Printer Hacking, Again

December 23, 2011

At the beginning of this month, I posted a note here about a security vulnerability that had been discovered in the firmware update process for HP laser printers.   Even though the company disputed some of the findings, the key lesson was clear: printers, along with many other devices, now contain sufficient computing capacity that they can be attack targets in their own right.

Daniel Wesemann, one of the volunteer handlers at the SANS Internet Storm Center [ISC], has a new diary post on printer security.  As he points out again, many modern printers are much more capable devices than the “dumb” printers many of us grew used to.

Most office printers aren’t just printers anymore. So-called MFPs (Multi-function printers) have taken over, and they contain permanent storage (a hard drive, usually), a fax modem, etc.

Many of these devices retain copies of recent print and fax jobs, and have interfaces that can be used to retrieve copies of those jobs over the network; and the devices often come with the usual sorts of insecure default configurations, unnecessary protocols enabled, and stupid default passwords.

As Wesemann points out, the ISC is currently conducting an informal poll of its readers on printer security, asking the question: Do you monitor or otherwise secure your printers in your environment?   At the time I’m writing this, there have been ~500 replies.  About 57% of the respondents answered “NO” — not a particularly encouraging result for the security-minded.

This is not entirely surprising.  As I’ve remarked before, the basic problem is that many people still don’t think of these devices as requiring any sort of security attention.  Often, if the subject is raised, they will think of potential threats as being someone sending a garbage print job that uses up all their paper or toner.  That these machines are small computers that can also produce output on paper has not yet shown up on many users’ radar.

The ISC article also has some sensible suggestions for securing the printers in your environment.


MIT Researchers Introduce CryptDB

December 22, 2011

I’ve written here before about the concept of homomorphic encryption, a technique that allows encrypted data to be processed to get an encrypted result; when the result is decrypted, it will be the same as would be obtained using unencrypted data from the beginning.  Craig Gentry, of IBM, published a mathematical proof of the concept in 2009, and some trial implementations have been built.  Although there is considerable interest in the concept, to date the very large performance penalty associated with the technique has been a problem.

According to a report at Forbes, a team at MIT has come up with a clever shortcut, called CryptDB, that produces similar results for some applications, with a much smaller performance penalty.

CryptDB, a piece of database software the researchers presented in a paper at the Symposium on Operating System Principles in October, allows users to send queries to an encrypted set of data and get almost any answer they need from it without ever decrypting the stored information, a trick that keeps the info safe from hackers, accidental loss and even snooping administrators.

The paper is available here [PDF].

The MIT group had two key insights.  The first was that, although a fully general homomorphic encryption algorithm was very complex, there were existing algorithms that had similar properties for particular operations.  (For example, a method called Paillier encryption allows addition of the encrypted data.)  The second insight was that standard SQL queries do not require all that many types of operations.   Their approach was to try to find a collection of algorithms that, taken together, would allow the necessary operations to be performed.

“The insight we had, the cool idea, is that SQL queries in a database are composed of relatively few types of operations: equal to, less than, summing up, sorting,” says MIT professor of software technology Nickolai Zeldovich. “For each operation, we were able to find an encryption scheme that is quite efficient at computing on encrypted data.”

The CryptDB approach “wraps” the data with layers of encryption, each of which allows different kinds of operations to be performed on the encrypted data.  Depending on the processing to be performed, different layers of encryption are removed, but the data is never fully decrypted.  Not surprisingly, this does not provide perfect security.

CryptDB has its limits, the MIT researchers warn–no square roots, for one example. And while the data is never completely decrypted, it does “leak” information about the underlying data when enough outer layers of encryption are removed, revealing attributes like which data points are equal to each other.

Still, the method does provide some significant protection, and its limitations did not seem to have too severe an impact on a sample of real database queries.  Further work will certainly be needed to delineate what can and can’t be done with the CryptDB approach, but it does seem to be the most practical method for processing encrypted data developed so far.
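To make the two ideas above concrete (one encryption scheme per SQL operation, and the information that leaks once an outer layer is peeled), here is a small worked example.  It is an added illustration written for this post, not code from the CryptDB paper or project.  It uses the Paillier scheme mentioned above so that an untrusted server can compute SUM over a column it cannot read, and an HMAC-based deterministic token to stand in for the equality layer (an assumption of this demo; the real system uses a deterministic encryption scheme).  The primes and the sample salary table are constructed, toy-sized values; real Paillier keys use primes of roughly 1024 bits each.

```python
"""Toy demonstration of two CryptDB-style layers:
 - an additively homomorphic (Paillier) layer, so the server can SUM ciphertexts;
 - a deterministic layer, so the server can test equality / GROUP BY,
   which is precisely the property that leaks "which rows are equal".
"""
import hashlib
import hmac
import secrets
from math import gcd

# Constructed toy primes so the demo runs instantly; NOT a secure key size.
P = 1_000_000_007
Q = 1_000_000_009


def paillier_keygen(p=P, q=Q):
    """Return ((n, g), (lambda, mu)) for the Paillier scheme with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # L(g^lam mod n^2) = lam when g = n+1
    return (n, n + 1), (lam, mu)


def paillier_encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r (so ciphertexts are randomized)."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n


def paillier_add(pub, c1, c2):
    """Multiplying ciphertexts adds the plaintexts: the server needs no key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def det_token(key: bytes, value: str) -> str:
    """Deterministic layer: equal plaintexts give equal tokens (HMAC stands in
    for deterministic encryption here, an assumption of this demo)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


# ---- untrusted server side: sees only tokens and ciphertexts ----
def server_sum(pub, encrypted_column):
    """SUM(column) over ciphertexts, without ever decrypting."""
    acc = paillier_encrypt(pub, 0)
    for c in encrypted_column:
        acc = paillier_add(pub, acc, c)
    return acc


def server_group_sum(pub, rows):
    """GROUP BY token, SUM(ciphertext). Grouping works because, and only
    because, the deterministic layer reveals which tokens are equal."""
    groups = {}
    for tok, c in rows:
        groups[tok] = paillier_add(pub, groups[tok], c) if tok in groups else c
    return groups


# ---- trusted client side: holds the keys ----
def run_demo():
    key = secrets.token_bytes(32)
    pub, priv = paillier_keygen()
    # Constructed sample table of (department, salary).
    plaintext_rows = [("eng", 100), ("eng", 150), ("ops", 70)]
    stored = [(det_token(key, d), paillier_encrypt(pub, s)) for d, s in plaintext_rows]

    total = paillier_decrypt(pub, priv, server_sum(pub, [c for _, c in stored]))
    grouped = server_group_sum(pub, stored)
    by_dept = {d: paillier_decrypt(pub, priv, grouped[det_token(key, d)])
               for d in sorted({d for d, _ in plaintext_rows})}
    # What the server learned without a key: the number of distinct departments
    # and which rows share one (2 classes for 3 rows), but not the names.
    return {"total": total, "by_dept": by_dept, "distinct_tokens": len(grouped)}


if __name__ == "__main__":
    print(run_demo())
```

The salary column is never decrypted on the server, yet SUM and GROUP BY both work; the price is that the server can see that rows 0 and 1 belong to the same (unknown) department, which is exactly the “which data points are equal” leakage the researchers describe.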


Mozilla Releases Thunderbird 9.0

December 21, 2011

Along with the new Firefox 9.0 release, Mozilla has also released version 9.0 of its Thunderbird E-mail client, for Mac OS X, Windows, and Linux.  The new version includes the same updated Gecko rendering engine as Firefox 9.0,  and also incorporates a number of changes, including:

  • New opt-in system for users to send performance and usability data back to Mozilla to improve future versions of Thunderbird (A similar facility has been included in Firefox since earlier this year.)
  • Additional support for Personas in the compose and address book windows
  • Better keyboard handling for attachments
  • Several user interface fixes and improvements

It also includes fixes for six security vulnerabilities, one of which is rated Critical.  Further information is in the Release Notes.

You can obtain the new version via the built-in update mechanism, or you can download a complete installation package, in a variety of (human) languages.


Mozilla Releases Firefox 9.0

December 20, 2011

The folks at Mozilla have released a new major version, 9.0, of their Firefox browser for Mac OS X, Windows, and Linux.  The new version incorporates a new version of the JavaScript engine, which uses Type Inference; this should produce some significant improvements in JavaScript performance.  Other changes include:

There are also user interface improvements for Mac OS X Lion, and six security fixes, four of which are rated Critical.  More information is available in the Release Notes.

You can obtain the new version via the built-in update mechanism (Help / About Firefox / Check for Updates), or you can download a complete installation package, in a variety of (human) languages.

Update Wednesday, 21 December, 20:28 EST

The WebMonkey site has a review article discussing the changes in Firefox 9.0.


CITP Seeks Visitors for 2012-2013

December 18, 2011

I have mentioned the Center for Information Technology Policy [CITP] at Princeton University, and its Freedom to Tinker blog, several times in posts here.  As it does each year, CITP has invited applications for visiting fellows and post-doctoral students.

The Center for Information Technology Policy is an interdisciplinary research center at Princeton University that studies the intersection of digital technologies and society. Each academic year, CITP issues a call for visiting fellows and postdoctoral researchers. Applications for the 2012-2013 academic year are due by February 1st, 2012.

CITP seeks candidates for Fellows positions from academia, industry, government, and civil society.

The Fellowship Application page at the CITP site has more detailed information.


New Standards Proposed for Certificate Authorities

December 17, 2011

I’ve written here before about the role that Certificate Authorities [CAs] play in supplying credentials used for secure Internet connections via the SSL/TLS protocols, which create an encrypted connection between the user’s browser and the server.  Unfortunately, the existing infrastructure of CAs has its weaknesses, as exemplified by the DigiNotar hack, which involved the creation of a large number of bogus certificates, and ultimately led to DigiNotar’s loss of accreditation.   We have also seen stolen certificates used to generate digital signatures used to sign malicious software.    This has put the browser vendors in an uncomfortable position, since they must decide which CAs should be trusted by default, and led Mozilla to call for an audit of CAs.

Now, according to an article at Security Week, an industry group of CAs and browser vendors, the CA/Browser Forum, has published a new standard for CAs issuing SSL/TLS certificates.

In light of this, the CA/Browser Forum, an organization of leading CAs and other software vendors, has released the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,” an industry-wide baseline standard for the operation of CAs issuing SSL/TLS digital certificates natively trusted by the browser.

The group is requesting browser and OS vendors to require compliance with the new standards as a condition of acceptance of the CAs’ certificates trusted by their software.  The standards, which can be downloaded here [PDF], are an attempt to codify existing best practice in a number of areas.

… the Baseline Requirements are based on best practices from across the SSL/TLS sector and touch on a number of subjects, such as the verification of identity, certificate content and profiles, CA security and revocation mechanisms. The requirements become effective July 1, 2012, and will continue to evolve to address new risks and threats.

The Forum has also requested the development of audit standards to verify compliance with the new requirements.

It is not realistic to expect that this, or any similar step, will completely block exploits against CAs.  Still, it does seem to be a worthwhile improvement, and indicates that the industry is paying attention.


Adobe Releases Critical Patch for Acrobat, Reader

December 16, 2011

As expected, Adobe today released a Critical security bulletin [APSB11-30], and patch, for its Reader and Acrobat on Windows, versions 9.x.  This bulletin addresses the recently discovered memory corruption vulnerability [CVE-2011-2462], as well as another flaw [CVE-2011-4369].   It appears that these vulnerabilities are being exploited currently in targeted attacks, via malicious PDF documents.

According to Adobe, the threat is less for Acrobat X and Reader X on Windows (with Protected Mode / Protected View), as well as for versions on Mac OS X and UNIX.  Patches for these versions are to be released in Adobe’s normal quarterly update, scheduled for January 10, 2012.

If you have Reader or Acrobat 9.x installed on your Windows system, I recommend that you upgrade to the new version 9.4.7 as soon as you conveniently can.  Because this software is so widely used, it is an attractive target for the Bad Guys.  You can get the new version via the built-in update mechanism (Help / Check for Updates), or you can download the updates for Reader here, and Acrobat here.  Note that these are packages to update your existing installation, not full installs.

