The moment I saw the Sun box I started to ask questions. It became immediately apparent that Xerox took no responsibility for its security. I took a look and it had virtually every service running (Under the Sun? :-\). The Sun box really only needs to talk to the printer and the Digipath. The obvious solution is to put two network cards on the Digipath, then configure the Sun box and the secondary adapter in the Digipath with a private IP address. Then you only need to worry about the Digipath box. Xerox supports this scheme. I don't know why the just don't make it the standard installation since they seem to know there are some serious security issues. -----Original Message----- From: Ken Weaverling [mailto:weaveat_private] Sent: Saturday, May 18, 2002 7:04 PM To: bugtraqat_private Subject: Re: Xerox DocuTech problems What a interesting coincidence. My joint just got two of these puppies about two months ago. My own experiences and comments follow... On Fri, 17 May 2002 kikaijuat_private wrote: > The Scan workstation does not need to have totally open shares. Done > correctly, all it needs to share is the printer driver and even that can be > moved to another NT server if needed. Well, there's always C$ and with the default password, anyone can poke into it that can get to it, packet wise. OK, here's *my* beef. It's a corporate-sized copier. They were replacements for our other big giant copiers. So, no one told me this thing was being purchased. I heard about it a week before it was to be delivered when I was told "We're getting a new copier, and it requires two network lines." No one thought to pass it by me before it was purchased because "it's just a copier." Of course, alarms immediately go off. Now, how many of these things get installed out there without any idea of what kind of security risk it might be to an organization? After all, it's "just a copier." If I left it as it was installed, then the old days of students having to break into the copyroom at night to get a copy of the final exam would no longer be necessary. Now all they'd need to do is easily grab the saved scan of the exam from the copy machine's server. > It is not meant to be a totally secure machine. A hardware firewall > should be employed between the printer and public internet or even the > rest of the lan for that matter. So, it's wide open. There's a doc for locking it down -- somewhat. It should be behind a firewall. Was any of this told to us when it was installed? No, nothing, not a thing. No warning about the risk it might provide. This machine costs several hundred thousand dollars yet they can't provide some simple firewall appliance to throw between the components and the network drop. > >...states that the > >ultimate responsibility for security lies with the customer. Wonderful. Don't touch it, but if it gets hacked, it's ultimately your fault. > >Kudos to Xerox for setting a new standard of incompetence. I can imagine a lot of sensitive stuff gets run through a corporate copy room. Even if it's installed inside a company that isn't on a public net, it's still a big risk from the inside employees. Well, our units are currently not connected to our network. I'm still trying to figure out what to do with them. So far, nothing. All of my staff are tied up on other projects until at least August. I guess we'll have to throw up a firewall at each location between these things and the rest of our network. :( Disclaimer: Speaking for myself, not my employer, of course. For god's sake it's Saturday night and I'm home and not at work -- and should be at Star Wars but Fandango wasn't working tonight (server too busy, so much for scalibility planning) and when I got to the theater, damn shows were all sold out...
This archive was generated by hypermail 2b30 : Tue May 21 2002 - 15:48:22 PDT