interrupt "Mr Stuxnet" my engineer starts talking to me.  I ask him the same question I asked the "sales only" person at the booth.  He says:
Did you hear about the tens of thousands of printers hacked in the last few weeks? It's been all over the news.
Um yeah (he's talking about this), but those were printers directly connected to the Internet. I'm not concerned about that, or Weev, spewing garbage to my printers.  I ask about the narrative they seem to be suggesting where the printer is used to compromise the rest of the network.  Can your printer really be used to compromise the rest of the network? Have you ever seen it?  Do you have a single case, even without naming the victim, that you can point to?

*Note: I don't need anyone to cite a talk at *CON where someone did a PoC.  I'm talking real world.

It turns out the answer is no.  The HP engineer says that they have responded to dozens of networks (later throws out the number 60) and says that in two of them they've found printer firmware that "had a different checksum from ours."  He won't commit to saying it was modified, just repeats that "well, the checksum was different." I'm intrigued, tell me more.  He says that they suspect it would have been nation state since these networks were known to have been hacked by nation state actors in the past.  Okay, cool. Since you found this "modified" firmware, you certainly reverse engineered it, right?  Well, yes they did, but "unfortunately HP Labs is very secretive" and is "unlikely to share anything they find."  And this was like four years ago and I haven't heard anything back so lets move on.

Wait, WUT?! You found firmware that wasn't yours loaded onto printers four years ago, sent if for reversing and you got nothing back?  This is the sort of thing that literally screams "take my money" and you have no information on it.  Okay, I think I see what you found: nothing.

When pressed for more examples of printer exploits, we got stuff like "Do you know what can be done with PCL and PostScript?" Yes actually, which is why you're really not scaring me.  Again, show me examples of this happening in the wild. Do you have document hashes in VirusTotal that show demonstrations of attackers doing this stuff?  My clients want to focus on real threats, not hypothetical ones.

Luckily I didn't pay attention to the video playing in the HP booth while I was there.  When I came back to my hotel room I actually watched this vile piece of filth.

WARNING: you'll never get this six minutes of your life back.

This video features tag lines like "nothing is safe" and "There are hundreds of millions of business printers in the world.  Only 2% of them are safe."  This is FUD to the nth degree.  The fact that Christian Slater, who stars in Mr. Robot, is hacking the printers is designed to give it a more realistic bent.  But it's not realistic.  How did Slater get on the wireless network to pwn these printers?  And were they configured with default credentials?  And how did he just happen to have firmware for these specific models.  And why FFS were the printers not checking a digital signature on the firmware.  So many questions...

And this all made me mad until Twitter user Jason Testart told me that HP was sending electronic marketing material to executives (likely CIOs) to get them to invest in printer security.  Then I was just furious.

According to Jason, that thing in the middle is a cell phone screen that plays marketing material (presumably the Christian Slater video?).  In today's digital age, it is environmentally irresponsible to create such waste in advertising materials.  Cell phone screens?  Really?  I'm sure this is flashy and I'm sure people look at it before throwing it away.  But I'm a little outraged at the waste - especially when used to spew such deceptive FUD.

Real Security
Securing your printing environments isn't hard.  If you need help, contact me at Rendition Infosec and I'll be happy to help you.  But I'll save you all sorts of money up front and tell you that it involves basics like not connecting your printer directly to the Internet, not exposing unnecessary services (turn off LDAP on your multi function device if you don't use it), and change default credentials on your print devices that have a web interface.  Turn off wifi if you don't use it (you shouldn't be using wifi for your printer, honestly).  Then back this all up with network monitoring.  Find your printer beaconing to China?  Isolate it from the rest of the network, then call someone who can reverse engineer the printer implant.  While you're at it, hunt the rest of your network.  The attackers didn't just compromise the printer.

Closing Thoughts
In closing, things like this make me sad to be in infosec.  I know that I'm not making much of a dent here raging on how dumb this printer security push is (in the overall scheme of things).  But please don't make my efforts in vain.  Your CIO probably got a cardboard encrusted cell phone screen from HP.  Talk to them.  Tell your CIO this is FUD. Tell them you probably need to invest money in basic infosec blocking and tackling.  Then feel good about changing the world for the better.

Thursday, February 9, 2017

Some Q&A about the law of Cyber Warfare

I am not a lawyer. I don't even play one on TV. But a group of lawyers did get together to try to decode the laws of many nations apply to cyber warfare.  The Tallinn 2.0 manual is the output of this effort.

Some of the lawyers in this group got together yesterday to have a panel and answer questions.  They try to answer questions such as "is this an act of war" and the law of peacetime cyber operations.  The text is dense and probably requires a law degree to completely comprehend, but the Q&A session linked here was pretty good for background noise while driving.

Wednesday, February 8, 2017

Get ready for more mandatory training!

If you work at DHS (and honestly, probably anywhere in .gov) you should brace yourself for more mandatory training.  H.R. 666 (yes, I immediately noticed the irony of that number) has passed the house and is heading to the Senate.  It would require that Homeland Security develop awareness programs (read more mandatory annual training) to help users spot insiders.  The bill of course does much more than that.

I'm particularly impressed by these two items.  If the legislation passes the Senate, (G) will ensure that by law the Insider Threat Program is informed about current technology and trends.  This is much better than relying on your adviser's BS in IT from ten years ago to steer decisions (sadly, this isn't a hypothetical).

I also like section (H) where metrics are required.  As we regularly tell Rendition Infosec customers, metrics are critically important to ensuring program success.  Of course some customers hate metrics, and we get it.  They aren't sexy (downright boring in many cases), but they are critical.  Effectiveness for an insider program will be difficult to measure, so it will be really interesting to see what metrics DHS selects for the program. 

Friday, February 3, 2017

Why you should care about CVE-2017-0016 (new SMBv3 0-day)

I've seen a few people talking on social media about how CVE-2017-0016 is just not a big deal.  They correctly point out that it can't trigger Remote Code Execution (RCE) and can only be used for Denial of Service (DoS).  Both of these are correct.  More than a few people have made the mistake of saying something to the effect of "if you have SMB listening on the Internet, you have all sorts of other problems."

But those making the latter statement don't understand the vulnerability.  Unlike many previous SMB vulnerabilities like MS-08-067 (used by Conficker) that would require a host to be listening on SMB ports (TCP 139 and TCP 445) to be exploited,  this vulnerability requires that the vulnerable host be able to talk to an attacker on these ports.  So SMB need not be exposed to the Internet in a traditional sense for a host to be exploited.  If an attacker can get a user (or an automated process) to visit a malicious link over SMB, the exploit will be successful and the machine will crash.

What do you need to do?
Microsoft has not yet made a patch available.  However, there is a publicly available PoC script so attackers can cause mischief today with no work on their part.  You need to ensure that your networks don't allow TCP 139 or TCP 445 outbound.  Due to the SMB worms of the past, most residential ISPs block TCP 139 and TCP 445.  Most business ISP connections do not.

There are tons of reasons to not allow TCP 139 and TCP 445 outbound.  They are too numerous to mention here and there's no reason to repeat them here.  If you want to test your network, I set up a test before Badlock last year.  The instructions for running it are here.  You really should make sure you block SMB outbound from your network, anything less is a ticking time bomb.  When we audit small business networks at Rendition Infosec, we see SMB allowed outbound with a surprising regularity.