Sounds like a good addition to IDS agenda to me.
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Co-Chair - IEEE-ISTO PWG IPP WG
Chair - TCG Embedded Systems Hardcopy SWG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music/High North Inc
mailto:blueroofmusic at gmail.com
Christmas through April:
579 Park Place Saline, MI 48176
May to Christmas:
PO Box 221 Grand Marais, MI 49839
On Wed, Jul 27, 2011 at 6:03 PM, Brian Smithson <bsmithson at ricohsv.com> wrote:
> Hello IDS people,
>
> In addition to the PWG F2F meetings, Black Hat is also happening next week.
> One of the sessions that might be of interest to PWG members is "Corporate
> Espionage for Dummies: The Hidden Threat of Embedded Web Servers". Among the
> embedded web servers that researchers found (accessible on the Internet, not
> properly protected as one might hope) are in MFPs. The track that contains
> this particular session is being made available as a live webcast, free of
> charge. Unfortunately, it overlaps with the IDS meeting.
>
> Here is the session description:
>
> Today, everything from kitchen appliances to television sets come with an
> IP address. Network connectivity for various hardware devices opens up
> exciting opportunities. Forgot to lower the thermostat before leaving the
> house? Simply access it online. Need to record a show? Start the DVR with a
> mobile app. While embedded web servers are now as common as digital displays
> in hardware devices, sadly, security is not. What if that same convenience
> exposed photocopied documents online or allowed outsiders to record your
> telephone conversations? A frightening thought indeed.
>
> Software vendors have been forced to climb the security learning curve. As
> independent researchers uncovered embarrassing vulnerabilities, vendors had
> little choice but to plug the holes and revamp development lifecycles to
> bake security into products. Vendors of embedded web servers have faced
> minimal scrutiny and as such are at least a decade behind when it comes to
> security practices. Today, network connected devices are regularly deployed
> with virtually no security whatsoever.
>
> The risk of insecure embedded web servers has been amplified by insecure
> networking practices. Every home and small business now runs a wireless
> network, but it was likely set up by someone with virtually no networking
> expertise. As such, many devices designed only for LAN access are now
> unintentionally Internet facing and wide open to attack from anyone,
> regardless of their location.
>
> Leveraging the power of cloud based services, Zscaler spent several months
> scanning large portions of the Internet to understand the scope of this
> threat. Our findings will make any business owner think twice before
> purchasing a 'wifi enabled' device. We'll share the results of our findings,
> reveal specific vulnerabilities in a multitude of appliances and discuss how
> embedded web servers will represent a target rich environment for years to
> come. Additionally, we'll launch BREWS, a crowd sourcing initiative to build
> a global database EWS fingerprinting data. Traditional security scanners
> largely ignore EWSs and gathering appropriate fingerprinting data is a
> challenge as most reside on LANs where external scanning is not an option.
> As such, we're issuing a call to arms to collectively gather this critical
>
> Additional information, including a few MFP vendors mentioned by name, is
> in this article:
> http://www.darkreading.com/taxonomy/index/printarticle/id/231002364
>
> The session starts at 11:15am PDT and ends at 12:30pm. The IDS meeting is
> scheduled to go until 12:00pm and then start again at 1:00pm. If there is
> interest from others, I propose that we take a break from the usual agenda
> and watch the webcast, then break for lunch at 12:30~1:30. After all, we
> *are* the Imaging Device Security WG ;-).
>
> To watch the webcast, you need to register here:
> https://www.blackhat.com/html/bh-us-11/bh-us-11-uplink.html
>
> What do you think? Please reply soon so we can make plans accordingly.
> Brian Smithson
> PMP, CSM, CISSP, CISA, ISO 27000 PA
> Security Research, Planning
> Advanced Customer Technologies
> Ricoh Americas Corporation
> bsmithson at ricohsv.com
> (408)346-4435