Copier Security – The SequelNetwork Access, Vulnerabilities and Solutions

with your hostwith your hostAnthony Phillips

KSU Offi f I f ti S it dKSU Office of Information Security and Compliance

Disclaimers: I am not a lawyer, I am not a Savin/Ricoh engineer, I am not a photocopier or security engineer of any sort, I have not read ALL of the documentation related to said devices, past performance does not guarantee future returns, your mileage may vary, I do not know everything there is to know, I did not stay at a Holiday Inn Express last night.

Review From Last YearReview From Last Year

• Copier hard drives = Risk of data leakageCopier hard drives = Risk of data leakagehttp://www.k‐state.edu/policies/ppm/3433.html

S i i i f• State contract contains provisions for safeguarding data – most cost money

• KSU now has a degausser !!!• OK, I did all that.  Now I’m safe, right?, , g

Not ExactlyNot Exactly

• Copiers have network jacks (oh my!)Copiers have network jacks (oh my!)• Additional functionality

– Network printing / scanning / faxingNetwork printing / scanning / faxing– Remote device management– Email notifications and documentsEmail notifications and documents

• Copiers are computers with operating systems, web servers, email enginessystems, web servers, email engines

• Rarely (if ever) receive updates, virus scans, vulnerability scansu e ab ty sca s

What Are the Risks?What Are the Risks?

• Document leakageg– HIPAA protected health data– FERPA protected student dataPCI DSS t t d t d d t– PCI‐DSS protected payment card data

– Personally identifiable data used in identity theft– Confidential research datao de a esea c da a– Any University confidential or proprietary data

• You and K‐State can be on the news• Account compromise• Outright machine compromise

How Can That Happen? It’s Just a CopierS i N 5 00 ( h // ) 2011 04 01 16 07 C l D li h TiStarting Nmap 5.00 ( http://nmap.org ) at 2011‐04‐01 16:07 Central Daylight TimeInteresting ports on tribble.cns.ksu.edu (129.130.***.***):Not shown: 992 closed portsPORT     STATE SERVICE80/tcp open  http427/tcp open svrloc427/tcp open  svrloc515/tcp open  printer631/tcp open  ipp1124/tcp open  unknown2000/tcp open  callbook5200/tcp open  unknown9100/tcp open  jetdirectMAC Address: 00:15:99:3A:**:** (Samsung Electronics Co.)Nmap done: 1 IP address (1 host up) scanned in 3.81 seconds

Starting Nmap 5.00 ( http://nmap.org ) at 2011‐04‐01 16:07 Central Daylight TimeI t ti t 129 130 *** ***Interesting ports on 129.130.***.***:Not shown: 992 closed portsPORT     STATE SERVICE21/tcp open  ftp23/tcp open  telnet80/tcp open http80/tcp open  http139/tcp open  netbios‐ssn514/tcp open  shell515/tcp open  printer631/tcp open  ipp9100/tcp open  jetdirectNmap done: 1 IP address (1 host up) scanned in 17.53 seconds

Notably absent : 443, 445 ports for encrypted traffic

… And That Means What?

This is available to the whole InternetThis is available to the whole Internet

What Can I Do About It?What Can I Do About It?

• Unplug the network cable – DONE!Unplug the network cable  DONE!• Set your passwords

h d i ll h k i ki• Purchase and install the network security kit– Enable encryption

• Turn off unused or unneeded protocols• Restrict accessible IP addresses• Put copiers and printers on an isolated networknetwork

Set Your Passwords – Web MonitorSet Your Passwords  Web Monitor

Set Your Passwords – Control PanelSet Your Passwords  Control Panel

Purchase and Install the Network Security Kit

• $10 35 / mo – spread over 36 mo contract$10.35 / mo  spread over 36 mo contract• $372.60 total cost

i b i d i i• Log into Web Monitor as Administrator– Select Network Security– Set to Level 2 (options 0, 1, 2)– Enable Encryption– Disable IPX and IPV6– Enable Encrypted SNMPv3 only

Set Network Security to Level 2y

A = Available - = Unavailable O = Port is open C = Port is closed M = Automatic P = Ciphertext only X = Ciphertext priority

Function Network security level Level 0 Level 1 Level 2

Interface IEEE1394 SBP-2 A A - Bluetooth A A - IPv4 over 1394 A A - TCP/IP A A ATCP/IP A A A

HTTP

Port 80 O O O Port 443 O O O Port 631 O O C Port 7443/7444 O O O

IPP Port 80 O O O Port 631 O O CPort 443 O O O

DIPRINT A A - LPR A A - FTP Port 21 O O O ssh Port 22 O O O sftp O O O

TCP/IP RFU Port 10021 O O O RSH/RCP A A - SNMP A A A

SNMP v1v2 Setting A - - Browse A A -

SNMP v3 A A A SNMP v3 SNMP Encryption M M PTELNET A - - SSDP Port 1900 O O C NBT Port 137/138 O O C

SSL A A A SSL/TLS Encryption Mode X X P Mode

DNS A A - SMB A A -

NetWare NetWare A A - AppleTalk AppleTalk A A -  

Enable Encryption – SSL / TLSEnable Encryption  SSL / TLS

Disable IPV6 and IPXbl lEnable SNMPv3 only

Turn Off Unused or Unneeded Protocols

Restrict Accessible IP Addresses

Put Copiers and Printers On an l d kIsolated Network

• 10 X X X IP addresses are not routed10.X.X.X IP addresses are not routed• Private to the University network

i k l bili i• Protects against unknown vulnerabilities• Takes a lot of work and coordination• Talk to your network administrator

The Bad NewsThe Bad News

• Whew that was a lot of workWhew, that was a lot of workNow I’m safe, right?

• Security is an ongoing process not an• Security is an ongoing process, not an accomplishmentTh b d d l l d• The bad guys develop new tools every day

• New vulnerabilities are being discovered• Copiers and printers often hold some of the most valuable data

The Good NewsThe Good News

• Copiers and printers are not a huge targetCopiers and printers are not a huge target (yet)

• The more you do the more secure you will be• The more you do, the more secure you will be• The more you know, the easier it gets• There is help available.  You’re not in this alone. 

Some HelpSome Help

K‐State Office of Information and Security ComplianceK State Office of Information and Security Compliance

http://www.k‐state.edu/its/security/

Ricoh / SavinNetwork Security White Paper

http://rfg‐esource.ricoh‐usa.com/oracle/groups/public/documents/communication/rfg042562.pdf

Knowledge Basehttp://www.savin.com/support/kb/

Questions, Comments, CriticismsQuestions, Comments, Criticisms