Copier Security – The · • The bad guys develop new tools every day • New vulnerabilities...

Post on 28-Apr-2018


Copier Security – The Sequel
Network Access, Vulnerabilities and Solutions

with your host Anthony Phillips

KSU Office of Information Security and Compliance

Disclaimers: I am not a lawyer, I am not a Savin/Ricoh engineer, I am not a photocopier or security engineer of any sort, I have not read ALL of the documentation related to said devices, past performance does not guarantee future returns, your mileage may vary, I do not know everything there is to know, I did not stay at a Holiday Inn Express last night.

Review From Last Year

• Copier hard drives = Risk of data leakage
  http://www.k-state.edu/policies/ppm/3433.html

• State contract contains provisions for safeguarding data – most cost money

• KSU now has a degausser !!!
• OK, I did all that. Now I’m safe, right?

Not Exactly

• Copiers have network jacks (oh my!)
• Additional functionality

– Network printing / scanning / faxing
– Remote device management
– Email notifications and documents

• Copiers are computers with operating systems, web servers, email engines

• Rarely (if ever) receive updates, virus scans, vulnerability scans

What Are the Risks?

• Document leakage
– HIPAA protected health data
– FERPA protected student data
– PCI-DSS protected payment card data

– Personally identifiable data used in identity theft
– Confidential research data
– Any University confidential or proprietary data

• You and K-State can be on the news
• Account compromise
• Outright machine compromise

How Can That Happen? It’s Just a Copier

Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-01 16:07 Central Daylight Time
Interesting ports on tribble.cns.ksu.edu (129.130.***.***):
Not shown: 992 closed ports
PORT     STATE SERVICE
80/tcp   open  http
427/tcp  open  svrloc
515/tcp  open  printer
631/tcp  open  ipp
1124/tcp open  unknown
2000/tcp open  callbook
5200/tcp open  unknown
9100/tcp open  jetdirect
MAC Address: 00:15:99:3A:**:** (Samsung Electronics Co.)
Nmap done: 1 IP address (1 host up) scanned in 3.81 seconds

Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-01 16:07 Central Daylight Time
Interesting ports on 129.130.***.***:
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
514/tcp  open  shell
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
Nmap done: 1 IP address (1 host up) scanned in 17.53 seconds

Notably absent: 443, 445 ports for encrypted traffic

… And That Means What?

This is available to the whole Internet

What Can I Do About It?

• Unplug the network cable – DONE!
• Set your passwords

• Purchase and install the network security kit
– Enable encryption

• Turn off unused or unneeded protocols
• Restrict accessible IP addresses
• Put copiers and printers on an isolated network

Set Your Passwords – Web Monitor

Set Your Passwords – Control Panel

Purchase and Install the Network Security Kit

• $10.35 / mo – spread over 36 mo contract
• $372.60 total cost

• Log into Web Monitor as Administrator
– Select Network Security
– Set to Level 2 (options 0, 1, 2)
– Enable Encryption
– Disable IPX and IPV6
– Enable Encrypted SNMPv3 only

Set Network Security to Level 2

A = Available, - = Unavailable, O = Port is open, C = Port is closed, M = Automatic, P = Ciphertext only, X = Ciphertext priority

                                  Network security level
Function                          Level 0  Level 1  Level 2
Interface
  IEEE1394 SBP-2                  A        A        -
  Bluetooth                       A        A        -
  IPv4 over 1394                  A        A        -
  TCP/IP                          A        A        A
HTTP
  Port 80                         O        O        O
  Port 443                        O        O        O
  Port 631                        O        O        C
  Port 7443/7444                  O        O        O
IPP
  Port 80                         O        O        O
  Port 631                        O        O        C
  Port 443                        O        O        O
DIPRINT                           A        A        -
LPR                               A        A        -
FTP Port 21                       O        O        O
ssh Port 22                       O        O        O
sftp                              O        O        O
TCP/IP RFU Port 10021             O        O        O
RSH/RCP                           A        A        -
SNMP                              A        A        A
SNMP v1v2
  Setting                         A        -        -
  Browse                          A        A        -
SNMP v3
  SNMP v3                         A        A        A
  SNMP Encryption                 M        M        P
TELNET                            A        -        -
SSDP Port 1900                    O        O        C
NBT Port 137/138                  O        O        C
SSL                               A        A        A
SSL/TLS Encryption Mode           X        X        P
DNS                               A        A        -
SMB                               A        A        -
NetWare
  NetWare                         A        A        -
AppleTalk
  AppleTalk                       A        A        -

Enable Encryption – SSL / TLS

Disable IPV6 and IPX
Enable SNMPv3 only

Turn Off Unused or Unneeded Protocols

Restrict Accessible IP Addresses

Put Copiers and Printers On an Isolated Network

• 10.X.X.X IP addresses are not routed
• Private to the University network

• Protects against unknown vulnerabilities
• Takes a lot of work and coordination
• Talk to your network administrator

The Bad News

• Whew, that was a lot of work
  Now I’m safe, right?

• Security is an ongoing process, not an accomplishment
• The bad guys develop new tools every day

• New vulnerabilities are being discovered
• Copiers and printers often hold some of the most valuable data

The Good News

• Copiers and printers are not a huge target (yet)

• The more you do, the more secure you will be
• The more you know, the easier it gets
• There is help available. You’re not in this alone.

Some Help

K-State Office of Information and Security Compliance

http://www.k-state.edu/its/security/

Ricoh / Savin
Network Security White Paper

http://rfg-esource.ricoh-usa.com/oracle/groups/public/documents/communication/rfg042562.pdf

Knowledge Base
http://www.savin.com/support/kb/

Questions, Comments, Criticisms