
Not-So-Secure-Print

BSides Edmonton · 2018 · 40:05 · 356 views · Published 2018-09
About this talk
Michael Spaling and Zoe Tomkow demonstrate practical attacks against multifunction printers and secure-print systems. They show how to intercept and decrypt unencrypted print jobs, extract domain credentials via misconfigured scan-to-folder functionality, and conduct physical and remote attacks on printer infrastructure. Practical defenses include disk encryption, network segmentation, and credential management best practices.
Original YouTube description

Speaker Bio: Michael Spaling leads a team of professionals involved in a wide variety of IT Security work for one of Canada's largest Universities. He's presented on various security topics at a wide range of conferences and user groups including ISACA, CANHEIT, BSides Calgary and BSides Las Vegas. Michael has been thanked numerous times in recent years for a handful of private vulnerability disclosures. His biggest regret in life is all the Mass Effect playthroughs where he ignored Liara and romanced Tali. Zoe Tomkow is a penetration tester and infosec professional for a security services provider. During daylight hours, she compromises corporate environments, then works with clients to increase their existing security, detailing steps and methodologies to do so. After hours, she's going out fer' a rip on her motorcycle, making noise in the Edmonton infosec community, and tinkering on whatever new project has grasped her squirrel-like attention span at that moment. Disclaimer: BSides Edmonton makes no claim to copyright on your material and makes this request only to benefit the community. The presentation and videos are opinions of the presenter and BSides Edmonton is not legally responsible for invasion of any privacy of any entity (including, but not limited to, IP addresses, organization names, images, videos, exploits, vulnerabilities).

Transcript [en]

welcome thanks guys take it away y'all can hear me oh we're good yeah oh yeah so so first things first it's good to actually see people in the room when I was looking at the schedule there's a lot of really really good talks and I felt a little amateur she was like we're the ones doing the printer talk like who gives a [ __ ] about printers really but that was that was one of the reasons we wanted to do this regardless of what your opinions are about the best brand of phone or the best operating system or the best anything printers are that one thing we can all unite behind and be like these things suck so we're gonna

add a whole bunch of pile to that sock and secondly on a serious note like printers are a part of all of us all of our environments we all have and we use them act as a multifunction printer just on floor to outside this building after you see our talk you're gonna walk by that and be like rekt so that's kind of our intro here so so how we got to doing this Oh Frick back in like February someone I work with canceled a meeting which meant I suddenly had an hour of free time which was quite rare and I had to do a whole bunch of paperwork and I ended up printing something and and we

use this this this thing it's called secure print where you you have a pin right you know one two three four or whatever is your debit card the same thing and and when you send your print job to the printer the printer doesn't automatically print it if you use the care frame the printer holds on to it until you enter your your PIN then it releases it and if you're gonna use a product that has the word secure in the title and you give someone on my team an hour free time we're gonna have quite a bit of fun with it so we're going to talk today about some practical attacks against printers there's there's no

there's no theory today everything we're talking about we've done you can do it too sometimes it's a matter of just spending 60 bucks on the internet and having a go with it but a real quick intro if you want to learn more about the bullet points just find me later I'm not gonna go through it but I do want to highlight the bottom one here a total total plug to the home team Nate alumni as well graduated from the computer network admin course back in 2008 honestly it was a great course it taught me so much stuff it humbled me like crazy I went into that course being like I know everything about computers and a

week later I was like you know jack-shit about computers and I'm also on the base advisory program what is the base Advisory Group council membership whatever its its industry advisors who advise innate on the course of some of their projects and sorry this is my very first presentation so just bear with me thank you I appreciate that [Applause] so I'm Zoe I work at secured net solutions we're a small local company based out of Calgary it's just sometimes likes to throw stuff in the xx slack and I'm like cool a puzzle I've also doesn't work with Brenneman's Internet of Dawn's project where he did some security auditing on internet connected sex toys so that's what DVDs

are I don't have any C's yet but she also check out that talk tomorrow afternoon he's doing a whole talk on a bunch of things and that is in there and allegedly I could fit 16 marshmallows in my mouth I there's no video or photo evidence and I don't know how that is because we all have smartphones and when someone says hold my beer I'm going o get my phone first you know make sure I get this on if anybody actually has 16 marshmallows fine because there's something we need to settle together and also I will be leaving right after this talk so all right so here's how we got here or the quick agenda for today we'll

just do a little bit of discussion get everyone on the same page about around printers and what our general knowledge is encrypt all the things that we know encryption is important uh-huh we're gonna show you guys what happens when you don't encrypt or print jobs which I would bet very many of you are not doing and then we're going to show you what happens when you encrypt them very very poorly and we come in and start decrypting your [ __ ] and then we're gonna show you why you want to encrypt it string riously goes DDoS that's a whole section about how your multifunction printers can do stuff because stealing domain creds that's we're gonna focus on stealing domain

creds but really we could title that just stealing credentials for all sorts of services using printers and then the good news is we do have solutions for all of this this is not one of those talks so we're just gonna like you know mic drop walk away and cause panic in the streets this stuff is actually quite simple to prevent it's just from my experience and Zoe's experience people just aren't doing this so that's okay and then the last thing I do have I was told I have to put this slide in here for my employer I and one particular vendor that we used was just if you're gonna throw us under the bus do so politely it's not a vendor

bash at all this is the intent of this this presentation is to build each other up and not put each other down we're here to show you guys some interesting issues with printers and the whole point of this talk is I know for a fact there's one person in this audience because they told me earlier their boss said to them yeah you can go to b-side Edmonton under one condition and that's that you bring something back practical from that conference that we can do in our environment so this talk do you know who you are in this talks right for you because this this that's that's what this is this is this is practical stuff

you can write this down and be like hey we should probably look at our printers because there's some fun stuff there what else did I have here that was it so just a little bit audience participation I hate audience participation so I'm gonna force all you to do it sanity check just raise your hand if you've ever successfully cancelled a print job who's actually done it a few of you okay anything I think you're all liars I mean there was one time there was one time where I almost managed it where I thought I cancelled a print job and like a week later my power blipped and that cheeky little printer just fired out that job from a week ago and

trying to go to your therapist to talk about how your printer is gas lighting you just it's a little bit it's a little bit weird she just says step away from the machines and which is just good life advice in general I think in our industry but the opinion that being able to cancel a print jobs a superpower and if you only have one superpower like you could have got flight invincibility you know you've got the ability to cancel a print job so that really sucks and how many of you know what PC load letter means and how many of you know that from office space or the actual documentation apparently it's print carriage load

letter paper they could have just said yeah how many of you raise your hand if someone has changed your multifunction printer display to something inappropriate on April Fool's Day that actually happened okay yeah one person who we can be related together I don't drink whatever this actually happened couple years ago you can find out online there was someone out there either you show down or they scan the entire Internet and they found a couple thousand IP addresses with public direct ports open and the early mornings of April Fool's Day and we were all sleeping they ran a script that change the where it worked they display to something like you've been hacked sort or something and I came

into work and someone was like oh my gosh someone got into a printer and I was awesome and how many of your multi functions have actually DDoS European Counter Strike servers I see yeah well that's that's a whole portion of the talk later so so one thing that I want to talk about is is four steps to guarantee failure a lot of what we've looked at when it came to these printers is there is this common theme in the last six months talking to people fixing stuff and it was to summarize that it was this it was oh that doesn't work the way we thought it did or oh that's that wasn't configured the way we thought it

was configured and and what I've learned so I work very large enterprise people departments teams vendors contracts people there's a lot of people involved in decision making going basically from like like conception to actual influence and operates and you guys remember the telephone game dare played as a kid we're like you know they they'd stick in a group and one person would would say something like a guppy in a shark tank and then the person would whisper it and they'd whisper it and then the last person would have to say what they heard and it would be something like a puppy in the park stinks I got that from the internet right and the point is it's

like it's like each person kind of hears something i says something a little differently and then over time it changes and um I actually had a co-worker telling me Billy can we do that all the time we call it water falling and I was like that's actually really funny but here's here's what we learned with with one one particular vendor they literally gave like they gave me step one and I was like I'm gonna run with this so engineering comes up with a feature and they say we have this new feature to solve problem X it does not solve problem wires that it just solves problem X and then they gave it to marketing no offense to the

marketing folks and marketing says you know we're first to market for feature X attend this webinar to learn about X Y and learn all about future Y if you spend like 20 seconds on LinkedIn step two you see all over the place and then the customer goes hey this webinar just show how to solve problem wise we have said all over the place we should attend the webinar and then step 4 happen so they by feature X they accidentally use it to to solve problems that and everything's right with the world until Zoe night come knocking with our fun little tools and and no that's not what happened so we have three examples for today that we want to show you guys

there's a lot of stuff we could have talked about with multifunction prints acuity but just time constraints and whatnot we we focused on these ones so we're going to show you guys a complete reversing of one particular secure print implementation we're going to talk about SNMP management and and how you can abuse a hell out of that with printers and then we're going to talk about we call the scan to folder that's kind of where we look at at actually abusing like stealing stealing credentials and what-have-you so real quick does anybody anybody here you secure print you know pins to to printer stuff or do you just print and it shows up on the printer and you hope

someone else doesn't have it so if you use if you don't use secure print this is what it is it's it's a feature you can enable in any modern print driver that's when you print it asks you what what do you want your a pin or eight one two three four it sends out along with the print job when you get to the printer you it will not release the preferred job until you enter your actual pin the problem is that it has the word secure in it and what it's not it's not secure there is absolutely nothing secure about secure prints at all and Zoey and I are going to demonstrate this so what we did is we

captured a print job as a whole bunch of them and and we started looking at what exactly is in a secure print enabled pin job on the wire and it's always going to take it from here so here's a small sample from just one print job that we that we captured so we have lots of really interesting information like we know the program that issued the print job so we know it's word we've got Spaulding's username which is quite handy because if you you can find out username format for an enterprise if you get one the computer name excels your

if you see like sovereign and defiant okay and but the the big one is job password that's the one that stood up to me so yeah the job password looks a little bit short for a password so and one of the other things is you can also I believe in your enter in your environment you found in one of your packet captures you found like the someone printing with you yeah I was I was capturing something with some with their permission and and what they actually had as a user name was was their last name dot admin I was like oh no and I didn't know what user name they were using on how we know your

administrative naming convention so if you can get a foothold in an environment where you can just start start ripping out print jobs which is really easy to do I'll show you that there is an absolute wealth of information in these packets that can help you a numerate and like when it comes to pen testing like enumeration is the biggest thing so I love all that data so we we worked with some of the pins we entered a few pins to see what the the job has would look like so for the pin four three two one we got 44 58 5654 an odd size that's for sure each character each pin number so pins can actually be alphanumeric they

don't need to be just numeric just for simplicity sakes they are just numeric here so we have a pin of so four four we have 44 so we tried doing our reverse so instead of doing four three two one we did one two three four we didn't get something that looked like a substitution cipher so we can rule that out and we also notice that the job pass where it grows the exact same length dependent that's dependent on the length of the pin so we know if there's a 20 character job password it's a 10 character pin if it's a 10 character job password it's a 5 character pin that doesn't sound like any sort of good

encryption that I've heard of but I'm not a cryptographer so I had a gut feeling that it had something to do with his or but how do I figure it out well I did the first couple by hand but then I got lazy because I'm very lazy so I dug into the android apk so I've done a little bit of stuff before mostly working with renders songs project and the great thing about Android apks is they're basically jars so Java jar files and because they're byte code we can you compile them really easily I am not Josh I cannot stare at assembly day in and day out and I just I see assembly and I just nope out of

their like not for me so in an android apk you quite often have if any of your standard file archive on our cut file unzip e things winrar that you'll see a few different files like libraries asset files but there's one main one main one and that is the classes.dex and that is like the that's where all the nice stuff live that's like the white stuff in an Oreo you can just throw away everything else because really like your taste in Oreo is objectively incorrect and I can save it but we'll do that later those marshmallows so yeah lots of tools the nice thing too is because it's just straight jab there's tons of Java tools out there that will

be compiled these quests lets classes about Dex files and when you do that you get nice little class files and it looks very similar to the source it's not exactly the source but it's good enough and the nice thing is that like nobody strips or office gates these Android files these apk files there has been one instance and that was in one of renders projects after we recommend it to them to run it through an obfuscator and when I see the obvious kind of stuff I'm just like nah I'm I'm off hours I'm too lazy for that so it's a good way to get rid of lazy researchers yeah so one of the key things just with um with the Android

apks and stuff that is if if you're if your device like your your windows-based laptop can do the exact same thing but your Android based phone can do find the apk that that's doing it and rip it out what happened in this case is is the print drivers for the vendor that we were using that was on here they also make an Android print driver and when we were like well hey hold on a second we're pretty sure we can figure out you know how the securin thing is working yeah there's feature parity there so we'll say if you have feature parity between an Android device and and your your regular operating systems or something look at the apks because

you're gonna learn a lot about how things actually work yes I mean you basically get the source silence and so once you have the D files you compiled you can load them up into your favorite IDE and search for keywords like password and here we have the two files that the that I handled the encryption of the pin into into the password so we're gonna look at job password class and here we see the encryption string they use which is actually the same as what I I found doing it by hand so that's just a confirmation that it's soaring with PK de pke you know repeating which is great seed and a little bit below we see the actual

method for converting the pin into the job password so the carrot there right in the middle right before that long string is a for the programmers people who don't program which I don't really program that much so that's the zuhr function so we know that it's as or and it's storing the pin and not seen there is about 25 lines of code where they're actually taking the hex representation and converting it to doing some type juggling into a string to give us the hex that we see the XML so now that we know how the function works we can go ahead and python script and i will not show you the code because I am like a

modern-day Medusa except instead of turning people to stone developers just cry uncontrollably when they see my Python code and I don't want to inflict that on people so but we can also show that we can take a pin convert it into the job password format and then take the job pass reformat and recover the pin from that but what can we do with these pins now that we've recovered them a whole bunch of stuff so so at this point we've done our print job we've captured it we've realized in the wire there's an interesting little value that says that says you know password we have a Python file that we can decrypt all those pins so if you can get a foothold

and you can just copy every user capturing everybody's print jobs about that pin value run it to the Python file we have what can you do with the pin and the first one totally obvious now you just go walk to that printer you enter the pin you grab their job and you walk away I've learned I don't know if this is a common thing but I've learned that people will like I kid you not they will print on a Monday and they won't print their job up until Friday they'll print on a Friday and they'll expect it to somehow be there on a Monday I print my stuff and I walk right there and I get

it so your your time window to grab the job now that you have their pin is interesting but the reality is is when we learn to do this I kind of just casually walk down my department ask people is like hey do you secure print yeah is your PIN the same as your debit card or credit card PIN and and no one straight up was like yes but yeah and and yeah so pin verification systems are very common now right even if you call your bank or whatever what's the pin on the counter I want two three four and it's not my pencil right but but the point is now not only do we have a

method of just grabbing their print off on the printer but we have a way of figuring building a database of very common pins and spoiler alert one two three four is a very common in but one thing I wanted to point out is that very top one I know about this so when when we started changing the pins and then reprinting the same job and looking it was on the packet capture we learned an interesting thing and that was that nothing else changes in the package the only thing that changed was that password value which was interesting because we were all inter the assumption but that somehow that password it's doing that's got to do more it's got to

be it's got to have some influence on on that that print job it's got to be encrypting or something yeah it doesn't that secure print pin is there no other reason than just to release the job so we look a little closer and we realized that what else is in the packet standard print job this one was like like six thousand packets of ripping it or putting it together you've got all the metadata which got your PIN and then you have this this is basically it's just a PCL encoded print job that's all that's there I mean it might sound like a no-brainer but that's that's all that's in it so the point here is that if

you've achieved a foothold in an environment which is really easy to do we'll show you in the next set of slides where you can rip out people's print jobs and grab their pins you don't you need to decrypt their PIN anymore and go run to the printer and print it you can decrypt the print and hang on to it for you no other use but you can just grab the entire print job right off the wire use an off-the-shelf PCL 6 decoder and just view it right here on your laptop so whatever you're printing whether it's out of no financial information HR discipline letters that I get I mean you know these things like that someone else could easily have it

and you have absolutely no way of knowing that they've done that and then um at this point we decided to actually tell somebody about this we're like hey look at this thing that we could do we don't know what the risk is we care maybe someone carry someone doesn't care really the question was how much do you care that we can we can do this and in the first conference call that we had a really interesting comment was made and what we said is they say well how are you capturing the print jobs and we said oh we're just running a peak up on our firewalls because the firewall sat between my workstation and the printer

and we were doing that because it was convenient like we managed maintaining the entire firewall environment so why would we build something new just log on run a TCP dump let me dump it and one person had said they said oh oh okay well so for someone to actually do this then they would need to hack to this firewall and hack this firewall in hack this firewall and hack this firewall and get to this firewall and that's really hard to do so this isn't a non-issue or this is a non-issue and well no not at all um we were we were using the firewalls because it was convenient but the point is if you can get physical access to a

printer that's all that's all you need physical access to a printer get to that physical wire and you you can start doing this very very easily and one of the greatest places to find physical multifunction MFDs is at any reception desk how often have you walked into an organization even here at ebbets in downtown and you've got the reception desk person sitting there what's behind them freaking multifunction printer so there's only now we're kind of talking and looking at this and saying like how what could we do to actually you know just just realistically you know walk into an environment you know that we know absolutely nothing about and started numerating it and the answer was

BAM that multifunction printer so our first idea was to buy Raspberry Pi with a whole bunch of adapters you don't need a whole bunch of adapters just need to the reason we bought a whole bunch can't read spec sheet they bought all the wrong ones but we finally found this little guy so we have one right here if you want to see it later this is a hack five packets world so this is man in the middle for 60 bucks us convert to Canadia and ship it up your hundred dollars under bucks anyone here can buy this device and they're amazing a little larger than a toonie so it works with battery packs like this is this is the

power to do USB power plug in we all have those on our phones if you don't have a battery pack what you do is you come to the U of A campus you find the people that are doing this in a circle and they're playing pokemon go you love them because they have like 600 battery packs don't even have to pay for one shameless plug if you play pokemon go come to the U of A it is the most dense pokey Center something like in the province so people come to the University just a play pokemon go and it has three modes be kept dump DNS rewrite in VPN you can actually put this on a

wire you configure it to rewrite all people's DNS traffic everything going through there we use it for pcap dome and then we said hey why don't we actually do it so we built a I have it here someone said looks like a bomb it's not a bomb standard besides Las Vegas speaker gift from a couple years ago just a standard battery pack USB cable I this is the bottom I flipped it over the green thing means it's booting up and it's right here if you want to see it so completely portable fully automated just it's actually powered on right now I intentionally cover the light so you can't see that if you were to plug this

into anything on campus there's a multifunction printer right over there it'll just start ripping that all the print jobs copies everything we'll see everything we want to see so you walk into that environment you say hey I'm you know the IT guy here to fix your printer you reach over you plug her in and you're good to go so you notice anything odd about this printer other than the fact that it's a printer no right this is standard printer floor one I know some like co-workers in here you probably have printed on this thing a few times and our vendor and I I'm sorry vendor reports to me at the U of A and we were

like hey let's let's take some pictures for this for this shot but if you reach behind it there it is we just plug it in now we took this for the the presentation we weren't actually ripping out jobs here but the funniest thing I kid you not we had two co-workers walk by us my server team and they see like like I'm reaching over my butts in here and her vendors like and there was his camera trying to get the light on to make a nice photo and they they know our jobs and they just like is there a security issue with the printer you know like they're God's gift call me and and we really yeah actually

I mean you get that you walk through the hall light everyone's like oh secure my kids are like we do more than that but anywho so that's that's ripping apart secure print ripping apart unencrypted environments under bucks you eyes cause some stuff so we're gonna switch it here okay so when communities not your friend Thomas Matthews this morning plug a check YAG sex a I wasn't gonna plug it but if you plugged it I'll plug it so it's just a local community started a couple years ago I think we had almost 200 numbers a few days ago if you're five militant group communities awesome it's fantastic if someone like me can get off my butt on a Sunday afternoon

and go to white Ave and meet people anybody can do it I remember my wife was like wait you're doing what now like you're voluntarily leaving the house to go to Y tab of all places to meet people you've never met before in a bar like that is so out of character for me and I was there for like five hours I'm like babe I found this group of people they're amazing there's a roomful you guys so community is fantastic unless it's SNMP community then it's absolutely terrible so if you don't know what SNMP is it stands for a simple network management protocol and you can do a lot of stuff with SNMP and Printers so it's

mostly used you know in large environments or small environments whether you're on printers or network devices just for for monitoring reporting sending commands and when you're at the U of A and you've got like five six hundred print or something ridiculous okay you know you don't want to send a person to every single printer every day because they're gonna hate their lives and and pull stats on it so we use SNMP to ask the printer questions things like what are your toner levels what are your pin trays how many people printed this and it reports back so that way when someone shows up and manages the printers they can go okay these three printers need magenta toner

I'll do that takk toner I'll do that but point is there's a really really really really loose security feature there under really loose security feature well call it a password it's called the community string but it's a password and if that is not if what you're sending in your packet is not what's configured on the device it'll drop it which is the intended perfect or purpose but if it's not like the default so you know you buy a router from Best Buy and it's not the default password SNMP is the same thing a lot of these devices come shipped with defaults the word is literally public or private and then as of like last week

shown an had over 45,000 devices on it if you don't know showdown is it's a giant internet search engine for ports and protocols with SNMP listeners so that's what it is that's how it works but let's abuse the hell out of it so DDoS attacks have you know I would say have had a resurgence in the last five years I'm sure if you go out to the this wander booth the sponsors there they'll tell you all about DDoS attacks and how their technology stopped and whatnot but one of the things that enables DDoS attacks nowadays is something called UDP amplification so this is an entire talk in itself I have a whole talk just on ntp amplification

because it's awesome awesome if you're not the guy receiving the packets and it sucks but TLDR UDP amplification is this it's when you send a really really really small request to a device and it generates an abnormal abnormally but a relatively much larger response in fact and we talk about it in terms of ratio so this is NTP not SNMP I think SNMP depending on what you're doing can be like 1 to 35 or what and larger but enemy like 1 is 600 which means that if you send if you spoof a packet first of all UDP you can spoof like crazy because there's there's no connection orientation there but with UDP you send a spoofed address the spoofed address is

your ultimate victim. You send it to all these printers and you ask the printer a really small question that's gonna generate a massive reply. You make sure you use public or private as your community string, because odds are they haven't changed it, and what it's gonna do, it's gonna be like, yeah, this is awesome, and it's gonna generate that reply, send it back, and then you end up with a target victim somewhere that's gonna get flooded. So with a ratio of 1 to 600, one megabit per second of request data can generate about 600 megabits per second of reply data, which is maybe not the biggest thing in terms of scale; throw some zeros on there and we start having

problems. So this is why I think Cloudflare was saying that they're mitigating like terabit-per-second class DDoS attacks now. It's not like people are generating a terabit here and throwing it there; now they're using like a gigabit per second of traffic to generate 600 going this way, so the net result is RIP everything. So how this applies to printers: we actually had this, it happened a couple years ago. Came into work, and there's a company called Nuclear Fallout; it's popular, it was their European-hosted Counter-Strike servers, they host a lot of the competitive scenes on Battlefield servers and whatnot. And we started getting emails from them very quickly that were like, hey, all these IP

addresses on your network are DDoSing our environments, and it's all SNMP garbage. And when we looked, we're like, they're printers, like, what the hell? And that was kind of how we got tipped off to this. And so this is not a do slide, this is a don't-do slide. So if anyone's taking a picture of this, like, this is that practical thing Michael talked about: we do this, not this slide. This is going to cause you a bad day. So if you don't change your community strings, if you expose your listeners to the Internet and then just go about your day, someone else is gonna find out quite quickly, and good chance your printers

are gonna start DDoSing the hell out of the planet, because that's just what happens. We didn't literally get 500 tickets, and then that actually cost us three months of work, working with some vendors and some people to actually go and change things. The easiest thing to do was just block SNMP at the campus perimeter. Many of you guys are probably like, why didn't you do that initially? Just politics. We can do that now, but at the time it was much more difficult. And that's it, so that's basically how we blow things out of the water with printers. Okay, now I'm gonna talk about how, well, we've talked about how printers are one way, as we talk to the printers,

but we can also make the printers talk back to us. As multifunctions, as in the name, they can do several different things like scanning, and the scanning functions of multifunction printers have their own whole happy ecosystem now; there's scan to Dropbox and whatnot. But the one we're gonna talk about is scan to folder, and quite often they are misconfigured, therefore fun on the attacker front. So when we scan to folder, often that printer has to have credentials to be able to write to whatever folder it wants to write to. Now you can make users enter their credentials to do it, so that it has authorization to write to

that folder. But a lot of IT people are either lazy or, more likely, underworked, I mean understaffed, overworked, and so they may throw high-privileged accounts on there, such as domain admin accounts, so that they can write to any folder willy-nilly and don't have to worry about any issues. This is a problem, though, because if we control that printer, and that printer controls high-value credentials... Yeah, oh yeah, by the way, the Packet Squirrels, they run Responder and they can catch these authentication attempts right out of the box; they're fantastic. Yeah, we can basically control those creds. So using something like Responder, we can set up an SMB relay server. Using Responder, that's

pretty much my go-to as a pen tester. It's a man-in-the-middle tool where it attempts to intercept any sort of authentication attempts and captures that hash. You can also go a little more advanced and relay that authentication attempt, so you don't even have to crack the password. If you do get a hash like that, you can then just take it offline and crack it with hashcat. I hope your printer passwords are strong, because I have actually gotten DA from a pen test here in town from a multifunction printer that was very loud and had a very, very weak password. And this sort of authentication shenanigans is like standard operating

procedure for most pen testers. I think it's relatively low noise. So yeah, also, we don't even necessarily have to have a box on the network to be able to relay that to; I can have a Responder server set up somewhere on the internet, like maybe on AWS. And I don't know how many organizations here are egress filtering port 445, but I would highly recommend it, because, from a pen tester's point of view, SMB and getting SMB hashes, there's tons of ways we do it, like through phishing, through all sorts of things like that. So yeah, watch out for that. I just realized I've been drinking out of those water bottles, so... oh cool, I trust

you. I'm not saying... if you're not scared, we're good. All right, all right. So moving forward: using feature X to solve for L of X instead of problems, why is that? So we don't... pretty good on time? This timer says 40 minutes already, okay, crazy. Okay, so let's actually fix this stuff. The good news is most of this is relatively simple and straightforward to fix. If you're not doing a lot of what's in the next slides, maybe start doing them. So through the power of the internet, we're gonna start using memes to guide us through this part here. So you can break this into three areas: physical attacks, remote attacks, and man-in-the-middle attacks. First one

being preventing physical attacks. Common scenario: if you get physical access, it's game over, and that's true. Your screwdriver becomes the biggest threat at that point. If a person is just gonna, you know, undo the thing and rip your hard drive out, you've got some problems. So, disk encryption: modern MFPs, I think all of them, support full-blown disk encryption, pre-boot security, so if someone were to actually take the drive out, they can't get anything on it. I know of a very competent organization here in the city who actually tested that. They took it out, they sent it away to one of those fancy data recovery places, paid the thousands of dollars, and

they were like, we can't do anything with this. Perfect. So if you're not doing full-blown disk encryption, just turn it on. Secondly, disk overwrite is a little different. So disk encryption is great for pre-boot, but once the system is booted and turned on and everything is working correctly, there's a lot of other attacks you can do against, you know, data running in memory, some of our network attacks. Disk overwrite is what happens; you can configure that, and you can actually tell your printers, you know, on a schedule, every day, week, month, just purge free space and purge memory. Earlier I mentioned how people print on Fridays and pick them up on Mondays. The reason I know that is we had an

environment where we actually turned on disk overwrite over the weekend, and we didn't tell anybody, and a bunch of people came and were like, where's my print job? And we were like, wait, I sent it on Friday, it's Monday morning, it's not there anymore, because like every Sunday we overwrote things. So that's a simple communication stage; you just be like, well, that's what happens, they'll pick it up on Friday. And also, spot checks: might sound absolutely stupid, but if you, you know, just get some steps on your step counter because you're trying to win the departmental, you know, health competition or something, walk around the environment, spot checks. Honest to goodness,

just look and see what you can find. If you find one of these, you've probably got an issue. We get it at work, not common, but it does happen: my team will get tickets from people all over campus who are just like, hey, I noticed this odd thing, and the odd thing is some random thing plugged into a wall. Some of the most interesting stuff we've been involved in has been that, so I would just be, I'm like, that shouldn't be there. And try to put them somewhere that isn't a public space. I mean, maybe, maybe not, that's up to you guys. Preventing remote attacks: so SNMPv3 is actually a thing. The whole

deal with community strings, I'm pretty sure that's a v2 thing. v3 is a much better version of the protocol; if your printer supports it, use that instead and all these issues kind of go away. TLS on any management interfaces: this one I always find fascinating. You buy a printer, you set it up, the first thing they do is they enable encryption on the management interface, because heaven forbid someone intercept the password that we use to manage the printer, and then they don't care about the actual data being sent to the printer. Well, that's all plain text and whatnot, but do it anyways. Obviously, strong passwords. Um, printers actually have firewalls, access control that's built right onto them; you

can say only these addresses can manage it, and we're good to go. CA certs. Unicast reverse path forwarding: that's not something you do on your printer, you do that on your routers, if it supports it. So I don't want people to spend the next six days being like, how do I implement unicast RPF on my printer? That's a router thing. But it's used for anti-spoofing. There's different versions, but, like, the strict version of it: the router, when it gets a packet from an interface, does a check through the routing table, and it basically says, if I did not receive that packet on the same interface that I would send the response out, I drop it.

Works really well for anti-spoofing. If you're a large enterprise, asymmetric routing might cause some problems, so do your research first. Don't just be like, Michael said on these slides to turn this on, turn it on, and watch your network completely die. But it is definitely something to look at. And the last thing, preventing MITM: so basically, how to make these things not work anymore. There's three things you can do, in order of what I would say is paranoia. So a lot of modern printers now have encrypted print built right into them, actual encrypted print, not secure-wannabe print. And in the implementation we were looking at, what it does is it still leaves all the

metadata plaintext; it will still leave that, so you can still recover password prints or whatever, the passcodes, out of them. But what it will do is it will actually encrypt the PCL 6 data itself. So that's how much risk you want to accept. I would definitely recommend doing that, because it makes grabbing the actual print job itself much harder. I think perhaps in the future that's something we're gonna look at; maybe next year or the year after will be like the next one. TLS print: you can just straight up wrap all your traffic in it. And the last one is IPsec. You can do IPsec; I've never actually seen an environment set it up.

The vendor we worked with was like, we only know of one vendor in the States, I would say, that we can think of, who actually does full-blown IPsec for all their print environments, because you can do authentication with it as well. So just one more thing as well I forgot to mention before: instead of having them scan to folder and whatnot, you scan to email. That way you don't have to have any creds on there except for maybe a low-level email account, and you don't have to worry about writing to any folders, and that's just locked. So, a whole huge thing, right, but that's still a valid point. And then the other

to add on to that too was, a lot of people, what they'll do is they'll hard-code the creds into the printer just for usability, but really, you can also talk to your users and have them enter their credentials, and you don't want to store anything. So that's kind of what we have; that's the presentation. I do want to say special thanks to two people. Well, first to Kirk. Kirk is here, he's the guy with the shorts on today, probably the only person with shorts on. So Kirk reports to me at the University, he's on our team. Kirk actually played a huge role in this, and it wasn't just the Mike and Zoe show, it was a

Mike, Kirk and Zoe trio show, but Kirk didn't wanna present. So, well, well, well, point two, oh, because we know how much you love the spotlight being on you. And then to the rest of you, thanks for attending; hopefully this was interesting and informative. Yeah, it's printers, but we tried to make it a little bit interesting. And we'll open up the Q&A in a second. If you need to get a hold of us, that's how you can get a hold of us. Yeah, email me at the University, say what you want to say, I'm always on Twitter, I'm not on LinkedIn. And the YEGSEC stuff: if you're not in

YEGSEC, you can join. Great, um, that's probably the best way to get a hold of me for, like, not University stuff, is just a DM on there. So talk to lots of people, we can hook you up with that.
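The campus story in the talk (being tipped off by the victim's emails that their printers were DDoSing via SNMP) describes a traffic pattern a defender can look for directly: internal hosts sending many large UDP/161 replies to off-network peers. The following is an added example, not code from the talk or its speakers; the NetFlow-style record format, the addresses, and the byte-per-packet threshold are all constructed assumptions.

```python
"""Spot printers acting as SNMP reflectors in flow data (added example)."""
import ipaddress
from collections import defaultdict

# Constructed records: src,sport,dst,dport,proto,bytes,packets
SAMPLE_FLOWS = """\
10.20.5.17,161,203.0.113.9,53212,udp,98400,120
10.20.5.17,161,203.0.113.9,53212,udp,102000,124
10.20.5.40,161,10.20.1.5,49152,udp,3200,8
10.20.5.23,161,198.51.100.77,40000,udp,76000,95
10.20.5.99,9100,10.20.1.8,51000,tcp,410000,300
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed campus range
# An SNMP GetRequest/GetBulk is roughly 80-100 bytes on the wire; replies
# averaging several hundred bytes per packet, sent off-network, are the
# amplification signature. The threshold is a tunable assumption.
MIN_AVG_REPLY_BYTES = 500


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_snmp_reflectors(flow_text: str, min_avg=MIN_AVG_REPLY_BYTES) -> dict:
    """Return {src_ip: {"avg_bytes": n, "peers": [...]}} for suspect hosts."""
    per_src = defaultdict(lambda: {"bytes": 0, "packets": 0, "peers": set()})
    for line in flow_text.strip().splitlines():
        src, sport, dst, _dport, proto, nbytes, pkts = line.split(",")
        # Only SNMP agent replies (source port 161) leaving the network matter;
        # polling from an internal NMS is expected traffic and is skipped.
        if proto != "udp" or int(sport) != 161 or is_internal(dst):
            continue
        s = per_src[src]
        s["bytes"] += int(nbytes)
        s["packets"] += int(pkts)
        s["peers"].add(dst)
    suspects = {}
    for src, s in per_src.items():
        avg = s["bytes"] / s["packets"]
        if avg >= min_avg:
            suspects[src] = {"avg_bytes": round(avg), "peers": sorted(s["peers"])}
    return suspects


if __name__ == "__main__":
    for host, info in find_snmp_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: ~{info['avg_bytes']} B/pkt SNMP replies to {info['peers']}")
```

Hosts this flags are candidates for the fixes the talk lists: change the community string, move to SNMPv3, and block UDP/161 at the perimeter.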