<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog</title>
	<atom:link href="http://www.gfi.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 20 Nov 2009 10:39:38 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Hacking Devices &#8211; Ensuring your printer is secure</title>
		<link>http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/</link>
		<comments>http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 10:39:11 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[printer]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1597</guid>
		<description><![CDATA[After talking about mobile phones as a threat to your organization we will today discuss yet another device widely in use and that too has the potential of being misused in a way that can ...<p><a href="http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/">Hacking Devices &#8211; Ensuring your printer is secure</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal; font-size: 13px;"><a class="lightbox" title="Printer security" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/Printer-security.jpg"><img class="alignright size-medium wp-image-1598" style="margin: 10px;" title="Printer security" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/Printer-security-300x225.jpg" alt="" width="300" height="225" /></a>After talking about <a href="http://www.gfi.com/blog/hacking-devices/">mobile phones as a threat to your organization</a> we will today discuss yet another device widely in use and that too has the potential of being misused in a way that can compromise your organization. This device is generally seen as an innocent tool and few would consider any security implications that installing it might bring. I am talking about the printer.</span></p>
<p>Printers have advanced a lot in the last few years. Modern printers connect to your network so that anyone can print from anywhere, they come with additional functions such as scanning, copying and faxing, and they offer convenient configuration through web, FTP and telnet interfaces. All this new functionality, however, also opens the door to abuse.</p>
<p><span id="more-1597"></span></p>
<h2>Printer authentication</h2>
<p>Just like any other device that connects to the network and allows remote access, printers have their own authentication. Different models authenticate differently, from the web interface down to the FTP and telnet interfaces of the printer, and like any brand-new device they ship with a default login and password. In some cases the password is blank, and nobody is asked to authenticate until one is set. If the printer is installed by anyone other than the IT administrator it is a safe bet that these defaults will not be changed or set. Would you expect a non-IT person to configure a password for the printer’s telnet server when s/he very likely does not even know what telnet is? Of course not; they will just be interested in getting the printer up and running as quickly as possible.</p>
<h2>Printer security risks</h2>
<p>What can a malicious hacker do after gaining access to a printer?</p>
<p>Surprisingly, the answer is: a lot. This is especially true if your printer faces the internet.</p>
<h3>Denial of service</h3>
<p>The most obvious and basic risk is that a malicious person can print anything he wants remotely. Most network printers listen on TCP port 9100 (raw or &#8220;JetDirect&#8221; printing), and anything sent to that port is printed without any authentication. This means that if the printer is reachable from the internet and no firewall rule blocks that port, anyone can keep printing on your printer until it runs out of paper and toner/ink. A single remote host is enough to do this; no distributed attack is needed.</p>
<h3>Capturing the password</h3>
<p>Even when a password is set, one is still not 100% safe. Some printer drivers store the password in the registry of every client that uses the printer, and worse, some printers will happily hand it over in response to an SNMP query using the default <em>public</em> community string. SNMP, the <em>Simple Network Management Protocol</em>, is designed to help configure and monitor network devices and allows for data exchange with them. Any SNMP client can talk to a device that answers to the public community, so anyone with an SNMP client can ask the printer for its public data, and it has been reported that some printers include the administrator password in that data.</p>
<p>Even if that fails, most printers do not encrypt the login and password (the web, FTP and telnet management interfaces typically send them in clear text), so they can easily be sniffed by anyone on the same network segment.</p>
<h3>Stealing information and documents</h3>
<p>Some printers, especially multi-function ones, contain large storage and keep copies of printed documents as well as received and sent faxes. Some of these expose the stored documents through simple FTP access, which means that if no password or only the default password is set, a malicious hacker can easily copy them. Even a printer that does not store documents will keep a log of the user name and document name of every job. This information is useful to an attacker in a number of ways. First and foremost, the user name usually identifies the person who printed the document, and the document name hints at the department that person works in. Armed with this knowledge the attacker has enough ammunition to attempt an effective social engineering attack on the company. The document names themselves may also be valuable: more often than not they are a one-line summary of the whole document.</p>
<p>It gets worse when you consider the people on the same local network. Anyone on the same network segment can capture the traffic to the printer. Printers are trusting devices: a print job is not tied to a specific printer, so if a captured print job is replayed to another printer it will happily print it. This means that a disgruntled employee on the same segment as your finance team can potentially get access to sensitive information that should only be available to that team.</p>
<h3>Bouncing</h3>
<p>A network printer is really a small PC with its own services running, and it is well known that it is possible to bounce off one. Bouncing is the act of using a machine or device as a relay for an attack. Vulnerable printers are typically used for FTP bounce attacks, where the attacker abuses the FTP PORT command to make the printer’s FTP server open connections to a third host. Printers with a predictable IP ID sequence, which many have, can also serve as the zombie in an idle scan, where the attacker infers which ports are open on a target from changes in the printer’s IP ID counter. Both techniques make the probe appear to originate from the printer, and since printers do not generally keep detailed logs it may be impossible to follow the trail back to the real attacker.</p>
<h3>Protecting your printer</h3>
<p>To protect the data sent to the printer, the best thing to do is to connect the printer directly to the machine via USB. Do not put the printer on the network unless you really need to. Exposing a printer directly to the internet is definitely to be avoided unless there is a very good reason for it; when it is unavoidable, make sure the printer sits behind a firewall that only allows access from the hosts that really need to use it, and only on the port they need (normally just the print port, with the web, FTP, telnet and SNMP management interfaces reachable from the administrator’s network only).</p>
<p>Just like a PC, a printer needs to be kept up to date and scanned for vulnerabilities. Remember that a printer is no different from a regular machine in most respects nowadays: it can suffer from the same issues, and vendors do issue firmware updates to fix them.</p>
<p>Finally, do not take the installation of printers lightly. Installation should be done by staff who know how to set the printer up properly and securely. It is very easy to hook up a printer, but that is not enough: default passwords need to be changed, unused services (FTP, telnet, SNMP) disabled, and access limited to the people allowed to use the printer.</p>
<p>Since printers are so cheap nowadays there is a risk that an employee without direct access to a printer will buy one and install it himself, so I would also suggest periodic audits of the network so that administrators can detect any rogue printers that get connected.</p>
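<p>As an added example (not code from the original post), the following Python script turns the audit just described into something an administrator can run: it parses nmap’s grepable output for hosts that accept raw print jobs on port 9100 and reports which of the management interfaces discussed above are also reachable on them. The scan lines it contains are constructed for the example and the addresses are assumptions; the nmap command in the comment is the one you would run against your own subnet.</p>

```python
"""Flag network printers that expose management services.

Added example, not code from the original post. It parses nmap's grepable
output (-oG) for hosts answering on TCP 9100, the raw/JetDirect print port
that accepts jobs without authentication, and reports which of the
management interfaces discussed in the post (FTP, telnet, web, SNMP) are
also reachable on them. The scan lines below are constructed for this
example, not real output; the host addresses are assumptions.
"""
import re

RAW_PRINT_PORT = 9100
# Management services that ship with default or blank credentials.
RISKY_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}

# Grepable port entries look like "21/open/tcp//ftp///"; only ports whose
# state is exactly "open" match (so "open|filtered" UDP guesses do not).
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//")

# Constructed sample of: nmap -sS -sU -p T:21,23,80,9100,U:161 -oG - 192.168.1.0/24
SAMPLE_SCAN = """\
# Nmap scan (constructed sample for this example, not real output)
Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)
Host: 192.168.1.11 ()\tPorts: 9100/open/tcp//jetdirect///, 161/open/udp//snmp///\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.30 ()\tStatus: Up
"""


def parse_grepable(text):
    """Map each scanned host to the set of port numbers reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines, and hosts with no port data
        ip = line.split()[1]
        hosts[ip] = {int(port) for port, _proto in PORT_RE.findall(line)}
    return hosts


def find_exposed_printers(text):
    """Hosts with port 9100 open, each with the risky services also open."""
    findings = []
    for ip, ports in sorted(parse_grepable(text).items()):
        if RAW_PRINT_PORT not in ports:
            continue  # no raw print port: not treated as a printer
        exposed = [RISKY_PORTS[p] for p in sorted(ports) if p in RISKY_PORTS]
        findings.append((ip, exposed))
    return findings


if __name__ == "__main__":
    for ip, services in find_exposed_printers(SAMPLE_SCAN):
        extra = ", ".join(services) if services else "none"
        print(f"{ip}: raw printing open; management services reachable: {extra}")
```

<p>Anything this lists is a candidate for a firewall rule restricting port 9100 to the print server and for disabling or password-protecting the FTP, telnet and SNMP interfaces. A host that shows up with an empty service list still needs the port 9100 restriction, since raw printing needs no credentials at all.</p>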
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/hacking-devices-ensuring-printer-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking Devices &#8211; How to protect yourself from data theft</title>
		<link>http://www.gfi.com/blog/hacking-devices/</link>
		<comments>http://www.gfi.com/blog/hacking-devices/#comments</comments>
		<pubDate>Thu, 19 Nov 2009 13:50:02 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social engineering attack]]></category>
		<category><![CDATA[virtual theft]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1590</guid>
		<description><![CDATA[Some time ago I wrote an article about preventing virtual theft &#8211; theft of goods from a virtual world (such as a game) by compromising the machine from which you play the game &#8211; and ...<p><a href="http://www.gfi.com/blog/hacking-devices/">Hacking Devices &#8211; How to protect yourself from data theft</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal; font-size: 13px;"><a class="lightbox" title="Mobile Phone Security" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/shutterstock_1521528.jpg"><img class="alignright size-medium wp-image-1591" style="margin: 10px;" title="Mobile Phone Security" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/shutterstock_1521528-199x300.jpg" alt="" width="159" height="240" /></a>Some time ago I wrote an article about <a href="http://www.gfi.com/blog/prevent-virtual-theft/">preventing virtual theft</a> &#8211; theft of goods from a virtual world (such as a game) by compromising the machine from which you play the game &#8211; and loyal reader John Mello pointed out how it’s not only gamers who have to worry about virtual theft but also mobile phone users who are being increasingly targeted by malicious hackers.</span></p>
<p>The following series of articles will focus on a risk that is often neglected &#8211; having your company compromised through devices instead of its computers. In this first article we’ll focus on a device that is found in every company &#8211; the mobile phone.</p>
<p><span id="more-1590"></span></p>
<h2>Mobile Phones</h2>
<p>Mobile phones are an essential part of every worker’s life nowadays. With the improvement in technology, mobile phones are now used as personal organizers and thus as direct business tools that hold secrets which need to be closely guarded. Every modern mobile phone includes Bluetooth, a short-range wireless protocol that lets the phone connect to other devices without cables. Unfortunately a number of issues in Bluetooth implementations have allowed hackers to exploit them. Tools are available that do anything from harvesting information about the phone to stealing confidential information such as the phone book, and it does not end there.</p>
<h3>BlueBugging</h3>
<p>How about going all out and turning a mobile phone into a 007-style gadget? In 2004 a German researcher named Herfurt discovered a bug in some Bluetooth implementations that, when exploited, allowed a PC to convince a vulnerable mobile phone that it was its legitimate wireless headset, and thus gave the attacking program nearly total control of the phone. This practice became known as BlueBugging and it offered some interesting options. For example, the exploit could make a phone silently dial another phone, turning it into a mobile bugging device through which the attacker could listen in on any conversation within reach of the phone. It could also set up call forwarding so that calls intended for the victim were forwarded to the attacker, which can be used to steal money by forwarding calls to premium-rate numbers under the attacker’s control. The risk to the company is that the victim’s mobile phone could be used to spy on meetings and to steal the contact details of high-profile clients and contacts.</p>
<h3>Bluesnarfing</h3>
<p>Another insidious risk is a practice called bluesnarfing. Bluesnarfing involves the use of Bluetooth to hack into a mobile phone and copy information; this varies from the address book to stored emails, photos and text messages. If the mobile phone is used for business related activities, contacts and text messages might include sensitive information that a company would not want compromised.</p>
<h3>Social Engineering</h3>
<p>High-tech direct attacks on a mobile phone are not the only way to get at sensitive information. Sometimes hackers target the phone company itself and convince an employee to give them access to the victim’s account. With some mobile phones backing up information to the telecom company’s servers, this can be quite risky, as <a target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html">the very famous episode with Paris Hilton has shown</a>. The Washington Post article reports that the hack involved hackers phoning a T-Mobile sales representative and using social engineering to obtain the information needed to access Paris Hilton’s online storage and copy her pictures and contacts.</p>
<h3>Physically tampering with the mobile phone</h3>
<p>In cases where Bluetooth is not available and a social engineering attack on a telecom employee will not work, a malicious person still has one option left. There are spy applications for mobile phones that, once installed, stealthily gather information and upload it whenever the phone has an internet connection via Wi-Fi or GPRS. More advanced spy applications give access to the microphone, call interception and GPS location data. The only challenge for the attacker is to gain physical access to the mobile phone for around three minutes to install the application; after that he has access to all the phone’s data from anywhere in the world.</p>
<h2>How to protect oneself against such attacks</h2>
<p>Bluetooth attacks can be mitigated by disabling Bluetooth if you do not really use it. If you do use it, for a hands-free set for example, make sure you watch for and install firmware updates whenever a security fix is released. Most of these attacks are patched once they go public, but unfortunately not many people update their phone firmware because doing so generally wipes the phone, which is a hassle for the customer.</p>
<p>Always keep your mobile phone with you. Leaving your mobile phone unattended can give a malicious person the time that he needs to compromise it. Don’t forget it only takes 3 minutes for a malicious person to compromise your phone and give him the ability to spy on you whenever he wants.</p>
<p>If your mobile phone stores information online at the telecom company site, keep in mind that your data is potentially at risk on two fronts, one of which you have no control over.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/hacking-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Delete Windows Patch Install Folders in Vista</title>
		<link>http://www.gfi.com/blog/delete-windows-patch-install-folders-vista/</link>
		<comments>http://www.gfi.com/blog/delete-windows-patch-install-folders-vista/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 17:04:53 +0000</pubDate>
		<dc:creator>Bogdan Bot-Rus</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Windows patches]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1582</guid>
		<description><![CDATA[After installing Windows Patches the user may find strange looking folders (with names that are hexadecimal numbers, i.e. only the letters a-f and the digits 0-9) at the top level of a drive.  Some of these folders are ...<p><a href="http://www.gfi.com/blog/delete-windows-patch-install-folders-vista/">How to Delete Windows Patch Install Folders in Vista</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p>After installing Windows Patches the user may find strange looking folders (with names that are hexadecimal numbers, i.e. only letters a-z and 0-9) at the top level of a drive.  Some of these folders are only temporary folders and are not needed once the patch has been installed.</p>
<p>In Figure 1, the Microsoft patch “Security Update for Microsoft Visual Studio 2008 (KB972221)” left behind a folder named <code>D:\d707465963f1f97d0d9e8ad0d33066cd</code>.</p>
<p><a class="lightbox" title="PatchFolder" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/PatchFolder.png"><img class="aligncenter size-medium wp-image-1583" title="PatchFolder" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/PatchFolder-300x223.png" alt="" width="300" height="223" /></a></p>
<p style="text-align: center;">Figure 1 KB972221</p>
<p style="text-align: center;"><span id="more-1582"></span></p>
<p>These folders are temporary folders (e.g. uncompressed archives) created by the patch installation mechanism and deleted once a patch is successfully installed. If the patch installation does not finish (e.g. if the computer is restarted while installing the patch) these folders might remain on the file system.</p>
<p><strong>Note: </strong>please be cautious when deleting folders. Do not delete folders unless you are certain they are no longer needed. Do not delete folders for patch installations that are currently running. Make sure that you have usable backups of the folders before deleting them.</p>
<p>Even members of the Administrators group cannot delete these folders directly.</p>
<p><a class="lightbox" title="CannotDelete" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/CannotDelete.png"><img class="aligncenter size-medium wp-image-1585" title="CannotDelete" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/CannotDelete-251x300.png" alt="" width="251" height="300" /></a></p>
<p style="text-align: center;">Figure 2 Deleting folder</p>
<p>This is because the folders are owned by the SYSTEM account and the Administrators group has not been granted permission to delete them.</p>
<p><a class="lightbox" title="ls-l" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/ls-l.png"><img class="aligncenter size-medium wp-image-1584" title="ls-l" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/ls-l-219x300.png" alt="" width="219" height="300" /></a></p>
<p style="text-align: center;">Figure 3 Folder permissions</p>
<h2>How can I Delete these Folders?</h2>
<p>In order to delete these folders you need to change the owner of the folder to your current user and then you need to grant the necessary permissions to the new owner.</p>
<p>In order to do these changes you can use either Windows Explorer or the command line.</p>
<p>The commands to use from the command line are (<code>/r</code> and <code>/t</code> recurse into subfolders and files, <code>/d y</code> answers &#8220;yes&#8221; when takeown asks about folders the current user cannot list, and <code>:F</code> grants full control):</p>
<p><code>takeown /f &lt;FolderName&gt; /r /d y</code></p>
<p><code>icacls &lt;FolderName&gt; /grant &lt;UserName&gt;:F /t</code></p>
<p>E.g.</p>
<p><code>C:\&gt;takeown /f D:\d707465963f1f97d0d9e8ad0d33066cd /r /d y</code></p>
<p><code>SUCCESS: The file (or folder): "D:\d707465963f1f97d0d9e8ad0d33066cd" now owned by user "PC\Administrator".</code></p>
<p><code>...</code></p>
<p><code>C:\&gt;icacls D:\d707465963f1f97d0d9e8ad0d33066cd /grant administrator:F /t</code></p>
<p><code>processed file: D:\d707465963f1f97d0d9e8ad0d33066cd</code></p>
<p><code>Successfully processed x files; Failed processing 0 files</code></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/delete-windows-patch-install-folders-vista/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When employees bite back &#8211; Security in organizations</title>
		<link>http://www.gfi.com/blog/when-employees-bite-back-security-in-organizations/</link>
		<comments>http://www.gfi.com/blog/when-employees-bite-back-security-in-organizations/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 15:48:28 +0000</pubDate>
		<dc:creator>David Kelleher</dc:creator>
				<category><![CDATA[SMB Zone]]></category>
		<category><![CDATA[password policies]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1577</guid>
		<description><![CDATA[Two men in Indiana, US are facing up to five years in prison and a quarter of a million dollar fine after they were allegedly caught using old passwords to gain access to the company’s ...<p><a href="http://www.gfi.com/blog/when-employees-bite-back-security-in-organizations/">When employees bite back &#8211; Security in organizations</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Disgruntled employees can be a security risk to a company" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/shutterstock_40349152.jpg"><img class="alignright size-medium wp-image-1578" style="margin: 10px;" title="Disgruntled employees can be a security risk to a company" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/shutterstock_40349152-300x215.jpg" alt="" width="270" height="194" /></a>Two men in Indiana, US are facing up to five years in prison and a quarter of a million dollar fine after they were allegedly caught using old passwords to gain access to the company’s network even though they were no longer employed there.</p>
<p>Federal authorities said the two men had left their jobs in 2004 and early 2005 but were still able to <a target="_blank" href="http://www.theregister.co.uk/2009/11/05/computer_intrusion_charges_filed/">connect to their former employer’s network by using old passwords</a> in 2006. The pair are charged with computer intrusion and with gaining access to proprietary information.</p>
<p><span id="more-1577"></span></p>
<p>There is no doubt that such an incident should never have occurred had the company in question followed security best practice when employees resign or are terminated (and, for that matter, had it made sure that passwords expire after a set period).</p>
<p>Security experts point out that the period between the date when the employee hands in his or her letter of resignation and the date when the employee leaves the company is crucial and immediate action is advised.</p>
<p>There are important steps that a company’s security team needs to take, especially if the departing employee is a member of the security team or has access to critical systems or confidential information. All security arrangements must be changed to exclude the ex-employee from the building and from information systems, reducing the risk of data leakage or attempts to damage the network.</p>
<p>These can be summarized as follows:</p>
<ul>
<li>Remove the person from all security roles and email distribution groups.</li>
<li>Inform key personnel, especially those responsible for the physical security of the organization, that the individual is leaving the company and when.</li>
<li>Retrieve key-code access cards, keys and other access items; close and disable the employee’s user and email accounts. Change administrator passwords if the employee knows them.</li>
<li>Remove or change all passwords the employee may have for any secured system, be it servers, workstations, databases, VPN access codes etc.</li>
<li>Inform other staff members, including external parties, that the employee is no longer employed. This is critical for high-level employees.</li>
<li>Ensure that the employee is not the only person who knows the passwords to critical systems (i.e. he or she is not a single point of failure and <a target="_blank" href="http://www.computerworld.com/s/article/9110176/Update_IT_admin_locks_up_San_Francisco_s_network?intsrc=it_blogwatch">can hold the organization to ransom</a>).</li>
<li>Monitor all systems accessed by the employee from the day of resignation to ensure that no data is copied from the network. Provide temporary access until the employee’s last day, then disable those accounts and permissions.</li>
</ul>
<p>Although most employees leaving the company will not have any malicious intentions, those who are disgruntled or leaving to join a competitor may be tempted to steal information or equipment.</p>
<p>Taking appropriate and immediate action when an employee resigns or is terminated greatly reduces the risk that security is compromised. Cases like the one above may be rare, but no organization should take the risk.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/when-employees-bite-back-security-in-organizations/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>compiled from source = bad security practice</title>
		<link>http://www.gfi.com/blog/compiled-source-bad-security-practice/</link>
		<comments>http://www.gfi.com/blog/compiled-source-bad-security-practice/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 10:44:42 +0000</pubDate>
		<dc:creator>Miro Stauder</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[open source]]></category>
		<category><![CDATA[package management]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1567</guid>
		<description><![CDATA[Today I saw a ‘how-to’ of what is supposed to be the &#8216;perfect server&#8216; setup. Well, the &#8216;perfect&#8217; was not meant literally, but the setup is in fact very nice &#8211; from a functional point ...<p><a href="http://www.gfi.com/blog/compiled-source-bad-security-practice/">compiled from source = bad security practice</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="server setup" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/server-setup.jpg"><img class="alignright size-medium wp-image-1568" style="margin: 10px;" title="server setup" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/server-setup-300x300.jpg" alt="" width="240" height="240" /></a>Today I saw a ‘how-to’ of what is supposed to be <a href="http://www.howtoforge.com/perfect-server-centos-5.4-x86_64-ispconfig-3" target="_blank">the &#8216;</a><strong><a target="_blank" href="http://www.howtoforge.com/perfect-server-centos-5.4-x86_64-ispconfig-3" target="_blank">perfect server</a></strong><a target="_blank" href="http://www.howtoforge.com/perfect-server-centos-5.4-x86_64-ispconfig-3" target="_blank">&#8216; setup</a>. Well, the &#8216;perfect&#8217; was not meant literally, but the setup is in fact very nice &#8211; from a functional point of view.</p>
<p>Open source is great, you can learn a lot from looking at the source code of an application, you can even fix a bug here and there, or code in a feature you always wanted. And all for free&#8230;</p>
<p>What bothered me with this setup was the excessive number of <strong>custom compiled</strong> subsystems needed to make everything behave as desired. Getting the system working is a nice achievement, but keeping it running in production would be a nightmare. On a binary package based distro this is <strong>bad security practice</strong>; let me explain why.</p>
<p><span id="more-1567"></span></p>
<p>Applications compiled from source do not integrate with the package manager, and when they do (via <strong>rpmbuild</strong>) it is usually just a quick hack to wrap the build in a package so that it can be installed. The package appears in the inventory, but versioning is broken, dependency tracking is broken and updates are broken&#8230;</p>
<p>The administrator would have to track changes to each custom compiled subsystem, pick out the worthwhile updates, watch for <strong>security fixes</strong>, then patch, compile, reconfigure and test the system while keeping good uptime. That is not good and you do not want to do that, unless you are some kind of masochist!</p>
<p>Instead, let&#8217;s use the resources of the distro&#8217;s packaging team. That is what we have <strong>package management</strong> for. Use it! Each of the top distros has a dedicated team keeping its packages up to date.</p>
<p>If your distro does not natively provide the package you need, look for optional or third-party repositories. Your requirements are usually not that unique, and the application is probably already packaged in one of them. There is a good chance that such repositories are maintained well enough that updates will be available when needed. Either way, keep track of what you build yourself: a binary the package manager does not know about is one that no distro security update will ever touch.</p>
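<p>To find out how much of that untracked software is already on a box, here is an added example (not code from the original post or from the how-to it discusses) in Python: it walks the directories where self-built software usually ends up, asks rpm or dpkg who owns each executable, and lists the orphans that will never receive a package update. The directory list is an assumption, and the inventory at the bottom is constructed so the logic can be exercised without a package database.</p>

```python
"""Find executables that the package manager does not know about.

Added example, not code from the original post or from the how-to it
discusses. Software compiled from source normally lands in /usr/local or
/opt, where rpm and dpkg never look, so it receives no security updates.
This walks those directories, asks the package database who owns each
executable, and lists the orphans. The owner lookup is injected so the
logic can be exercised on the constructed inventory at the bottom without
a package database; the directory list is an assumption about where
"make install" usually puts things.
"""
import os
import shutil
import subprocess

# Assumption: the usual destinations of a source build.
BIN_DIRS = ("/usr/local/bin", "/usr/local/sbin", "/opt")


def rpm_owner(path):
    """Package owning path according to rpm, or None (rpm -qf exits non-zero)."""
    r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def dpkg_owner(path):
    """Package owning path according to dpkg, or None (dpkg -S exits non-zero)."""
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    # dpkg -S prints "package: /path"; keep only the package name.
    return r.stdout.split(":", 1)[0].strip() if r.returncode == 0 else None


def pick_owner_lookup():
    """Use rpm or dpkg depending on what the host has; None if neither."""
    if shutil.which("rpm"):
        return rpm_owner
    if shutil.which("dpkg"):
        return dpkg_owner
    return None


def list_executables(dirs=BIN_DIRS):
    """Regular executable files below dirs (symlinks and missing dirs skipped)."""
    found = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if os.path.isfile(p) and not os.path.islink(p) and os.access(p, os.X_OK):
                    found.append(p)
    return found


def unmanaged(paths, owner_of):
    """Paths for which owner_of() reports no owning package, sorted."""
    return sorted(p for p in paths if owner_of(p) is None)


# Constructed sample inventory: a distro-packaged PHP next to two self-built
# binaries. The package name is made up for the example.
SAMPLE_PATHS = ["/usr/local/sbin/httpd", "/usr/bin/php", "/usr/local/bin/php"]
SAMPLE_OWNERS = {"/usr/bin/php": "php-5.1.6-27.el5"}


def sample_lookup(path):
    """Stand-in for rpm_owner/dpkg_owner over the constructed inventory."""
    return SAMPLE_OWNERS.get(path)


if __name__ == "__main__":
    # Audit the real host if a package manager is present, otherwise
    # demonstrate on the constructed inventory.
    lookup = pick_owner_lookup()
    if lookup is None:
        lookup, paths = sample_lookup, SAMPLE_PATHS
    else:
        paths = list_executables()
    for p in unmanaged(paths, lookup):
        print("not owned by any package:", p)
```

<p>Every path it prints is software whose updates are your problem, not the packaging team&#8217;s; each one is worth replacing with a build from the distro or an optional repository, or at least adding to a list you check against upstream security announcements.</p>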
<p>Next time when you decide to install something, think &#8211; is it also maintainable?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/compiled-source-bad-security-practice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to prevent Virtual Theft</title>
		<link>http://www.gfi.com/blog/prevent-virtual-theft/</link>
		<comments>http://www.gfi.com/blog/prevent-virtual-theft/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 13:59:07 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[online theft]]></category>
		<category><![CDATA[virtual theft]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1571</guid>
		<description><![CDATA[We have talked a lot about theft in the real world so I guess it is about time we also discuss theft in virtual world. The BBC reported that some Trojan software are now targeting Online ...<p><a href="http://www.gfi.com/blog/prevent-virtual-theft/">How to prevent Virtual Theft</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="online gaming theft" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/online-gaming-theft.jpg"><img class="alignright size-medium wp-image-1572" style="margin: 10px;" title="online gaming theft" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/online-gaming-theft-300x200.jpg" alt="" width="300" height="200" /></a>We have talked a lot about theft in the real world so I guess it is about time we also discuss theft in virtual world. The <a href="http://news.bbc.co.uk/2/hi/technology/8338227.stm" target="_blank">BBC reported that some Trojan software are now targeting Online Games and stealing login information</a> from their victims. Microsoft have stated that <a target="_blank" href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FTaterf.gen!A">Taterf</a> (one such Trojan) was reported to have infected nearly 5 million computers in the last 6 months of 2008.</p>
<p>So why do malicious people bother stealing online games credentials? The answer as always is Money.</p>
<p><span id="more-1571"></span></p>
<p>Since the dawn of online gaming people have figured out that there is money to be made by selling virtual goods and ‘in game’ currency for real money. Compared with offline games, online games are generally slow to generate ‘in game’ money for players, and that money buys better equipment, which gives a player an edge over the others. This creates two needs that malicious people can exploit.</p>
<p>The first need is obviously for ‘in game’ money, and then there is the need for premium virtual objects. Where there are needs one can be sure that there will be people selling items to satisfy them, and here it is no different. While buying and selling game items, including ‘in game’ currency, is prohibited by the EULAs of most, if not all, online games, the practice is still widespread. A quick search on Google returns numerous sites that sell gold and/or items for World of Warcraft and other games. Prices are quite similar, with the cheapest I found being $31.49 for 5000 World of Warcraft gold coins, while the most expensive site wanted $47.99 for the same amount. Now the question is: what are 5000 gold coins really worth? For a new player who plays casually, 5000 gold coins represent a couple of months of gaming, but this is just a very rough estimate. For veteran players these sites sell bundles of 100,000 gold coins for ~$600. And that’s not all. It is also possible to buy ‘in game’ items, with rare items going for over $1000 each. All of this illustrates that even though we are talking about games and items that do not really exist, they still have real world value, which makes them worth stealing.</p>
<p>The people selling these items do not have magical ways of acquiring them. In some cases bots are used: programs that take control of the game client and perform tasks automatically without the player’s intervention. While they are great for generating gold while someone is busy at work or doing something else, they too are forbidden by the game EULAs. <a target="_blank" href="http://terranova.blogs.com/terra_nova/2008/07/blizzard-wins-v.html">A court has also ruled against one such bot</a>, and this is the only court case I know of against such programs. Furthermore, accounts using bots are sure to be banned if caught, so using bots to generate gold is not very efficient. This leaves one other way to obtain gold and items in quantity and efficiently &#8211; steal them from other players, and the only way to do that is to get access to the player’s account.</p>
<p>Another motivator for people to resort to stealing virtual items is that it is generally safer for them than stealing money or items in the real world. Prosecution for stealing virtual items is rare, if it happens at all, while anyone who steals money from a bank can be sure the police will be looking for them almost immediately. This is not to say that stealing virtual items automatically makes a person safe, as this story illustrates &#8211; <a target="_blank" href="http://www.abc.net.au/news/newsitems/200503/s1334618.htm">a guy killed another player for stealing his virtual sword</a> after the police said they couldn’t do anything about it.</p>
<p>In conclusion, people who play online games invest both time and money in them and they too are assets that require protection. Security is not something that applies only to big companies, even a home user who uses his computer exclusively for gaming needs to secure his environment or risk losing everything virtual that they own. In short, the threats you need to defend against in your online game are not just enemies within the game but also malicious people in the real world who would love to get hold of your items the easy way.</p>
<p>Something to consider is that if someone has access to your account it means they have access to your credentials. If those same credentials are used elsewhere then that too is at risk. This is more so if those same credentials give access to systems inside your company IT infrastructure. Even though the risk might be low since the person who stole the credentials needs to link you to your workplace it still can be done. For this reason and more it is good practice to change all the passwords in the event that a password which gives access to multiple systems is compromised.</p>
<p>The usual tips apply here as well.</p>
<ul>
<li>Always ensure you are running an antivirus programme that is up to date.</li>
<li>Do not visit dubious sites that might carry viruses or at least ensure that your web access is also scanned for possible viruses.</li>
<li>Do not click on email attachments without knowing what they are, especially if they are executables &#8211; no matter who is sending them.</li>
<li>Always ensure that your computer has the latest patches and is fully up to date.</li>
</ul>
<p>It is also good to remember that your game credentials are likely to be a target for malicious people almost as much as bank credentials are. For this reason I would recommend that you try to use unique credentials for online games. Do not use the same login and password you use for your systems, emails and anything else.</p>
<p><a href="http://www.gfi.com/blog/prevent-virtual-theft/">How to prevent Virtual Theft</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/prevent-virtual-theft/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>GFI WebMonitor 2009™ launches as stand-alone proxy version</title>
		<link>http://www.gfi.com/blog/gfi-webmonitor-2009-launches-standalone-version/</link>
		<comments>http://www.gfi.com/blog/gfi-webmonitor-2009-launches-standalone-version/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 12:55:50 +0000</pubDate>
		<dc:creator>Giselle Borg Olivier</dc:creator>
				<category><![CDATA[GFI World]]></category>
		<category><![CDATA[Headline]]></category>
		<category><![CDATA[GFI WebMonitor 2009]]></category>
		<category><![CDATA[internet monitoring]]></category>
		<category><![CDATA[virus scanning]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1534</guid>
		<description><![CDATA[GFI WebMonitor 2009™ is now available as a stand-alone proxy.
The perfect internet monitoring solution for the SMB market, this new version of GFI WebMonitor will work in most networking environments and allows administrators to manage ...<p><a href="http://www.gfi.com/blog/gfi-webmonitor-2009-launches-standalone-version/">GFI WebMonitor 2009™ launches as stand-alone proxy version</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="GFI WebMonitor Bob" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/GFI-WebMonitor-Bob.jpg"><img class="alignright size-medium wp-image-1547" style="margin: 10px;" title="GFI WebMonitor Bob" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/GFI-WebMonitor-Bob-225x300.jpg" alt="" width="180" height="240" /></a>GFI WebMonitor 2009™ is now available as a stand-alone proxy.</p>
<p>The perfect internet monitoring solution for the SMB market, this new version of GFI WebMonitor will work in most networking environments and allows administrators to manage and control employee access to the Internet as well as provide a high level of security against web-borne threats.</p>
<p>GFI WebMonitor 2009™ offers IM control, virus scanning, the ability to block applications’ hidden downloads, hidden downloads monitoring, bandwidth monitoring and more.</p>
<p>GFI WebMonitor 2009™ is also available as a dedicated plug-in for Microsoft ISA Server.</p>
<p><span id="more-1534"></span></p>
<p><strong>Download your FREE trial here &#8211; </strong><strong><a href="http://www.gfi.com/pages/webmon-selection-download.asp">http://www.gfi.com/pages/webmon-selection-download.asp</a></strong></p>
<p><strong>Check out the <a target="_blank" href="http://www.youtube.com/watch?v=5euhVvkVnj4">GFI WebMonitor 2009™ QuickVid</a></strong><strong>.</strong></p>
<p>The launch of GFI WebMonitor 2009™ was held in the GFI offices worldwide with Bob patrolling the area as he cordoned off the offices:</p>
<p><span style="text-decoration: underline;">APAC Offices:</span></p>
<p><a class="lightbox" title="APAC Office" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/clip_image301.jpg"><img class="alignnone size-medium wp-image-1537" title="APAC Office" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/clip_image301-225x300.jpg" alt="" width="225" height="300" /></a> <a class="lightbox" title="APAC offices" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/clip_image501.jpg"><img class="alignnone size-medium wp-image-1538" title="APAC offices" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/clip_image501-300x220.jpg" alt="" width="300" height="220" /></a></p>
<p><span style="text-decoration: underline;">Malta Offices:</span></p>
<p><a class="lightbox" title="WebMon Bob" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/4071618726_fa91e803e5_b_small.jpg"><img class="alignnone size-medium wp-image-1539" title="WebMon Bob" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/4071618726_fa91e803e5_b_small-225x300.jpg" alt="" width="225" height="300" /></a> <a class="lightbox" title="GFI WebMon launch at GFI Malta" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/clip_image001_small.jpg"><img class="alignnone size-medium wp-image-1540" title="GFI WebMon launch at GFI Malta" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/clip_image001_small-225x300.jpg" alt="" width="225" height="300" /></a></p>
<p><span style="text-decoration: underline;">UK Offices:</span></p>
<p><span><a class="lightbox" title="GFI WebMonitor launch at GFI UK" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/3_small.jpg"><img class="alignnone size-medium wp-image-1541" title="GFI WebMonitor launch at GFI UK" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/3_small-300x225.jpg" alt="" width="300" height="225" /></a> <a class="lightbox" title="WebMon launch in UK" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/7_small.jpg"><img class="alignnone size-medium wp-image-1542" title="WebMon launch in UK" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/7_small-225x300.jpg" alt="" width="225" height="300" /></a></span></p>
<p><span style="text-decoration: underline;">Dundee Offices:</span></p>
<p><span><a class="lightbox" title="WebMon launch in Dundee" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/5.jpg"><img class="alignnone size-medium wp-image-1549" title="WebMon launch in Dundee" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/5-300x224.jpg" alt="" width="300" height="224" /></a> <span style="-webkit-text-decorations-in-effect: none;"><img class="alignnone size-medium wp-image-1550" style="text-decoration: underline;" title="GFI Webmon launch in Dundee" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/6-225x300.jpg" alt="" width="225" height="300" /></span></span></p>
<p><span><span style="text-decoration: underline;">US Offices:</span></span></p>
<p><span><span><a class="lightbox" title="GFI WebMon launch at GFI USA" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/P1010010.JPG"><img class="alignnone size-medium wp-image-1551" title="GFI WebMon launch at GFI USA" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/P1010010-225x300.jpg" alt="" width="225" height="300" /></a> <a class="lightbox" title="GFI WebMonitor 2009 at GFI USA" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/WEBMON2009USA8.jpg"><img class="alignnone size-medium wp-image-1552" title="GFI WebMonitor 2009 at GFI USA" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/WEBMON2009USA8-300x225.jpg" alt="" width="300" height="225" /></a></span><span style="-webkit-text-decorations-in-effect: none;"> </span></span></p>
<p><a href="http://www.gfi.com/blog/gfi-webmonitor-2009-launches-standalone-version/">GFI WebMonitor 2009™ launches as stand-alone proxy version</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/gfi-webmonitor-2009-launches-standalone-version/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The way forward for GFI</title>
		<link>http://www.gfi.com/blog/the-way-forward-for-gfi/</link>
		<comments>http://www.gfi.com/blog/the-way-forward-for-gfi/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 10:29:33 +0000</pubDate>
		<dc:creator>Walter Scott (CEO)</dc:creator>
				<category><![CDATA[CEO Central]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[ceo]]></category>
		<category><![CDATA[Channel solutions]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[GFI MAX]]></category>
		<category><![CDATA[katharion]]></category>
		<category><![CDATA[MSP]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1530</guid>
		<description><![CDATA[News of the launch of GFI MAX in July and the announcement that we have acquired Katharion have generated a huge amount of interest among the Channel and in the media.
To cite a few examples, ...<p><a href="http://www.gfi.com/blog/the-way-forward-for-gfi/">The way forward for GFI</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="GFI's vision for the future" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/Vision-sign.jpg"><img class="alignright size-medium wp-image-1531" style="margin: 10px;" title="GFI's vision for the future" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/Vision-sign-300x200.jpg" alt="" width="300" height="200" /></a>News of the launch of GFI MAX in July and the announcement that we have acquired Katharion have generated a huge amount of interest among the Channel and in the media.</p>
<p>To cite a few examples, we have had over 1,000 partners attend our GFI MAX introductory webinars and partner sponsored events and the number of registrations to try out the software on a trial basis has rocketed. We have also featured in the leading Channel publications and scores of websites carried our press releases.</p>
<p><span id="more-1530"></span></p>
<p>I feel this interest goes beyond pure curiosity and reflects the Channel’s genuine need for solutions that give Partners what they are looking for – complementary solutions that enable them to sell more and provide added value to their clients.</p>
<p>With GFI MAX we are offering the channel a fantastic opportunity to become managed service providers using a product that recently won the Business Solutions Magazine’s Best Channel Product 2009 Award. Recognized by the Channel as one of the best products on the market, this award validates our position when we say that GFI MAX is the best monitoring solution on the market, with the best reporting and the best value for the Channel.</p>
<p>I cannot stress enough the importance of value. A survey we carried out in June clearly showed that MSPs still find it hard to show customers value from managed services contracts. With GFI MAX, however, we have shown that an easy, affordable solution exists that can help MSPs to take better care of their clients at less cost.</p>
<p>With Katharion, we will be able to increase our solutions portfolio and to strengthen our commitment to our Channel partners worldwide. The Katharion solution, which we will be launching later this quarter, is another solution for the Channel to sell to both their existing customer base and new customers. Now they will be in a position to offer a hosted email filtering, anti-spam and anti-virus service.</p>
<p>Katharion now puts us in a position to give customers and the Channel the option to sell a hosted solution and a bevy of edge services that will only help them to improve sales, margins and profits. Ultimately, the Channel’s success is our success.</p>
<p>Our message is simple: We want to give our partners and clients the ability to maximize the strengths of both online and on-premise solutions. We are confident that our Hybrid approach (nearly all of our products will be available online or on-premise) is the best one for small and medium-sized businesses.</p>
<p>By combining our hybrid approach with a range of ‘edge services’ – aimed at providing defence-in-depth, business continuity and redundancy – we are giving the best possible solutions and infrastructure to partners and our customers. The hybrid approach will help them to improve the way they do business and the security of their network at minimal cost to them and without the need for expensive changes to their set-up.</p>
<p>Overall, these acquisitions will allow GFI to continue developing its solutions portfolio and our ability to be an infrastructure provider for the small and medium-size business.</p>
<p>As I have had occasion to say over the past few weeks, these acquisitions are but the first step of our journey to provide the Channel and our customer install base with the option to choose between on-premise and on-line products or a combination of both.</p>
<p>Technology gives choice and I believe we, as vendors for small and medium sized businesses, should not restrict them into choosing either way. Giving them a hybrid delivery model, not only ensures that we are listening to and giving SMBs what they need but it also gives us a much wider market in which to grow and do business.</p>
<p>Our approach to managed services and Cloud computing is a work in progress and we are looking at new technologies and other companies that can help us offer our current on-premise solutions in the Cloud while contributing further to our growth and revenue.</p>
<p>This is an exciting phase in GFI’s history, so stay tuned for more developments in the coming weeks.</p>
<p><a href="http://www.gfi.com/blog/the-way-forward-for-gfi/">The way forward for GFI</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-way-forward-for-gfi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Search Engines, Friend or Foe?</title>
		<link>http://www.gfi.com/blog/search-engines-friend-foe/</link>
		<comments>http://www.gfi.com/blog/search-engines-friend-foe/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 14:02:25 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[search engines]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1372</guid>
		<description><![CDATA[Security is all about identifying threats and provisioning for them before your enemy exploits that threat. There are so many vectors to take care of that it truly is a daunting task.
Input validation, perimeter control, ...<p><a href="http://www.gfi.com/blog/search-engines-friend-foe/">Search Engines, Friend or Foe?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal; font-size: 13px;"><a class="lightbox" title="Search Engines - Friend or Foe" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Search-Engines-Friend-or-Foe.jpg"><img class="alignright size-medium wp-image-1373" style="margin: 10px;" title="Search Engines - Friend or Foe" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Search-Engines-Friend-or-Foe-300x231.jpg" alt="" width="300" height="231" /></a>Security is all about identifying threats and provisioning for them before your enemy exploits that threat. There are so many vectors to take care of that it truly is a daunting task.</span></p>
<p><span style="font-weight: normal; font-size: 13px;">Input validation, perimeter control, user education, cryptography, physical security, access control; the list goes on and on. Each of these needs its own special considerations, things like: What validations am I going to put in place on my web application to protect my database backend? What kind of input must I discard to ensure stability? What attacks am I to expect?</span></p>
<p><span style="font-weight: normal; font-size: 13px;"><span id="more-1372"></span></span></p>
<p>There is one item though that is not generally seen in this list of concerns and that is search engines. There is awareness on the subject, there is even a term coined to describe the activity, ‘Google hacking’, but I still don’t really see it being taken seriously and not a lot of people know about it either.</p>
<p>In this article I will focus mainly on Google, because it is the most popular search engine and because it offers advanced functionality that helps people find what they want efficiently. That efficiency can be used by you and me but can also be used by someone who has less than good intentions.</p>
<h2>How can search engines such as Google be a threat to security?</h2>
<p>Well the answer to that is: In many ways.</p>
<h3>Confidential information</h3>
<p>The obvious threat is finding restricted information. Google indexes not only web pages but, in some cases, the text inside a number of supported document formats. These include:</p>
<ul>
<li>Adobe Portable Document Format (pdf)</li>
<li>Adobe PostScript (ps)</li>
<li>Lotus 1-2-3 (wk1, wk2, wk3, wk4, wk5, wki, wks, wku)</li>
<li>Lotus WordPro (lwp)</li>
<li>MacWrite (mw)</li>
<li>Microsoft Excel (xls)</li>
<li>Microsoft PowerPoint (ppt)</li>
<li>Microsoft Word (doc)</li>
<li>Microsoft Works (wks, wps, wdb)</li>
<li>Microsoft Write (wri)</li>
<li>Rich Text Format (rtf)</li>
<li>Shockwave Flash (swf)</li>
<li>Text (ans, txt)</li>
</ul>
<p>This means that people can search for text in your files if they are available online using Google.  Malicious people might search for the phrase “social security number” and if there is a file on your site containing that term, it might be presented to that malicious person who can then download it.</p>
<h3>Google the Super Computer</h3>
<p>While I am sure that Google has lots of processing power in its infrastructure I am not referring to taking advantage of that power directly, but it is possible to use Google as a super computer of sorts. Let’s assume that one has an application which stores passwords as an md5 hash. Lots of applications do that and the reason is quite sound – if a password is somehow stolen it will be no big deal, because it is very computationally expensive to get the password back from an md5 hash right? It would take over a year to try breaking an 8 letter code right? WRONG. Well it would take over a year if you simply try to brute force it, but what if you search Google instead? Yes, that’s right, get an md5 hash and search it on Google. If it’s a dictionary word, chances are that you will get a hit!</p>
<p>I ran some tests and here are the results:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="294" valign="top"><strong>MD5 that was searched for</strong></td>
<td width="154" valign="top"><strong>The “password”</strong></td>
<td width="142" valign="top"><strong>Number of hits </strong></td>
</tr>
<tr>
<td width="294" valign="top">1e6947ac7fb3a9529a9726eb692c8cc5</td>
<td width="154" valign="top">Secret</td>
<td width="142" valign="top">646 Hits</td>
</tr>
<tr>
<td width="294" valign="top">1A19642CD3FE09F72D3859B102298BE3</td>
<td width="154" valign="top">Obscure</td>
<td width="142" valign="top">4 Hits</td>
</tr>
<tr>
<td width="294" valign="top">c42c37628d81546b28bad6cd8fe18ad8</td>
<td width="154" valign="top">Password</td>
<td width="142" valign="top">385 Hits</td>
</tr>
<tr>
<td width="294" valign="top">ee0b5d34cc83316018c12dd6f027e1c7</td>
<td width="154" valign="top">AFVX</td>
<td width="142" valign="top">2 Hits</td>
</tr>
</tbody>
</table>
<p>It should take roughly 300 days to guess “obscure” with a sequential brute force attack using only the English alphabet, lower and upper case, on the hardware of the day. Yet a simple search on Google returns the answer in less than a second. The assumption behind storing a bare md5 hash on a simple system is that nobody will spend years of computation cracking it, but with a search engine nobody has to: the answer is looked up, not computed. Even the md5 of a random collection of letters such as AFVX turned up a match. The same was not true for longer random strings or for phrases; searches for the md5s of those returned nothing. Still, with Google in mind and playing it safe, storing a plain md5 hash of a password is no longer enough. Each password needs its own random salt, so that the stored value is one nobody has ever published, and the hash itself should be a deliberately slow one (PBKDF2, bcrypt or scrypt), because a salt stops lookups but does nothing to slow down a brute force attack against a single hash.</p>
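<p>To make the lookup concrete, here is an added example, written for this post rather than taken from it. The “index” is a constructed stand-in for the search engine: a table built from a handful of words, including the four in the table above, keyed by their md5. Whatever has been published anywhere is, in effect, a row in that table. The second half shows the per-user salt and slow hash that the post’s “pinch of salt” turns into in practice; the function names are my own.</p>

```python
"""Added example, not code from the original post: why an unsalted md5 of a
password can be looked up rather than cracked, and what salting changes.
The "index" below is a constructed stand-in for the search engine: a table
built from a few words, including the four the post searched for.
All names here are my own."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for "search Google for the hash": anyone who has ever
# published md5("Secret") has, in effect, added a row to this table.
WORDLIST = ["Secret", "Obscure", "Password", "AFVX", "password", "letmein", "qwerty"]


def md5_hex(text: str) -> str:
    """Unsalted md5, the scheme the post is warning about."""
    return hashlib.md5(text.encode()).hexdigest()


def build_index(words: Iterable[str]) -> Dict[str, str]:
    """Map md5 digest -> plaintext, the way a search index or rainbow table does."""
    return {md5_hex(w): w for w in words}


INDEX = build_index(WORDLIST)


def lookup(digest: str) -> Optional[str]:
    """Recover a password by lookup alone: no brute force, no per-guess cost."""
    return INDEX.get(digest.lower())


# --- the salted, deliberately slow alternative --------------------------------
ITERATIONS = 200_000  # tune so that one verification costs on the order of 100 ms


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two users
    with the same password get unrelated digests, so no table built in advance,
    and no search engine, can contain the answer."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Unsalted: the digest of "Secret" is the same in every application, so one
    # published copy anywhere answers the question for everyone, forever.
    print(md5_hex("Secret"), "->", lookup(md5_hex("Secret")))
    # Salted: the same password stored twice looks like two unrelated values.
    s1, d1 = hash_password("Secret")
    s2, d2 = hash_password("Secret")
    print("digests differ:", d1 != d2)
    print("verify ok:", verify_password("Secret", s1, d1),
          "wrong case:", verify_password("secret", s1, d1))
```

<p>The salt is stored next to the digest in the clear; its job is not to be secret but to make every stored value unique, which is exactly what a search engine cannot help with. The iteration count is what keeps brute force expensive once the attacker has the salt.</p>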
<h3>Aiding Malicious Hackers</h3>
<p>Another hazard presented by search engines is granting the ability to malicious hackers to either find you or to attack you without any warning. An attack can present itself in one of two possibilities – you can either have been a target of opportunity or this was a targeted attack. In both cases a malicious hacker is able to use Google as one of his tools.</p>
<h3>Target of Opportunity</h3>
<p>Sometimes a hacker doesn’t have a particular target in mind; instead he has exploits and wants to use them to gain access to as many machines as possible. The first step is to identify machines that have the vulnerabilities he can exploit. In pre-Google days this meant scanning the internet for the service he intended to exploit and then identifying the version on each host the scan turned up, which took a very long time. Today a single search produces a list of targets in less than a second. Searching for <strong>intitle:index.of &#8220;Apache/1.3.34 Server at&#8221;</strong>, for example, returns a huge list (3 million+) of hosts that are running Apache 1.3.34 and also have directory listing enabled in some of their web folders, because both the autoindex page title and the Apache signature footer end up in the indexed page. It is not just Apache that can be found this way: IIS, web applications, scripts and even appliances, anything with a web front-end that Google has indexed. Searching for <strong>inurl:hp/device/this.LCDispatcher</strong>, for example, returns a number of web front-ends for HP LaserJet printers.</p>
<p>Please realize that if you try these searches they will return real live systems and printers that people and companies are using. Use these queries to test your own sites; be aware that accessing printers that you do not own might open you up to legal action. These examples are only provided to illustrate the point and the dangers, please do not misuse the knowledge.</p>
<h3>Targeted attack</h3>
<p>In the previous section we saw how Google can help a malicious hacker find a target of opportunity, but how can Google help a hacker who intends to target a specific person?</p>
<p>When a malicious hacker intends to infiltrate a specific target, the first step is to gather intelligence. He needs to catalogue every service, server and appliance that is reachable from his location (the internet). Previously he would have achieved this by scanning the target for open ports and fingerprinting them, which still works today but leaves a footprint. That footprint can be picked up by firewalls and log analysers and can alert an administrator that someone is scanning his network, giving him time to prepare, keep a close eye on things and possibly even track the attacker down. At the very least it leaves a trail back to the attacker, even if he never finds a weakness and never acts on his intentions. What if he does his fingerprinting using Google instead?</p>
<p>Using a search query like site:[domain] Google will list all the indexed pages on that site. In such results one might find, services running, servers, versions, scripts and even appliances. The attacker can then, without exposing himself, start to devise an attack plan without worrying whether the administrator of the target site is on to him. Additionally should he decide that he has no way he can penetrate his target he can safely give up without any consequences.</p>
<p>In conclusion, search engines are of course very useful in letting us find things easily and quickly; unfortunately they let people with malicious intent find what they are interested in just as easily. So keep search engines in mind when going through your security tasks, whether during development, system administration, web design or anything else a search engine can touch. Don’t depend on security by obscurity, as that obscurity might not be as obscure as you imagine. Simple precautions help a lot. You can control where on your site Google will index and where it will not, through robots.txt and the webmaster tools. Bear in mind, though, that robots.txt only asks well-behaved crawlers to stay away, and is itself a public file that lists the very paths you would rather not advertise, so anything genuinely sensitive needs authentication, not just exclusion from the index. There are a lot of resources that webmasters can use at: <a target="_blank" href="http://www.google.com/webmasters/">http://www.google.com/webmasters/</a> and <a target="_blank" href="http://www.google.com/support/webmasters/">http://www.google.com/support/webmasters/</a></p>
<p>It is also important to disable directory listings unless they are absolutely needed, and where they are needed they should be protected as well. Appliances such as printers should never be exposed to the internet unless absolutely necessary, and when they are, make sure they are secured and not accessible to everyone. Always remember that an appliance can be used just like any other machine to gain a foothold inside your network.</p>
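<p>As an added example (not part of the original post), here is a small Python script that applies the two checks discussed above to a site's own pages: whether a page is an auto-generated directory listing of the kind a site: query will happily surface, and whether it carries a noindex signal (an X-Robots-Tag header or a robots meta tag) that keeps it out of search results. The sample responses are constructed by hand so that the script runs offline; to audit a live site, replace SAMPLE with responses fetched from your own servers. Remember that noindex only keeps a page out of the index: the fix for a listing is to disable it on the server (Options -Indexes in Apache, autoindex off in nginx) and to put anything sensitive behind authentication.</p>

```python
"""Audit HTTP responses for directory listings and missing noindex signals.

Added example, not the original post's code. The responses in SAMPLE are
constructed for illustration and were not captured from any real site.
"""
import re
from html.parser import HTMLParser

# Title and link patterns that the stock Apache/nginx/IIS auto-index pages emit.
_LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_LISTING_LINK = re.compile(r'href="\.\./"|Parent Directory', re.IGNORECASE)


def looks_like_directory_listing(body: str) -> bool:
    """True if the body resembles a server-generated directory index."""
    return bool(_LISTING_TITLE.search(body)) or bool(_LISTING_LINK.search(body))


class _RobotsMetaParser(HTMLParser):
    """Collects the content attribute of <meta name="robots"> / "googlebot" tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.append(a.get("content", "").lower())


def is_noindexed(headers: dict, body: str) -> bool:
    """True if either an X-Robots-Tag header or a robots meta tag says noindex."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and "noindex" in value.lower():
            return True
    parser = _RobotsMetaParser()
    parser.feed(body)
    return any("noindex" in d for d in parser.directives)


def audit(responses):
    """responses: iterable of (url, status, headers, body).
    Returns a list of (url, finding) for every successful page that is
    either a directory listing or carries no noindex signal."""
    findings = []
    for url, status, headers, body in responses:
        if status != 200:
            continue  # errors and redirects are not indexed as content
        if looks_like_directory_listing(body):
            findings.append((url, "directory listing enabled"))
        if not is_noindexed(headers, body):
            findings.append((url, "no noindex signal; search engines may index this"))
    return findings


# Constructed sample responses (hypothetical host, not a real capture).
SAMPLE = [
    ("http://intranet.example/backups/", 200, {"Content-Type": "text/html"},
     "<html><head><title>Index of /backups</title></head><body>"
     "<h1>Index of /backups</h1><a href=\"../\">Parent Directory</a>"
     "<a href=\"db-2009-10.sql.gz\">db-2009-10.sql.gz</a></body></html>"),
    ("http://intranet.example/admin/status.cgi", 200,
     {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
     "<html><head><title>Status</title></head><body>ok</body></html>"),
    ("http://intranet.example/printer/", 200, {"Content-Type": "text/html"},
     "<html><head><meta name=\"robots\" content=\"noindex\"><title>Printer</title>"
     "</head><body>Ready</body></html>"),
    ("http://intranet.example/old/", 404, {}, "Not found"),
]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(f"{url}: {finding}")
```

<p>Against the constructed sample the only page flagged is the /backups/ listing, and it is flagged twice: it is an open directory index and nothing tells a crawler to leave it alone. The status page and the printer page are both excluded from the index, one by header and one by meta tag, which is exactly the situation the post is asking you to verify before an attacker does it for you.</p>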
<p>Finally I am curious as to your views on the subject – are search engines something you worry about? Do you think that search engines are a threat to the security of your system, but that maybe it’s a threat that’s mitigated through your normal routines and doesn’t really require any additional steps? Maybe you wouldn’t really consider them a threat at all?</p>
<p>I personally think that they’re a threat that may generally be overlooked, but perhaps it might not be a huge threat at the end of the day, since the steps to protect against it are ultimately best practices that should be followed in the first place.</p>
<p><a href="http://www.gfi.com/blog/search-engines-friend-foe/">Search Engines, Friend or Foe?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/search-engines-friend-foe/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Protecting against Money Theft</title>
		<link>http://www.gfi.com/blog/protecting-money-theft/</link>
		<comments>http://www.gfi.com/blog/protecting-money-theft/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 13:29:40 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Trojans]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1495</guid>
		<description><![CDATA[Time and time again we read stories about malicious people using Trojans to steal money. This time it happened to Cumberland County Redevelopment Authority where, by using a Trojan, a malicious hacker stole nearly half ...<p><a href="http://www.gfi.com/blog/protecting-money-theft/">Protecting against Money Theft</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="Protecting against money theft" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Protecting-against-money-theft.jpg"><img class="alignright size-medium wp-image-1496" style="margin: 10px;" title="Protecting against money theft" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Protecting-against-money-theft-300x300.jpg" alt="" width="192" height="192" /></a>Time and time again we read stories about malicious people using Trojans to steal money. This time it happened to the Cumberland County Redevelopment Authority where, by using a Trojan, a malicious hacker stole nearly half a million dollars. <a href="http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html">Brian Krebs from the Washington Post</a> has some really good tips and detailed coverage of this story.</p>
<p>Brian says that the SANS Technology Institute, informed by his research and reporting on cyber theft, came up with a simple solution to the problem: use a bootable, DVD-based operating system such as Knoppix.</p>
<p><span id="more-1495"></span></p>
<p>I tend to fully agree. The problem is that once a system is infected with a Trojan it becomes a ticking time bomb. The Trojan sits hidden in the background, monitoring and waiting for you to log in to your online bank account, and once you do it acts. Depending on its sophistication it either hijacks your session and submits its own transfer in place of yours, or, in the cruder variants, simply emails your credentials to its owner.</p>
<p>Online banking is obviously a great tool, but there is no way to be completely safe on a machine whose integrity you cannot vouch for; booting a clean operating system from read-only media is the closest we can get. Banks obviously try their best. They employ a lot of effective measures, such as two-factor authentication, restricting access based on your IP address and other schemes like these, to protect their customers. However, none of these login-time measures helps if a Trojan on the customer's machine simply hijacks the authenticated session and substitutes its own transfers. (Two-factor schemes that make the customer confirm the details of each individual transaction on a separate device are much harder to defeat, because the Trojan cannot produce that confirmation on its own.)</p>
<p>Needless to say, to really be safe we must be sure that no Trojan is running while we do our online banking; but how? Anti-virus software is a good resource, but it can generally only detect Trojans that are already known and circulating in the wild. We could be infected with a custom-made Trojan, or our anti-virus might not yet have been updated to catch the particular one we picked up. So how can we get as close to safe as possible?</p>
<p>My recommendation for as safe an environment as possible when conducting online banking is as follows. It is a bit cumbersome, but I believe it is as secure as one can get, and if you make a lot of high-value transactions, or the account you interact with holds a lot of cash, it may well be worth the overhead.</p>
<p>Firstly, set up a firewall dedicated to the banking machine, and connect the terminal that will do the banking to it and to nothing else. The firewall should block everything, in both directions, except a single path between the terminal and the bank; because the machine can reach only the bank, a browser exploit on some other site cannot be used to plant a Trojan on it. Secondly, keep the machine powered off and switch it on only when you need to interact with the bank. This is very important, because it guarantees that nothing is lingering in memory from a previous session. When it is switched on it boots our CD/DVD-based environment, and that is what we use for our transactions. Finally, allow no physical access to the machine other than the keyboard, mouse and CD/DVD drive: no USB or FireWire ports, no hard drive, and no network connection except the one to the firewall, which in turn allows access only to the bank's site.</p>
<p>This simple setup protects us in a number of ways. Firstly, the firewall ensures that nobody can use the terminal to browse sites that might host exploit code capable of installing a Trojan on our system. Running the system from a CD/DVD means the environment itself is never permanently compromised: even if a Trojan does get in, it cannot modify any files and will not reload on the next boot. Keeping the machine switched off when not in use means that anything running in memory (the only place a Trojan can live, since our operating system is physically read-only) is wiped out. And if everything else fails and a Trojan is running while we bank, the firewall stops it from calling home or sending our data anywhere. Obviously, as I said in previous articles, one is never 100% safe; there is one possible scenario I can think of, which is that the bank itself, perhaps through cross-site scripting, ends up serving malware that infects the machine through a browser exploit and is completely autonomous, carrying out transactions without needing a command and control server. However I think this scenario is pretty remote.</p>
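<p>As an added example (not the post's own configuration), here is a Python model of the dedicated firewall described in the steps above: default-deny on every chain, with the only traffic allowed being HTTPS from the banking terminal to the bank's address range, plus DNS to one pinned resolver so the bank's hostname can still be looked up. build_iptables() renders the policy as the iptables commands you would load on a small Linux box with two interfaces sitting between the terminal and the internet; decide() applies the same first-match policy to a packet description, so the ruleset can be checked before it goes live. All addresses are assumptions taken from the documentation ranges; substitute your own terminal, bank and resolver addresses, and verify the bank's range with the bank, since it can change. The DNS exception is deliberately narrow (one resolver, nothing else), but it is still an outbound channel; if you can pin the bank's addresses on the boot medium instead, drop it.</p>

```python
"""Model of the dedicated banking firewall: default-deny both ways, HTTPS to
the bank and DNS to one resolver as the only exceptions.

Added example, not the post's own configuration. TERMINAL, BANK_NETS and
RESOLVER are assumed values from the documentation address ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TERMINAL = "192.168.250.2"        # the banking terminal behind the firewall (assumed)
BANK_NETS = ["203.0.113.0/28"]    # the bank's published address range (assumed)
RESOLVER = "198.51.100.53"        # the single trusted DNS resolver (assumed)


@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: Optional[str]   # "tcp", "udp" or None for any protocol
    dport: Optional[int]   # destination port or None for any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def policy() -> List[Rule]:
    """Ordered allow-list for new outbound connections from the terminal.
    Anything not matched here is dropped, in both directions."""
    rules = [Rule("ACCEPT", f"{TERMINAL}/32", net, "tcp", 443) for net in BANK_NETS]
    # DNS is a deliberate, narrow exception: one resolver only, so the terminal
    # cannot reach an attacker-controlled resolver and leak data through it.
    rules.append(Rule("ACCEPT", f"{TERMINAL}/32", f"{RESOLVER}/32", "udp", 53))
    rules.append(Rule("ACCEPT", f"{TERMINAL}/32", f"{RESOLVER}/32", "tcp", 53))
    return rules


def decide(pkt: Packet, rules: Optional[List[Rule]] = None) -> str:
    """First-match evaluation of a new connection against the policy.
    Returns "ACCEPT" or "DROP"; DROP is the default when nothing matches."""
    for r in policy() if rules is None else rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.proto in (None, pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "DROP"


def build_iptables(lan_if: str = "eth1", wan_if: str = "eth0") -> List[str]:
    """Render the policy as iptables commands for a Linux box acting as the
    firewall: default DROP on every chain, replies to permitted connections
    allowed back in, and one ACCEPT on the FORWARD chain per policy rule."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy():
        lines.append(
            f"iptables -A FORWARD -i {lan_if} -o {wan_if} -p {r.proto} "
            f"-s {r.src} -d {r.dst} --dport {r.dport} "
            "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
    return lines


if __name__ == "__main__":
    for line in build_iptables():
        print(line)
    # Constructed packets: HTTPS to the bank is the only web traffic that passes.
    print(decide(Packet(TERMINAL, "203.0.113.5", "tcp", 443)))   # ACCEPT
    print(decide(Packet(TERMINAL, "93.184.216.34", "tcp", 443)))  # DROP
```

<p>Two details of this policy matter more than they look. Plain HTTP to the bank is dropped as well, so a Trojan cannot downgrade the session, and DNS to any resolver other than the pinned one is dropped, which closes the most common way for malware on a locked-down host to call home. The firewall must be a separate box, not software on the terminal itself, because a Trojan that has the terminal can switch off a local firewall.</p>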
<p>If you want peace of mind and want to have the maximum level of security when interacting with the bank I think that this is in fact the best way to go about it. I would appreciate any thoughts you might have regarding such an approach or maybe something better! I understand that it might be a bit cumbersome to implement; however, I believe that it can be a very effective defense. Ultimately it’s surely more desirable to wait a couple of minutes for a system to boot than to end up with $500,000 less in your bank account!</p>
<p><a href="http://www.gfi.com/blog/protecting-money-theft/">Protecting against Money Theft</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/protecting-money-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
