[Micronet] Printer spam.....

[Micronet] Printer spam.....

Baril
To all,

Well if you all "thought" you had your printer settings locked down,
then I guess we were proven wrong with all the printer spam spewing from
our printers. I have read the Storify piece on "Weev" (below link) and
gleaned enough info out of it to apply further controls on my printers
here. We have a combination of HP laser printers and some Ricoh
copier/printers. The Ricoh link below explains "diprint" protocol that
uses port 9100 and in the HP config pages you will find the 9100 port
referenced. You need to disable anything that uses port 9100 to prevent
the current rash of spam from printing. Good luck to all!

https://storify.com/weev/a-small-experiment-in
http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001036/0001036377/view/netsys/unv/0130.htm

Best,

Roy

--
Roy A. Baril
Director of Technology
Graduate School of Journalism
University of California
121 North Gate Hall
Berkeley, CA 94720
510-643-9215 -- Work
510-643-9136 -- Fax
925-352-9543 -- Cell


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.

Re: [Micronet] Printer spam.....

Graham Patterson

Access controls are not enough? Admittedly the Ricohs only have five
address range slots which makes complex network access control a bit
more of a challenge.

You are exclusively Macs, so LPR is probably all you need?

Graham

On 3/30/16 2:05 PM, Baril wrote:

> To all,
>
> Well if you all "thought" you had your printer settings locked down,
> then I guess we were proven wrong with all the printer spam spewing from
> our printers. I have read the Storify piece on "Weev" (below link) and
> gleaned enough info out of it to apply further controls on my printers
> here. We have a combination of HP laser printers and some Ricoh
> copier/printers. The Ricoh link below explains "diprint" protocol that
> uses port 9100 and in the HP config pages you will find the 9100 port
> referenced. You need to disable anything that uses port 9100 to prevent
> the current rash of spam from printing. Good luck to all!
>
> https://storify.com/weev/a-small-experiment-in
> http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001036/0001036377/view/netsys/unv/0130.htm
>
> Best,
>
> Roy
>


--
Graham Patterson, Systems Administrator
Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - used to be the directions to my office.

 

Re: [Micronet] Printer spam.....

Beth Muramoto
In reply to this post by Baril
Thanks for doing the research for these options and testing them. I have to admit that I was at a bit of a loss reading the security.berkeley.edu site about all the best practices, and having no idea about how to approach it. Between this and the OS updates, I feel pretty overwhelmed so I'm ever grateful for the information.

Beth

On Wed, Mar 30, 2016 at 2:05 PM, Baril <[hidden email]> wrote:
To all,

Well if you all "thought" you had your printer settings locked down,
then I guess we were proven wrong with all the printer spam spewing from
our printers. I have read the Storify piece on "Weev" (below link) and
gleaned enough info out of it to apply further controls on my printers
here. We have a combination of HP laser printers and some Ricoh
copier/printers. The Ricoh link below explains "diprint" protocol that
uses port 9100 and in the HP config pages you will find the 9100 port
referenced. You need to disable anything that uses port 9100 to prevent
the current rash of spam from printing. Good luck to all!

https://storify.com/weev/a-small-experiment-in
http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001036/0001036377/view/netsys/unv/0130.htm

Best,

Roy

--
Roy A. Baril
Director of Technology
Graduate School of Journalism
University of California
121 North Gate Hall
Berkeley, CA 94720
510-643-9215 -- Work
510-643-9136 -- Fax
925-352-9543 -- Cell






--
***********************************************
Beth Muramoto
Computer Resource Specialist
Graduate School of Education
University of California, Berkeley
1650 Tolman Hall
Berkeley, CA 94720
Email:  mailto:[hidden email]
Phone:  (510) 643-0203 
Fax:  (510) 643-6239

“Finish each day and be done with it. You have done what you could. Some blunders and absurdities have crept in – forget them as soon as you can. Tomorrow is a new day. You shall begin it serenely and with too high a spirit to be encumbered with your old nonsense.”
                            -Emerson

This is the essence of forgiveness. You can't change what happened but you can make sure it doesn't have the power to prevent you from being happy tomorrow.
                           
                             -Paul Boese

“Kind words do not cost much yet they accomplish much.” 

                            -Blaise Pascal


***********************************************


 

Re: [Micronet] Printer spam.....

Igor Savine
In reply to this post by Graham Patterson
Denying access to ports 9100 (JetDirect), 631 (IPP), and 515 (LPD) from off-campus sources would alleviate the problem. Pretty easy to implement campus wide. Then the SNS group may restart scanning public printers (I don't know why they stopped a year ago) for known vulnerabilities.

Best,
Igor

On Wed, Mar 30, 2016 at 2:13 PM, Graham Patterson <[hidden email]> wrote:

Access controls are not enough? Admittedly the Ricohs only have five
address range slots which makes complex network access control a bit
more of a challenge.

You are exclusively Macs, so LPR is probably all you need?

Graham

On 3/30/16 2:05 PM, Baril wrote:
> To all,
>
> Well if you all "thought" you had your printer settings locked down,
> then I guess we were proven wrong with all the printer spam spewing from
> our printers. I have read the Storify piece on "Weev" (below link) and
> gleaned enough info out of it to apply further controls on my printers
> here. We have a combination of HP laser printers and some Ricoh
> copier/printers. The Ricoh link below explains "diprint" protocol that
> uses port 9100 and in the HP config pages you will find the 9100 port
> referenced. You need to disable anything that uses port 9100 to prevent
> the current rash of spam from printing. Good luck to all!
>
> https://storify.com/weev/a-small-experiment-in
> http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001036/0001036377/view/netsys/unv/0130.htm
>
> Best,
>
> Roy
>


--
Graham Patterson, Systems Administrator
Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - used to be the directions to my office.
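
Added example, not part of the original thread or written by any of its participants: one way to check whether the off-campus block on ports 9100, 631 and 515 suggested in the reply above is actually holding, by looking for accepted flows to those ports from outside the campus ranges. The campus range, the log format and the sample records are assumptions constructed for illustration (RFC 5737 documentation addresses).

```python
import ipaddress

# Print services named in the thread: JetDirect (raw), IPP, LPD.
PRINT_PORTS = {9100: "JetDirect", 631: "IPP", 515: "LPD"}

# Assumption: placeholder "campus" range; substitute your real prefixes.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records in a hypothetical format:
# "src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
192.0.2.15 192.0.2.200 9100 ACCEPT
198.51.100.7 192.0.2.200 9100 ACCEPT
203.0.113.9 192.0.2.201 631 ACCEPT
203.0.113.9 192.0.2.201 515 DENY
198.51.100.7 192.0.2.200 443 ACCEPT
truncated-record 9100
"""

def is_campus(addr):
    """True if the address falls inside any configured campus prefix."""
    return any(addr in net for net in CAMPUS_NETS)

def off_campus_print_hits(log_text):
    """Return accepted flows from non-campus sources to print ports."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated records
        src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            port_no = int(port)
        except ValueError:
            continue  # unparseable address or port
        if port_no in PRINT_PORTS and action == "ACCEPT" and not is_campus(src_ip):
            hits.append((src, dst, port_no, PRINT_PORTS[port_no]))
    return hits

def exposed_printers(log_text):
    """Map each printer to the sorted print ports reached from off campus."""
    exposed = {}
    for _src, dst, port_no, _svc in off_campus_print_hits(log_text):
        exposed.setdefault(dst, set()).add(port_no)
    return {dst: sorted(ports) for dst, ports in exposed.items()}

if __name__ == "__main__":
    for printer, ports in exposed_printers(SAMPLE_FLOWS).items():
        print(printer, "reachable from off campus on", ports)
```

Any printer this reports still has a print port reachable from outside the campus ranges, so the border rule or the device's own access control list needs another look.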



Re: [Micronet] Printer spam.....

Allison Henry-2

Hi Micronetters, just as an FYI we have scanned and will continue to
scan all devices connected to the campus network, including printers and
multifunction devices, for known vulnerabilities. Many of you must know
this as you have received security notifications from us concerning
out-of-date or mis-configured printer devices. We do make an effort to
tune our scanning to avoid garbage printouts and other service disruptions.

I would also like to remind folks that the appropriate place to discuss
specific vulnerabilities and associated security controls is the
non-public UCB-Security mailing list:

https://security.berkeley.edu/resources/mailing-lists-workgroups/ucb-security-mailing-list

We're also very open to any suggestions on how to improve our advice and
documentation, on this subject or any other found on our website. Please
feel free to email [hidden email] if you have any questions or
feedback to offer. Thanks all,

- Allison Henry

On 3/30/16 2:30 PM, Igor Savine wrote:

> Denying access to ports 9100 (JetDirect), 631 (IPP), and 515 (LPD) from
> off-campus sources would alleviate the problem. Pretty easy to implement
> campus wide. Then the SNS group may restart scanning public printers (I
> don't know why they stopped a year ago) for known vulnerabilities.
>
> Best,
> Igor
>
> On Wed, Mar 30, 2016 at 2:13 PM, Graham Patterson <[hidden email]> wrote:
>
>
>     Access controls are not enough? Admittedly the Ricohs only have five
>     address range slots which makes complex network access control a bit
>     more of a challenge.
>
>     You are exclusively Macs, so LPR is probably all you need?
>
>     Graham
>
>     On 3/30/16 2:05 PM, Baril wrote:
>     > To all,
>     >
>     > Well if you all "thought" you had your printer settings locked down,
>     > then I guess we were proven wrong with all the printer spam spewing from
>     > our printers. I have read the Storify piece on "Weev" (below link) and
>     > gleaned enough info out of it to apply further controls on my printers
>     > here. We have a combination of HP laser printers and some Ricoh
>     > copier/printers. The Ricoh link below explains "diprint" protocol that
>     > uses port 9100 and in the HP config pages you will find the 9100 port
>     > referenced. You need to disable anything that uses port 9100 to prevent
>     > the current rash of spam from printing. Good luck to all!
>     >
>     > https://storify.com/weev/a-small-experiment-in
>     > http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001036/0001036377/view/netsys/unv/0130.htm
>     >
>     > Best,
>     >
>     > Roy
>     >
>
>
>     --
>     Graham Patterson, Systems Administrator
>     Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
>     "...past the iguana, the tyrannosaurus, the mastodon, the mathematical
>     puzzles, and the meteorite..." - used to be the directions to my office.
>
>