From owner-freebsd-questions@FreeBSD.ORG Tue Apr 3 13:51:03 2012
Message-ID: <4F7B0045.2050809@herveybayaustralia.com.au>
Date: Tue, 03 Apr 2012 23:51:01 +1000
From: Da Rock
To: freebsd-questions@freebsd.org
In-Reply-To: <20120403153039.55a7f5d5.freebsd@edvax.de>
Subject: Re: Printer recommendation please

On 04/03/12 23:30, Polytropon wrote:
> On Tue, 3 Apr 2012 08:40:05 -0400, Jerry wrote:
>> On a serious note, I have spent the last 12 hours, more or less,
>> checking with my friends and business associates. Not a single one has
>> ever had or knows of a single incident of anyone actually ever being
>> infected or having suffered any negative reaction to having printed a
>> PDF file. Most, but not all of these friends / associates are Microsoft
>> users; however, that should not invalidate the statistics.
> That might be a problem: Malicious acts take place in the
> background. The time where a virus would pop a "funny message"
> on the screen is long over. In "Windows" land, there are
> limited resources for means of diagnostics and troubleshooting.
> Many people believe (and please take that word seriously)
> that they "have no virus", and if you bring a laptop with
> a traffic scanner (e. g. Wireshark, ex Ethereal), you can
> see scary things happen on their network. In the worst case,
> the police rush in, take all the PCs, and the sloppy
> explanation they give is: "We're investigating a case of
> copyright infringement, we suspect your PCs being an active
> sharepoint of copyrighted material." While "Windows" and
> its programs present lots of bells & whistles to the user,
> there's no real chance to find out what's _really_ happening
> behind that curtain.
>
> There are _tons_ of programs out there that can be considered
> "snake oil" in regards of security. "Windows" users know 'em,
> many of them use 'em. I can imagine if PDF printers spread
> more and more, they become more interesting to attackers, and
> malware like "Professional Printer Anti-Malware Check XXL Super
> High Security Programs" will spread, waiting for the poor-minded
> victims to run them, and BANG! printer pwn'd. This is the _first_
> step into turning a corporate network into a botnet. If the
> attacker is able to "hide inside" a printer, it's much easier
> for him to do "sniper attacks" with precision as he is in
> control of a full-featured networking device that nobody
> recognizes... or verifies. Running virus scans, malware scans
> and so on on "Windows" PCs has become standard by the majority
> of its users. Printers are not concerned here, and maybe there
> are no proper tools available to do the pending tests.

No. A traffic sniffer would be required to intercept traffic and discover
any abnormalities. Most sysadmins wouldn't pay much attention, but you can
bet it _will_ require a printer technician with training on the model to
fix it: firmware usually requires either passworded telnet access or
similar, possibly in conjunction with service software only available to
the dealer, and may provide yet a whole new market for office machine
service. I'd say sysadmins would expect the manufacturer to actually handle
this issue.

> Applying that consideration to PDF files, virus scanners
> would have to check them before they are sent to the printer.
>
>> In fact, the FOSS society claims MS is more vulnerable to
>> infections/hijacking than they are.
> This is due to its usage share. I believe if Linux (for example)
> would run on 90% of home PCs, attackers would concentrate
> their activities on that platform. Given the statement that
> the platform is more secure in a technical way (by design and
> implementation), attackers would potentially try to access the
> weakest part: the user. This kind of attack is different from
> those that work in a technical way (e. g. overwriting a printer's
> firmware silently and secretly), because it does not depend on
> technical vulnerabilities in the first place.
>
> FOSS or not, people have to understand that security is not
> a static thing, it's a process that involves _them_ to act.
> A Linux server with telnet enabled and empty root password
> is as dangerous as a "Windows" PC in a corporate network.
>
> Now there's something interesting "hidden": Let's say a malicious
> file is sent to the printer to compromise it. It's sent from
> a Linux workstation. Will Linux (to keep this example) have
> to contain a kind of "PDF virus scanner" by default? Take
> into mind what I said about "behind the curtain". When a printer
> is compromised, and it acts maliciously within a Linux environment
> that is poorly secured, I agree with your statement that using
> a FOSS system does not imply security per se.

Having found a poorly 'written' pdf, I believe a simple pdf2pdf (using gs
with similar commands as pdf2ps) will be sufficient to 'clean' the pdf
file, or render it harmless. But essentially running through the cups
filters (speaking of the general user) will do this I think; easily
verified. Incidentally the pdf was written using MS Office, which offers
yet another can o' worms.

>> The original PDF code was written years ago. Since about 2006 hackers
>> have started finding vulnerabilities in it.
> That's a well-known fact in IT security. As I said, it's up
> to the manufacturers to properly deal with the security issues
> as good as possible. If they _can_ remove certain attack vectors
> for example by ignoring specific sections of PDF data, it would
> be a benefit for security without actually reducing functionality.
> It starts getting complicated if there is a feature that is
> needed which can be used _against_ the system. Maybe data
> validation can help here...
>
>> There was one that attacked scanned documents in MS Office. That
>> problem was fixed over two years ago. Virtually all PDF attacks now
>> target Web Browsers. A case can be made that viewing PDF files in a
>> Web Browser is far more likely to infect a machine than printing such
>> document ever could.
> Yes, that approach is welcome to attackers as it allows them
> to take over a full-featured "Windows" PC within seconds - the
> user just has to visit a certain web page. By "auto-open magic"
> of certain MUAs it's even easier to accomplish.
>
> Attacking a printer, however, is much more silent. Why?
> Because nobody CARES. Printers are not in the scope of
> security. Does anyone imagine to run a virus check on a
> printer? Does the firmware have the latest manufacturer
> patches? Is there a password in the administration interface?
> What traffic is running across the printer? While many sysadmins
> (even in MICROS~1 environments) are aware of checking and
> cleaning (and reinstalling) the "Windows" PCs frequently,
> the things "hidden" in the printer are often left out. So
> right after cleaning the PCs, the network could be "re-initialized"
> by an attacker who "lives inside" the printer.
>
> After all, I think social engineering based attacks will become
> much more popular than addressing printers. I do _not_ say to
> keep ignorant and carry on, but there are higher threats than
> the PDF-capable laser printer in room 101. :-)
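Da Rock's pdf2pdf idea and Polytropon's point that PDFs would have to be checked before they reach the printer, as an added example that is not code from anyone in this thread: a POSIX sh script that flags the PDF dictionary keys which carry active content, then re-renders the file through Ghostscript's pdfwrite device the way pdf2ps drives ps2write. The function names, the marker list and the sample PDF are my own constructions; the gs flags are Ghostscript's real ones, and gs must be installed for the re-render step.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a PDF for the dictionary
# keys that carry active content, then round-trips it through Ghostscript's
# pdfwrite device (as pdf2ps does with ps2write). Assumes gs is installed for
# the re-render; the marker list is a hand-picked subset, not a signature set.

# pdf_active_markers FILE: print each marker found, one per line.
# Returns 0 if none found, 1 if any found, 2 if FILE is unreadable.
pdf_active_markers() {
    f=$1
    [ -r "$f" ] || return 2
    found=0
    # /JavaScript and /JS: embedded script; /OpenAction and /AA: actions that
    # fire automatically; /Launch: run an external program; /EmbeddedFile:
    # attached payloads; /RichMedia: embedded players.
    for key in /JavaScript /JS /OpenAction /AA /Launch /EmbeddedFile /RichMedia; do
        # -a treats the partly binary file as text; -q gives a status only.
        if grep -aq -- "$key" "$f"; then
            echo "$key"
            found=1
        fi
    done
    return $found
}

# pdf2pdf IN OUT: round-trip IN through pdfwrite. Only the drawn page content
# survives, so scripts, actions and attachments are dropped. -dSAFER keeps gs
# from touching the filesystem on behalf of the input file.
pdf2pdf() {
    command -v gs >/dev/null 2>&1 || { echo "gs not installed" >&2; return 2; }
    gs -q -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pdfwrite -sOutputFile="$2" "$1"
}

# make_sample_pdf FILE: constructed test input, a minimal PDF skeleton whose
# catalog has an OpenAction that runs a harmless JavaScript alert.
make_sample_pdf() {
    cat > "$1" <<'EOF'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert\(1\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
EOF
}

# Usage: sh pdfcheck.sh in.pdf out.pdf  (report markers, then sanitise)
if [ $# -eq 2 ]; then
    pdf_active_markers "$1"
    pdf2pdf "$1" "$2"
fi
```

The marker check is a cheap pre-filter, not a parser: a PDF with compressed object streams can hide these keys, so treat a clean result as "nothing obvious" and still run the re-render.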