Possibility for Identity Theft?
Full Member
ffsmak
Posted
I have a customer with a couple Falcon III machines, and the question of possible identity theft arose. Has anyone had any discussion or read any articles in this regard? I know we have a data security option for the machines, but I'm not sure how that would prevent, or even if there is a possibility for any type of identity theft. Perhaps hijacking the SMTP server info, or email info could be a slight security risk.

Any thoughts?

Tom
 
Posts: 70 | Location: Cleveland, OH | Registered: April 30, 2003
Imaging god
Scotty
Posted
Data security on copiers has become a hot topic primarily because it sells new hardware. We lost a deal on a Falcon I to a Sharp because we didn't have one. The customer really couldn't understand that ours was actually MORE secure because it didn't have a hard drive at all. They were not interested in storing documents on the hard drive anyway.

I don't know how all manufacturers store their data. It is also unclear to me whether stored documents are encrypted - if not, the data security kit wouldn't help anyway. Most of the data security for copiers I have read about involves erasing and overwriting data to prevent information theft.

If someone can come in and yank the hard drive out of the copier, they have far more serious security issues. As far as I know, there is no direct access to the copier hard drive from the network. Furthermore, unless it is data that was recently copied, it has likely been overwritten already. Also, there's the question of data format - I've never been able to mount a copier hard drive and read ANYTHING from it - much less pull image information off.

It seems to me that it would be easier for a thief to just steal the file cabinets instead of hoping to find something useful on a copier hard drive. Very soon one of the manufacturers will include security enhancements as a standard feature, then the rest will follow. In the meantime it's just another ploy to get customers to upgrade copiers that may work perfectly and suit their needs by suggesting they have a 'security' problem.

They are probably more likely to be stung to death by fire ants than experience identity theft from the copier. Is there some reason they would store their Identity in the copier in the first place?


Relax? When?!
 
Posts: 1131 | Registered: November 15, 2005
Senior Member
robscopyr
Posted
This subject has always gotten under my skin, mainly because of the ignorance involved. If you are going to be a victim of identity theft, the copier is not going to be your biggest security hole. You are only as secure as your network, and copiers DO NOT put holes in the network, unless you allow them to. And who in the F--- puts secure documents on a copier hard drive anyway?! Like I said before, this subject annoys me because it should be a 'non-issue', if the place you're selling to is that worried about security, perhaps it's a firewall not a copier that they need.


If life doesn't also hand you water and sugar your lemonade is going to be pretty bitter
 
Posts: 291 | Location: San Diego | Registered: April 18, 2003
Power User
Airborne
Posted
Rob is pretty much right, if the network is locked down sufficiently this should be a non-issue, ISPs are becoming more efficient at preventing spam attacks via SMTP and some are not allowing us to set up on their servers without several levels of security. Data encryption on the hard drive is a good idea, just as BitLocker (available with Vista Ultimate) for those super secret computer scientists who need as close to absolute security as you can get, which is really non-existent, but it can keep the low level haxors at bay. We've had machines connected at the showroom throughout the years and I have yet to hear of one of our customers getting hacked via their copier. Configuration of the server environment is essential for good security, and a hardware firewall, even a lower end model, is a good idea to create sort of a DMZ.


If you are into Thinkpads take a trip Here!
 
Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003



Power User
furnfuz
Posted
Tell this to the customers whose demo machines I have had returned, and seen their corporate credit card statements and account numbers, as well as budgets, stock, and performance upcoming "confidential" corporate presentations, all accessed in seconds and they let the info roll out the door. People print everything, and then let the info go. They spend millions on internal computer and network security. A net administrator looks at comp security as the most important thing he does, and hasn't got the foggiest clue in space of what is happening in printers and copiers nowadays. Increased knowledge to your clients can swing a lot of deals your way.
When I get the "tire kicker" customers looking at "try" before u buy, I love it!! Get the unit back and see all of the competitive quotes. Also, before they check it out, tell the client what the competitor may be doing after a demo. You may be able to gain some credibility by making the data security an issue before they buy. A little knowledge can go a long way sometimes.
 
Posts: 615 | Location: yyc,cdn | Registered: March 25, 2003
Imaging god
Scotty
Posted
quote:
Originally posted by furnfuz:
Tell this to the customers whose demo machines I have had returned, and seen their corporate credit card statements and account numbers, as well as budgets, stock, and performance upcoming "confidential" corporate presentations, all accessed in seconds and they let the info roll out the door. People print everything, and then let the info go. They spend millions on internal computer and network security. A net administrator looks at comp security as the most important thing he does, and hasn't got the foggiest clue in space of what is happening in printers and copiers nowadays. Increased knowledge to your clients can swing a lot of deals your way.
When I get the "tire kicker" customers looking at "try" before u buy, I love it!! Get the unit back and see all of the competitive quotes. Also, before they check it out, tell the client what the competitor may be doing after a demo. You may be able to gain some credibility by making the data security an issue before they buy. A little knowledge can go a long way sometimes.


Are you saying you have readily pulled usable data from a Kyocera machine's hard drive that wasn't stored using document filing?

If so, what file format was it in?
What model(s) of machine?
What filesystem was the drive formatted in?
Were the files dated? If so, how far back did they go?


Relax? When?!
 
Posts: 1131 | Registered: November 15, 2005
Senior Member
robscopyr
Posted
Furnfuz:
How and where are you finding this information? Is the customer scanning everything to the hard drive and saving it? If this is the case, then the security issue is NOT the machine, but the training of the customer. If you are pulling information from copier HDD's that is not saved on purpose, then I want to know how. If what you are saying is that all you have to do is browse the hard drive and all this info is there, well... I guess I'm having a hard time believing that, but if you can do it, tell us all how, maybe then we can find a way to close the security hole.
I still think that this 'theory' is just a way of getting a potential buyer to look away from some other issues with the proposed machine, and it is up to the techs to refute this issue before it grows hair and starts talking.

GOD I LOVE THIS SITE!!!! Thumbs up


If life doesn't also hand you water and sugar your lemonade is going to be pretty bitter
 
Posts: 291 | Location: San Diego | Registered: April 18, 2003
Senior Member
Yak
Posted
quote:
robscopyr

Thumbs up
 
Posts: 221 | Location: Bakersfield | Registered: April 17, 2003



Full Member
Posted
If customers spool jobs to the HDD (even temporarily), then they are there until written over. I have also used the hard drive utility to pull information off of returned equipment. So it can be done. However, even so it probably is still not their biggest issue. If there is a will there is a way if someone wants the info bad enough. Electronic or otherwise.
My wife's purse was stolen while she was on a shoot (photographer) and it took us over 6 months to clear it up. They cashed checks, got new credit, bought tons of stuff before she was done working.
 
Posts: 101 | Location: NorCal | Registered: January 06, 2003
Power User
Airborne
Posted
I was addressing the issue from the point of view of someone hacking "into" the network from outside, not someone going in and removing the hard drive from the machine, any Networking manual, certification book always has a chapter about the boneheads who spend millions on security and leave their server rooms unlocked, read them all. You can get the data off the HD if you get it in your hands. IF said network admins don't realize that, they are not qualified to be in their jobs.

The only way to stop someone from getting data off a HD is to either hit it with an electromagnet, or smash it with a hammer so as to bend, break the platters.

True story: my hard drive crashed in one of my laptops and I had to send it in to IBM after they sent me the replacement HD as it was under warranty, I smashed the HD with a hammer so as to make data retrieval impossible, they never said a word about it because they knew why I did it. I have read of people taking data off HD's that were returned under warranty, so that was why I did what I did.


If you are into Thinkpads take a trip Here!
 
Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003
Full Member
Posted
I totally agree.
I was just stating if you want it bad enough you can get it. The Hdd's weren't removed...they were still in the equipment. That means a disgruntled employee or a hacker that stumbles upon it "could" get it. However I do think most people are paranoid, and a little common sense will go a long way. Smile
 
Posts: 101 | Location: NorCal | Registered: January 06, 2003
Power User
Airborne
Posted
bawhcs, you are exactly correct, pretty sure that is why they offer the encryption now for these machines, it's a good idea for in house use for certain types of companies who have secure data, most I deal with don't but really personal or secure data is important to the company themselves, if they are dealing with banking, patenting, copywriting, tax returns, that is pretty sensitive data and I would never put anything like that on my PC period. Until Kyocera or any company can come up with something like a real BIOS or HD password the data is susceptible to being removed very easily, but that would cause more problems I'm sure than even the normal PC user likes to deal with.


If you are into Thinkpads take a trip Here!
 
Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003



Imaging god
Scotty
Posted
While it is true that from the print side information could be reproduced, I still question the copier HDD itself. It is my understanding that the Security Kit for the 6030/8030 and Voyager series is for the copier HDD only - not the print controller HDD - so the easiest place to reproduce data from is still unprotected.
Data that is passed from the print system to the copier HDD is overwritten and/or encrypted by the security kit.
Page 8
________________________________________________
Data not Secured by Overwriting
The Security Kit secures data that is no longer required after printing or
deleted. This means that the responsibility for maintaining data before it is
printed or data that is stored before it is deleted lies with the user.
The data derived from the following functions must be administered by the
user.
• Document Management (Copy Function)
• Quick Copy (Printer Function)
• Proof and Hold (Printer Function)
• Private Print (Printer Function)
• Stored Job (Printer Function)
• Virtual MailBox (VMB) (Printer Function)
• Temporary code Job (Printer Function)
• Permanent code Job (Printer Function)
• FAX Function
_______________________________________________

If I'm reading this right - printer HDD is the end user's responsibility (not encrypted or overwritten) - fax too. I'm assuming the fax reference is really if you have the backup CF card on the Voyager.

The Falcon III's only have one hard drive and the encryption kit appears to cover all functionality.

Encryption isn't a difficult or new concept. Any machine with a hard drive should have had at least a basic encryption method (perhaps by using the machine serial number as an encryption key with the option to change the key, ideally converting any existing data to the new encryption key).
I still want to know what anybody's been able to pull off of a COPIER hard drive - not the printer hard drive.
I pulled one out of a KM4530 today but haven't had a chance to try to mount it. I have a Linux box that can mount several different file systems. I did try to mount a Falcon III hard drive in Windows but was unable to see it.


Relax? When?!
 
Posts: 1131 | Registered: November 15, 2005
Power User
Airborne
Posted
On the new machines the HD is used to store fax data too, I didn't like this idea when I first heard it because way too many things are tied in now with the HD, and if you have replaced one yet you know it is a pain.

You can put that HD in another 4530 and print out the user info, or get a USB PATA enclosure and if you do have a machine running a linux distro and the file system on the 4530 IS linux then you should be able to tell (maybe not read) that there is data on that drive, if the OS recognizes the usb Drive. I'm curious what linux distro you are running and is it recognizing all the peripheral devices on your PC? If not I know a guy working on his PhD in CS that could help out who is a linux guru big time.


If you are into Thinkpads take a trip Here!
 
Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003
Imaging god
Scotty
Posted
I'm running Ubuntu - it does map USB HD's without a problem. I'll check it out when I get back in the office.
Ubuntu is really easy to set up. All of my peripherals worked fine out of the chute. The only thing I really needed to do was install the proper video card driver. This was just for performance reasons - screen resolution and scrolling were significantly improved.

Falcon III HD's are a pain to remove. I suppose if one was trying to be sneaky and steal data they could plug in a USB jig to the drive and pull stuff off without actually removing the drive. The operator guides indicate that an administrator must watch the technician servicing the machine at all times to guarantee security (thought that was pretty funny).

It still all falls back to the question of practical access to the data stored on the hard drive. If the only data accessible from the network (or the machine itself) is stored user data that may or may not be protected by a user password then the real security issue only exists if the physical hard drive itself is compromised (either copied or removed). If that kind of activity can occur there are far more serious (and fundamental) security issues at the facility that need to be addressed.


Relax? When?!
 
Posts: 1131 | Registered: November 15, 2005
Power User
Airborne
Posted
That's great, I tried Ubuntu but the interface was just too plain looking, so I went to Xandros which pretty much looks like Windows, video is an issue with most linux installs and tweaking is usually necessary.

I look forward to seeing the results of your test, I'm going to try the same thing with Xandros, probably do it over the weekend because I have to reload the OS, AND get a PATA USB enclosure, luckily I'm going to tigerdirect today Smile hopefully can get one on the cheap. Hopefully I can find a drive somewhere in the sea of junk we have in our warehouse.

I agree with you as well on the most basic level of security, if a device, no matter what it is can be accessed physically that is a huge problem, I'm always amazed at how many places I go and they let me in their server rooms with no problem, either log me on or give me their passwords, and I'm not talking just small networks but large enterprises too. Confused
If I either did not know what I was doing or was a bad guy they'd never know till it was way too late.


If you are into Thinkpads take a trip Here!
 
Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003



Full Member
ffsmak
Posted
After reading all these replies, I would say, the only real threat is internal. Whether it's an employee reprogramming the copier's scan to pc or scan to email settings in an effort to hijack a doc, printing a sensitive doc from document management, which they shouldn't utilize for those types of docs, or removing the hard drive to try and pull docs. All of these are avoidable by taking care of those sensitive docs by utilizing administrative passwords on the machine config pages and menus, installing the data security kit, and educating the customer as to where and how the info is stored and how it can be pulled. Bottom line for me is that the real threat is internal and there is a greater risk of an employee sitting at someone else’s terminal and viewing sensitive information than getting it from the copier.
Until I hear a horror story about external security risks via the copier, I'll suggest there is no real threat.
 
Posts: 70 | Location: Cleveland, OH | Registered: April 30, 2003
Full Member
ffsmak
Posted
One other thought. When the copier is returned, scrapped or sold, the hard drives should be removed, retained and destroyed by the customer. If it is a demo machine, they should not be foolish enough to copy, scan or print anything deemed sensitive...
 
Posts: 70 | Location: Cleveland, OH | Registered: April 30, 2003
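
Where a drive stays in a returned or demo machine rather than being pulled and destroyed, the earlier point that spooled jobs remain "until written over" can be checked on a raw image of the drive before the unit leaves the site. The script below is an added example, not from any poster or from Kyocera: the signature list, the function names and the assumption of a fixed-pattern (e.g. all-zero) overwrite are illustrative, and the sample image is constructed.

```python
import io

SECTOR = 512
# Assumed signature list: formats a copier/print spool is likely to hold.
SIGNATURES = {
    b"\x1b%-12345X": "pjl",   # PJL Universal Exit Language, opens most print jobs
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}
MAXSIG = max(len(s) for s in SIGNATURES)

def audit_image(stream, sector=SECTOR, chunk_sectors=2048):
    """Return (total_sectors, residual_sectors, hits) for a raw disk image.

    residual_sectors: sectors not filled with one repeated byte, i.e. not
    covered by a fixed-pattern overwrite (a random-pattern overwrite would
    show up here too, so rely on hits in that case).
    hits: format name -> byte offsets where a known signature was found.
    """
    total = residual = 0
    hits, tail, base = {}, b"", 0
    while True:
        chunk = stream.read(sector * chunk_sectors)
        if not chunk:
            break
        for i in range(0, len(chunk), sector):
            block = chunk[i:i + sector]
            total += 1
            if block.count(block[:1]) != len(block):
                residual += 1
        # Search with a short overlap so signatures split across reads are seen.
        window, wbase = tail + chunk, base - len(tail)
        for sig, name in SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                if pos + len(sig) > len(tail):   # skip matches already reported
                    hits.setdefault(name, []).append(wbase + pos)
                pos = window.find(sig, pos + 1)
        tail = chunk[-(MAXSIG - 1):]
        base += len(chunk)
    return total, residual, hits

def is_sanitized(stream):
    """True only if every sector is pattern-filled and no signature remains."""
    _, residual, hits = audit_image(stream)
    return residual == 0 and not hits

def build_sample_image():
    """Constructed 8-sector image: zero-filled except one leftover spool fragment."""
    img = bytearray(SECTOR * 8)
    job = b'\x1b%-12345X@PJL JOB NAME="constructed-demo"\r\n%PDF-1.4\n'
    img[SECTOR * 3:SECTOR * 3 + len(job)] = job
    return bytes(img)

if __name__ == "__main__":
    total, residual, hits = audit_image(io.BytesIO(build_sample_image()))
    print(f"{residual}/{total} sectors still hold data; signatures: {hits}")
```

To audit a real image, open the image file in binary mode and pass the file object to `audit_image`.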
Full Member
Posted
ffsmak

True enough...a lot of security is company policy and procedure. Limiting access and common sense.
 
Posts: 101 | Location: NorCal | Registered: January 06, 2003

© 2002-2012 Dealer Network