DATA SECURITY UPDATE
Who can forget the hubbub that circulated
throughout the office technology industry after
that 2010 CBS News story on data security breaches
at the MFP? It certainly got the industry to sit
up and take notice and become a whole lot more
vociferous in letting customers and potential
customers know about the vulnerability of the
content on their MFP's hard drives along with the
various security options that have long been
available to them. But that was then, what about
"There's been less attention [paid] to
the data security issue," states BTA General
Counsel Bob Goldberg. "BTA took the approach that
this wasn't as much a data security issue as much
as it was an education issue with the end user and
took the position we needed to get the word out
and actually complimented CBS for doing it."
what Goldberg says was a lot of inaccurate
information in that news report, some 10 states
introduced various forms of legislation related to
data security at the MFP, none of which were
passed or implemented. There's still a lame duck
session in New Jersey to keep an eye on what they
may or may not be considering.
they're considering is basically an education
process," says Goldberg.
Goldberg - General Counsel BTA
It's not like the OEMs weren't prepared for this,
the story just put them and their channels into
"The manufacturers have
had solutions for this for awhile, but the
question was whether or not they would be included
as basic features on the equipment or if they
would be an added cost," says Goldberg. "In most
instances they weren't an added cost and
encryption services are also available. From a
dealer perspective it's become part of the sales
cycle and is often raised again and discussed when
the equipment is coming off lease."
almost as if the industry turned what was
initially perceived as a negative into something
they could use in a more positive manner, at least
from a marketing perspective.
remains top of mind across the board with our
customers, there's no question about it," adds
Vince Jannelli, director of product management
applications and partners with Sharp. "In the
enterprise it goes without saying, but even in
small- and medium-sized businesses consciousness
has increased-not only of document security but
Sharp continues to
provide sales training and information to its
dealer channel and its direct operations. Plus
last year Sharp announced at its annual dealer
meeting an end-of-lease feature that is now
standard on all its engines.
lot of awareness around data security on the hard
drive compared to two years ago and both consumers
and dealers are being mindful," adds Bill Melo,
vice president of marketing, services & solutions
for Toshiba America Business Solutions. "We're
continuing to build smarter products so it's
become less of an issue. We went from optional
overwrite encryption to it being standard, to
introducing a self-encrypting hard drive. It's
becoming harder to even inadvertently expose your
Education remains an
important element of data security whether we're
talking about the industry as a whole, the OEMs,
or the dealer channel.
definitely being more proactive," reports Melo.
"We're doing our best to present seminars with
companies in finance and healthcare. As we get
further down and start telling people about
security assessments and plugging holes and about
ERM, it's almost like insurance. Some
[organizations] don't want to talk about it or do
anything until it actually happens and then it's
too late. We've become insurance salesman."
Bill Melo - VP of Marketing, Services
& Solutions Toshiba America Business Solutions
Meanwhile Toshiba is working on its
next generation of the Encompass application,
which will have an enhancement that makes it
easier to identify and correct possible
"Right now security on
the copier side is not affecting us," reports
Jennie Fisher, senior vice president and general
manager of GreatAmerica Leasing Corporation's
Office Equipment Group.
"Bob Goldberg is
obviously doing some very good work on behalf of
the BTA channel; however, it has not gone away.
Until legislation states differently, it's the end
user's responsibility to wipe the devices clean."
One thing that GreatAmerica has done is
researched various companies that wipe the
device's hard drive clean to determine if this was
a value that they could bring to the market to
ensure that it is being taken care of at the end
of the lease. What they found was that it was an
expensive proposition for a leasing company to do.
"When you think about getting that equipment
back, that would be a large expense for
GreatAmerica to administer that," explains Fisher.
"Depending on what happens in the next 12 months,
and it's been pretty quiet, if the State
legislatures come back and says anything different
about whose responsibility it is, then we're going
to have to figure out what we're going to do."
Hytec Repair, a supplier of circuit boards,
fusers, staplers, and hard drives for MFPs, has
seen its hard drive business shoot through the
roof as awareness of data security has grown. In
fact, that business has more than doubled over the
last year. The company also offers a hard drive
data cleansing and destruction services-another
November we had the largest hard drive sales in
the history of our company and part of that is
because of data security with copiers coming off
lease, but also some recent flooding in Thailand,"
reports Robert Mitchem, sales manager.
flooding made it difficult for some OEMs to source
the drives and at press time the price of hard
drives had gone up 50 percent in the past 30 days.
That hasn't been a problem at Hytec, however,
since they were well stocked and at press time
were selling drives at pre-shortage prices.
Mitchem believes data security offers plenty of
opportunity for the office technology dealer, but
it's up to the dealer to embrace it.
Jennie Fisher - Sr. VP & GM
directly to the dealer so they have to find the
demand," he says. "The beauty is they're just
educating their customer and letting them know
when they turn these machines in there's data on
there. As long as they say that, and if the
customer is responsible, they're going to ask what
they should do about it. Then it's pretty much
sold and the dealer can make good service call
revenue and be able to get a drive or use us for
He expects data
security opportunities to grow with increased
"Just like dealers are trying to
figure out managed print services versus selling
boxes, this is just another tool in their toolbox
for dealing with lease turn ins and renewals. Why
not say, 'With those 10 machines why don't we
offer a solution to get rid of your data?' It just
makes sense. If they're not doing this, they're
missing out on revenue."
Where is the
dealer channel today when it comes to security?
HP Responds to the MSNBC Story
Following is a
portion of the HP response to the MSNBC
story on the vulnerability of its printers
from hackers entering through the cloud:
printers have a hardware element called a
"thermal breaker" that is designed to
prevent the fuser from overheating or
causing a fire. It cannot be overcome by a
firmware change or this proposed
While HP has
identified a potential security
vulnerability with some HP LaserJet
printers, no customer has reported
unauthorized access. The specific
vulnerability exists for some HP LaserJet
devices if placed on a public internet
without a firewall. In a private network,
some printers may be vulnerable if a
malicious effort is made to modify the
firmware of the device by a trusted party
on the network. In some Linux or Mac
environments, it may be possible for a
specially formatted corrupt print job to
trigger a firmware upgrade.
HP is building
a firmware upgrade to mitigate this issue
and will be communicating this proactively
to customers and partners who may be
impacted. In the meantime, HP reiterates
its recommendation to follow best
practices for securing devices by placing
printers behind a firewall and, where
possible, disabling remote firmware upload
on exposed printers.
continue to educate customers about
security risks and the features available
to address them, and take proactive steps
to maintain the security of devices in the
field. HP Imaging and Printing Security
Solutions work directly at the device and
on the network to protect information at
rest and in motion, and to prevent
Jim Oricchio, president of Coordinated
Business Systems, Ltd., in Burnsville, Minnesota
has seen the interest in data security level off
compared to two years ago.
he says. "Out of ten machine orders, one might ask
for their hard disk drive to be scrubbed or
That's a big change from the
months following the CBS News story when
Coordinated was selling security kits left and
right and Oricchio's vendor was back ordered on
them. Despite the decline in customer interest or
fewer questions, Coordinated remains proactive in
informing customers about the security offerings
they have as an option when they first place a
device and then again at the end of the lease.
Even as customer interest has waned, Oricchio
doesn't expect manufacturers to put security on
the back burner.
"My gut feeling is you
will see more products with that built in."
Ray Belanger, president of Bay Copy in
Rockland, Massachusetts initially had a lot of
customers express interest about security when
that news story first hit, but the concern has
died down there too.
"It's still a concern
among the larger customers and we're almost
routinely doing data cleansing. The smaller
companies, it's on some of their radar, but not
like the larger companies."
continues to raise the issue with customers even
though Belanger feels they should be working it
"We can do a better job of
incorporating it in our regular talk track and
anytime we upgrade or change a lease,"
As the industry
continues to educate businesses about data
security on the device itself, there's another
potential threat hovering overhead-information
stored on the cloud.
"I'm very concerned
I'm going to find that there's been a breach in
the cloud and there's all kinds of information up
there the dealers haven't thought about," says
BTA's Goldberg. "Once you lose control of your
data and it's residing on a server outside of your
physical facility, you've got some considerable
risk and things to think about."
The issue of
data security on the cloud came up a couple of
times last year, most recently in November when
MSNBC did a story based on a Columbia University
study that discovered HP printers can be hacked
into through the cloud and via a malicious
firmware update that causes them to overheat and
potentially catch on fire. (See the sidebar for
the HP response.)
The vulnerability of
data stored outside of the hard drive is one that
Toshiba's Melo finds more intriguing than data
security on the MFP and one he acknowledges that
people are still trying to wrap their heads
around. He references the MSNBC story about HP's
printer vulnerabilities, which is especially
appropriate since Toshiba sells HP printers.
"There's a lot of sensationalism in there
along with disinformation, but it's also exposed
some real vulnerabilities," he says. No doubt the
next wave of security initiatives will focus on
"As you think about the cloud
you have to think about what new security issues
are going to be exposed and you have to think
about where is the user, where their credentials
will be stored, and as they travel you have to
think about the storage of the documents within
the account," notes Sharp's Jannelli. "Some
industries are sensitive to that information so
any solution that tries to incorporate the cloud
must address these concerns."
for everyone when it comes to data security,
whether on the device or in the cloud, is staying
ahead of the curve and that curve continues to
widen as new technology becomes more important
within corporate environments.
accessing data on tablets and for corporate smart
phones and that's a concern for IT," says
Jannelli. "That's what's driving the cloud; people
want to access information regardless of what
platform they're on and where they're physically
located. Those are important elements that IT has
to respond to, and we continue to look at those
things and come up with ways to address them."
Another cloud-related security issue received
publicity early last year thanks to the February
2011 Shmoocon computer security convention and
sessions focusing on how Internet-connected MFPs
and printers can be accessed by hackers through
the cloud who can then capture information from
By taking advantage of
poor printer security and vulnerabilities during
penetration testing, researchers were able to
harvest information from MFPs, including user
names, e-mail addresses, authentication
information as well as SMB, e-mail, and LDAP
passwords. Leveraging this information they
successfully gained administrative access into
core systems, including e-mail servers, file
servers, and Active directory domains using a tool
called "PRAEDA" (Greek for "plunder").
PRAEDA exploits common security faults such as
default passwords that haven't been changed. Deral
Heiland, whose security research team, foofus.net,
developed "PRAEDA", and who was one of the
presenters at Shmoocon, hacks into computer
networks to identify weaknesses.
problem with MFPs in Heiland's opinion is that
they usually aren't secured as well as computer
systems. It's mostly a configuration issue. He
claims manufacturers typically don't require
owners to set a new password for these devices.
All a hacker needs to do is locate the default
password in a manufacturer's instruction manual,
which is typically posted online, and they're
often in. The other issue is that printers can be
accessed by a Web browser running Web server
software that isn't secure, so a smart hacker can
easily find user names and passwords.
"Generally multifunction printer devices-even the
ones that are just printers-have reached the point
where they integrate into a business environment
for sending and receiving faxes and e-mails or
doing fax to e-mail, and scan to file and storing
it on a server, or the user sends files from the
file server directly to the printer," says
Heiland. "That level of integration requires the
device have some level of authentication
information to connect to other devices, including
user names and passwords as a way to authenticate
itself or the user. What we've done is focused on
stealing or finding that information off a
printer." Hacking into these systems is easy.
"If the printer is configured to integrate
into the business environment, probably eight out
of ten times we're able to access user credentials
where we're able to actually gain access into
active directory or into other business systems,"
On a positive note, he
reports most organizations don't expose their MFPs
to the Internet. Those that do as he's discovered
are typically colleges and universities. The
solution to this latest security threat is fairly
simple. "It starts with awareness," contends
At a minimum, Heiland recommends
that users reset the default passwords on their
devices. He also recommends securing the device
based on how it's going to be used as well as
limiting its exposure to the Internet or not
exposing to it at all.
change but some things will continue to remain the
same and that is security vulnerabilities and the
office technology industry's never-ending
commitment to doing their part to keep their
device's and their customer's information safe and
secure whether it's at the device or up in the