Sysadmin finds insecure printer, remotely prints 'Fix Me!' notice

Well what do you know? The working week is all-but over, which means it is time to share a story from a reader's working life in our weekly On-Call column. This week, meet “Doug” a techie who tells us he has “a client in central Dublin and find myself in their offices every other week or so to deal with the usual stuff, new …

Silver badge

A few years back, when the likes of BT were still foisting USB ADSL modems onto users and collectively sticking their fingers in their ears and chanting "lalalalalala, can't hear you", I demonstrated to a friend and his family that perhaps they should invest in a firewall. This was before Windows came with a firewall, therefore to deploy one a user had to actively go out of their way to install it.

How did I demonstrate this? By grabbing their IP address from email headers, accessing their PC remotely, opening one of their personal files and printing it to their printer with a cover page telling them that I'd dunnit. :)

22
0
Devil

Noice, mate

A few years ago went on a mostly unplanned roadtrip in an Asian country which shall remain unnamed, although it IS very elongated and does sport some recent fortification line across the middle. Although technically on holidays I was keeping in touch with salary central every day, and I also used the web to book (and pay for) accommodation for the next night, meaning "sensitive" network communications pretty much every evening. One evening, I noticed that the wireless network for the boutique hotel I was staying in was open to the world, with the access points' admin credentials factory-set, and a wee bit of poking revealed that they were doing all the admin from a laptop connected to the same WiFi. I raised the concern with the staff who told me "no problem, very secure". Later that evening, while the handbrake was under the shower, I logged into all of the APs I could get from the room and set their WiFi passwords to "CHANGE_ADMIN_PASS". Half an hour later I heard some noise along the staircase. The next morning, I noticed that the admin credentials on the APs were no longer the factory-set ones. I got a few dark looks; I did leave a substantial tip, because I felt like a jackass, but their network is a bit more secure now. Not sure if angel or demon.

4
1
Anonymous Coward

'PUB'lic Printer

Our local big-chain pub has their office printer connected to the pub's "The Cloud" public Wi-Fi, so when we get bored of paying extortionate prices for a pint, we 'AirPrint' dubious images and amusing messages from our phones, until the paper or ink runs out.

Over a year later the printer is still on the public Wi-Fi accepting print requests, but we've never witnessed the fallout from our hi-jinks.

Their Samsung TVs are all also controllable from an Android app, which makes for interesting responses to surreptitious channel changes just before a goal is scored!

48
0
Anonymous Coward

Re: 'PUB'lic Printer

I stayed with friends a while ago who lived in a village in a house next door to a gastropub. Had a very nice lunch there, introduced to the landlord and the odd complimentary bottle of red made things even better. Later that afternoon Mrs X as I'll call her is having problems printing. She's sent the document several times but nothing is reaching the printer. It's a wireless one and I'm asked if I'll take a look because the laptop she's printing from is brand new and this is a first time print from it. She says her stuff isn't coming out - the printer just appears to be doing nothing no matter what she tries.

After looking at her printer I can't initially spot the problem, it's connected to the wifi fine. Then I realised she's not sending things to her printer. The unsecured wifi that her laptop is connected to belongs to the gastropub. She's added that printer instead of her own and the pub must have the same model by the looks of it. A quick visit to the pub and they have two and a bit copies (paper ran out) of her 80 page thesis and they're mystified as to how she's been able to print on their machine. After pointing out that the wifi in the office is unsecured there's a very red face on the landlord. His security idea was 'interesting' in that he'd bought a wifi router just for the printer to connect to the ageing computer they used just for printing the menu etc. After a few problems connecting to the router wirelessly he'd come up with a brilliant solution. He'd checked on his phone that the signal couldn't be picked up in the public areas of the pub through the thick stone walls & metal kitchen but not if it reached anywhere else. Happy with that he'd decided it was sufficient security and had disabled the wifi encryption to make things 'easier' and less likely not to connect. I suggested enabling the encryption and using an ethernet cable to connect to the router.

8
1
Silver badge

Re: 'PUB'lic Printer

stayed with friends a while ago who lived in a village in a house next door to a gastropub etc

Always a good idea to help out a gastropub landlord.

9
1
Silver badge

Re: 'PUB'lic Printer

Few years back I was looking up some firmware issue for an HP printer and sure enough, Google indexed web interface of some printer in Canadian provincial government. I surely printed out a note suggesting to have it fixed (if I recall the interface allowed to review at least titles of print jobs, possibly more). No idea why the printer was out on Internet.

2
0
Silver badge

"On one visit Doug couldn't help but notice a multifunction laser printer that had been hooked up to a neighbouring network, but left wide open to the world."

"So one day Doug dug into the printer's web interface and figured out how enough about the network to which it was connected to learn the name of the company that owned it"

"And because he knew enough about the company to also send a document to the printer by email..."

Er... which is it? Is it open to the world, or did it have the print-by-email switched on? Was it open to the network and exposing the address book, or was the web interface open, or was it browseable?

Because something doesn't add up here, as an anecdote.

If the printer is insecure, and you SEE THE PRINTER, leave a Post-It on it.

If the printer isn't visible but you found it on the network, just print to it.

But, no, he went hunting on LinkedIn, then probed mail settings, and then the address book stuff? Address book from the printer? On an MFP it might contain certain people who've scanned, etc. but if the AD is open enough that you can just get a list of all users then that's a bigger problem than an open printer.

My biggest question, really, though, is how you're able to access another company's network whatsoever. Even in a shared office. Because that's the REAL problem here. If one office can happily send broadcast to everyone, or probe IP addresses and web interface of any internal devices, that's a much more serious problem - just think of WannaCry.

Techy detail please, when he says he could "see" this printer, and the configuration of that network that allows him to see that that DOESN'T come down to "Holy cow the whole site is insecure, but hey, let's play games with a printer".

28
1
Anonymous Coward

I agreed, if it was indeed a neighboring network, i.e. in the next office, why didn't he simply knock on the door, instead of doing this over the top, convoluted means of letting them know.

2
1
Anonymous Coward

"why didn't he simply knock on the door"

Because that wasn't any fun?

18
1
Anonymous Coward

Let me answer that

Because narcissists like to show off.

8
10
Anonymous Coward

Re: Because narcissists like to show off.

I particularly like the way this narcissist showed off by anonymously (and remotely) printing a message some time later; then even later still, getting the story printed in a light-hearted Friday column of a not-especially-famous IT website, under the pseudonym "Doug".

12
0
Silver badge

Re: Because narcissists like to show off.

All the people on ON CALL are given pseudonyms by El Reg.

5
0
Anonymous Coward

Well maybe the printer was hooked up to a neighbouring network but had also left that handy little WiFi direct printing function turned on. Therefore when 'Doug' fired up his WiFi finder he saw the printer which could be somewhere in the same business park, for instance.

Perhaps he then spent a few hours finding out a bit about the company as he was waiting for some windows updates to install and wanted to find out if they were a company that might be in a position to pay him for his services.

However, it creates a bit more of an impact to print out that their printer/network is insecure than it does to knock on the door and try to explain it all. The company address book could just be stored on it as it was used for incoming faxes, or scan to e-mail or mailbox.

But I'm not 'Doug' so I don't know.

10
0
Silver badge

Then why print-by-email?

0
1
Anonymous Coward

Perhaps so he didn't have to download and install the printer drivers, or he didn't have the relevant print service plugin on his mobile phone, or to prove that you could print to it from anywhere in the world.

2
0
Silver badge

Re: Because narcissists like to show off.

Hence the famous dyslexic advice to "beware of the doug"

10
0
Silver badge
Thumb Up

Why not knock?

"...why didn't he simply knock on the door, instead of doing this over the top, convoluted means of letting them know."

Perhaps because you say these kind of things to people and they are ignored. Maybe their eyes glaze over. Maybe they've stopped paying attention to security warnings. Maybe they thank you, say they'll address it later and their regular day pushes it into Indefinite Limbo. It's just words, and those carry little meaning with civilians. How well do they respond to your other warnings? Poorly, of course.

Demonstrate that someone can invade the network and print anything they like and you'll get their attention QUICK.

16
0

This post has been deleted by its author

Re: Because narcissists like to show off.

"given pseudonyms by El Reg"

I'm pretty sure that at least some of the pseudonyms are provided by the "on call" story submitter - here's looking at you Teresa May(be).

0
0

Re: Why not knock?

"Demonstrate that someone can invade the network"

Yeah, and just to show 'em, that particular "someone" encrypted all their files and asked for a ransom - makes me wannacry.

1
0
LDS
Silver badge

"the printer was no longer visible"

They moved it to another closed room, so the prankster couldn't see it, and connected it to the same network...

You also get Google & others trying to convince you that printing by sending your documents to their server first, which in turn routes them to your printer, is a clever idea....

12
1
Silver badge

Re: "the printer was no longer visible"

Google Cloud Print?

Go ask your local school.

Because it means that the kids are authenticated via their Google accounts (can be done without any AD integration by google-sync tools), they can print from their Google Classroom, Google Docs, Google Mail, etc. accounts (all free and unlimited storage for schools, by the way), no matter what device they print from (web, home PC, Chromebook, Android, iPad app, etc.) and it comes into the network as a Google Cloud Print account that you can plug direct into, say, PaperCut (so you are authenticated again, departmentalised, held-for-teacher-authorisation and billed accordingly before a printer is ever involved). Whether they are in the next room or the next continent (e.g. on holiday doing their homework, printing it to their teacher's printer to get it in on time, etc.)

Some things have uses. Even if they have the word Cloud in them.

And what horrendous, disgusting, terrible abuses of privacy are possible? The kids scribbles might be briefly visible to a bored tech at Google. Except they are one of the few companies (*cough* f*** you Apple) that provides EU data protection guarantees that state that your Google Education account data for ALL users will never leave the UK.

11
15
LDS
Silver badge

Re: "the printer was no longer visible"

Believe me, everything that passes through Google is carefully processed and any useful (for Google) information extracted - in UK, if needed to comply somehow with the law - and not by "bored techs".

And I'm glad my local school is not a Google school. I would have something to say if it forced my children to have an account for a commercial entity well known for its privacy invasions to study. But luckily here privacy laws are much stronger.

16
8
Paris Hilton

Re: "the printer was no longer visible"

I'm assuming I missed the 'cynicism alert' icon or maybe some sort of irony whooshed over my head with a loud clang, otherwise that reads like a lot of scary google-fanboi fantasy.

.

There is no such thing as free. By the usual definition, this means the schoolkids are the product and this should make us all feel very uneasy indeed.

17
1
Silver badge

Re: "the printer was no longer visible"

Not quite.

The incentive for Google is to hook them into their ecosystem early and then keep them as long term customers, same way that banks fall over themselves to give students bank accounts.

10
0
Anonymous Coward

Re: "the printer was no longer visible"

Privacy of a school assignment? That's a game changer. Burn them!

0
3
Anonymous Coward

Re: "the printer was no longer visible"

"And what horrendous, disgusting, terrible abuses of privacy are possible?"

Child's name, school, devices used, subjects taken, grades, likes / dislikes, friends, skills competencies, happiness levels, favourite music / films / tv shows....

Shall I go on?

20
1
Silver badge

Re: "the printer was no longer visible"

"Except they are one of the few companies (*cough* f*** you Apple) that provides EU data protection guarantees that state that your Google Education account data for ALL users will never leave the UK."

Well, the "f*** you Apple" company stores your iCloud data so that nobody can read it, including Apple itself, so (a) it doesn't matter where it is stored, and (b) it is safe from Theresa May and GCHQ.

7
2

Re: "the printer was no longer visible"

Actually, Apple very much can and will decrypt iCloud data including device backups - it's data on the devices they can't do.

2
0
Gold badge

Re: "the printer was no longer visible"

@Aladdin: Er, so you've explained how the school-children aren't the product, they're merely being groomed to become the product later. Mmm... I feel much more comfortable with the arrangement now.

3
0
Gold badge

Re: "the printer was no longer visible"

Please do go on.

Although you've hinted at it, the same information may also be available in respect of the friends and relatives of the child and since these are electronic documents you can add pictures (or possibly even sound or video) or links to social media to the list of source data.

0
0

Re: "the printer was no longer visible"

Google have stated that they do no slurping of GSuite Accounts and I find it hard not to believe them. If they do they are REALLY stupid and I think many things about Google but thinking them stupid isn't one.

The moment they were found to be slurping kids accounts etc then schools would drop them in droves.

Google want to do a Bank job on the kids, get them used to it at a young age and like most people and bank accounts they will never leave (even after they do start slurping)

1
0
Silver badge

Re: "the printer was no longer visible"

"I think many things about Google but thinking them stupid isnt one."

So they'd never do anything stupid like have their streetview cars slurp any wifi access points they passed.

1
1
Silver badge

Re: "the printer was no longer visible"

The moment they were found to be slurping kids accounts etc then schools would drop them in droves.

The problem is, all this stuff they provide is convenient, and people like that. And people seldom really give a stuff about "it's only my school work, nothing really important" and so on. And people are creatures of habit. Look at how many people do stupid stuff they know is bad for them yet become "stuck in a rut" and continue even when they hate it (how many smokers get stuck in a "I wish I could stop but I can't" habit (no not addiction, I was stuck for a long time on that myself)).

As Dr Syntax mentions, Google did stupid. Most people did "meh" in response, at least among the relatively few who even heard about it.

0
0
Silver badge
Pint

Re: "the printer was no longer visible"

@Lost all faith... Shall I go on?

Read: "How Facebook's tentacles reach further than you think"

http://www.bbc.co.uk/news/business-39947942

I'm a little surprised it hasn't received the attention of El Reg yet...

0
0
Silver badge

See the printer?

So presumably visible (look it up) over WiFi.

I am assuming that the printer had the web interface enabled over WiFi and that there was no password set for WiFi access to the printer.

Guessing further (yes, wild speculation) there was another connection to the printer by Ethernet or USB which opened up the internal LAN to the printer and it was browsable from the printer web page. Or there were at least two WiFi networks one secured and the other hosted by the printer.

Otherwise it was just wide open WiFi and the printer was irrelevant.

6
0
Silver badge
Holmes

Re: See the printer?

I'm guessing here, but he physically saw it, remembered make and model, and also saw it on one of his devices as discoverable and put 2 and 2 together... The rest of the shenanigans seem a bit fluffy, linkedin, address book etc.

1
0
Silver badge

Re: See the printer?

I'm guessing here, but he physically saw it, remembered make and model

Not necessarily. If you can access the web interface, you're usually presented with this info, and much more such as page count and ink/toner levels, in one of the maintenance pages.

3
0
Silver badge
Devil

Biggest surprise to me...

... a printer that actually worked, REALLY? Printers ----->

21
0
Gold badge

Re: Biggest surprise to me...

We got a new printer yesterday. Small office, small network. So last thing I set it up and it worked. Then I went home for some well-earned dinner.

This morning, it didn't work. But weirdly, though my PC couldn't see it, it could see my PC and so I could scan direct to my pooter.

So I then fixed it, and got the printer working again. Now I can print to it, but it can't see my PC to scan to it. I guess this is like the uncertainty principle. My PC can either know where the printer is, or the printer my PC, but not both - or the universe explodes...

19
0
Silver badge

Re: Biggest surprise to me...

I like how there's a link at the bottom of the page where you can buy a printed out copy of the cartoon...

3
0
Silver badge

Re: Biggest surprise to me...

Possibly a Windows update borked that. I'm seeing weird things with our Win 7 machines after every update. Suddenly "features" stop working or printer weirdness as you describe. Linux is getting closer to landing in my house.... just one more piece needs to work.

2
0
Anonymous Coward

The long arm of the Law

might be coming for you Doug. Like it or not, you committed a crime by accessing their printer. The wide open barn door won't fly as your defence. Look at all those poor sods who got into the NSA and other TLA's networks through open doors who have or are spending time behind bars!

Knocking on their physical door when you noticed the open network should have been as far as you went. Getting into the printer was as I understand it, unauthorised access under the terms of the Computer Misuse Act.

But at least what you did got results. Sadly we don't have a statute of limitations in this country so beware Doug (if that is your real name), the Plod could come knocking on your door any time before you pop your clogs.

But hey look on the bright side, that's one way to get 3 meals a day on the state in your dotage isn't it!

7
2
Silver badge

Re: The long arm of the Law

"Computer Misuse Act."

UK legislation. RTFA - location of printer: Dublin. Location of Dublin: not in UK.

23
1
Silver badge

Re: The long arm of the Law

Still a crime in Ireland though:

http://www.irishstatutebook.ie/eli/2001/act/50/section/9/enacted/en/html#sec9

8
0
Silver badge

Re: The long arm of the Law

they're bloody _Irish_ cops! the next time I see an Irish cop who had clue one about anything more technical than how to drink a few pints without spilling any, why, that will be the _first_ time.

To be sure, I haven't been near Ireland since 1977 so they could have improved. I doubt it.

2
0
Silver badge

Re: The long arm of the Law

...To be sure, I haven't been near Ireland since 1977...

Surely, that should read "...To be sure, to be sure, I haven't been near Ireland since 1977, to be sure..."

0
0

Never do this

Seriously, don't. I work in IT Security and I can tell you: if you don't have a clear mandate (written request) from the system's owner, don't touch that system.

It doesn't matter if you had the best of intentions. You still broke the law. All it takes is one determined prosecutor. You don't want to roll that dice.

You want to be a hero? Fine. There are plenty of authorized bug bounty programs where you actually get paid if you find security holes.

And if you do happen to notice by accident a (potentially) vulnerable system that's not part of your scope of work, just contact directly the respective company and let them know what you observed. But don't dig into the matter any further without written permission.

To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point.

31
0
Silver badge

Re: Never do this

"To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point."

Ooh that explains what I've been doing wrong...

16
0
Silver badge

Re: Never do this

"To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point."

That's a bad analogy. A better analogy would be to slip a piece of paper into said wallet pointing out that they have left it on view and someone could have nicked it. Would that be a crime? I don't think it would, which illustrates a flaw in the Computer Misuse Act (and analogues in other countries, such as Eire in this case).

15
2


Biting the hand that feeds IT © 1998–2018