Printers Are the Invisible Security Risk on Your Network

The days of printers as simple unsophisticated devices are long gone. Today’s printers are specialized computers that have their own processors, RAM and storage. They also have easy setups and internal web pages for adjusting settings and updating firmware. The printer manufacturer’s goal is to make their devices faster, more versatile and more user-friendly to set up and use.

Unfortunately, printer security has not kept up with these advances. When printers were dumb devices, the worst that could happen was an unauthorized person seeing a print job sent to the wrong printer. Now a printer can leak confidential information and provide hackers with a route into your network.

Printers Can Allow Data Out

The security risks printers pose don’t end when you get rid of them. Many printers have internal hard drives or flash memory that can store recently printed documents. Some store the information in unencrypted formats that are easy to retrieve. When a company or consumer sells, retires or recycles a printer they often neglect to clear out this storage area.

Printers can allow data out as well as in

This is not a hypothetical risk. In 2010 CBS News purchased four used photocopy machines at random and used freely-available recovery software on their hard drives. A printer security expert uncovered everything from copied checks and patient medical records to design plans for a building near the World Trade Center.

Printers Can Allow Hackers In

Printers can also be a vulnerable point on your network. A white hat hacker named Michael Jordan demonstrated security vulnerabilities on a Canon Pixma MG6450 by getting it to run the 90s computer game Doom on its LCD screen. He showed off the hack at security conference 44Con in London earlier this month.

The Pixma is a line of all-in-one printer/scanner/fax machines popular with home users and small businesses. He used the Pixma’s unsecured web interface and lax encryption to install hacked firmware and control the printer over the Internet.

Getting a printer to run an old video game might seem like a curiosity, but the stunt was just to put a humorous spin on a very real problem. Jordan stated after uploading the hacked firmware, he could have used the printer as a gateway to attack other devices on the network instead. Since the Pixma also has an integrated scanner, a savvy hacker could have used the flaw to have it send them a copy of any image scanned without the user knowing.

Canon has released a firmware update for the Pixma line aimed at closing the security loophole, but other printers also have web interfaces and may be vulnerable to similar tactics.

Few people think of a printer as a security risk, but you should treat your printers with the same care as any other network-connected device.

Sources:

http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/

http://www.theguardian.com/technology/2014/sep/15/hackers-doom-printer-canon-security

Gmail Account Hack Shows Why Strong Passwords Are a Must

On September 9th a hacker published a list of 5 million Gmail accounts with associated passwords. The passwords may not have been the password for the account in question, and there’s no telling how old the passwords are or where they originally came from. For example, if the account came from the LinkedIn hack from a couple of years ago the data might be the Gmail address on the user’s account and the LinkedIn password.

When the breach was announced, Google tested the Gmail/password combination and found only 1-2% were still valid. Even though the passwords may not be useful for Gmail, there’s still a risk. People frequently reuse passwords on different sites across the web. According to Symantec, a typical user has 26 password-protected accounts, but only 5 passwords.

Have a unique password for all of your important sites. If one site gets hacked, the hacker may test your login information on other sites. For example, if you use a password on a forum, don’t reuse that same password for your primary email address.

Create strong passwords. A good password should contain at least 12 characters and have a mix of numbers, symbols and uppercase and lowercase letters.

Do not select passwords or security questions that someone might be able to guess by following your social media accounts such as your mother’s maiden name, your pet’s or children’s names or your school.

Don’t substitute symbols or numbers for letters in a word. P@$$w0rd is an example of a weak password that might appear strong at first glance. Acronyms or word combinations make good passwords that are easy to remember.

Change your sensitive passwords regularly. Most people don’t change their passwords often enough. Change passwords on sites storing sensitive information at least once every 3-6 months.

Think you’ll have trouble remembering all these new passwords? Download a password management utility that stores your passwords in an encrypted file. There are password managers for every platform of PC, tablet and smartphone.

Enable two-factor authentication for sites and services that store sensitive information such as your bank, your cloud storage, your email and online retailers that keep your credit or debit card on file. Two-factor authentication requires you enter your password and another verification step such as a PIN texted to your cell phone.

Limit the number of password login attempts. Some sites allow you to set a maximum number of tries before your account is locked. Enable this feature if the site offers it.

Unfortunately, there is no foolproof solution to password security. If someone who has the skills wants to get in, they will. Just like in the real world, security is about making your car or password as difficult as possible to steal or break into so a thief moves on to an easier target.
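Why P@$$w0rd only looks strong can be shown in a few lines of Python. This is an added example, not part of the original post; the word list and substitution table are small constructed samples and the function names are hypothetical.

```python
# Added example: applies the 12-character / mixed-character rule from the tips
# above, then undoes common symbol-for-letter swaps to expose a weak base word.

# Constructed sample; a real check would use a large list of leaked passwords.
COMMON_WORDS = ("password", "letmein", "welcome", "qwerty", "iloveyou")

# Look-alike characters mapped back to the letters they usually replace.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t",
})


def undo_substitutions(password):
    """Lower-case the password and reverse common symbol/number swaps."""
    return password.lower().translate(SUBSTITUTIONS)


def password_issues(password, min_length=12):
    """Return a list of problems; an empty list means none were found."""
    issues = []
    if len(password) < min_length:
        issues.append("shorter than %d characters" % min_length)

    required = [
        ("lowercase letter", str.islower),
        ("uppercase letter", str.isupper),
        ("number", str.isdigit),
        ("symbol", lambda c: not c.isalnum()),
    ]
    for name, test in required:
        if not any(test(c) for c in password):
            issues.append("no " + name)

    # The substitution check runs on the de-obfuscated form, so a password
    # can pass every rule above and still be flagged here.
    plain = undo_substitutions(password)
    for word in COMMON_WORDS:
        if word in plain:
            issues.append("built on the common word '%s'" % word)
    return issues


if __name__ == "__main__":
    # Constructed candidates: the post's example, a longer variant of it,
    # and an acronym-style password.
    for candidate in ("P@$$w0rd", "P@$$w0rd2014!", "Mdl2wOtb@7amEd!"):
        print(candidate, "->", password_issues(candidate) or "no issues found")
```

The second candidate satisfies the length and character-mix rule and is still flagged, which is the point of the tip about substitutions.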

Home Depot Admits to Potentially Massive Data Breach

It wasn’t that long ago consumers were apprehensive about the risks of buying online. With the recent rash of retailers falling victim to point-of-sale malware, the tables may have turned. Last week Home Depot confirmed a potentially massive data breach and officially joined the ranks of Target, Neiman Marcus, P.F. Chang’s, Goodwill and other retailers that have been hit.

Signs indicate the hackers responsible for the attack belong to the same group that hit Target last year. Even the malware they used is a variant of the virus used against Target.

The Home Depot hack could go back as far as April, when security experts and financial institutions first linked stolen credit card data to compromised accounts of users who had made purchases from the chain.

This breach has the potential to touch even more consumers than the attack on Target. The Target breach affected 40 million cards. The number of cards affected by the Home Depot breach is unknown, but the home improvement giant is larger than Target and has more locations. Home Depot operates 2,266 stores and their systems could have been compromised for up to four months during the busiest season for the home improvement market. In comparison, Target has 1,795 stores and their breach lasted just 21 days.

Home Depot is facing additional criticism because it appears they either ignored or were oblivious to the problem. The story was broken not by the company itself, but by security blogger Brian Krebs. Home Depot is already facing lawsuits from customers and financial institutions. The government has also gotten in on the action, with two Senators asking the Federal Trade Commission to probe the retailer’s systems and five states starting their own investigations.

Credit cards have not changed much in 50 years

The major challenge facing retailers is existing payment card technology itself. Credit cards have not changed much since they were introduced in the 1960s. They still use a magnetic strip that stores data in unencrypted format. There are more secure technologies available, but the retail and payment card industries have been dragging their feet due to costs. The newer cards contain an embedded microchip so they’re more expensive to manufacture, and retailers must make expensive upgrades to their hardware.

Another issue for large retailers is the sheer size of their networks. There are many vulnerability points, from unsuspecting employees who fall for a phishing attempt to logins used by vendors and suppliers. Once a hacker finds their way in, they can use lax permissions to move through the network, infecting vulnerable machines and gaining access to other stores. The Target breach was traced back to a single location.

While the exact details in the Home Depot breach are not yet clear, it’s unlikely the company will be the last victim. Hackers are undoubtedly working on the next generation of point-of-sale malware.

Learn more about the biggest retail hacking scandals in cyber security expert, Scott Schober’s Retail Sector Security Report. Download the PDF HERE.

Leaked Nude Photos Expose Cloud Security Risks

BVS CEO & Cyber Security Expert, Scott Schober provides security details on Inside Edition

Last week’s leak of confidential celebrity photos has focused renewed public attention on the security risks of storing data in the cloud. The photos were originally posted on a seedy Internet site by an anonymous user, then reposted to other disreputable sites. Some of the victimized celebrities said the images were authentic but deleted a long time ago; others stated theirs were faked.

The original poster claimed the photos were taken from hacked iCloud accounts. A few simple account changes could have kept the victims’ accounts safe. Today we’ll look at what users can do to protect their cloud data.

Limit Login Attempts

It’s common for banks and other high-security web sites to lock user accounts after a few tries. If someone fails to enter the correct password, after 5 to 10 attempts the account locks and the user must call to have the account reset or wait a specific period of time before they can try again. Some sites make you turn on the feature and control the maximum number of attempts. Check the settings on your account and contact support if you have concerns.

In this case, iCloud did not have a limit on the number of attempts. Hackers could use readily-available software to try an unlimited number of passwords. Since the nude photo story broke, Apple has patched this vulnerability, but the same weakness still exists at many sites holding confidential information.
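The lockout behaviour described in this section, sketched in Python as an added example that is not part of the original post. The class name, the 5-attempt limit and the 15-minute wait are illustrative assumptions, and the stored password is a constructed stand-in for a real credential check.

```python
import time


class LoginLimiter:
    """Locks an account after too many consecutive failed logins."""

    def __init__(self, verify, max_attempts=5, lock_seconds=900,
                 clock=time.monotonic):
        self.verify = verify              # callable(account, password) -> bool
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.clock = clock                # injectable so the wait can be tested
        self.failures = {}                # account -> consecutive failures
        self.locked_until = {}            # account -> time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Waiting period is over: clear the lock and the failure count.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.is_locked(account):
            # The password is not even checked while the account is locked,
            # so continued guessing learns nothing.
            return "locked"
        if self.verify(account, password):
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_attempts:
            self.locked_until[account] = self.clock() + self.lock_seconds
            return "locked"
        return "denied"


def demo():
    """Seven wrong guesses, the right password while locked, then after the wait."""
    now = [0.0]                                    # fake clock, in seconds
    stored = {"alice": "Mdl2wOtb@7amEd!"}          # constructed; real sites store hashes
    limiter = LoginLimiter(lambda a, p: stored.get(a) == p,
                           max_attempts=5, lock_seconds=900,
                           clock=lambda: now[0])
    results = [limiter.attempt("alice", "guess%d" % i) for i in range(7)]
    results.append(limiter.attempt("alice", "Mdl2wOtb@7amEd!"))  # still locked
    now[0] += 900                                  # the waiting period passes
    results.append(limiter.attempt("alice", "Mdl2wOtb@7amEd!"))
    return results


if __name__ == "__main__":
    print(demo())
```

A per-account lock also lets anyone who knows the account name lock its owner out, which is why the timed unlock matters.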

Enable Two-Factor Authentication

Many hacks occur when the victim’s email account is compromised. The hacker can find sites where the victim might be a member by reading old messages, then go to the site and request a password reset. If a site uses single-factor authentication by email, the hacker can then reset the victim’s passwords and access their accounts on those sites.

Many cloud-based services and secure sites offer two-factor authentication. For example, when a user requests a password change, the service may send an authentication email to their address and text a security code to their cell phone. Two-factor authentication is more secure, because a hacker would need access to both the victim’s email and their cell phone.

Two-factor authentication adds an extra step to the process, so some sites offer it as an option. Users must enable it manually. iCloud had it as an option, but at the time the pictures were released it was not enabled by default.

Select Secure Security Questions

When a user sets up their account, the site may ask them to pick a security question in case they forget their password. Common questions include “What high school did you attend?” or “What was the name of your first pet?” If everyone in the user’s social network knows they went to Riverdale High and their first pet was Fluffy, the user should select a different question. Better yet, create unique passwords or gibberish answers to the questions. This will ensure no one but you will ever be able to get past this security checkpoint. Just be sure to remember or note your answers somewhere for future reference.

Deleted Doesn’t Mean Gone

Just like deleting a file from a computer doesn’t remove it from the hard drive, deleting a picture from a phone doesn’t necessarily mean it’s gone forever. With many cloud services, the device will automatically upload pictures and deleting them off the device may not delete them from the cloud. Another potential source of concern is the server backups. Some companies store backups for years, and hackers could access those backups if they’re not adequately protected.

Ultimately, keeping sensitive data and photos private is up to both the user and the company running the service. For the moment, it’s best to remember online security is not absolute. If you want to keep data private, keep it offline.

‘Backoff’ Retail Malware Threat Even Worse than Expected

Just a few weeks ago the Department of Homeland Security issued a warning to retailers about Backoff, the point-of-sale malware responsible for the massive payment card security breach at Target during last year’s holiday season. The initial report indicated up to 600 retailers were affected, but on August 22nd the DHS issued another advisory that stated the scale is much larger. The Secret Service estimated over 1,000 businesses of all sizes have been victimized by variants of Backoff.

Backoff Basics

The days of the simple mechanical cash register are long gone for all but the smallest retailers. The registers most retailers use are actually Windows computers running point-of-sale (POS) software. They are networked and connected to the Internet so they can verify payment cards and checks. Like any computer, they are vulnerable to attack by malicious software and hackers.

The Backoff malware takes advantage of a vulnerability in the process used to read and validate payment cards. The customer’s information is stored in unencrypted format on a magnetic strip on the back of the card. When a customer swipes their card at checkout, the card reader transmits the data to the computer. The POS software will then encrypt the information and send it to the payment card processing company for verification.

Backoff can read the POS computer’s physical memory and record the payment card data before it is encrypted. It uses its own encryption on the data and sends it to servers the hackers can access. The hackers either sell the data to other criminals through black market channels or use it to make purchases themselves.

Moving Payment Cards Forward

There is little consumers can do to protect themselves at the moment except pay with cash or checks. These payment methods are more costly for retailers to handle and come with their own complications.

The only solution is to move away from magnetic strip cards and toward other methods of payment. Companies are experimenting with digital wallets and other smartphone-based payment systems, but they have yet to see widespread acceptance.

The system that’s most like the payment cards consumers are already familiar with is the Europay-Mastercard-Visa system, or EMV. It uses the same plastic cards, except the payment data is encrypted and stored on a microchip. The credit card industry has set a deadline for retailers to move to EMV cards by the end of 2015, but the equipment required is expensive. A retailer could pay up to $1,000 per register, leading many to drag their feet due to the cost.

The cost of a security breach is much higher. Target estimated costs associated with the breach had reached $148 million in the second quarter of 2014. The cost of the damage to the company’s reputation, brand and corporate image is harder to calculate. Unless more retailers want to follow in Target’s footsteps, they must leave magnetic payment cards behind.

Follow every major phase of the Target retail security breach along with my insights. Download my RETAIL SECTOR PDF for all the major retail security stories in 2013 and 2014.

Is Your E-ZPass Spying on You?

E-ZPass is a type of RFID device called an electronic toll collector (ETC). Instead of waiting in line at the toll booth while the driver ahead of you searches for loose change, you simply drive on through. A wireless transponder activates the ETC, reads the ID number and the transportation department debits your account. ETCs are currently available in 22 states, with more adding them every year. They’re popular and certainly convenient, but are they a threat to the user’s privacy? Most ETCs don’t give the user any indication when they’re being read, and at least one state has admitted to using ETCs for other purposes.

New York E-ZPasses Are Milked for Information

Last year a hardware hacker in New York going by the handle ‘Puking Monkey’ wired up his E-ZPass to trigger a signal light and mooing toy cow. The E-ZPass draws 8 µA of power while at rest, but 0.3 mA while being read. When the draw increased, the LEDs would light up and the cow would moo. He found multiple sites in and around NYC where the E-ZPass transponder was being read but there were no tolls.

ETCs are placed throughout many major cities

When the media contacted the New York Department of Transportation, a spokesperson claimed the data was used to provide real-time traffic information, estimate travel times and reduce congestion. According to the E-ZPass Interagency Group, which oversees ETCs in 15 states, New York is the only state that has been using the passes outside of collecting tolls. It’s worth noting that some states have their own ETC systems and might also be using them to track motorists without their knowledge.

ETC Users Will Soon Be Able to Rest Easy

Puking Monkey had to open his E-ZPass and do the wiring himself, but most ETC users don’t have the technical know-how to create their own alarm system. In many states, the user doesn’t own the ETC device and must return it if they leave the program.

BVS’ Detect-A-Pass keeps security conscious drivers in the know

But security-conscious ETC users will soon be able to purchase an off-the-shelf solution from BVS. We’re working on a new product that will let them know when their ETC is transmitting, without making alterations to the hardware.

Contact sales@bvsystems.com for more information.

Source:

http://m.authorstream.com/presentation/pukingmonkey-1903125-road-less-surreptitiously-traveled/ (E-ZPass info starts on page 84)

Car Remote Key Fobs Prove Vulnerable to Hackers

Remote door locks are a convenience to the driver, but they could also offer thieves a convenient way to break in. When you press a button on your car’s key fob, it uses radio waves to send a series of codes to a receiver inside the vehicle. If the codes match, the car accepts the input. The problem is criminals could use off-the-shelf equipment to crack the codes and unlock the vehicle.

Silvio Cesare at Black Hat Security Conference

At the Black Hat Security Conference earlier this month Australian security researcher Silvio Cesare showed a video demonstrating the security flaw, unlocking his girlfriend’s car in just a few minutes. The hack disables the alarm and leaves no evidence for police, and the victim’s key fob will still function after a few repeated presses. Most victims would probably assume the battery in the fob is simply going dead.

While he’s only tried the hack on one car, automakers tend to use the same parts and technology across different models, meaning other cars are probably carrying the same vulnerability. While Cesare would not share the specific make and model, the video does show the car and a variant of the vehicle was sold in North America.

Cesare’s method does have some drawbacks that limit its appeal to thieves. Remote key fobs have used rolling codes that change every time the user presses the button since the 1990s, and the process of cracking the active code can take up to two hours. However, cars spend most of their time parked and idle. If the car sits overnight in a driveway or deserted parking lot, a thief would have ample time to break in.

Cesare used a software-defined radio, a device that can send and receive wireless signals on a wide range of frequencies, to capture and transmit the wireless signals. Along with a laptop and an inexpensive amplifier and antenna, the equipment cost approximately $1,000.

Thieves who simply want to take a car or steal something inside will probably opt for simpler and more direct methods like a slim jim or the old smash and grab. In some cases criminals might want to commit a crime using a method that doesn’t leave evidence for the victim to find, such as wiring a car bomb or attaching a GPS tracking device.

Car thieves might already be using similar technology. Last year CNN reported police were stumped by a rash of car thefts caught on tape showing thieves using mysterious black boxes to unlock the vehicles. We’re not sure if these devices use the same technique as Cesare, but as prices fall the equipment he used will become more available to criminals.

Source:

http://www.cnn.com/video/data/2.0/video/us/2013/06/21/newday-pkg-lah-high-tech-car-theft.cnn.html

5 Security Tips To Stay Safe From Russian Hackers

On August 5th the New York Times announced the largest known theft of online login credentials. A group of Russian cyber criminals has amassed stolen usernames and passwords from over 1.2 billion accounts and 524 million email addresses. The data was uncovered in an 18-month investigation by a Milwaukee-based company called Hold Security. According to their report, the criminals got the information from over 420,000 sites of all sizes, many of which remain vulnerable.

Here are five things you can do to help ensure your information stays safe in the future.

1. Don’t use the same login information on multiple sites.

So far it appears the hackers have only used the stolen credentials to send spam on social media sites, but people often use the same usernames and passwords on other sites. According to the Internet security firm Symantec, the average user has 26 password-protected accounts but only five passwords. If you use the same login credentials on your bank’s web site or at online retailers that store credit card information it’s like leaving the front door of your house wide open.

2. Protect your email password.

Email is so commonplace, we almost forget about it. But criminals can use your email account to wreak all sorts of havoc. If you’ve ever received an email from your bank or clicked a “forgot password” link on another site and forgotten to delete the message, anyone with access to your email account will know you have an account on that site. Criminals can also glean personal information they can use to commit identity theft from your email account. Treat your email password as you would any high-security account.

3. Practice secure password policy.

Choose passwords that are difficult to crack. Do not use passwords based on personal information such as a child or pet’s name, your birthday or the school you attended. In today’s online world of social media, this information may not be as private as you might think. Choose a password that is at least 12 characters long and has a mix of numbers, symbols and uppercase and lowercase letters.

Symantec also found 38% would rather clean a toilet than make a new password, but secure passwords don’t have to be difficult to create and remember. Acronyms of phrases make excellent passwords that stay with you.

4. Change your passwords often.

Many of us are guilty of not changing our passwords often enough. Remember, there are many security breaches that go unnoticed or unreported. Make it a practice to update all your passwords at least every six months.

5. Be wary of follow-up scams.

Hackers often use compromised email and social media accounts to commit phishing scams, since people are more likely to open an email attachment or click a link in a message sent from a trusted source. Never open a link or email attachment you weren’t expecting, even if it supposedly came from someone you know.

Homeland Security Warns of Retail Malware Threat

As banks and financial institutions have become harder to break into, cyber criminals have increasingly turned to targeting retail operations. According to an advisory issued last week by the DHS, the malware family known as Backoff has been identified in three forensic investigations of large-scale Point-of-Sale (POS) data breaches.

The malware reads credit and debit card information from the infected computer’s memory, before it can be encrypted for verification. Backoff attaches itself to an essential Windows executable file and is very difficult to detect. The report indicated it is almost undetectable by current virus definitions.

While the antivirus software companies work on a solution, here are a few things you can do to keep Backoff away from your business.

Disable or remove remote desktop applications

Backoff targets computers running programs like Apple Remote Desktop, Chrome Remote Desktop and Splashtop 2. If your IT staff needs to use these programs for troubleshooting or updates, have them disable or remove the programs when they are finished. Leaving them installed and active lays out the red carpet for data thieves.

Monitor outside connections coming into your network

Once the criminals find a vulnerable system, they usually attempt to break in using brute force. They use automated software to try common usernames and passwords until they hit a match. Monitor your network traffic for unfamiliar IP addresses and unusually high numbers of external connections or login attempts.
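One way to act on this advice is to scan login logs for unfamiliar sources and bursts of failures. The following Python sketch is an added example, not part of the original post; the log format, field names, thresholds and addresses (taken from documentation ranges) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<UTC timestamp> <event> user=<name> src=<address>"
LINE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$")

# Constructed sample log: one source guessing usernames, one known vendor
# mistyping once, and one unfamiliar source logging in normally.
SAMPLE_LOG = """\
2014-08-01T02:14:01Z login_failed user=admin src=203.0.113.45
2014-08-01T02:14:03Z login_failed user=admin src=203.0.113.45
2014-08-01T02:14:05Z login_failed user=pos1 src=203.0.113.45
2014-08-01T02:14:07Z login_failed user=manager src=203.0.113.45
2014-08-01T02:14:09Z login_failed user=admin src=203.0.113.45
2014-08-01T02:14:11Z login_ok user=admin src=203.0.113.45
2014-08-01T09:00:12Z login_failed user=vendor src=198.51.100.7
2014-08-01T09:00:30Z login_ok user=vendor src=198.51.100.7
2014-08-01T11:42:50Z login_ok user=clerk src=192.0.2.10
""".splitlines()

KNOWN_SOURCES = {"198.51.100.7"}   # constructed allow-list of expected sources


def parse(line):
    """Return (timestamp, event, user, source) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_suspicious(lines, known_sources, max_failures=5,
                    window=timedelta(minutes=1)):
    """Map each suspicious source address to a sorted list of reasons.

    Assumes the log lines are in time order.
    """
    recent = defaultdict(deque)    # source -> failure times inside the window
    findings = defaultdict(set)    # source -> reasons it was flagged
    for line in lines:
        record = parse(line)
        if record is None:
            continue
        ts, event, _user, src = record
        if src not in known_sources:
            findings[src].add("unfamiliar source")
        if event == "login_failed":
            times = recent[src]
            times.append(ts)
            while ts - times[0] > window:      # drop failures that aged out
                times.popleft()
            if len(times) >= max_failures:
                findings[src].add("burst of failed logins")
        elif "burst of failed logins" in findings.get(src, ()):
            # A successful login right after a burst deserves the most attention.
            findings[src].add("success after burst")
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for src, reasons in find_suspicious(SAMPLE_LOG, KNOWN_SOURCES).items():
        print(src, reasons)
```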

Require strong passwords for all accounts

Weak passwords are easy to crack. Strong passwords should be at least 12 characters and have a mix of uppercase and lowercase letters, symbols and numbers. Some systems use two passwords, the user’s normal password and a single-use password sent via another route such as text messaging.

Educate your users about email security

Don’t forget many security breaches start with simple phishing scams. Caution your users not to click on any email link or attachment they weren’t expecting, even if it’s from someone they trust. If they receive a suspicious email, have them contact the source directly to make sure it’s legitimate.

Safeguard your point-of-sale computers

Your POS computers should have their own network isolated from other computers, and they should only run software directly related to POS functions. The criminals responsible for the Target data breach last November stole their login credentials from an HVAC subcontractor that had also done work for other large retailers. Businesses often give HVAC companies network access to monitor heating and cooling equipment. Since the POS machines ran off the same network, the criminals were able to access them and install their malware.

What’s next?

Now that Backoff has been discovered, it’s certain antivirus software companies are hard at work on finding ways to neutralize it so it won’t remain undetectable for long. But retailers shouldn’t be lulled into a false sense of security. Malware developers aren’t standing still either, and there are always new threats on the horizon.

Top 4 Security Drawbacks of BYOD

BYOD Security Concerns

Many organizations have allowed or encouraged employees to use their own smartphones and tablets on the job. The process is called bring your own device, or BYOD. It’s popular with workers and saves the employer money on equipment costs. However, BYOD has drawbacks that concern security experts.

Last week the Information Security Community on LinkedIn and Internet security firm Vectra Networks released the results of their second annual BYOD & Mobile Security Study. The study involved polling more than 1,100 IT security experts on their top BYOD security concerns.

1. Loss of Company or Client Data

The biggest fear of any IT security professional is losing confidential data. Smartphones and tablets are basically handheld computers and malicious individuals can use them to steal information and cause damage to your corporate systems.

2. Unauthorized Access to Company Data and Systems

With workers bringing their own equipment, the process of administration and granting access is more complex. In addition to workers, the company may also have clients and contractors that need access using their own devices.

3. Mobile Malware

Viruses, worms and Trojans aren’t limited to computers anymore. The open structure of the Android operating system and the lax screening policy on the Google Play Store make it a prime target for malware programmers. Antivirus and Internet security developer Symantec has called Android a “malware magnet.”[1] Apple maintains a tighter control on iOS apps, but the iPhone and iPad are not immune from malware either.

4. Installed Apps with Security Flaws or Suspect Permissions

Even if an app isn’t outright malware, it can have built-in security flaws. In April 2014, Fiberlink released the results of a survey of BYOD users that found 83% had 10 to over 100 apps installed on their devices.[2]

It’s highly likely that many of these apps have not been tested for security and compatibility with the employer’s systems. Apps that use advertising to generate revenue often use third-party mobile ad services that add another layer of potential security problems. Many apps have permissions that allow them to share information that may be sensitive with the developer. For example, a game or social media app the user installed on impulse could share the user’s contact list or call history.

Even if your company has not embraced BYOD, it still needs to address the use of personal mobile devices. The BYOD & Mobile Security Study found 21% of organizations that have no BYOD support acknowledge employees are using their own devices for work-related tasks anyway.

[1] http://www.cbronline.com/news/security/symantec-google-android-is-a-malware-magnet-4324588

[2] https://blog.cloudsecurityalliance.org/2014/07/21/survey-finds-byod-devices-cluttered-with-mobile-apps/