Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Xerox Targets Cloud Document Security Worries

Xerox, working with Cisco and McAfee, launches printers and apps designed to securely route documents to Dropbox, Google Apps and other cloud services.

Multifunction printers today can scan, fax, email and even photocopy. So why not extend those capabilities and allow people to "print" documents to the cloud?

That's the pitch being made by Xerox, which Wednesday announced the release of a set of applications dubbed ConnectKey along with 16 different multifunction printers that build in the software.

Using ConnectKey software -- either on a multifunction device or standalone on an endpoint -- users can route their documents to DropBox, Evernote, Google Drive, PaperPort Anywhere, Salesforce.com and SharePoint Online, as well as connect directly to SharePoint folders. The software can also be used to print from mobile devices -- dedicated apps are available for iOS and Android devices -- as well as transform documents on the fly; for example, to convert a SharePoint-stored PowerPoint to a PDF for easier viewing on an iPad.

A cloud-based version of ConnectKey offered by Xerox will serve as a printer finder for a business, allowing mobile employees to see a geographically organized list of all printers they're authorized to print to and then select one for a particular print job.

[ Have you patched your Flash browser plug-in? Read more at Adobe Issues Emergency Patch For Flash Player. ]

In June, Xerox said it will release App Studio, which will allow businesses to create custom ConnectKey apps that run on multifunction devices and that directly route information to ERP, CRM, and other types of enterprise applications. For example, the software could be used to create an expense app that allows employees to scan business receipts, then press a button to route the information to the corporate payment system for reimbursement.

But making printers -- and the documents they've scanned -- Internet-connected can be a recipe for security disaster, as demonstrated by the large number of unsecured, Internet-connected devices used by businesses that remain publicly accessible due to being misconfigured. Indeed, as further highlighted by recent reports of vulnerabilities in HP's implementation of the JetDirect standard, unless peripherals with embedded Web servers are appropriately locked down, enterprising hackers might remotely intercept documents or crash devices.

Accordingly, why might information security managers allow employees to access cloud-friendly document routers like the ones Xerox is now selling? "From a security point of view, what we're trying to do is get beyond that barrier with many IT administrators -- that it's unknown to me, and if it's unknown, it's bad," said Larry Kovnat, Xerox's senior manager of product security, speaking by phone. "You'll put something with all these capabilities in the enterprise, and IT will say, I don't know anything about this device, I'm going to put it on a VLAN and shut it off."

According to Xerox, ConnectKey was built from the start with security in mind, and the devices sport endpoint security software agents from McAfee, and also whitelist which applications are allowed to run. "The only software that should be running on these devices is software that we wrote; it's not a general-purpose device," said Kovnat. The devices also tie into McAfee's ePolicy Orchestrator, which according to Kovnat, means that "now we can present the device to the IT administrator as a manageable endpoint on the network."

ConnectKey devices can also be monitored using Cisco's TrustSec, which will allow IT managers who use Cisco's Identity Services Engine to watch the traffic going to and from the multifunction printers. "While we haven't embedded anything [from Cisco] in the device, we've worked closely with them to give them proprietary information about our devices, so now at the router or switch level, they can differentiate between a true device and someone who's trying to impersonate a printer," Kovnat explained.

Xerox's forthcoming App Studio can be used to create applications that run on the multifunction printers themselves, including the option of creating a "one-button process," said Rick Dastin, president of Xerox Office & Solutions Business, speaking by phone. "They can grab a document and store it [in the cloud], all in an automated way."

But before any new application can be installed on any printer, it must first be submitted to Xerox for review. If the application passes Xerox's security checks, it will then be digitally signed by Xerox, authorizing it to be installed and to run on designated multifunction printers. According to Kovnat, only something that has been properly signed and registered can execute on the device.

Kovnat also addressed the report of weaknesses in HP's implementation of the JetDirect protocol -- the de facto industry standard for handling network-delivered print jobs -- in some products. (HP has disputed some of the researcher's findings.) "The protocol itself isn't flawed -- it's just meant for printing, not security," said Kovnat of JetDirect. "So if you don't build the right controls into a device, you can get to the internals of a printer in ways that you're not meant to."

Kovnat said Xerox builds controls into its products to validate print files and job commands and ensure that they're not being used by someone to try and inappropriately access other print jobs or a disk or network shares. "The job coming in has to be a valid print job, and these print-control commands are filtered, so there's no access by the printing subsystem to any of the underlying subsystems, or computing resources," Kovnat said. "We test that extensively."

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
2/14/2013 | 8:59:18 PM
re: Xerox Targets Cloud Document Security Worries
This has very interesting security implications, both bad and good. The good news is that it puts printers on the security radar screen for once.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-2486
PUBLISHED: 2021-06-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2021-0534
PUBLISHED: 2021-06-22
In permission declarations of DeviceAdminReceiver.java, there is a possible lack of broadcast protection due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: Android...
CVE-2021-0535
PUBLISHED: 2021-06-22
In wpas_ctrl_msg_queue_timeout of ctrl_iface_unix.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID...
CVE-2021-0554
PUBLISHED: 2021-06-22
In isBackupServiceActive of BackupManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-158482162
CVE-2021-0555
PUBLISHED: 2021-06-22
In RenderStruct of protostream_objectsource.cc, there is a possible crash due to a missing null check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-1791617...