[IDS] proposal to add something to the IDS F2F agenda

Michael R Sweet msweet at apple.com
Thu Jul 28 15:39:50 UTC 2011


Agreed.

Sent from my iPhone

On Jul 28, 2011, at 9:51 AM, Ira McDonald <blueroofmusic at gmail.com> wrote:

> Hi Brian,
> 
> Sounds like a good addition to IDS agenda to me.
> 
> Cheers,
> - Ira
> 
> Ira McDonald (Musician / Software Architect)
> Chair - Linux Foundation Open Printing WG
> Co-Chair - IEEE-ISTO PWG IPP WG
> Chair - TCG Embedded Systems Hardcopy SWG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music/High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto:blueroofmusic at gmail.com
> Christmas through April:
>   579 Park Place  Saline, MI  48176
>   734-944-0094
> May to Christmas:
>   PO Box 221  Grand Marais, MI 49839
>   906-494-2434
> 
> 
> 
> On Wed, Jul 27, 2011 at 6:03 PM, Brian Smithson <bsmithson at ricohsv.com> wrote:
> Hello IDS people,
> 
> In addition to the PWG F2F meetings, Black Hat is also happening next week. One of the sessions that might be of interest to PWG members is "Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers". Among the embedded web servers that researchers found (accessible on the Internet, and not as properly protected as one might hope) are ones in MFPs. The track that contains this particular session is being made available as a live webcast, free of charge. Unfortunately, it overlaps with the IDS meeting.
> 
> Here is the session description:
>> Today, everything from kitchen appliances to television sets comes with an IP address. Network connectivity for various hardware devices opens up exciting opportunities. Forgot to lower the thermostat before leaving the house? Simply access it online. Need to record a show? Start the DVR with a mobile app. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. What if that same convenience exposed photocopied documents online or allowed outsiders to record your telephone conversations? A frightening thought indeed.
>> 
>> Software vendors have been forced to climb the security learning curve. As independent researchers uncovered embarrassing vulnerabilities, vendors had little choice but to plug the holes and revamp development lifecycles to bake security into products. Vendors of embedded web servers have faced minimal scrutiny and as such are at least a decade behind when it comes to security practices. Today, network connected devices are regularly deployed with virtually no security whatsoever.
>> 
>> The risk of insecure embedded web servers has been amplified by insecure networking practices. Every home and small business now runs a wireless network, but it was likely set up by someone with virtually no networking expertise. As such, many devices designed only for LAN access are now unintentionally Internet facing and wide open to attack from anyone, regardless of their location.
>> 
>> Leveraging the power of cloud based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target rich environment for years to come. Additionally, we'll launch BREWS, a crowd sourcing initiative to build a global database of EWS fingerprinting data. Traditional security scanners largely ignore EWSs, and gathering appropriate fingerprinting data is a challenge as most reside on LANs where external scanning is not an option. As such, we're issuing a call to arms to collectively gather this critical data.
>> 
> 
> Additional information, including a few MFP vendors mentioned by name, is in this article: http://www.darkreading.com/taxonomy/index/printarticle/id/231002364
> 
> The session starts at 11:15am PDT and ends at 12:30pm. The IDS meeting is scheduled to go until 12:00pm and then start again at 1:00pm. If there is interest from others, I propose that we take a break from the usual agenda and watch the webcast, then break for lunch at 12:30~1:30. After all, we are the Imaging Device Security WG ;-).
> 
> To watch the webcast, you need to register here https://www.blackhat.com/html/bh-us-11/bh-us-11-uplink.html. 
> 
> What do you think? Please reply soon so we can make plans accordingly.
> 
> 
> 
> -- 
> Regards,
> Brian Smithson
> PMP, CSM, CISSP, CISA, ISO 27000 PA
> Security Research, Planning
> Advanced Customer Technologies
> Ricoh Americas Corporation
> bsmithson at ricohsv.com
> (408)346-4435
> 
> -- 
> This message has been scanned for viruses and 
> dangerous content by MailScanner, and is 
> believed to be clean.
> 
> _______________________________________________
> ids mailing list
> ids at pwg.org
> https://www.pwg.org/mailman/listinfo/ids
> 

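The session abstract quoted above describes two things a practitioner can check for themselves: whether a device's embedded web server (EWS) can be recognised from its HTTP banner and page title, and whether its management page answers without asking for any credential. The script below is an added example for this list archive; it is not code from the thread, from Zscaler, from the BREWS initiative or from any MFP vendor. The keyword table, the "PrintOS-EWS" banner, the sample responses and the function names are all constructed for illustration and are not real fingerprint data.

```python
"""Fingerprint an embedded web server (EWS) from a raw HTTP response and flag
whether its management page was served without any credential prompt.

Added example (not from the mailing-list thread or the Black Hat talk).
The signature keywords and sample responses are constructed, not captured.
"""
import re
from dataclasses import dataclass

# Constructed keyword signatures, NOT real vendor fingerprints. Words that,
# if seen in the Server header or <title>, suggest an imaging-device EWS.
# A real deployment would use a fingerprint corpus of the kind the abstract
# describes (BREWS) instead of this placeholder table.
EWS_KEYWORDS = {
    "imaging-device-ews": ("printer", "copier", "mfp", "scanner", "printos"),
}


@dataclass
class Fingerprint:
    status: int
    server: str
    title: str
    ews_class: str          # "imaging-device-ews" or "unknown"
    unauthenticated: bool   # page served with no auth challenge and no login form


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status, lowercase-header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def classify(server: str, title: str) -> str:
    """Return the EWS class whose keywords appear in the banner or title."""
    haystack = (server + " " + title).lower()
    for label, words in EWS_KEYWORDS.items():
        if any(w in haystack for w in words):
            return label
    return "unknown"


def fingerprint(raw: str) -> Fingerprint:
    status, headers, body = parse_http_response(raw)
    server = headers.get("server", "")
    tm = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    title = tm.group(1).strip() if tm else ""
    # The operational check: a 2xx page with no HTTP auth challenge and no
    # login form means anyone who can reach the socket sees the device UI.
    challenged = status == 401 or "www-authenticate" in headers
    has_login_form = re.search(r"type\s*=\s*[\"']?password", body, re.I) is not None
    unauthenticated = 200 <= status < 300 and not challenged and not has_login_form
    return Fingerprint(status, server, title, classify(server, title), unauthenticated)


def triage(responses):
    """Return fingerprints that look like an imaging-device EWS reachable with no credentials."""
    return [fp for fp in map(fingerprint, responses)
            if fp.ews_class != "unknown" and fp.unauthenticated]


# Constructed sample responses (hypothetical banner; not captures from real devices).
SAMPLE_EXPOSED = (
    "HTTP/1.1 200 OK\r\nServer: PrintOS-EWS/2.1\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Device Status - Copier</title></head>"
    "<body><a href='/jobs'>Stored print jobs</a></body></html>"
)
SAMPLE_CHALLENGED = (
    "HTTP/1.1 401 Unauthorized\r\nServer: PrintOS-EWS/2.1\r\n"
    "WWW-Authenticate: Basic realm=\"Printer Admin\"\r\n\r\n"
    "<html><head><title>401</title></head></html>"
)
SAMPLE_LOGIN_FORM = (
    "HTTP/1.1 200 OK\r\nServer: PrintOS-EWS/2.1\r\n\r\n"
    "<html><head><title>Login - Printer</title></head>"
    "<body><form><input type=\"password\" name=\"pw\"></form></body></html>"
)
SAMPLE_NOT_EWS = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n\r\n"
    "<html><head><title>Welcome</title></head><body>hi</body></html>"
)

if __name__ == "__main__":
    for fp in map(fingerprint, [SAMPLE_EXPOSED, SAMPLE_CHALLENGED, SAMPLE_LOGIN_FORM, SAMPLE_NOT_EWS]):
        print(fp)
```

Run against responses collected from your own address space (with permission), the interesting output is the `triage` list: devices classified as an imaging EWS that returned their management page with no challenge. Keyword matching on a banner is deliberately crude; it is only the fallback for a proper fingerprint corpus, and the absence of a password field is a weak signal that should be confirmed by hand.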
