Printer Vulnerability Exposed by Indiana U Security Engineer

4/8/2008

Security engineers in the Information Technology Security Office (ITSO) at Indiana University were at a loss when a user described a network-connected multifunctional printer that was acting strangely--even printing spam e-mail messages onto paper.

While investigating the printer problem, Nate Johnson, Indiana U's lead security engineer, took a chance and tested the printer for vulnerability to a File Transfer Protocol (FTP) Bounce Attack, a method used by malicious computer hackers to relay a network scan through another device, essentially covering their tracks online.

Johnson's hunch paid off, and with the maneuver, he discovered a security risk in a widely used family of Canon printers.

ITSO provides active security analysis, development, education, and guidance related to Indiana U's information assets and IT environment.

Johnson and ITSO recently published the vulnerability, having already alerted Canon to the problem. UISO has published four disclosures in the last two years.

Johnson's test--a common tactic for security professionals hoping to find holes in network security--revealed a vulnerability in the network configuration of certain printers and other devices in the Canon imageRUNNER series. These multifunctional printers are the size of a traditional copying machine and include network access that can leave them open to misuse if not properly configured. Hackers can exploit the device's Internet connection and treat it as a proxy from which to attack other sources, while concealing their own location.

"I stumbled across the security vulnerability," said Johnson. "The customer was having a problem with a printer, and on a whim I tested it. Hopefully, now that we have published the risk, people and businesses with these devices will take another look at their inventory."

Workarounds to the vulnerability include disabling FTP printing, setting up a username and password challenge to protect FTP printing or having a Canon service technician install a firmware update. A report posted on the campus' security office site states, "Additionally, best practices suggest that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks."

According to Canon, the FTP command isn't used for printing from the printer driver. It only affects those imageRUNNER machines that have the FTP print setting on.
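For devices that cannot be reconfigured right away, FTP control-channel logs can be audited for relay use. The following is an added example, not code from ITSO, Canon or this article: it flags `PORT` commands (RFC 959 syntax) whose data address is not the connected client or whose port is below 1024, the two checks RFC 2577 recommends against bounce. The log layout, the function names and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): the client tells the server where to
# open the data connection. In a bounce, that address is not the client's.
PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(command):
    """Return (IPv4Address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_port(client_ip, command):
    """Return the reasons a PORT command looks like a bounce attempt."""
    parsed = parse_port(command)
    if parsed is None:
        return ["malformed PORT argument"]
    ip, port = parsed
    reasons = []
    if ip != ipaddress.IPv4Address(client_ip):
        reasons.append(f"data address {ip} is not the control-connection peer")
    if port < 1024:
        reasons.append(f"data port {port} is a well-known port")
    return reasons

# Constructed sample log: (control-connection peer, command received).
SAMPLE_LOG = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,195,80"),  # own address, port 50000
    ("192.0.2.10", "PORT 198,51,100,7,0,22"),  # third party, port 22
    ("192.0.2.10", "PORT 198,51,100,7,0,25"),  # third party, port 25
    ("192.0.2.10", "PORT 192,0,2,10,0,80"),    # own address, port 80
]

def scan_log(entries):
    """Return (line number, command, reasons) for each suspicious PORT."""
    findings = []
    for lineno, (peer, cmd) in enumerate(entries, 1):
        if cmd.upper().startswith("PORT"):
            reasons = check_port(peer, cmd)
            if reasons:
                findings.append((lineno, cmd, reasons))
    return findings

if __name__ == "__main__":
    for lineno, cmd, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {cmd!r}: " + "; ".join(reasons))
```

The same two checks apply to the IPv6-capable `EPRT` command (RFC 2428), which this example does not parse.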

To view the detailed alert reported by UISO, visit https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack.

To view the alert from Canon, visit http://www.usa.canon.com/html/security/office_security.html.


Dian Schaffhauser is a writer who covers technology and business. Send your higher education technology news to her at dian@dischaffhauser.com.

Cite this Site

Dian Schaffhauser, "Printer Vulnerability Exposed by Indiana U Security Engineer," Campus Technology, 4/8/2008, http://www.campustechnology.com/article.aspx?aid=60565
