-Updated – 05-11-2007- Most digital copiers manufactured in the past five years have disk drives to reproduce documents. As a result, the seemingly harmless machines that are commonly used to spit out copies of sensitive information can retain the data being scanned.
Digital copier manufacturer Sharp issued a warning about photocopier vulnerabilities in conjunction with tax season. The company warned that it isn’t just people who make copies of their tax returns who are at risk.
A few years ago Sharp was among the first to offer a security kit for its machines. The security kit would encrypt and overwrite the images being scanned. Overwriting the data ensures it isn’t stored on the hard disks indefinitely.
In many cases, a central administrative or IT department monitors an entire fleet of copiers using each machine’s Internet Protocol (IP) address. What they forget is that, because the copiers are managed remotely, other people could get access to them. Firms can take action in several ways.
One option is to close IP ports. When a copier is being installed, the IT staff should close IP ports to ensure there is only one access point to the machine. Another option would be to use media access control (MAC) filtering. MAC filtering sets rules to accept commands only from specified MAC addresses such as the help desk, restricting outsiders.
The Secret Life of Copiers, CFO Magazine May 01, 2004
Last fall, reports began circulating that a large university in the Northeast had uncovered an illegal music-file-swapping service on campus. The music files were stored in a spot nobody would ever think to look: a copy machine. The students were actually transferring MP3s to and from a hard drive on a copier, The machine’s hard drive was designed to capture and store scanned documents. Apparently, a member of the school’s IT department stumbled on the plot after noticing a remarkable amount of traffic going to and from the networked copier.
While the technology for making copies has changed little in the past 50 years, most copiers are now full-blown IT devices, with network and E-mail server connectivity. employees typically have unfettered access to copiers — and thus any information stored on them. This makes copy machines perfect targets for hackers or, since the drives are usually removable, thieves.
Enterprise appliance security could prove to be of real importance in the new era of privacy (for example, the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and document management (the Sarbanes-Oxley Act of 2002). That’s doubly true if a company uses copiers to scan sensitive personal documents such as medical records, birth certificates, or financial forms. Louis E. Slawetsky, president of Rochester, N.Y.-based research firm Industry Analysts Inc said, “People don’t think of copiers as a vulnerability … That’s a problem since they have hard drives and can store whatever has been copied for an indefinite period of time.”
This creates a potential security problem: customers have access to a machine connected to the bank’s network. mitigates the danger by placing the machine behind two firewalls and making the copier password-protected. Security consultants say potential buyers of new copiers should almost always look for machines with encryption or overwriting capabilities.
Hard-copy security is also an issue — you don’t want the wrong person picking up someone else’s copy job. Hence, experts advise prospective buyers to stick to machines that come with password protection. That way, says Larry Kovnat, systems security program manager for Xerox’s office group in Rochester, N.Y., “no one can inadvertently see documents or pick them up.”
Despite the improvements in copier-machine defenses, one security hole still has not been addressed: E-mail. Although copiers generally can keep track of who is E-mailing a document (through passwords), it is nigh impossible to put limits on what can be sent or where the E-mails can be sent. This could change, however, as copier hard drives and network connections become more sophisticated.
Related articles
- The Fed Single-Handedly Keeps Xerox And HP Alive (zerohedge.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
we offer a oslution that is like the nail in the head.
we offerd to a NY university the solution.
thier issue was that while students tried printing, sometimes the printer would have a jam, or misfeed, and then once it was fixed all the jobs on queue would print out, sometimes leaving student papers sitting on a m achine thery could not get out to print, [and sometimes having other students pick up another students work…]
ehre is world trade copiers came into the picture. we set up that all copiers and printers are on the same secure network, and when a student or anyone prints a job it goes to the server, and then whenever they are near a copier or printer, anywhere on campus, they can then swipe thier card, and then see all the jobs they have stored and then elecdt which job to print out. they get billed per each print job. to learn more visit http://www.worldtradecopiers.com