Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Xerox Targets Cloud Document Security Worries

Xerox, working with Cisco and McAfee, launches printers and apps designed to securely route documents to Dropbox, Google Apps and other cloud services.

Multifunction printers today can scan, fax, email and even photocopy. So why not extend those capabilities and allow people to "print" documents to the cloud?

That's the pitch being made by Xerox, which Wednesday announced the release of a set of applications dubbed ConnectKey along with 16 different multifunction printers that build in the software.

Using ConnectKey software -- either on a multifunction device or standalone on an endpoint -- users can route their documents to DropBox, Evernote, Google Drive, PaperPort Anywhere, Salesforce.com and SharePoint Online, as well as connect directly to SharePoint folders. The software can also be used to print from mobile devices -- dedicated apps are available for iOS and Android devices -- as well as transform documents on the fly; for example, to convert a SharePoint-stored PowerPoint to a PDF for easier viewing on an iPad.

A cloud-based version of ConnectKey offered by Xerox will serve as a printer finder for a business, allowing mobile employees to see a geographically organized list of all printers they're authorized to print to and then select one for a particular print job.

[ Have you patched your Flash browser plug-in? Read more at Adobe Issues Emergency Patch For Flash Player. ]

In June, Xerox said it will release App Studio, which will allow businesses to create custom ConnectKey apps that run on multifunction devices and that directly route information to ERP, CRM, and other types of enterprise applications. For example, the software could be used to create an expense app that allows employees to scan business receipts, then press a button to route the information to the corporate payment system for reimbursement.

But making printers -- and the documents they've scanned -- Internet-connected can be a recipe for security disaster, as demonstrated by the large number of unsecured, Internet-connected devices used by businesses that remain publicly accessible due to being misconfigured. Indeed, as further highlighted by recent reports of vulnerabilities in HP's implementation of the JetDirect standard, unless peripherals with embedded Web servers are appropriately locked down, enterprising hackers might remotely intercept documents or crash devices.

Accordingly, why might information security managers allow employees to access cloud-friendly document routers like the ones Xerox is now selling? "From a security point of view, what we're trying to do is get beyond that barrier with many IT administrators -- that it's unknown to me, and if it's unknown, it's bad," said Larry Kovnat, Xerox's senior manager of product security, speaking by phone. "You'll put something with all these capabilities in the enterprise, and IT will say, I don't know anything about this device, I'm going to put it on a VLAN and shut it off."

According to Xerox, ConnectKey was built from the start with security in mind, and the devices sport endpoint security software agents from McAfee, and also whitelist which applications are allowed to run. "The only software that should be running on these devices is software that we wrote; it's not a general-purpose device," said Kovnat. The devices also tie into McAfee's ePolicy Orchestrator, which according to Kovnat, means that "now we can present the device to the IT administrator as a manageable endpoint on the network."

ConnectKey devices can also be monitored using Cisco's TrustSec, which will allow IT managers who use Cisco's Identity Services Engine to watch the traffic going to and from the multifunction printers. "While we haven't embedded anything [from Cisco] in the device, we've worked closely with them to give them proprietary information about our devices, so now at the router or switch level, they can differentiate between a true device and someone who's trying to impersonate a printer," Kovnat explained.

Xerox's forthcoming App Studio can be used to create applications that run on the multifunction printers themselves, including the option of creating a "one-button process," said Rick Dastin, president of Xerox Office & Solutions Business, speaking by phone. "They can grab a document and store it [in the cloud], all in an automated way."

But before any new application can be installed on any printer, it must first be submitted to Xerox for review. If the application passes Xerox's security checks, it will then be digitally signed by Xerox, authorizing it to be installed and to run on designated multifunction printers. According to Kovnat, only something that has been properly signed and registered can execute on the device.

Kovnat also addressed the report of weaknesses in HP's implementation of the JetDirect protocol -- the de facto industry standard for handling network-delivered print jobs -- in some products. (HP has disputed some of the researcher's findings.) "The protocol itself isn't flawed -- it's just meant for printing, not security," said Kovnat of JetDirect. "So if you don't build the right controls into a device, you can get to the internals of a printer in ways that you're not meant to."

Kovnat said Xerox builds controls into its products to validate print files and job commands and ensure that they're not being used by someone to try and inappropriately access other print jobs or a disk or network shares. "The job coming in has to be a valid print job, and these print-control commands are filtered, so there's no access by the printing subsystem to any of the underlying subsystems, or computing resources," Kovnat said. "We test that extensively."

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/14/2013 | 8:59:18 PM
re: Xerox Targets Cloud Document Security Worries
This has very interesting security implications, both bad and good. The good news is that it puts printers on the security radar screen for once.

Kelly Jackson Higgins, Senior Editor, Dark Reading
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18375
PUBLISHED: 2020-04-10
The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.
CVE-2019-18376
PUBLISHED: 2020-04-10
A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.
CVE-2019-7305
PUBLISHED: 2020-04-10
Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information di...
CVE-2020-8832
PUBLISHED: 2020-04-10
The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacke...
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, lea...