RE: Xerox DocuTech problems

From: Kalbfleisch, Gary R. (GaryK@shore.ctc.edu)
Date: 05/21/02


From: "Kalbfleisch, Gary R." <GaryK@shore.ctc.edu>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>, "'vuln-dev@securityfocus.com'" <vuln-dev@securityfocus.com>
Date: Tue, 21 May 2002 09:04:17 -0700


The moment I saw the Sun box I started to ask questions. It became
immediately apparent that Xerox took no responsibility for its security. I
took a look and it had virtually every service running (Under the Sun? :-\).
The Sun box really only needs to talk to the printer and the Digipath. The
obvious solution is to put two network cards on the Digipath, then configure
the Sun box and the secondary adapter in the Digipath with a private IP
address. Then you only need to worry about the Digipath box. Xerox
supports this scheme. I don't know why they just don't make it the standard
installation since they seem to know there are some serious security issues.

-----Original Message-----
From: Ken Weaverling [mailto:weave@hopi.dtcc.edu]
Sent: Saturday, May 18, 2002 7:04 PM
To: bugtraq@securityfocus.com
Subject: Re: Xerox DocuTech problems

What an interesting coincidence. My joint just got two of these puppies about
two months ago. My own experiences and comments follow...

On Fri, 17 May 2002 kikaiju@kikaiju.com wrote:

> The Scan workstation does not need to have totally open shares. Done
> correctly, all it needs to share is the printer driver and even that can be
> moved to another NT server if needed.

Well, there's always C$ and with the default password, anyone can poke
into it that can get to it, packet wise.

OK, here's *my* beef. It's a corporate-sized copier. They were replacements
for our other big giant copiers. So, no one told me this thing was being
purchased. I heard about it a week before it was to be delivered when I was
told "We're getting a new copier, and it requires two network lines." No one
thought to pass it by me before it was purchased because "it's just a
copier."

Of course, alarms immediately go off.

Now, how many of these things get installed out there without any idea of
what kind of security risk it might be to an organization? After all,
it's "just a copier."

If I left it as it was installed, then the old days of students having to
break into the copyroom at night to get a copy of the final exam would no
longer be necessary. Now all they'd need to do is easily grab the saved scan
of the exam from the copy machine's server.

> It is not meant to be a totally secure machine. A hardware firewall
> should be employed between the printer and public internet or even the
> rest of the lan for that matter.

So, it's wide open. There's a doc for locking it down -- somewhat. It
should be behind a firewall. Was any of this told to us when it was
installed? No, nothing, not a thing. No warning about the risk it might
provide. This machine costs several hundred thousand dollars yet they
can't provide some simple firewall appliance to throw between the
components and the network drop.

> >...states that the
> >ultimate responsibility for security lies with the customer.

Wonderful. Don't touch it, but if it gets hacked, it's ultimately your
fault.

> >Kudos to Xerox for setting a new standard of incompetence.

I can imagine a lot of sensitive stuff gets run through a corporate copy
room. Even if it's installed inside a company that isn't on a public net,
it's still a big risk from the inside employees.

Well, our units are currently not connected to our network. I'm still
trying to figure out what to do with them. So far, nothing. All of my
staff are tied up on other projects until at least August. I guess we'll
have to throw up a firewall at each location between these things and the
rest of our network. :(

Disclaimer: Speaking for myself, not my employer, of course. For god's sake
it's Saturday night and I'm home and not at work -- and should be at Star
Wars but Fandango wasn't working tonight (server too busy, so much for
scalability planning) and when I got to the theater, damn shows were all
sold out...


