I am not sure that I should be telling you this, but your network is a sitting duck for a break-in that is both elegant and potentially dangerous.
All you need is your Web browser and some basic knowledge, and while I have put a few things together in this post, it didn’t take me more than a few minutes of research to do it. This exploit can easily pass through your firewalls, it can get around your most sophisticated intrusion prevention systems, and once someone is inside your network, they can operate in full view of anyone, avoiding the scrutiny of even the savviest network administrator.
How so, you might ask? Go to Google, type the following text into the search field, and you’ll see an example of what I am talking about:
What is going on here? Simple. Your print servers (among other devices that are connected to your network) have built-in Web and other servers that can be used to launch an attack on your network. Many of these print servers have long been forgotten by anyone in IT. They operate from a position of trust inside your network—they have to, otherwise no one would get anything printed on them. And if you click on any of the pages retrieved in our search above, you will be transported instantly to print servers that are sitting ducks for hackers to take over. I managed to connect to ones in China and Germany, and saw that some needed toner or paper, for example.
Yes, it will take a bit more work to install some rogue application, and yes, just Googling them isn’t really an exploit, but you should have gotten a chill up your back as I did when I first started thinking about this situation.
And print servers aren’t the only sitting ducks, just the easiest to explain. How many other IP-connected devices are running on your network that have been long since installed and forgotten about? Web cameras? Industrial equipment? Fax servers? Scanners? These last two could be even more trouble, because they come with phone lines to the outside world that a hacker could use for further exploits.
As the number of these networked devices increases, the situation is only going to get worse. So what can you do to stop these sorts of attacks? First off, take the time to locate all these forgotten servers. Do a regular scan of which active IPs are out on your network, and see if you can associate all of them with known users. Start researching the unrecognized IP addresses.
Second, scan for traffic on port 9100; this is often the port used by print servers, and it is an easy way to track down the servers that you have forgotten. Finally, take some time to read through this documentation from HP (if you have HP servers) or something similar from your vendor:
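To make the two steps above concrete, here is an added example (not from the original column or from any vendor) that reconciles a port scan against an asset inventory: it parses nmap’s grepable (`-oG`) output, flags every responding IP that is missing from the inventory, and singles out hosts with port 9100 open as probable print servers. The scan lines, the inventory, and the IP addresses are constructed sample data.

```python
"""Reconcile a network scan against the asset inventory (added example)."""
import re

PRINTER_PORT = 9100  # raw printing port, the one the column suggests scanning for

# Constructed sample of nmap -oG output, e.g. from: nmap -p 80,443,9100 -oG - 10.0.0.0/28
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (2)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (2)
# Nmap done (constructed sample)
"""

# Constructed inventory: IP -> owner. Anything that answers but is not listed here
# is a "forgotten" device that needs an owner or a decommissioning ticket.
KNOWN_ASSETS = {"10.0.0.2": "web team", "10.0.0.7": "3rd floor printer (facilities)"}

# Matches the "Ports:" record of nmap's grepable format; the "Status:" lines are skipped.
_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> dict[str, set[int]]:
    """Return {ip: {open TCP/UDP ports}} from nmap -oG output."""
    hosts: dict[str, set[int]] = {}
    for line in text.splitlines():
        match = _PORTS_RE.match(line)
        if not match:
            continue
        ip, port_list = match.groups()
        opened = set()
        for entry in port_list.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 2 and fields[1] == "open":
                opened.add(int(fields[0]))
        hosts.setdefault(ip, set()).update(opened)
    return hosts


def triage(scan: dict[str, set[int]], known: dict[str, str]) -> dict[str, list[str]]:
    """Split scanned hosts into unknown IPs, probable printers, and the overlap."""
    unknown = sorted(ip for ip in scan if ip not in known)
    printers = sorted(ip for ip, ports in scan.items() if PRINTER_PORT in ports)
    return {
        "unknown": unknown,
        "printers": printers,
        "unknown_printers": sorted(set(unknown) & set(printers)),
    }


if __name__ == "__main__":
    print(triage(parse_grepable(SAMPLE_SCAN), KNOWN_ASSETS))
```

Feed it a fresh `nmap -oG` run and the current inventory on a schedule; the `unknown_printers` list is the one to chase first, since those devices are both unowned and exposing a service that trusts anyone who can reach it.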
If you have additional commentary, I would love to hear from you. Please post your suggestions and I will share them.
This column also ran in Baseline Magazine’s Web edition this week.