Your printer: An open door for hackers?

In 2003, a staff member at the Public Health Laboratory of the Ministry of Health and Long Term Care of the Province of Ontario in Canada tried to send a fax to a doctor’s office. (By the way, for U.S. readers, Canada is the large blank pink region north of the border on your maps and which, contrary to popular belief, actually includes people as well as moose and beavers.) Alas, the clerk mistyped a 5 as an 8 in the fax number and inadvertently sent medical records to a local gasoline station. The owner very kindly gave the fax to a doctor who was a regular customer and the doctor reported the breach of the Freedom of Information and Protection of Privacy Act. 

Everyone knows that fax misdirection is a problem; even properly directed faxes pose a security risk when confidential documents are sent, unprotected, to a nonsecure fax machine that prints everything out whether the proper recipient is ready to receive the documents or not. Now hold those ideas for a moment - and let’s go back to when I was a young man, oh so long ago. (Compare Data Leak Protection products)

In April 1981, I was sent to HP headquarters in Cupertino, Calif., on a six-month assignment to be trained as an HP3000 operating systems internals and performance specialist and also to work on a pioneering computer-based training system I invented for the company. I brought my flute along and met a friendly lab engineer named Dale Morris who played excellent guitar. We had a good time playing duets that summer. I remember that he was working on a new series of HP3000 machines with a vastly increased memory space: 4GB.

I laughed and wondered why anyone could possibly need so much main memory - especially since a 1MB memory board still cost $64,000 at that time (about $200,000 in today’s currency).

Today, I have 2GB of RAM on my main tower PC and Dale Morris is a Distinguished Technologist at HP in Fort Collins, Colo. Recently he told me about an interesting security issue involving printers, and I invited him to tell us about it in this column. It turns out that the old problem of misdirected faxes has a new twist: networked printers are posing the potential for misdirected printouts - including printer hacking.

The remainder of today’s contribution is from Dale and his colleague Gary Lefkowitz, with minor edits.

* * *

In 1999, TechWeb reported an alleged printer-based attack on the Space and Naval Systems Warfare Center in San Diego (SSC San Diego). A network operations engineer noticed that a local print job took an unusually long time. After examining the problem, he concluded that a network intruder had hacked into the printer and reconfigured the routing tables - so that the print job shipped to Russia!

We've all thought about security as it applies to printing. Your organization probably has written policies governing who can print certain documents and where and when they can be printed. But such policies are difficult to enforce; for example, authorized users printing sensitive documents might find the documents missing from the tray of a shared network printer. Furthermore, informal policies aren’t the best support for audit requirements, and such approaches address only a subset of printer security issues.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.