In early 2017, HP invited a group of cybersecurity industry bloggers and podcasters to gather for an HP Print Security “Tech Day” at their headquarters in Palo Alto, CA. The purpose of the gathering was to introduce the group to HP’s printer security program (#reinventsecurity), foster discussion, and get feedback on the program. This event was the precursor to a major marketing campaign for HP to promote everything they’ve been doing in terms of making their printers more secure and also building printers with “cyber resilience”, meaning they have the capacity to detect malicious or accidental actions and even recover from the attacks. HP has done some amazing things to facilitate the security of printers which in turn helps to create a more secure enterprise network.
Discussions that day with the industry bloggers and podcasters covered many topics, and HP was very receptive to both positive and critical feedback they received throughout the day. Topics included the technical aspects of the security features they are offering for enterprise printers, the responsibility that HP has to produce a secure product, the need for increased user awareness to assure that printers are implemented and maintained securely, and the many ways that printers can be exploited for direct compromise of data (e.g. print jobs) but also that they can be leveraged as an attack platform or pivot point to gain access to the rest of the network. One particular topic of discussion was how to maintain the security of things like printers given the continuous “discovery” of vulnerabilities and weaknesses to systems and applications.
Somewhere in the conversation the idea of HP starting a bug bounty program apparently took hold. To that end, HP announced just before Black Hat 2018 that it has entered a partnership with Bugcrowd to pay up to a $10,000 bug bounty to security researchers for the discovery of vulnerabilities in their printers. In short, HP is paying hackers to break into their devices.
HP invited me to Black Hat this year to continue discussions with them about their printer security efforts, particularly the new bug bounty program. They asked me to meet with several of their security experts, check out their latest marketing campaign featuring “The Fixer” (more on that later), ask questions, and provide feedback.
The launch of the bug bounty program was one of the key highlights from Black Hat as this is the first time a bug bounty program has been launched that specifically focuses on printers. The buzz actually started before the conference as HP went public with the program on July 31st. The HP folks I talked to at during the week were very encouraged by the public response and direct feedback they were receiving during the week.
What is a bug bounty?
The idea of a bug bounty is to pay independent developers and security researchers (a.k.a. hackers) to share vulnerabilities that they have found in applications and systems with the companies that produce them. It is essentially outsourcing the research & development function or at least supplementing that function. In fact, the concept is sometimes referred to as crowdsourcing. Companies like Bugcrowd have created a business model around brokering the relationships between the companies offering the bounties and the research community.
The concept of “public de-bugging” is not new in this industry. I remember in the early days of the “World Wide Web” the first commercial browser, Netscape Navigator, offered bounties for the discovery and reporting of bugs in its software. The Netscape company rather boldly said something to the effect of, “we know we’re putting out buggy software, and we are willing to pay you for reporting the bugs”. To them, it was more advantageous than relying on internal testing and more importantly it helped them get new software and features to the market more quickly.
It makes sense really, because in the connected world in which we now live it is nearly impossible to build in-house expertise, no matter the number of security researchers hired, that can match the tens of thousands of practitioners and researchers all over the world. Bug bounty programs have become prevalent, and the demand for such programs has resulted in the emergence of companies that are focused on administering and brokering the programs for an increasing number of manufacturers and developers. Bugcrowd has emerged as one of the leading companies in this space and promises to be very successful in managing the program on behalf of HP.
Why the focus on security?
HP traces its origins back to the very beginning of the technology era when the founders, Bill Hewlett and Dave Packard, produced oscilloscopes out of a rented garage. In fact, the “HP Garage” is credited as being the birthplace of what is now known as Silicon Valley. HP has always prided itself on producing the best products from electronic monitoring/tracking systems, calculators, desktop computers, and of course, printers.
Today the company still holds to the values and corporate culture that Bill & Dave nurtured and considers producing the best, and most secure, products as an integral part of preserving the legacy and reputation that was so carefully cultivated by the founders. In addition to the commitment to provide secure printers with secure settings and configurations, the company has developed features that enable the printers to be “self-checking’ and “self-healing” in order to minimize the impact of any attack that is launched against the printer itself.
Implementation is key
HP has made a commitment to educate its customers on the threats that network printers pose to the enterprise and how to configure, maintain, and use printers in a secure manner. To that end, HP has embarked on an extensive marketing campaign that revolves around educating consumers about the threat that networked printers pose through a series of dramatic short stories featuring a dubious character played by Christian Slater (Mr. Robot). The first episode is titled “The Wolf” and the second is titled, “The Wolf: The Hunt Continues”.
The third installment in the series introduces a new and enigmatic character dubbed “The Fixer” played by the often villainous character actor, Jonathan Banks (Breaking Bad, Better Call Saul). To see the latest installment of the HP series and to learn more about printer security check out: “The Wolf: True Alpha”. #reinventsecurity