Tag Archive for IOT

| October 11, 2019
Comments Off on How Secure are Your Printers?

How Secure are Your Printers?

How Secure are Your Printers?Printers are under the security microscope again. Printers are IoT devices that sit on the network and never get updated. I have covered some of the problems that printers cause a number of times on the Bach Seat. And now more vulnerabilities have been identified by UK-based security consultancy NCC Group in six popular enterprise printers.

Vulnerabilities in printers

NCC Group logoThe research team was made up of Daniel Romero, managing security consultant and research lead, and Mario Rivas, security consultant at NCC Group. They identified several classes of vulnerabilities in printers including:

  • Denial of service attacks that could crash printers;
  • The ability to add back-doors into printers to maintain attacker persistence on a network.
  • The ability to spy on every print job sent to vulnerable printers.
  • The ability to forward print jobs to an external internet-based attacker.

Matt Lewis, research director at NCC Group told  ComputerWeekly,

Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT.

Who to blame

There is plenty of blame to share for most of these latest vulnerabilities. Mr. Lewis says the manufacturers are causing these problems by neglecting to build security into their products.

Finger point for printer vulnerabilitesBuilding security into the development life-cycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.

End-users have to take some of the blame as well according to NCC Group

Corporate IT teams can also make small changes to safeguard their organization from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides, and regularly updating firmware.

Impacted printer models

The printers tested by the researchers were from HP, Ricoh, Xerox, Brother, Lexmark, and Kyocera.

The NCC Group found vulnerabilities in HP (HPQ) printers. The Color LaserJet Pro MFP M281fdw printers have buffer overflows, cross-site scripting (XSS) vulnerabilities, and cross-site forgery countermeasures bypass.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. “HP encourages customers to keep their systems updated to protect against vulnerabilities,” the company said in a statement.

Lexmark logoThe vulnerabilities in Lexmark CX310DN printers NCC Group found include denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

The NCC Group found Vulnerabilities in Kyocera (KYO) Ecosys M5526cdw printers. The security holes include buffer overflows, broken access controls, cross-site scripting vulnerabilities, and lack of cross-site request forgery countermeasures.

NCC Group identified stack buffer overflows, heap overflows and information disclosure vulnerabilities in Brother (6448) HL-L8360CDW printers.

The vulnerabilities reported in Ricoh (RICOY) SP C250DN printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures, and hard-coded credentials.

https://www.xerox.comNCC Group claims the Xerox (XRX) Phaser 3320 printer vulnerabilities include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures, and lack of account lockout.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| March 9, 2019
Comments Off on Holy Sell Out Batman

Holy Sell Out Batman

Batman is being used to pump 5GThe Caped Crusader has sold out. While the full benefits of next-generation wireless – 5G won’t be realized until at least mid-2020, Batman is being used to pimp 5G.  AT&T used The guardian of Gotham to create demand for mixed-reality at last month’s Mobile World Congress in Barcelona Spain. The mixed-reality experience featured DC Comics Batman and the Scarecrow battling it out on the MWC show floor.

Fierce Videoaugmented reality headset reports that AT&T (T), Ericsson (ERIC), Intel (INTC), and Warner Bros., with DC, are using 5G technology and edge computing to build a location-based mixed-reality experience. For the walk-in experience at MWC, visitors put on an augmented reality headset. There they witnessed a 2 to 3-minute experience.

Ade Kushimo, director of business development, IoT, and emerging business at Ericsson told Fierce Video, “The really cool part of the experience is going to be the fact that you have this virtual, digital content being embedded into your physical space. That gives you that mixed reality experience.

Sensorama (patented 1962) which was an arcade-style theatre cabinet that would stimulate all the senses, not just sight and sound.

Mixed reality experience with Batman

Doug Matheson, vice president of strategic business development at Ericsson, said the proof-of-concept experience demonstrated that 5G technology (both radio and core) could be combined with intellectual property to create a mixed reality experience that’s both mobile and untethered.

In order to create a good mixed-reality experience, image lag has to be kept to a minimum. Image lag will make you dizzy and ruin the experience. That means that compute power has to be pushed out to the edge of the network to reside closer to the end-user. The compute power needed to process a mixed reality experience can’t live in a centralized data center somewhere.

Cloud computingThe cloud and edge network architecture allows for heavy computing to be done away from the device. So, the goal is to shift processing to the cloud and transport it there using a 5G network. The Batman demo ran on a fully integrated 5G network using Ericsson radio base stations 5G network technology will help supply the lower latency and higher speeds and enabled by Intel Xeon processors and the Intel 5G mobile trial platform.

5G – What is it

rb-

Mobile Marketer says that 5G will have a huge impact on AT&T’s mobile network. Its data traffic has grown more than 470,000% since 2007, with video making up half of the mobile data. Video may expand its share of data traffic to more than 75% by 2022, according to the company’s estimates.

Batman now works for AT&T following its acquisition of Time Warner who owned Warner Brothers, which owned DC Comics, the home of Batman, Superman, Wonder Woman, Harley Quinn, the Joker, Lex Luthor, Oswald Cobblepot, and the Flash.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| September 24, 2018
Comments Off on AT&T Still Trying BPL

AT&T Still Trying BPL

AT&T Still Trying BPLFresh off its dismantling of net neutrality and its drunken binge of bribing its staff, AT&T (T) has launched two field trials of its AirGig technology, fueling hopes it can gain broader acceptance of its version of the failed broadband over powerline (BPL) technology. The AirGig plan, as AT&T explained in 2016, is to use millimeter-wave radio signals (above 24 GHz) to travel along power lines. Radios on the power lines would regularly refresh the signal as it travels.

At&T kogoFirecetelecom reports that the first trial was with an electricity provider outside the U.S., and the second trial is underway with Georgia Power. Stopping short of revealing a service rollout plan, AT&T will take what it learns from the trials and continue to develop AirGig. Based on its evaluation of the current trials, AT&T will look at expanding more advanced BPL technology trials in other locations. AT&T told Firecetelecom that while “there’s no timeline yet for commercial deployment, we’re encouraged and excited by what we’ve seen so far.”

The service is bullish on AirGig. The telco is touting AirGig’s potential to deliver 1 Gbps speeds via a millimeter-wave signal guided by power lines. Firecetelecom says AT&T’s Ultimate goal with AirGig is to accelerate broadband deployments.

Broadband over power line (BPL)While there have been plenty of BPL failures, AT&T claims AirGig is different. They say it is more efficient than earlier generations of BPL because it runs along, and not within, the medium voltage power lines. The technology differs from earlier BPL technologies, which traveled with the current.

In order to roll out Airgig, AT&T had to develop several new BPL innovations to distribute signals from the power lines to homes and businesses. AT&T labs developed a Radio Distributed Antenna System (RDAS), which uses low-cost plastic antennas, aka mmWave surface wave launchers, along with inductive power devices, which receive power without direct electrical connections (for simplified installation).

The RDAS will reconstruct signals from multi-gigabit mobile and fixed deployments. Those data signals are then transmitted using mmWave over power lines. The mmWave surface wave launchers are inductive power devices that create multi-gigabit signals that travel along or near the medium-voltage wire, not through it.

Maxwells EquationsThe data signal uses the existing pole infrastructures mostly line-of-sight wire paths act as a waveguide that channels the signal and improves the transmission quality, according to Mark Evans, a director on AT&T’s AirGig team. A waveguide is a structure (like an electrical wire) that restricts how much waves can expand over distance, thereby minimizing energy loss. AT&T radio technology engineer Peter Wolniansky explained in a demo that electromagnetic physics make it work,  “The signal energy clings like a glow to this wire, … It’s bound by Maxwell’s equations to stick to this wire.

Millimeter waves are radio waves from 24-300 GHz. The benefit of using these high-frequency bands is access to high bandwidth, between 100-800 MHz, which is 20-100x more than today’s common cellular systems.

AT&T plans to put wireless stations periodically along the route to provide the last-mile connections. For that last communication link to a home or business, AT&T will use more conventional wireless equipment. Customers would use 5G CPE equipment to connect to the AirGig data flow. Once the CPE has received the signal, it can use Wi-Fi (802.11ad or 802.11ac) or an LTE femtocell unit to connect to the end users’ smartphones, tablets, laptops, television, autonomous vehicles or other IoT devices. CNet quotes Mark Evans, a director on AT&T’s AirGig team.”We’re aiming to be ready to deploy it commercially in the 2021 timeframe.

CNET also quotes Gordon Mansfield, AT&T’s vice president of converged access and devices who says they are moving forward. He confirmed that AT&T has contracted with manufacturers to build more refined hardware for a new round of AirGig testing most likely in 2019.

At&T Airgig eggsA key part of the AirGig technology for AT&T is that it is easy to install. Antenna modules — AT&T calls them eggs — clamp in pairs on the power line extending each direction from the power pole. The devices can power themselves via inductive power devices without a direct electrical connection. The eggs configure themselves automatically, and the early test showed it takes people 10 minutes to hook up to the network, said AT&T Chief Technology Officer Andre Fuetsch.

rb-

Kudos to AT&T for trying to figure out how to get everybody else to do their work just like Tom Sawyer..

AT&T can use the existing electrical right of way to bypass local municipality requirements, a long-running tactic of AT&T.

AT&T does not want to be in the business of connecting customers. They want to use the electric company’s infrastructure for free because fiber optic cable is expensive to bury underground or string along telephone poles.

AT&T will be using totally free unlicensed spectrum to sell access back to us at a huge profit.

They don’t even want to pay for electricity to run the equipment. They are using inductive power right off the mainline so it is not metered, which means everybody will have to pay.

 

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| April 3, 2018
Comments Off on Michigan Leader In Tech Jobs

Michigan Leader In Tech Jobs

Michigan Leader In Tech JobsThe latest CyberStates report from CompTia ranks Michigan 3rd nationally when it comes to growing tech jobs. According to the report (PDF), Michigan added 13,160 new tech jobs during 2017. Michigan ranks 9th overall in net tech employment.

The 404,300 tech workers in CompTIA CyberState reportMichigan include tech industry workers in technical and non-technical positions, technical workers in other industries, and self-employed tech workers according to CompTia. In addition to added jobs, the Cyberstates report shows Michigan’s tech sector is responsible for an estimated $34.7 billion of the overall state economy.

The CompTIA report also ranked Metro Detroit 11th for increases in tech employment with 8,700 new tech jobs in 2017. Metro Detroit out-paced, traditional tech hot-spots like Atlanta, Boston, Dallas, and LA in tech job growth. The top CyberCities by net tech employment job gains were:

1. San Francisco +20,000
Made in Detroit2. San José +12,600
3. New York City +10,200
4. Seattle +8,800
5. Detroit +8,700
6. Dallas +7,400
7. Boston +7,100
8. Los Angeles +5,700
9. Atlanta +5,300
10. Denver +5,100

The Cyberstate report also found there was a 43.4% increase in the number of job postings related to emerging technologies, such as the Internet of Things, smart cities, drones, artificial intelligence, machine learning, virtual reality, and augmented reality and blockchain.

Michigan’s leading tech occupations include software and web developers, computer support specialists, and computer system and information security analysts.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| March 24, 2018
Comments Off on Will Wi-Fi Be Secure This Time

Will Wi-Fi Be Secure This Time

Will Wi-Fi Be Secure This TimeOne event at CES 2018 that was overlooked by many people was the Wi-Fi Alliance announcement of WPA3, a long overdue update to Wi-Fi Protected Access (WPA). This increases the strength of a security protocol that hasn’t been updated in 14 years.

Wi-Fi AllianceThe Wi-Fi Alliance says Wi-Fi carries more than half of the internet’s traffic, so improvements to WPA are good news. The WPA3 update is a response to the evolution of Wi-Fi usage and WPA2 vulnerabilities. There are four improvements to Wi-Fi Protected Access via WPA3 over the current standard (WPA2).

Stronger passwords

WPA3 gets a new layer of protection so its security is not contingent on passwords (as followers of the Bach Seat know, passwords suck). WPA3 is an improvement on WPA2’s largest vulnerability the handshake when the key is being exchanged. KRACK (Key Reinstallation Attack) is a major vulnerability discovered in 2017 in WPA2 and WPA. It exploits the Wi-Fi handshake. KRACK allows attackers to snoop on encrypted data being transferred between computers and wireless access points (WAP).

WPA2 uses a four-way handshake mechanism, starting with a nonce provided by the access point.Brute force “dictionary attacks” are the backbone of the KRACK attack. WPA3 implements IEEE 802.11s, Simultaneous Authentication of Equals (SAE) to provide protection against this flaw. SAE is also known as the Dragonfly protocol. The Internet Engineering Task Force (IETF) describes Dragonfly,employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.

This improvement will offer better security even if poor passwords are used. This feature is very useful since we know that users have difficulties creating strong and hard-to-guess passwords. The Wi-Fi Alliance claims WPA3 makes it almost impossible to breach a Wi-Fi network using the current dictionary and brute-force attacks.  Mathy Vanhoef, the security researcher who discovered KRACK, appears very enthusiastic about the security improvements in WPA3.

Secure public Wi-Fi

Secure public Wi-FiWPA3 secured open networks will offer more privacy than ever before. Everything transmitted over today’s open Wi-Fi networks at airports, coffee shop, libraries, are sent in plain text that people can intercept. WPA3 will apply encryption to each user on the public Wi-Fi to eliminate clear text with “individualized data encryption”.

Malwarebytes Lab speculates that WPA3 will include Opportunistic Wireless Encryption. OWE enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), allowing them access to a data stream. OWE implements a Diffie-Hellman key exchange during network sign-on and uses the resulting secret for the 4-way 802.11 handshake and not the shared, public Pre-Shared Key (PSK) that can be easily exploited. WPA3 will be more difficult for people to snoop on your web browsing without actually cracking the encryption while you’re at Starbucks.

Stronger encryption

WPA3 will use stronger cryptographic algorithms. The new security protocol will use the  Commercial National Security Algorithm (CNSA) 192-bit encryption mandated by the U.S. government for secure Wi-Fi networks. Experts speculate WPA3 will use a 48-bit initialization vector to support backward compatibility with WPA and WPA2  The 192-bit encryption will make WPA3 compliant with the highest security standards and fit for use in networks with the most stringent security requirements. (rb- Ironic – Go to the CNSA site and get an invalid cert warning in Chrome) The CNSS is part of the US National Security Agency.

Easier IoT security

The WPA3 update simplifies setting up secure Wi-Fi connections for devices that don’t have a graphical user interface. This is critical the secure the 30.7 billion IoT devices that will be on the network by 2020. The new protocol will add Device Provisioning Protocol (DPP) which sets up a simple, secure and consistent method for securing devices with limited or no display. NetworkWorld reports that You will be able to tap a smartphone against a device or sensor and then provision the device on the network.

What happens to WPA2 devices

So far, most manufacturers have been quiet about legacy device support. We do know that future W-Fi certified WPA3 routers will be backward compatible to support WPA2. The question remains whether current WPA2 devices will be capable of connecting to WPA3.

WPA2 devices are not immediately obsolete. The Wi-Fi Alliance explained that current WPA2 devices will be able to connect with WPA3 hardware. The Alliance also announced that it will continue to do security tests on WPA2 to further protect wireless networks. WPA3 is not an immediate replacement for WPA2

Even after you get a WPA3 enabled router, you’ll need WPA3 compatible client devices—your laptop, phone, refrigerator, security camera, industrial temperature sensor, or anything that connects to Wi-Fi—to fully take advantage of the WPA3 features. The good news is that shiny new router will accept both WPA2 and WPA3 connections at the same time.

Even when WPA3 is widespread, expect a long transition period where some devices are connecting to your router with WPA2 and others are connecting with WPA3. Once all your devices support WPA3, you should disable WPA2 connectivity on your router to improve security.

rb-

I am suspicious about the NSA link to the new WPA3 encryption. The NSA has introduced weaknesses in other encryption protocols.

Until we get our hands on real hardware, it is safe to speculate that like all things Wi-Fi, backward compatibility will cost your performance. What will the impact of one legacy device have on the capabilities of the WAP? Have a pair and turn off 802.11, 802.11b, WEP, and WPA connections on your current router.

It’s about time to update WPA. But as the 802.11n process proved, if you want to get nothing done, turn it over to an industry consortium. Andy Patrizio at NetworkWorld explained that’s where standards go to die because everyone wants their IP used so they make money off every sale. The end result is nothing gets done.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »