Hello IDS people,
In addition to the PWG F2F meetings, Black Hat is also happening next week.
One of the sessions that might be of interest to PWG members is "Corporate
Espionage for Dummies: The Hidden Threat of Embedded Web Servers". Among the
embedded web servers that researchers found (accessible on the Internet, and not
as properly protected as one might hope) are those in MFPs. The track that contains
this particular session is being made available as a live webcast, free of
charge. Unfortunately, it overlaps with the IDS meeting.
Here is the session description:
> Today, everything from kitchen appliances to television sets come with an
> IP address. Network connectivity for various hardware devices opens up
> exciting opportunities. Forgot to lower the thermostat before leaving the
> house? Simply access it online. Need to record a show? Start the DVR with
> a mobile app. While embedded web servers are now as common as digital
> displays in hardware devices, sadly, security is not. What if that same
> convenience exposed photocopied documents online or allowed outsiders to
> record your telephone conversations? A frightening thought indeed.
>
> Software vendors have been forced to climb the security learning curve. As
> independent researchers uncovered embarrassing vulnerabilities, vendors
> had little choice but to plug the holes and revamp development lifecycles
> to bake security into products. Vendors of embedded web servers have faced
> minimal scrutiny and as such are at least a decade behind when it comes to
> security practices. Today, network connected devices are regularly
> deployed with virtually no security whatsoever.
>
> The risk of insecure embedded web servers has been amplified by insecure
> networking practices. Every home and small business now runs a wireless
> network, but it was likely set up by someone with virtually no networking
> expertise. As such, many devices designed only for LAN access are now
> unintentionally Internet facing and wide open to attack from anyone,
> regardless of their location.
>
> Leveraging the power of cloud based services, Zscaler spent several months
> scanning large portions of the Internet to understand the scope of this
> threat. Our findings will make any business owner think twice before
> purchasing a 'wifi enabled' device. We'll share the results of our
> findings, reveal specific vulnerabilities in a multitude of appliances and
> discuss how embedded web servers will represent a target rich environment
> for years to come. Additionally, we'll launch BREWS, a crowd sourcing
> initiative to build a global database of EWS fingerprinting data. Traditional
> security scanners largely ignore EWSs and gathering appropriate
> fingerprinting data is a challenge as most reside on LANs where external
> scanning is not an option. As such, we're issuing a call to arms to
> collectively gather this critical data.
Additional information, including a few MFP vendors mentioned by name, is in
this article:
http://www.darkreading.com/taxonomy/index/printarticle/id/231002364
The session starts at 11:15am PDT and ends at 12:30pm. The IDS meeting is
scheduled to go until 12:00pm and then start again at 1:00pm. If there is
interest from others, I propose that we take a break from the usual agenda
and watch the webcast, then break for lunch at 12:30~1:30. After all, we
/are/ the Imaging Device Security WG ;-).
To watch the webcast, you need to register here:
https://www.blackhat.com/html/bh-us-11/bh-us-11-uplink.html
What do you think? Please reply soon so we can make plans accordingly.
--
Regards,
Brian Smithson
PMP, CSM, CISSP, CISA, ISO 27000 PA
Security Research, Planning
Advanced Customer Technologies
Ricoh Americas Corporation
bsmithson at ricohsv.com
(408)346-4435