David Strom’s Web Informant

New and improved with just a hint of lemon

Archive for January, 2007

As if we don’t have enough to worry about, now it’s our networked printers

Posted by strom on January 25, 2007

Deb Radcliff in last week’s Computerworld writes about exploits to networked printers that can propagate Bad Stuff across your enterprise.

As networked printers become more network-capable, and as network attachments become cheaper and proliferate for homes and small businesses, this is becoming a bigger issue. And while this isn’t news to many security researchers, it may be to others, and it is worth spending some time making sure you aren’t vulnerable.

Printers now run their own Web servers to keep track of their supplies and page counts, and even have hot links from these pages to directly order supplies. When I first started keeping track of these things in the early 1990s, it seemed like a good idea to have the built-in Web server, a way to easily manage your printer across the network.

Now I am not so sure, especially as the number of exploits for networked printers continues to mount, at least according to Symantec’s statistics. Clearly, this hasn’t gone unnoticed in the hacker community either.

Do a quick check of SecurityFocus.com with a search on, say, Xerox, and you’ll find dozens of exploits come up. Now to be fair, Xerox has issued patches for many of these and most of the ones shown are years old. But still.

If you have a networked printer, check to make sure you have upgraded its firmware to the current version. Most of the major printer manufacturers have ways to do mass upgrades of their fleet, such as using HP’s Web JetAdmin tool. And if you have ways to turn off services that you don’t need on the printer, do so now.

Posted in security | No Comments »

Thoughts on Vista for the system builder channel

Posted by strom on January 25, 2007

My latest article for Tom’s Hardware about what the channel needs to know about Windows Vista includes these main points on why Vista can be more compelling than XP for the channel:

  • VARs can tie in a hardware upgrade at the same time
  • VARs can get more profit from Vista machines since they will require more RAM and graphics horsepower
  • VARs can differentiate themselves in terms of service and support for Vista over earlier Windows OSs

I talk about what the real stats on recommended configurations should be and other issues in the article here.

Posted in Published work, VAR channel, microsoft and google | 1 Comment »

When you really need to talk to a human customer support person

Posted by strom on January 22, 2007

Take a look at Paul English’s gethuman.com database. I don’t think there is anyone that hasn’t been frustrated by an automated customer support system. This will help navigate those dark waters, and get you to a human being as quickly as possible.

Posted in Web site strategies | 2 Comments »

Evaluating Enterprise UTMs

Posted by strom on January 22, 2007

My next project for Information Security magazine is to test a bunch of Unified Threat Management appliances (UTMs) out at the Stanford University network lab this spring. UTMs combine a variety of security services such as anti-virus, firewalls, intrusion detection, and VPNs. I am still working up a test plan and criteria, as well as selecting the five products that will be part of the test. While I am doing my research, I came across an excellent document by Joel Snyder about things to consider in evaluating these products for large-scale enterprise needs. Joel is an insightful and no-nonsense kinda guy that has been around the networking block a few times. Here is an excerpt from his paper:

To support UTM in large networks, though, products must meet a very different set of requirements that set them apart from SMB-focused UTM firewalls. By going further in the areas of performance, network integration, support for consolidation, platform extensibility and flexibility, and management, UTM vendors can meet the needs of enterprise network managers.

You can download a copy of his paper here.

Posted in security | No Comments »

How to choose the right digital phone service

Posted by strom on January 19, 2007

Planning on getting digital voice? You can save a lot of dough on your calls and get plenty of features too. There are lots of choices these days, and more confusion than ever. The three basic types of service providers include the local cable company, a specialty digital voice provider (like Sun Rocket, Vonage, Packet8, AT&T’s CallVantage and Verizon’s VoiceWing), or something that works with the Skype software division of eBay. Let’s go through some of the decisions about what kind of digital voice service to get.

Decision #1: Are you a cable TV customer?

The first choice you will have to make is whether to go with the cable TV company for your phone needs. If you are a current customer, they offer discounts for adding a digital voice line. You will need to replace your current cable box with something that supports the digital voice, and a cable technician can also wire this into your phone wiring as well.

Most of the cable companies only offer a single digital voice plan, so depending on what your calling patterns are you might do better elsewhere, for example if you don’t make many long distance calls but make lots of international calls, or if you want multiple local numbers. But you have a single bill to pay for both cable and phone communications, so that is appealing for some people.

If you want additional calling features that aren’t part of the cable digital voice plans, then you should consider one of the digital voice specialty providers, such as Vonage and AT&T CallVantage.

Decision #2: Do you make many international calls?

All of the providers offer tremendous discounts on international calls, that is, calls outside of North America. These calls can cost just pennies per minute.
Some of the providers, such as Packet8, offer unlimited international calling if you subscribe to their higher monthly service plan. Others have higher per-month plans that include a certain allotment of minutes for international calls, or unlimited minutes but just to particular countries. It pays to do some comparison shopping.

Decision #3: Do you want to make calls from your existing home phone(s)?

The cable digital voice plans and the voice specialty providers like Vonage all work with your existing home phones through an adapter box. Sometimes you have to purchase this adapter box, and sometimes there are rebates on it for signing up for an annual service plan. The adapter box also needs to be connected to your high-speed Internet modem, usually via an Ethernet cable.

If keeping your existing telephones isn’t important, or if you are planning on keeping your existing landline home phone and want to supplement it with a digital voice as a second or third line, then you can consider one of two other possibilities that work with the Skype software network.

There are two broad categories of Skype-related digital phone products. One is software that runs on your computer (either Macintosh or Windows computers are supported), and for this to work your computer needs a separate headset that has both earpiece and microphone. While you can use these products and play the audio through your PC’s speakers, the microphone will pick up the sound and the call quality will suffer. Headsets can be purchased for about $50 at many retail stores.

The downside of this method is that your computer must be on to receive calls. You can make use of Skype’s forwarding service if you still use your existing landline, and Skype does include voice mail as part of its calling plan.

Calls to other Skype users are free, and Skype sells service to all North American phones for $15 a year if you sign up in the next couple of weeks.

If you don’t want to use your computer and want something that resembles a phone to make Skype calls, you have a variety of choices, with more vendors announcing products all the time. These work in several different ways: some are phones that work off your wireless home network, or any wireless network that you can pick up with the phone. Belkin makes one of these phones as an example for about $175. You will need to purchase service from Skype.

Another choice is to buy Netgear’s SPH200h phone. This is a cordless phone (working off its own wireless network and base station similar to other cordless phones) and works with both landline and Skype calls, and is reviewed here.

If you go this route, you have to balance the monthly savings with the initial purchase price of the hardware. They are all cheaper to operate but cost more up front, and may take some work to configure.

Other computer software vendors are jumping into the digital phone arena, and some such as Yahoo and Microsoft are adding digital voice features to their instant messaging products. Expect to see lots of products in this area.

Decision #4: Do you need more than one digital voice line?

If you like digital voice so much that you want more than one line, or if you have chatty teens that still like to talk on the phone and not use Instant Messaging, then you might want to consider one of the higher-priced plans from Verizon VoiceWing and AT&T CallVantage that offer a second line as part of their monthly service package.

I have been a Vonage customer for several years now, and use it for my business line. This is one of the reasons why I still have a 310 area code even though I live in St. Louis. I have been generally happy with the service and recommend digital voice for anyone that wants to take control over their phone calls.

Posted in digital home | No Comments »

Fraud Busters

Posted by strom on January 15, 2007

Online fraud has become big business, threatening customer confidence in e-commerce in general and banking transactions in particular. While that should be sufficient motivation to strengthen fraud detection/prevention programs, new federal guidelines have given security managers leverage to implement the technologies and processes they need to protect their business.

In this story for Information Security magazine, I talk about various solutions that can be used by enterprises to combat fraud, including some innovative multi-factor authentication methods and other screening tools.

Posted in Published work, security | No Comments »

Who’s there?

Posted by strom on January 15, 2007

There are dozens of products that claim to solve the endpoint security problem by making sure laptops and other endpoints are virus-free and otherwise secure before allowing them onto the network. These appliances work with standards being developed by Microsoft, Cisco Systems, Juniper Networks, and others to assess PC health and provide some form of remediation and network protection.

But before you install a call box at your door, you need to first understand how endpoint security products complement and extend your security infrastructure. Here are four key questions; answering them will help you choose a product best suited for your organization:

  • What security infrastructure do you have in place already, such as firewalls, intrusion prevention, and authentication servers?
  • What on your network are you really protecting?
  • What will be your desktop deployment strategy?
  • Do you have non-PC endpoints to manage?

You can read more in this article entitled “Who’s There?” for Information Security magazine. (registration req.)

Posted in Published work, security | No Comments »

Note to teen boys: start using MySpace

Posted by strom on January 10, 2007

A new study by the Pew Internet Life folks about teens using social networking sites shows that more girls have profiles and are more active than boys. This is perhaps the one place on the Internet where the odds finally favor the geeky guys. (Where was this stuff when I was growing up and first typing in BASIC programs on PDP-11s? Sigh.) Sadly, only a small percentage say they use these sites to flirt. This may just be reluctance on the part of the surveyed population to tell the truth.

Also interesting to note is that of the teens that use these sites, a big majority have restricted access to their profiles, going against the generally accepted wisdom that these sites are a stalker’s paradise.

Posted in digital home | No Comments »

Juniper and F5 Endpoint configuration

Posted by strom on January 10, 2007

As part of my work testing SSL VPNs, I wrote a tip for SearchSecurity.com on how to configure the F5 Firepass and Juniper SSL VPNs for handling endpoint health assessment that ran in January 2007. I take you through the process of these two VPNs and show how you can set up their rudimentary endpoint health checking routines.

Posted in Published work, security | No Comments »

Rootkits and botnets

Posted by strom on January 9, 2007

An article by John Markoff in Sunday’s New York Times about the growing popularity of botnet attacks is worth a closer look. (You may need to register to view the article.)

Botnets, for those of you still not aware of them, are collections of computers that have been compromised by bad guys. They are created by inserting a malicious piece of software, called a rootkit, on someone’s PC without their knowledge. This software allows someone else to control this collection of computers, often for ill-gotten gain. I laud the Times for actually printing a sidebar that tells its readers what they can do to try to prevent their PC from being compromised.

Markoff touches on rootkits briefly in his piece, and they are the subject of a paper I wrote for the Trusted Computing Group that you can find here.

Rootkits were first developed in the 1990s for Unix computers, then became infamous for Windows PCs in 2005 when Sony Music used them in numerous music CDs to prevent users from making digital copies. Now they are quite common and basic prototypes are found on several Web sites that can be used by even inexperienced programmers to develop the most virulent rootkits.

What makes rootkits so insidious is that they are hard to detect and harder still to remove without doing a wholesale operating system re-installation or re-imaging of a computer’s hard drive. They are designed to hide from normal view of the operating system, since they modify the operating system itself. They can disguise themselves as ordinary operating system utilities, replacing the file and process viewing commands with their own code, or modify the most basic parts of the operating system to conceal their presence. Most of them are designed to survive reboots of the PC, and can live undetected on a system for months.

Some of the nastier rootkits include key logging programs that will record username/passwords typed into a particular machine and send this information to a central repository that can be used to compromise or steal sensitive data.

A new breed of infections employs virtualization techniques similar to those used by EMC’s VMware and Microsoft Virtual Server 2005. By silently creating a virtual environment in which the normal operating system runs, the rootkit gains access to all data processed by that operating system while evading detection. Under these circumstances, a rootkit can run a clean copy of the OS and still get access to all the confidential data.

There is a series of rootkit detection and removal tools, such as Microsoft’s own Malicious Software Removal, Sophos Anti-Rootkit, PrevX, Tripwire, UnHackMe and F-Secure’s Blacklight. However, using any of these tools requires you to be vigilant and to spend a lot of time proactively doing regular hard disk scans, interpreting the results of these scans, and deleting the offending compromised files. In some cases, you will have to compare the current state of your system with results from booting a known clean copy of your OS from a special CD, which is cumbersome at best.
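The clean-boot comparison described above, sketched as an added example (not code from any of the tools named here): hash every file as the running OS reports it, hash the same disk as read from a clean boot, and flag what the running OS hid or misreported. The function names and the two small sample directory trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest

def cross_view_diff(live, clean_boot):
    """Compare the running OS's view of the disk with the clean-boot view."""
    # Files on disk that the running OS never listed: likely being hidden.
    hidden = sorted(p for p in clean_boot if p not in live)
    # Files both views list but with different contents: the running OS
    # is serving something other than what is really on disk.
    altered = sorted(p for p in live
                     if p in clean_boot and live[p] != clean_boot[p])
    return {"hidden_from_live_os": hidden, "content_differs": altered}

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: two directory trees stand in for the two scans."""
    with tempfile.TemporaryDirectory() as live, \
         tempfile.TemporaryDirectory() as clean:
        # What the running (possibly compromised) OS reports.
        _write(live, "bin/ls", b"original ls")
        _write(live, "bin/ps", b"original ps")
        # What the same disk contains when read from the clean boot CD.
        _write(clean, "bin/ls", b"original ls")
        _write(clean, "bin/ps", b"patched ps")          # contents misreported
        _write(clean, "drivers/hook.sys", b"payload")   # never listed live
        return cross_view_diff(build_manifest(live), build_manifest(clean))

if __name__ == "__main__":
    for finding, paths in demo().items():
        print(finding, paths)
```

In practice the live manifest is written to removable media from the running system and the second manifest is built after rebooting from the clean CD with the same disk mounted read-only.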

And even PCs running their own firewall software are at risk, since infections can be transmitted by browsing dangerous Web pages or by sending files via Instant Messenger applications, or even by inserting a music CD into their systems, as Sony has so aptly demonstrated. It is a tough world out there, sadly.

Corporate IT staffs have one solution at present to stop rootkits from taking over their PCs. It is a combination of a special hardware chip that is present inside many new computers called the Trusted Platform Module (TPM), along with software from Wave Systems of Lee, Mass. called Embassy Endpoint Enforcer. The TPM isn’t found in older computers, and the Wave Systems software is the only one shipping that really takes advantage of it at the moment, although other software is in the works. I realize that this doesn’t help home PC users fight rootkits either.

Microsoft’s new Windows Vista operating system includes a feature called BitLocker that provides hard drive encryption. The key for the encryption can be stored on the TPM, making it easy and secure to use. This doesn’t do anything for rootkits, but at least it shows that software developers are getting on board with the TPM.

In the meantime, follow at least some of the suggestions in the Times.

Posted in security | 5 Comments »