Wed Oct 30 00:01:33 2024
EVENTS
 FREE
SOFTWARE
INSTITUTE

POLITICS
JOBS
MEMBERS'
CORNER

MAILING
LIST

NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2017-08-01

HANGOUT

2024-10-30 | 2024-09-30 | 2024-08-30 | 2024-07-30 | 2024-06-30 | 2024-05-30 | 2024-04-30 | 2024-03-30 | 2024-02-29 | 2024-01-29 | 2023-12-29 | 2023-11-29 | 2023-10-29 | 2023-09-29 | 2023-08-29 | 2023-07-29 | 2023-06-29 | 2023-05-29 | 2023-04-29 | 2023-03-29 | 2023-02-28 | 2023-01-28 | 2022-12-28 | 2022-11-28 | 2022-10-28 | 2022-09-28 | 2022-08-28 | 2022-07-28 | 2022-06-28 | 2022-05-28 | 2022-04-28 | 2022-03-28 | 2022-02-28 | 2022-01-28 | 2021-12-28 | 2021-11-28 | 2021-10-28 | 2021-09-28 | 2021-08-28 | 2021-07-28 | 2021-06-28 | 2021-05-28 | 2021-04-28 | 2021-03-28 | 2021-02-28 | 2021-01-28 | 2020-12-28 | 2020-11-28 | 2020-10-28 | 2020-09-28 | 2020-08-28 | 2020-07-28 | 2020-06-28 | 2020-05-28 | 2020-04-28 | 2020-03-28 | 2020-02-28 | 2020-01-28 | 2019-12-28 | 2019-11-28 | 2019-10-28 | 2019-09-28 | 2019-08-28 | 2019-07-28 | 2019-06-28 | 2019-05-28 | 2019-04-28 | 2019-03-28 | 2019-02-28 | 2019-01-28 | 2018-12-28 | 2018-11-28 | 2018-10-28 | 2018-09-28 | 2018-08-28 | 2018-07-28 | 2018-06-28 | 2018-05-28 | 2018-04-28 | 2018-03-28 | 2018-02-28 | 2018-01-28 | 2017-12-28 | 2017-11-28 | 2017-10-28 | 2017-09-28 | 2017-08-28 | 2017-07-28 | 2017-06-28 | 2017-05-28 | 2017-04-28 | 2017-03-28 | 2017-02-28 | 2017-01-28 | 2016-12-28 | 2016-11-28 | 2016-10-28 | 2016-09-28 | 2016-08-28 | 2016-07-28 | 2016-06-28 | 2016-05-28 | 2016-04-28 | 2016-03-28 | 2016-02-28 | 2016-01-28 | 2015-12-28 | 2015-11-28 | 2015-10-28 | 2015-09-28 | 2015-08-28 | 2015-07-28 | 2015-06-28 | 2015-05-28 | 2015-04-28 | 2015-03-28 | 2015-02-28 | 2015-01-28 | 2014-12-28 | 2014-11-28 | 2014-10-28 | 2014-09-28 | 2014-08-28 | 2014-07-28 | 2014-06-28 | 2014-05-28 | 2014-04-28 | 2014-03-28 | 2014-02-28 | 2014-01-28 | 2013-12-28 | 2013-11-28 | 2013-10-28 | 2013-09-28 | 2013-08-28 | 2013-07-28 | 2013-06-28 | 2013-05-28 | 2013-04-28 | 2013-03-28 | 2013-02-28 | 2013-01-28 | 2012-12-28 | 2012-11-28 | 2012-10-28 | 2012-09-28 | 2012-08-28 | 2012-07-28 | 2012-06-28 | 2012-05-28 | 2012-04-28 | 2012-03-28 | 2012-02-28 | 2012-01-28 | 2011-12-28 | 2011-11-28 | 2011-10-28 | 2011-09-28 | 2011-08-28 | 2011-07-28 | 2011-06-28 | 2011-05-28 | 2011-04-28 | 2011-03-28 | 2011-02-28 | 2011-01-28 | 2010-12-28 | 2010-11-28 | 2010-10-28 | 2010-09-28 | 2010-08-28 | 2010-07-28 | 2010-06-28 | 2010-05-28 | 2010-04-28 | 2010-03-28 | 2010-02-28 | 2010-01-28 | 2009-12-28 | 2009-11-28 | 2009-10-28 | 2009-09-28 | 2009-08-28 | 2009-07-28 | 2009-06-28 | 2009-05-28 | 2009-04-28 | 2009-03-28 | 2009-02-28 | 2009-01-28 | 2008-12-28 | 2008-11-28 | 2008-10-28 | 2008-09-28 | 2008-08-28 | 2008-07-28 | 2008-06-28 | 2008-05-28 | 2008-04-28 | 2008-03-28 | 2008-02-28 | 2008-01-28 | 2007-12-28 | 2007-11-28 | 2007-10-28 | 2007-09-28 | 2007-08-28 | 2007-07-28 | 2007-06-28 | 2007-05-28 | 2007-04-28 | 2007-03-28 | 2007-02-28 | 2007-01-28 | 2006-12-28 | 2006-11-28 | 2006-10-28 | 2006-09-28 | 2006-08-28 | 2006-07-28 | 2006-06-28 | 2006-05-28 | 2006-04-28 | 2006-03-28 | 2006-02-28 | 2006-01-28 | 2005-12-28 | 2005-11-28 | 2005-10-28 | 2005-09-28 | 2005-08-28 | 2005-07-28 | 2005-06-28 | 2005-05-28 | 2005-04-28 | 2005-03-28 | 2005-02-28 | 2005-01-28 | 2004-12-28 | 2004-11-28 | 2004-10-28 | 2004-09-28 | 2004-08-28 | 2004-07-28 | 2004-06-28 | 2004-05-28 | 2004-04-28 | 2004-03-28 | 2004-02-28 | 2004-01-28 | 2003-12-28 | 2003-11-28 | 2003-10-28 | 2003-09-28 | 2003-08-28 | 2003-07-28 | 2003-06-28 | 2003-05-28 | 2003-04-28 | 2003-03-28 | 2003-02-28 | 2003-01-28 | 2002-12-28 | 2002-11-28 | 2002-10-28 | 2002-09-28 | 2002-08-28 | 2002-07-28 | 2002-06-28 | 2002-05-28 | 2002-04-28 | 2002-03-28 | 2002-02-28 | 2002-01-28 | 2001-12-28 | 2001-11-28 | 2001-10-28 | 2001-09-28 | 2001-08-28 | 2001-07-28 | 2001-06-28 | 2001-05-28 | 2001-04-28 | 2001-03-28 | 2001-02-28 | 2001-01-28 | 2000-12-28 | 2000-11-28 | 2000-10-28 | 2000-09-28 | 2000-08-28 | 2000-07-28 | 2000-06-28 | 2000-05-28 | 2000-04-28 | 2000-03-28 | 2000-02-28 | 2000-01-28 | 1999-12-28

Key: Value:

Key: Value:

MESSAGE
DATE 2017-08-06
FROM Ruben Safir
SUBJECT Subject: [Hangout - NYLXS] printer attacks
https://www.pcmag.com/news/355256/your-printer-can-steal-and-deface-your-documents

Its not good to have devices in your house that connect to the "cloud"


Your Printer Can Steal and Deface Your Documents
Because of weaknesses in decades-old protocols, printers can become a
spy and a vandal lurking in your home or office.

Max Eddy Icon
By Max Eddy
July 28, 2017 12:43PM EST

Black Hat

LAS VEGAS—Printers have been part of the modern home and office for
decades, despite numerous attempts to go "paperless." But at the Black
Hat conference here, Jens Müller of Ruhr University Bochum reminded
attendees that just because something is ubiquitous doesn't mean it
should be trusted.

Black Hat Bug ArtMüller first reminded the crowd how far printer
technology had come, displaying a photo of an old dot-matrix printer and
sleek, new laser printer. But despite the powerful capabilities of
today's printers, there "still tends to produce a paper jam," he said.

Add the ability to access the printer via USB, local network, or over
the internet, and you have the recipe for a devastating attack. In fact,
security researchers have warned for years that connected devices like
printers, routers, and even VoIP phones could be used as beachheads for
an attacker. The phone might not be very useful for an attacker, but
perhaps they could use it to pivot to your secure network.

Müller found enough within the humble printer to keep him busy without
trying to escalate an attack. The problem, he said, are the printing
protocols that translate the files on your computer into something the
printer can put to paper. One such protocol—aptly named the Printer Job
Language—was developed in the early 90s by HP, and it can make permanent
changes to the printer, not just the current print job. Another, called
PostScript, was developed by Adobe and was originally intended for
document exchange. It's been largely replaced by the PDF, but is still
heavily used in laser printers. These two languages make up the backbone
of Müller's attacks.

The key point about these printer languages is that the printers
executed code written in these languages that is contained within print
jobs. "There's no separation between administrative functionality and
documents being printed," he explained. "You have data and code over the
same channel, and that's always a bad idea."
The 4 Horsemen of the Printocalypse

Müller noted that the initial work on the weaknesses inside printer
protocols was done some 15 years ago, and is still an issue today. By
studying the standards that outline PostScript and PJL, Müller found
four classes of attack: Denial of service; protection bypass; print job
manipulation; and information disclosure.

The denial of service attack was the simplest. PostScript, Müller
reminded the crowd, is a programming language and an attacker can use
all the tools contained therein. By sending a print job that contained a
single line of PosctScript code, Müller set the printer into an infinite
loop, preventing others from using it. A more advanced attack, he said,
could use the same command to continually write to the printer's memory
until it became exhausted.

In a protection bypass attack, Müller considered a scenario whereby a
savvy administrator placed password protection on all vulnerable
services and devices, including network printers. On some HP printers,
Müller found that a single line of PJL code sent in a normal print job
could reset the device to factory settings. This would remove the
password assigned by the administrator and leave the device vulnerable.

To manipulate print jobs, Müller used the unusual facet of PostScript
where a change made with one print job could be made permanent and
affect all future print jobs. In this case, Müller used the overlay
command to place a Black Hat logo over any document that emerged from
the printer. He encouraged the crowd to get creative. For example, "you
could introduce misspellings in the print job for certain users you
don't like!"

Black Hat 2017

For an information disclosure attack, Müller found that it was possible
to induce a printer to store print jobs in its local memory for
retrieval by the attacker at a later date. He admitted that, in
practice, this was very difficult because it required the attacker to
find memory available in the printer in the first place. That said, it
took only a single command to induce the printer to save its print jobs,
and just one more to retrieve it.

Müller took this attack one step further by imagining a scenario in
which the target printer is behind a firewall that prevents an attacker
from receiving information back from a network printer. By using port
9100 on the printer, and some clever work to trick the network into
thinking a privileged HTTP server was running inside the firewall,
Müller found that it was indeed possible to retrieve print jobs.

Notably, printers aren't the only platforms that execute PostScript
code. Google Cloud Print, a service that lets you send print jobs from
your phone to network printers, executes PostScript code as it converts
files to PDFs for printing. Dropbox does the same thing with certain
files. In these cases, Müller embedded a command to receive information
about the file structure within these services and found that they were
indeed executed. However, both Dropbox and Google Cloud Print use
isolation techniques that prevent anything useful from being obtained by
this attack.

Black Hat 2017

The same problem, however, could exist wherever PostScript files are
processed. A site administrator might not think this affects them, but
if your site lets users upload a user picture, or creates thumbnails
from uploaded images, the potential for attack is there, Müller pointed out.
The Scope of the Problem

A cursory search of Shodan, a favorite search engine of hackers that
finds devices connected to the internet, returned some 34,800
printers—but that's much lower than the actual number, according to
Müller. The point is, though, there are a lot of printers connected to
the web.

And that doesn't include vulnerable printers that aren't connected to
the internet. "Is your department's copy room always locked?" he asked
the crowd. "Are your conference printers really never, never
unattended?" he asked, more emphatically, as a picture of Black Hat
registration area flashed on the screen, its dozen laser printers very
noticeably unattended.

As to how widespread the vulnerabilities are, Müller and his team picked
over 20 different printers from eight different manufacturers. Results
were mixed, with some attacks working on whole lines of printers and
others failing in odd places. The problem, he stressed, is that the
vulnerabilities are in the languages and those are widespread.
Related

Researchers Reveal Secrets of SHA-1 Hash Collision
Researchers Reveal Secrets of SHA-1 Hash Collision

"In the long-term actually we need to get rid of insecure printer
languages," said Müller, but that's a long-term solution, he conceded.

In the short term, he advised sandboxing network printers into a
separate VLAN that is only reachable through a hardened (and he
emphasized "hardened") print server. Printer vendors need to "consider
undoing some insecure decisions," and browser vendors could block port 9100.

And, of course, "always keep the copy room locked."
Up Arrow

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://www.nylxs.com/mailman/listinfo/hangout

  1. 2017-08-02 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] bitcoin chaos
  2. 2017-08-03 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] age discrimination in IT
  3. 2017-08-04 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] the tip of the precipice.
  4. 2017-08-04 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Chinese world wide surveillance through drone
  5. 2017-08-04 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] smartphones and the death of teen rebellions
  6. 2017-08-04 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Education System is all but dead
  7. 2017-08-05 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] MTA
  8. 2017-08-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] MTA
  9. 2017-08-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] MTA
  10. 2017-08-06 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] SMS through Linux
  11. 2017-08-06 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] SMS through Linux
  12. 2017-08-06 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] Education System is all but dead
  13. 2017-08-04 Paul Robert Marino <prmarino1-at-gmail.com> Re: [Hangout - NYLXS] Education System is all but dead
  14. 2017-08-06 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] printer attacks
  15. 2017-08-06 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Mail Server set ups
  16. 2017-08-07 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #315 - *Welcome to TPCiA - The Perl
  17. 2017-08-07 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Holographs you can touch and more
  18. 2017-08-07 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] MTA Crisis
  19. 2017-08-07 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Drug Price Kickbacks to insurance companies makes
  20. 2017-08-07 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Movie of the Week
  21. 2017-08-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] MTA Crisis
  22. 2017-08-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] MTA Crisis
  23. 2017-08-09 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Aaron Schwartz
  24. 2017-08-10 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] hangout at KR
  25. 2017-08-08 Poel Group Staffing <jobs-at-poelcareers.com> Re: [Hangout - NYLXS] a suitable position
  26. 2017-08-10 NCPA eCommunications <ncpa.ecommunications-at-ncpanet.org> Subject: [Hangout - NYLXS] NCPA's qAM: Generic Drug Prices Are Down,
  27. 2017-08-13 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Language theory
  28. 2017-08-13 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] computational palaeobiology
  29. 2017-08-14 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #316 - Winter, er CPAN Day,
  30. 2017-08-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] North Korean Economy doing fine, thank you..
  31. 2017-08-15 NYOUG <execdir-at-nyoug.org> Subject: [Hangout - NYLXS] Upcoming Events for Oracle Professionals
  32. 2017-08-15 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Surveillance State and another reason to have
  33. 2017-08-15 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] unsupervised-learning
  34. 2017-08-15 From: "Yi Qian, IEEE ICC'18 TPC Chair" <noreply-at-comsoc.org> Subject: [Hangout - NYLXS] IEEE ICC'18 Tutorial Proposals due 15 September
  35. 2017-08-16 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Cewllphone Hardware development
  36. 2017-08-16 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Cewllphone Hardware development
  37. 2017-08-17 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] How to get a road approved
  38. 2017-08-17 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Iphones and You
  39. 2017-08-18 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout - NYLXS] =?utf-8?q?Fwd=3A_News_from_Hackster=2Eio_?=
  40. 2017-08-21 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout - NYLXS] Fwd: We found the name "Duck Donald" mentioned in
  41. 2017-08-22 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Movie of the Week
  42. 2017-08-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Free Movies at the WTC
  43. 2017-08-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Jobs and Networking
  44. 2017-08-22 James E Keenan <jkeenan-at-pobox.com> Subject: [Hangout - NYLXS] Social meeting at d.b.a. next Tuesday, August 29
  45. 2017-08-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] One of the best reviews of Packet switching I've
  46. 2017-08-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] facebook crap
  47. 2017-08-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] jobs
  48. 2017-08-23 From: "S." <sman356-at-yahoo.com> Re: [Hangout - NYLXS] facebook crap
  49. 2017-08-23 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] jobs | | I see nothing about authorization to
  50. 2017-08-23 From: "S." <sman356-at-yahoo.com> Subject: [Hangout - NYLXS] jobs | | I see nothing about authorization to
  51. 2017-08-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] betty sue got married
  52. 2017-08-25 mrbrklyn <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] betty sue got married
  53. 2017-08-24 IEEE Engineering in Medicine and Biology Society <noreply-at-embs.org> Subject: [Hangout - NYLXS] Your EMB Weekly Newsletter is HERE!
  54. 2017-08-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Trying to read the wanted adds
  55. 2017-08-28 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #318 - Developer Weekly - First
  56. 2017-08-28 From: "S." <sman356-at-yahoo.com> Subject: [Hangout - NYLXS] Arm pain: gadolinium
  57. 2017-08-28 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] Arm pain: gadolinium
  58. 2017-08-29 From: "Mancini, Sabin (DFS)" <Sabin.Mancini-at-dfs.ny.gov> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  59. 2017-08-29 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  60. 2017-08-29 From: "Mancini, Sabin (DFS)" <Sabin.Mancini-at-dfs.ny.gov> Re: [Hangout - NYLXS] Trying to read the wanted adds | | | Like
  61. 2017-08-29 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Trying to read the wanted adds | | | Like
  62. 2017-08-29 From: "Mancini, Sabin (DFS)" <Sabin.Mancini-at-dfs.ny.gov> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  63. 2017-08-29 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  64. 2017-08-29 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  65. 2017-08-30 From: "S." <sman356-at-yahoo.com> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  66. 2017-08-30 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Trying to read the wanted adds | | |
  67. 2017-08-30 From: "S." <sman356-at-yahoo.com> Re: [Hangout - NYLXS] NYS | NYC jobs
  68. 2017-08-30 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout - NYLXS] NYS | NYC jobs

NYLXS are Do'ers and the first step of Doing is Joining! Join NYLXS and make a difference in your community today!