[IDS] proposal to add something to the IDS F2F agenda

Ira McDonald blueroofmusic at gmail.com
Thu Jul 28 13:51:34 UTC 2011


Hi Brian,

Sounds like a good addition to IDS agenda to me.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Co-Chair - IEEE-ISTO PWG IPP WG
Chair - TCG Embedded Systems Hardcopy SWG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music/High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto:blueroofmusic at gmail.com
Christmas through April:
  579 Park Place  Saline, MI  48176
  734-944-0094
May to Christmas:
  PO Box 221  Grand Marais, MI 49839
  906-494-2434



On Wed, Jul 27, 2011 at 6:03 PM, Brian Smithson <bsmithson at ricohsv.com> wrote:

> Hello IDS people,
>
> In addition to the PWG F2F meetings, Black Hat is also happening next week.
> One of the sessions that might be of interest to PWG members is "Corporate
> Espionage for Dummies: The Hidden Threat of Embedded Web Servers". Among the
> embedded web servers that researchers found (accessible on the Internet, not
> properly protected as one might hope) are in MFPs. The track that contains
> this particular session is being made available as a live webcast, free of
> charge. Unfortunately, it overlaps with the IDS meeting.
>
> Here is the session description:
>
> Today, everything from kitchen appliances to television sets comes with an
> IP address. Network connectivity for various hardware devices opens up
> exciting opportunities. Forgot to lower the thermostat before leaving the
> house? Simply access it online. Need to record a show? Start the DVR with a
> mobile app. While embedded web servers are now as common as digital displays
> in hardware devices, sadly, security is not. What if that same convenience
> exposed photocopied documents online or allowed outsiders to record your
> telephone conversations? A frightening thought indeed.
>
> Software vendors have been forced to climb the security learning curve. As
> independent researchers uncovered embarrassing vulnerabilities, vendors had
> little choice but to plug the holes and revamp development lifecycles to
> bake security into products. Vendors of embedded web servers have faced
> minimal scrutiny and as such are at least a decade behind when it comes to
> security practices. Today, network connected devices are regularly deployed
> with virtually no security whatsoever.
>
> The risk of insecure embedded web servers has been amplified by insecure
> networking practices. Every home and small business now runs a wireless
> network, but it was likely set up by someone with virtually no networking
> expertise. As such, many devices designed only for LAN access are now
> unintentionally Internet facing and wide open to attack from anyone,
> regardless of their location.
>
> Leveraging the power of cloud based services, Zscaler spent several months
> scanning large portions of the Internet to understand the scope of this
> threat. Our findings will make any business owner think twice before
> purchasing a 'wifi enabled' device. We'll share the results of our findings,
> reveal specific vulnerabilities in a multitude of appliances and discuss how
> embedded web servers will represent a target rich environment for years to
> come. Additionally, we'll launch BREWS, a crowd sourcing initiative to build
> a global database of EWS fingerprinting data. Traditional security scanners
> largely ignore EWSs and gathering appropriate fingerprinting data is a
> challenge as most reside on LANs where external scanning is not an option.
> As such, we're issuing a call to arms to collectively gather this critical
> data.
>
>
> Additional information, including a few MFP vendors mentioned by name, is
> in this article:
> http://www.darkreading.com/taxonomy/index/printarticle/id/231002364
>
> The session starts at 11:15am PDT and ends at 12:30pm. The IDS meeting is
> scheduled to go until 12:00pm and then start again at 1:00pm. If there is
> interest from others, I propose that we take a break from the usual agenda
> and watch the webcast, then break for lunch at 12:30~1:30. After all, we
> *are* the Imaging Device Security WG ;-).
>
> To watch the webcast, you need to register here
> https://www.blackhat.com/html/bh-us-11/bh-us-11-uplink.html.
>
> What do you think? Please reply soon so we can make plans accordingly.
>
>
>
> --
> Regards,
> Brian Smithson
> PMP, CSM, CISSP, CISA, ISO 27000 PA
> Security Research, Planning
> Advanced Customer Technologies
> Ricoh Americas Corporation
> bsmithson at ricohsv.com
> (408)346-4435