If they do, learn what multi-function peripheral (MFP) manufacturers say should be done to secure the data.
....I need to password protect and encrypt the copy of my scanned a$$?
Edit - Great article.
Just a thought... in the name of homeland security of course! LOL
"Mr. Evens mentioned that most MFPs use proprietary operating systems, which makes them fairly immune to exploitation." I have a hard time with this statement. Just because an OS is proprietary doesn't mean that it's immune. It should be the opposite. The same attacks that the big OS's have been mitigating for years most likely apply to this software as well. It only stands to reason that they have hardened the OS less than the big OS's as they have been tested less and not attacked as much. I keep seeing this "junior tech" reasoning on these forums and it's bothering me. This used to be a place where well thought articles were published. Separate your printers from the rest of the network and don't allow internet access. This is my recommendation.
I should have explained better. The proprietary operating systems are such as each MFP developer has their own system.
They are not computer OSs. They are related to PLC firmware and I believe the firmware resides on a PROM, not the hard drive.
If you look up Sharp on the vulnerability site I linked, you will notice there are no vulnerabilities listed. That says something.
As for your other comments, I am sorry you feel that way. It certainly was not my intent.
Edit: Spelling
A couple of minor observations:
They are computer "Operating Systems"! They are running on some sort of integrated circuit chip, a COMPUTER. Granted, they are not as full function as a Windows or Linux desktop, but they are computer operating systems. And I bet if you dig into them you'll find many are based on some flavor of 'Nix.
Just because it is a low power computer does not make it harmless. Those ICs probably have as much power as the old 8-bit kit computers we used to buy and assemble from Radio Shack.
Granted, that the OS may be located in a PROM is better than running it from a HD. Not all "hacking" requires changing OS code or installing malware. Some security vulnerabilities stem from using embedded services in unexpected ways, i.e. connecting to an embedded print server from the internet, after local network has been breached.
Uh ... sorry, just because there are no vulnerabilities listed on the corporate website does not mean the OS/application is secure. I know you know how to say "zero-day vulnerability". And how about that large, well known software vendor who regularly "slipstreams" extra security patches into their OS update system without public notification.
Other than that, keep up the good work
Makes sense, I think the experts feel the specificity of PLCs makes them more secure than general usage computer OSs.
Also, I would not consider NIST a corporate Web site.
The PLC itself may not use Windows, but the programmer does. I never ran into a PLC that didn't use some form of Microsoft code to program the chip. Anything from DOS 6.2x to Win98 - I had to leave the industry for health reasons in 2000.
This was just an interface of course; but if that interface uses Windows, who knows what could happen?!?
Hate to muddy the waters but I know from experience that the Ricoh Aficio MFPs use NetBSD as their OS. Telnet enabled and all!
I have had to turn off many network services on those printers including telnet. This is why I locked that network down so much; I didn't trust the O/S that was running on them. Also our vendor didn't have any clue as to why that would be a security issue at all. They did not want us to turn off the services, and warned against them. They also did not want us putting them in an isolated network as this will stop them from gathering the metered data. They expect to have the device check in every so often to say how many sheets have been printed through it and if any error codes exist. This is good for us as it makes them much better at maintenance of the device, but again I am not willing to open up what is now a sensitive device to the internet when I don't believe that the O/S is hardened enough. I have downloaded the Ricoh Security Brochure and it says that you can turn on the feature "Hard drive Encryption which encrypts to AES 256Bits", but there are some printers that do not support it. They also have a thing that they call DataOverwriteSecurity System (DOSS). If my memory serves me right this is inadequate as well because it only uses a three pass method. The last that I knew, the DOD wanted 12 passes to ensure that the data was not retrievable. (I cannot find my source on this one so I could be wrong) This is supported on most models however. My plan is just to remove the drive and have it destroyed like I do with all of our other drives here.
Would just like to add: It is NetBSD based but is not that similar. They have used their right to change the OS as they want it, and it is now proprietary.
Yes, it says that no one has reported any vulnerabilities of which they also have been apprised. Either that or a palm has been greased to keep the record pristine. (Sorry to be such a cynic today.)
When you say separate your printers from the rest of the network? If you do that and you don't allow Internet access how do you print to them? USB thumb drive and sneaker net?
In my opinion this is a well thought out article that points out some facts that most people either didn't know or didn't think through entirely. I didn't realize that some of these MFP's keep a copy of everything that is copied or scanned. Now that I am aware of this I will either not buy a product that does this or I will disable the feature if I am able to do so.
This article also served as a reminder that when it is time to replace the old MFP with a new one (something that only happens every 7-8 years) that I will have to ensure the old drive is wiped clean of company information or the drive becomes "lost" on the way to the recycling center.
We use Canon MFPs. They are leased and as part of that agreement they dial home over the internet every day with stats and info on performance.
I told him no and they did not fully understand but put it on us to verify the number of pages printed. It's in our best interest to do so.
Most of our customers lease the MFCs for 5 years and replace the machines at that interval.
I'd also like to note that manufacturers like Ricoh change (upgrade) the print controllers fairly rapidly. They name their controllers like Ricoh GW 2007 spring or GW 2007 autumn controller.
They get more and more integrated for every generation and they feature more and more security options.
But most customers didn't order extras like a DOS (disk overwrite security module), so now that is a standard feature. More and more brands add this as a standard function.
I would also like to add that a copier supplier that does not format the drives after the leasing period is over is not a serious supplier.
We have a special machine that we run the drives through that wipes them clean in a few seconds. Some customers would like to keep the disk too, and for that we charge about 40-50 dollars.
Michael, the last comment wasn't necessarily aimed at you, I actually can't think of a time where I felt that way about your articles with the exception of this article. I never see responses to the posts so I figured it would just fall on deaf ears and thought I would just relieve my frustration here. My point on the actual OS is that they are performing computing functions such as FTP, SMB, LPR, SMTP and as such are subject to the same type of vulnerabilities that operating systems are whether they are programmed in a PROM or not.
@SGTPappy: By separating I mean put them in a VLAN and only allow what is needed. For our network we allow TCP 9000 (for printing), SNMP (for device option discovery), and HTTP (for management). But I only allow data to and from the print server itself as I just log onto the print server if I need to change any settings on the printer and I do not allow internet access of any kind to or from that VLAN.
I understand your point. That is why I suggested that you go to the vulnerability site (highly regarded) and see what is vulnerable. I use Sharp MFPs and they do not have one vulnerability last time I checked.
Does allowing HTTP mean possible access from any workstation?
In my configuration it does not. I specifically only allow the HTTP access from the print server to the printer itself. This helps to stop any http vulnerabilities that might exist on the printer from being exploited from workstations that are connected to the internet. It only takes one machine to be infected for a hacker to start his magic rights escalation techniques and I would hope it's not one of our print servers.
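The policy described in the posts above (printers in their own VLAN, the print server as the only peer, TCP 9000, SNMP and HTTP only, no internet access) written as a check over connection records. This is an added example and not part of the thread; the addresses, the record format, SNMP on UDP 161, HTTP on TCP 80, and the rule that only the print server opens sessions are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing, constructed for this example (not from the thread).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # everything else = internet
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")  # isolated printer VLAN
PRINT_SERVER = ipaddress.ip_address("10.20.10.5")     # only permitted peer

# Services named in the post; the port numbers for SNMP and HTTP are assumed.
ALLOWED = {
    ("tcp", 9000): "printing",
    ("udp", 161): "SNMP device option discovery",
    ("tcp", 80): "HTTP management",
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse 'src dst proto dport'; src is the side that opened the session."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def check_flow(flow):
    """Return None if the flow fits the policy, otherwise a reason string."""
    src_prn = flow.src in PRINTER_VLAN
    dst_prn = flow.dst in PRINTER_VLAN
    if not (src_prn or dst_prn):
        return None  # traffic that does not touch the printer VLAN
    if src_prn:
        if flow.dst not in INTERNAL:
            return "printer opened a connection to the internet"
        return "printer-initiated connection (only the print server opens sessions)"
    # From here on the destination is a printer and the source is outside the VLAN.
    if flow.src not in INTERNAL:
        return "inbound connection from the internet"
    if flow.src != PRINT_SERVER:
        return "source is not the print server"
    if (flow.proto, flow.dport) not in ALLOWED:
        return f"service {flow.proto}/{flow.dport} is not on the allow-list"
    return None


def audit(lines):
    """Return (line, reason) for every record that violates the policy."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason is not None:
            findings.append((line, reason))
    return findings


# Constructed sample records: src dst proto dport
SAMPLE = [
    "10.20.10.5 10.20.30.11 tcp 9000",   # print job from the print server
    "10.20.10.5 10.20.30.11 udp 161",    # SNMP query from the print server
    "10.20.10.5 10.20.30.11 tcp 80",     # management page from the print server
    "10.20.40.77 10.20.30.11 tcp 80",    # workstation browsing the printer
    "10.20.10.5 10.20.30.11 tcp 23",     # telnet, not an allowed service
    "10.20.30.11 203.0.113.10 tcp 443",  # printer reporting out to the internet
    "10.20.40.77 10.20.10.5 tcp 445",    # workstation to print server, out of scope
    "198.51.100.7 10.20.30.12 tcp 9000", # internet host reaching a printer
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE):
        print(f"VIOLATION  {line:38s} {reason}")
```

Run against an export of firewall or flow logs, any finding means the VLAN rules are looser than the policy, or a device is attempting something the rules should be dropping.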
I am aware of that aspect now. I had a client that was using Win2K3 servers and did the same thing. A bad guy got into the network and was able to use RDP to hit every server, including the print server.
I was impressed and mad at the same time.
I agree about the OS having the same types of vulnerabilities as "normal" Operating systems and I don't allow internet access to my printers either. I haven't locked down our printers like you have but I might reconsider.
I'm surprised that people in US aren't informed about hard drives in MFPs. I really don't know how you obtain them there, but here companies just buy them. It's completely normal to read the manual that comes with the machine. The manuals usually say if the machine has a hard drive and for what the HDD can be used. Are things different over there?
I'm asking this because it looks like whole lot of panic over something that can be solved with simple RTFM.
The manuals I have read do not say what is placed on the hard drive or just in RAM. The manuals do not say whether they save a copy of every document or not.
The Lexmark user manual I have for the 854e only mentions hard disks when they refer to encryption and wiping the disk.
It seems that the question asked is about MFCs "Saving" copies of documents / files. A marketing person may say "no" on the basis that there is no deliberate process invoked by default that retains a copy for later access or use, however how about asking if the MFC "Spools" all jobs through the hard drive.
If this latter process is used, then it becomes the same issue as the PC hard drives that have had all the files "deleted".
I've just been investigating an MFC A0 Plotter chosen by a drawing office and in the manual it says [and I paraphrase] "if the system is unable to place the scanned image file onto the configured remote location, then it will be saved to the machine's mailbox folder and can be retrieved using HTTP access via the Print Management application."
For the same machine, the plot files can be loaded via the HTTP interface and then prioritised for plotting, which the manual suggests may be done by someone dedicated to changing the media.
No doubt there. The hard disk is used for "spooling" and print queue management.
Thank you for the reply. I certainly hope that these omissions will be corrected after public has been informed.
I guess I didn't read enough manuals to make a representative sample.
In general a copier will handle small jobs without collating/stapling/editing of color and so on in RAM. Other jobs are stored on disk. But the next job will overwrite the last job more or less.
Only documents stored with purpose on the drive (doc centers functions) will be saved in a way that is fairly easy to gain access to (even though you need special software to do so). Even if you store in PDF, it is usually not a standard format that is stored to the disk (minor changes are made to the format). We tested this at work.
Oh yeah.. also if people store jobs on the machine and get the pages when they type a code.. those jobs are also stored on the drive. We managed to get several pages from that area too.
All new copiers have security features like data overwrite security units and they usually also have the ability to encrypt the documents. All this will take some extra seconds. Nothing that the average user will notice if they had it that way from the start - but if you add the feature they might notice once in a while.
A few years ago a friend and I went to electronics recycling area - where PCs were stored for a few days/weeks before it was sent to the recycling facility. We harvested a few machines and extra drives and RAM. It was amazing. Not ONE single PC had the content removed. We got personal pictures, hospital records and grades from a school and so on.
At the same place there were mountains of paper that was stored before being recycled. There were several hackers/crackers that were dumpster diving for passwords or just info to get names and how a company was structured so they could use social engineering/hacking to get the info they wanted. Like.. hi Jane, this is John from IT. Peter told me that the PCs in your department were a bit slow. We're going to try to fix that. Can you give me your username and password as I'll try to sort it out. Oh by the way, you're getting a new laptop in December. Do you want it in silver or champagne color? I see Wendy at accounting wanted champagne because it was SOO stylish.. and so on. In a few seconds she will give them all the info they want.
So a good rule is to wipe all drives whether they are in a PC, TV or a MFC. Use a serious tech company to maintain your equipment that will do it for you. Shred ALL documents, no matter if they are secret or not. It will make it so much harder for folks to get info from a pile of paper than from just a small plastic bag full of secret documents.
It is an excellent list. It mentioned data security kits, do you use those?
I see this response from other manufacturers: We don't have a problem. This is a plain lie. They had no way of clearing the hard drive on a Konica 7165 and we have recovered documents. Now, if their statement said "we don't have a problem with our new copiers", I would say this is a better statement. But to say we, Konica or any other manufacturer, don't have a problem and that customers' documents are completely safe, no, this would be a very untrue statement. The copiers in the story were not new machines, they were lease returns with production dates of 2004 and 2005. If this would have been a Konica or other manufacturer what would they say then? We thought we didn't have a problem?
Last week I rented a car through Budget at the airport in Vegas. As a FastBreak member, I skipped the checkout and went directly to the booth. They asked for both my driver's license and credit card and photocopied them both on one piece of paper. I observed them doing it to everyone. I'm probably less worried about the copier than I am with what they did with the paper. This was clearly in violation of the new PCI compliance laws effective the first of July. How do you suggest handling that type of transaction? The attendant was obviously clueless and was just following directions. It was late at night and I just wanted to get the car and go to my hotel room, so I let it go.
That is one instance that I forgot about. I've had that happen as well. The paper copy is a worry.
It's those "casual" inappropriate requests that are hardest to deal with.
The photocopy is an old response to corporate request for that information. With changing PII laws it is probably illegal, i.e. they can properly secure the info in their computer system, but not in paper form.
Since you "joined FastBreak" it sounds like you'll be renting again, so invest a little time.
Read your "Fastbreak" agreement/contract and your paper copy of the rental agreement.
Find the place where driver license is mentioned. I bet there is no wording about photocopy, just something along the lines that you have to show your license.
Email (or phone) the corporate help desk and ask about official corporate policy about photocopy of those IDs. When you get the typical ignorant "I dunno" response, ask to be passed to a supervisor. Continue until you get a good answer. Ask them to mail you a copy of the official policy.
Next time you rent, stand up for your rights! When they go for the photocopy, insist they don't! Odds are you will have to talk to a manager, waving the corporate policy under their noses.
They will resist, you will probably have to be loud and obnoxious, and waste a lot of time (losing the advantage of the membership), but things won't change until we take back our privacy.
A related "privacy" issue that is a pet peeve of mine. I refuse to shop in stores that insist on taking my backpack without locked storage. Women may walk into any store carrying a suitcase sized "purse" with no problem. First, I ignore the sign and just walk in. Then when they "ask" to take my bag I complain about discrimination, make my point and tell them I'll be spending my money elsewhere.
I object on 2 points:
First, the assumption that I am a potential shoplifter because I have a backpack because some previous shoplifter used a backpack. They say "it's nothing personal, it's policy" but I disagree. Apply the policy equally to all potential shoplifting bags/purses, or not at all.
Second, they insist on taking my property without securely storing it, yet claiming "absolution" if they lose my insecurely stored property. I often have expensive prior purchases in my bag. Funny thing, after a while I notice that they stop enforcing that policy. You want my bag, lock it up and give me the key and don't force me to pay for a locker to satisfy your discriminatory "policy".
I understand the PATRIOT act requires a hard copy of your information for some murky reasoning having to do with possible renting of vehicles to put no-nos in. At least that is what I was told last time I rented a car.
Sucks, doesn't it?
At least in Australia, a new development in licenced gambling establishments is automated visitor sign-in.
[Background for non-Oz readers. In Australia a licenced club may only admit members, however the law allows anyone to be accepted as a non-voting temporary member on a single visit basis. If you live within the local area, you are limited to about 6 such visits per annum before having to sign up as a full member. Needless to say, this process is used to allow any member of the public to enter the club]
The old paper system in which you simply had to provide your name, address and signature has been replaced by a machine that scans a colour copy of your driver's licence. There's no information about how this is stored or retention / protection and the people administering the process are also "clueless".
Fortunately there is still a little publicised "manual" option where you use a stylus to write your name and address, and then sign rather than using your driver's licence.