Nationwide Bomb Threat Hoax Underscores the Need for Access Restrictions and Print Data Security

In the past few days, universities, local businesses and churches woke up to unauthorized print jobs on their printers and fax machines that say the following:

[[{"fid":"41703","view_mode":"default","fields":{"format":"default","field_file_image_alt_text[und][0][value]":"Nationwide Bomb Threat Hoax","field_file_image_title_text[und][0][value]":"Nationwide Bomb Threat Hoax"},"type":"media","field_deltas":{"3":{"format":"default","field_file_image_alt_text[und][0][value]":"Nationwide Bomb Threat Hoax","field_file_image_title_text[und][0][value]":"Nationwide Bomb Threat Hoax"}},"link_text":null,"attributes":{"alt":"Nationwide Bomb Threat Hoax","title":"Nationwide Bomb Threat Hoax","class":"media-element file-default","data-delta":"3"}}]]

Although this turned out to be a hoax and the threat wasn’t credible, it shows that security landscape is constantly changing and just relying on building security or network security may not be enough. From Institutions such as Vanderbilt University and University of Virginia to Shiloh Missionary Baptist Church were targeted by the scammers who exploited the open ports of printers that were connected to the internet. Such a setup allowed anyone who connected to those printers’ IP addresses could print to them. In most cases, it was Port 9100, the printer’s default printing port.

Today’s multi-function printers (MFP) are sophisticated computing devices, according to Federal Trade Commission (FTC). It is estimated that 61% of organizations have reported at least a single print-related data breach in the past year.  In this case, the following factors contributed to the widespread hoax:

• Smaller organizations and universities not having enough IT staff to manage and monitor every print device, leaving most printers with default configurations
• Most security efforts are focused on perimeter security and network security, while security of other business systems often falls behind.
• Traditional secure print capabilities rely on users entering username and pin to release their print jobs thus creating a cumbersome end–user experience. In an university environment, such deployment is a non-starter because of the volume of students and print jobs.

What can we do to prevent incidents like this from happening?

As the FTC recommends, IT security plans should cover digital copiers and printers. The MFPs should be configured right to ensure that no default settings can be exploited. A step further will be to make the MFPs identity-aware. Using location and user authentication, it can be ensured that the print data stays away from the prying eyes. Also, we need to ensure that the platform capabilities we build today can also be applicable tomorrow.

Recent study estimates 48% of the users expect mobile devices to be the main form of ID in next 5-7 years. With this trend, we need to ensure that the print platforms we invest in can identify the authorized users using a variety of form-factors, including cards, mobile phones and wearables. I

t is also critical that this increased security doesn’t come at the expense of convenience. The next generation of students expect everything to happen instantly, and any experience that does not meet that expectation will be rejected.

There is no “silver bullet” or panacea to address the new threats, but a conscious security policy and identity-aware business systems can definitely address most of the challenges.