RE: Xerox DocuTech problems

["Kalbfleisch, Gary R." <GaryK () shore ctc edu>]

The moment I saw the Sun box I started to ask questions.  It became
immediately apparent that Xerox took no responsibility for its security.  I
took a look and it had virtually every service running (Under the Sun? :-\).
The Sun box really only needs to talk to the printer and the Digipath.  The
obvious solution is to put two network cards on the Digipath, then configure
the Sun box and the secondary adapter in the Digipath with a private IP
address.  Then you only need to worry about the Digipath box.  Xerox
supports this scheme.  I don't know why the just don't make it the standard
installation since they seem to know there are some serious security issues.


-----Original Message-----
From: Ken Weaverling [mailto:weave () hopi dtcc edu] 
Sent: Saturday, May 18, 2002 7:04 PM
To: bugtraq () securityfocus com
Subject: Re: Xerox DocuTech problems



What a interesting coincidence. My joint just got two of these puppies about
two months ago.  My own experiences and comments follow...

On Fri, 17 May 2002 kikaiju () kikaiju com wrote:

> The Scan workstation does not need to have totally open shares.  Done
> correctly, all it needs to share is the printer driver and even that can
be 
> moved to another NT server if needed.

Well, there's always C$ and with the default password, anyone can poke 
into it that can get to it, packet wise.

OK, here's *my* beef.  It's a corporate-sized copier. They were replacements
for our other big giant copiers. So, no one told me this thing was being
purchased. I heard about it a week before it was to be delivered when I was
told "We're getting a new copier, and it requires two network lines." No one
thought to pass it by me before it was purchased because "it's just a
copier."

Of course, alarms immediately go off. 

Now, how many of these things get installed out there without any idea of 
what kind of security risk it might be to an organization?  After all, 
it's "just a copier." 

If I left it as it was installed, then the old days of students having to
break into the copyroom at night to get a copy of the final exam would no
longer be necessary. Now all they'd need to do is easily grab the saved scan
of the exam from the copy machine's server.

> It is not meant to be a totally secure machine.  A hardware firewall 
> should be employed between the printer and public internet or even the 
> rest of the lan for that matter.

So, it's wide open. There's a doc for locking it down -- somewhat. It 
should be behind a firewall.  Was any of this told to us when it was 
installed?  No, nothing, not a thing. No warning about the risk it might 
provide.  This machine costs several hundred thousand dollars yet they 
can't provide some simple firewall appliance to throw between the 
components and the network drop.

> > ...states that the
> > ultimate responsibility for security lies with the customer.

Wonderful. Don't touch it, but if it gets hacked, it's ultimately your
fault.

> > Kudos to Xerox for setting a new standard of incompetence.

I can imagine a lot of sensitive stuff gets run through a corporate copy
room. Even if it's installed inside a company that isn't on a public net,
it's still a big risk from the inside employees.

Well, our units are currently not connected to our network. I'm still 
trying to figure out what to do with them. So far, nothing. All of my 
staff are tied up on other projects until at least August. I guess we'll 
have to throw up a firewall at each location between these things and the 
rest of our network. :(

Disclaimer: Speaking for myself, not my employer, of course. For god's sake
it's Saturday night and I'm home and not at work -- and should be at Star
Wars but Fandango wasn't working tonight (server too busy, so much for
scalibility planning) and when I got to the theater, damn shows were all
sold out...