Security
February 14, 2008
Well Duh!
Pleeaaaze, not only is this old hat to some of us, but yes, it is generally ignored by the major corporations that utilize networked MFPs heavily. But the reality is there is already corporate policy in place within IT. It’s called a corporate security policy. The only thing that needs to change to apply it is to realize they are SERVERS that just happen to spit bits of plastic on paper.
That networked multifunction printer sitting innocently in the corner of your office just might be the most significant entry point for hackers to hijack sensitive data from your business.
Even worse, security researchers warn, they are a forgotten risk in every enterprise, featuring hardware that combines several functions in a single unit—fax, copier, printer and scanner.
“A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform,” said Brendan O’Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.
“When I was doing my research, I had dozens and dozens of MFDs under my control, and no one in IT knew what I was doing. The idea of an attacker having equipment completely under their control on a company’s internal network is a frightening proposition,” O’Connor said in an interview with eWEEK.
Continuing…
Thomas Ptacek, principal and founder at New York-based penetration testing firm Matasano Security, said the risk is more than just theoretical.
“Should my mom be worried that a hacker is living in her printer? No. But, if you’re a Fortune 500 company, vulnerable printers on your network is a scary thing,” Ptacek said in an interview with eWEEK. “There are several of these printers on every floor of every business, basically working as file servers for important documents,” Ptacek said. “Printers deal with much more sensitive information than your typical file or storage server, but they get no protection whatsoever. They’re altogether ignored as a risk on the network. Do you know of anyone looking for patches for a printer? People underestimate how dangerous these things are.”
In the financial and health sectors, for example, he said a skilled hacker with unfiltered access to a print server can do serious damage.
“He can hide himself in there with a rootkit, capture all the documents passing through the print server. He can take over the printer and basically have full control of every action. It’s the perfect catbird seat,” Ptacek said.
What is missed by most IT types is the concentration of information flow that hits a printer. Some of it is at the very top, in executive row. For all the data that sits on servers for some hacker to mine, it is diffuse chunks of data compared to what would come out of a hacked printer serving the Executive Assistants in the typical board room row of the Fortune 500. It is all nicely condensed, formatted and forward leaning in what the company is preparing to do for the future. It also carries with it the considered assessments of that 1/4 of management as to actionable thinking.
[Shameless Plug Dept.: So still concerned and don’t know what to do? I am available to consult, having 10 yrs experience in corporate print methodologies and cost reductions in this area of IT for a Fortune 10. link.]
Filed under Security by Dr. Dog
February 11, 2008
Banking Goes to the Cloud
Banks first created the teller, and it was considered good. Banks then created the ATM, and it was considered great. Banks then created electronic banking systems, and it was considered fantastic. Banks have now created checks scanned to deposit, and it is? Oh, well, the jury is still out. In fact, the technology is just now being trialed. –
Soon you will be able to deposit checks by scanning them at home and sending them electronically to your bank. No need to visit a branch or even an ATM.
This is possible because of the Check Clearing for the 21st Century Act, passed in 2003, which allows banks to exchange electronic images of checks. Already about half of all checks are scanned by businesses or the banks they are deposited into and not shipped in bags back to the banks on which they were drawn.
Fiserv, the big transaction services company, has announced new software that will enable banks to let home users deposit checks by scanning them. It already has a similar service for small and medium businesses. USAA, the financial services company that serves the military, has offered deposits through scanners for two years, but the idea has not yet caught on.
The time is right for such a service, said Rodney Springhetti, a Fiserv vice president of business development. The technology has been debugged through several years of working with businesses, and meanwhile consumers increasingly have scanners at home, largely in the form of all-in-one printer units.
And this from Fiserv, a provider of the service –
BROOKFIELD, Wis.–(BUSINESS WIRE)–CheckFree, now part of Fiserv Inc. (NASDAQ: FISV - News), a leading provider of information technology services to the financial industry, today unveiled its new remote deposit capture product, an innovative solution that allows retail customers to electronically scan and deposit checks from any location with a PC, a scanner and an Internet connection. It provides simple, easy-to-use functionality for the consumer without compromising the security, fraud identification or processing quality required by financial institutions.
Competition in the retail banking market is tremendous and banks must continually seek to offer new and innovative products to attract new consumers and retain existing customers. By providing a convenient, secure and easy-to-use online banking option for depositing checks, financial institutions will offer their customers faster funds availability without a trip to the branch, ATM or post office, thereby enriching the banking experience.
“Consumer capture will fundamentally change the way consumers interact with their financial institution, brokerage firm, utility or other payment processor when depositing checks. By offering consumer capture, financial institutions can quickly provide an online product that will attract new customers without regard to geographic territory; accelerating expansion beyond their brick and mortar branches,” said Mike Ringuette, executive vice president, Fiserv Global Payments. “This new solution allows banks, credit unions, other financial institutions and payments processors to offer expanded deposit windows due to the immediate receipt of an electronic image and all associated electronic data, with the potential to reduce costs and environmental resources associated with personnel, transportation and processing in the branch or back office.”
I might be interested in this as a service were I a small business. Considering that funds to me are distributed by direct deposit, I don’t have many paper checks passing through my front door. But others’ needs may vary. The other issue for me would be security. How valid is it in electronic form? For the few checks I do deposit at the Credit Union, the teller still asks for IDs on deposits. So the institution knows that the person presenting is who they say they are. [I should go on record here with a note that most checks travel institution to institution in electronic form, about which I have no qualms.]
NYT article.
Fiserv press release.
Filed under Cloud Computing, Security by Dr. Dog
January 23, 2008
Worm scare kills Skype Video sharing
A Skype feature that allows users to share videos from MetaCafe.com and DailyMotion.com has been disabled due to a worm vulnerability.
Last week Raff showed how attackers could exploit the bug to run unauthorized software on a Skype user’s PC. But on Tuesday, the security researcher said the flaw was more serious than he’d first thought. It can “be triggered by simply visiting a Web site, or clicking on a link from your instant messaging application,” he wrote in a blog posting, “Which basically means that this vulnerability is now wormable.”
January 22, 2008
Joel Johnson Slaps AT&T on Spying Plans
Joel is the gadget guy on Boing Boing. He was invited onto the Thompson Show for the latest and greatest cool stuff. Instead he b-slapped AT&T for its pending policies.
Irony? The Thompson show’s biggest sponsor is AT&T.
January 19, 2008
Corporate Indifference @ Work
In case you don’t know it, NetFlix has been eating BlockBuster’s lunch, so to speak. When 2 giants in a marketplace segment lock horns, corporate indifference to the customer base can wreak havoc. Case in point –
Incident 3: Today. I tightly clutched my return envelopes as I slowly browsed the shelves for three new movies to exchange. Finally, I settle on two movies and a Wii game. Last year, I was able to use a return envelope to pick up a Wii game without a problem. Well, apparently things have now changed. After scanning my three envelopes, they scanned the three items I had brought up. $5.34. “Excuse me, this should be an even exchange.” Apparently not. Now the returned movie only counts as $4 off a $9 game rental. Oh well, I thought, “Just take it off and I’ll grab another movie”. Nope - Apparently each credit gets automatically applied to a specific item and can’t be re-transferred to another item. On top of that, they wouldn’t remove the game from my checkout and insisted that I HAD to pay for the game, even though I hadn’t paid yet and the transaction was unfinished. They insisted that the transaction WAS finished and now I had to pay for it (Which doesn’t make any sense. How can the transaction be over before I am even told what the cost will be?). After much debate with the manager, they agreed to take the game off the transaction (as a “Favor”), but they couldn’t do anything about applying the credit to another movie. By this time I had already decided that I would be writing this letter when I got home, and canceling my year-long subscription to Blockbuster Total Access.
It no longer surprises me that Blockbuster is failing as a company. They are closing many stores and hemorrhaging cash. Many analysts don’t even expect them to survive more than a few years. They may not be able to compete with the price and selection of Netflix or the new Apple video rentals, but they had one thing strongly going for them - availability. I knew that if I really needed to, I could go down the street and pick up a physical movie and talk to a real person if I needed to. Now my mindset has changed. Clearly, Blockbuster has decided that their employees and even managers are too incompetent to run their own stores and must be treated like trained monkeys. Even when I found a sympathetic ear, they were simply powerless to override the computer for even simple tasks. Oh well, now that Netflix has unlimited downloads at less than half of the price I was paying at Blockbuster, maybe this is exactly the incentive I needed to make the change.
A general business rule of thumb is that for every customer a business ‘loses’ for bad service, it also loses 4-5 other customers through watercooler talk. [Or Angie’s List] But BlockBuster has more than a customer problem; it has a structural problem as well. BlockBuster is competing against, if you’ll excuse the latitude, a ThirdPipe company. I say that as NetFlix is really physical in only two cases — the DVDs and the USPS van that delivers them. And NetFlix doesn’t own one of them.
As a consequence, NetFlix’s advantage is the lack of retail outlets as part of its cost structure. That reduces head count/labor, eliminates energy costs, and eliminates the errant bad customer experience from a surly clerk. The thing is, this game can be played in nearly every market segment you can think of. Any company today paying $50+/sqft for commercial office space will be at a cost structure disadvantage to any company that can align its management operations to a telecommuter-based virtual office environment. That requires management retooling, which many are loath to contemplate. But it will happen; the cost-profit potential is too great to ignore. With it, the ThirdPipe infrastructure expands to fill the space.
Full article.
Filed under Security, VoIP, Wireless, competition by Dr. Dog
January 15, 2008
Never, Ever Use a Debit Card in The Cloud!
Do you do business on the Internet using a debit card account? Or do you have an account with someone using automatic debit? I would advise you to reconsider. –
Dreamhost would like you to know that its very very sorry for accidentally billing its customers $7.5 million it wasn’t actually owed. You see, someone typed 2008 when they really meant 2007 and their billing system decided to charge all of their customers in advance for the entire 2008 calendar year. This included debiting huge amounts of money from people’s checking accounts and all the “worst possible scenario” situations you could possibly imagine.
Tom, friend of the blog, and master of the internet, was among those affected:
Well, this morning I got a billing email from them:
This is just a notice that your DreamHost [redacted] (“zug’s Account”) has a balance of $380.87 (including any charges not due until 2009-01-14), with $340.97 due (since 2008-12-14).
Dreamhost is a very reputable hosting service and has been around longer than most. But they erroneously billed out $7.5m to all their customers. Granted, it’s not a lot of money, nor is any individual account a lot of money. But many live on the financial edge. So getting hit with a $500 unexpected withdrawal on the 20th could be the difference between paying the rent or mortgage or not.
Alternatives –
- Get a low-limit credit card, say no more than $500. Use it only for Internet purchases/services. Any merchant who is unwilling to take it does not deserve your business.
- Along a similar vein, get a reloadable cash card with MC/Visa linkage. WalMart, Walgreens and others have these available. Just walk in and reload it in any increment you desire.
Keep in mind that credit cards have certain protections that debit cards lack. For example, total exposure is $50 if fraud is reported quickly. But the bigger issue is that the debit system is in the merchant’s favor. Try to get a debit cycle cancelled. It’s near impossible. So they can keep sending you erroneous bills even after you have terminated service. Cancel the credit card account, however, and there is little the merchant can do.
Someday an intelligent secure payment system will arise. But till then be very wary.
[Update] Just to reinforce the point, read this over at Consumerist.
January 4, 2008
Roooooll Tape!
Mike Egan over at ComputerWorld has written an opinion piece subtitled ‘Big Brother is always watching you. But who’s watching Big Brother?’ It is an apt question in this increasingly watched-over world we live in. —
In my first year as a reporter for a local newspaper back in the year (mumble, mumble), I sat down to interview three candidates for city council who were running as a “slate.” I pulled out my tape recorder, and one of them said, “I’m sorry, but we’re not willing to do the interview if you’re going to record it.” When I asked why, he said, “Because we don’t want to be misquoted.”
The candidates didn’t trust me because the editorial page of the newspaper I worked for had endorsed their opponents. But the encounter always bothered me. How can a verbatim record of a conversation increase the chance of being misquoted?
At the time, I hesitated for a moment and considered walking away from the interview. But I changed my mind and put the tape recorder away. In hindsight, I should have said, “Look, I can’t take notes as fast as my tape recorder can. Why don’t you go grab a tape recorder, too. We’ll both tape it. If I misquote you, you can prove it.”
The problem they had — and one problem with surveillance in general — is that it upsets the balance of power. Whoever has the tape has the power to use, not use, selectively use or misuse the information or proof or evidence recorded.
As Egan mentions in the article, maybe the problem isn’t totally an issue of privacy but one of equity. Those who use surveillance technology should be compelled to permit others to tape them as well. It at least realigns the balance of power. In a ThirdPipe wireless world, getting people on video will be a slam dunk, so we as a society might as well level the playing field.
A highly recommended read.
Filed under Security, Wireless, new technology, tech tips by Dr. Dog
December 31, 2007
iSpy, of the Cloud Kind
Mark Andrejevic is the author of a book called iSpy. No, it’s not a review of the old TV series but a look at the digital capture of your personal habits. The matters he touches on will be of considerable importance to the wireless ThirdPipe world we will live in, in the not-too-distant future.
The program is from C-Span, approximately 1 hr. Select your appropriate viewer of choice once you arrive at the page.
And we haven’t even mentioned RFID as another tool to be used to track us…
December 28, 2007
Politics of Place
Wired has a story on the considerations and implications of marketing to cellphone devices. This is what we here at ThirdPipe call ‘Place’. [See Dictionary] This may even be a critical battle for the cellular carriers, as Google has already demonstrated the use of georeferential markers in portable devices. As Wired observes –
Carriers are now guarding the data zealously, but many people believe it’s only a matter of time - over the next year or two - before marketers can routinely target ads to a potential customer’s location and actions.
Imagine getting pitches for rental cars and hotels the moment you land in San Francisco because an analysis of past calls suggests you tend to take weeklong trips there. Or if day trips to Boston are your thing, you might get an offer for cab service instead.
“My phone has a lot of very specific and detailed information about myself … information that isn’t always going to be resident when I’m at a number of PC browsers,” said Rob Adler, chief executive for mobile Web company go2 Media Inc.
The research firm eMarketer estimates that U.S. spending in mobile ads, at about $900 million in 2007, will grow more than fivefold to nearly $4.8 billion in 2011. By contrast, paid search and other online spending will only double, to about $42 billion in 2011.
December 21, 2007
Dear Osama…. Return Receipt Requested NSA
In the world of black ops, practically anything is possible given enough money and time. It was rumored several years ago that the Russians penetrated the CIA by loading a trojan on network printers. They got copies of everything printed in Moscow. Or so says the urban legend. Now we have a claim that NSA is buying up SSL, or should we say firms that use SSL as part of their product offering. —
United States - A writer identifying himself as “Cryptome”, who appears also to be offering a product for free which would help a user learn more about secure data transmission, even including previously used and declassified protocols from 1945 - 1985, is claiming that the NSA has been secretly buying up secure socket layer services (SSL) that many people rely on for email and data privacy.
Claims
The author claims Hushmail is now owned by a private NSA affiliate. Safe-mail.net, which is based in Israel and was “lauded by NSA and US military several years ago for its sound implementation of SendMail with SSL webmail GUI frontend”, is now providing mail server data to the NSA in real time. Guardster.com, an SSH/SSL proxy service, has been compromised when NSA contractors bought full access rights to Guardster servers “a few days ago”. There are additional claims related to Zone Alarm, Symantec, McAfee, that these all facilitate NSA-controlled remote admin access via IP/TCP ports 1024 through 1030, allowing access without a security flag.
Is it probable? Well, yes. Is it practical? Eh, well, no. If you consider that SSL/SSH can also be set up with private keys, server to server, without using a hosting service, buying up such firms would not likely catch the most cautious. Say, like Al Qaeda. But hey, if you lean to the paranoid side, then read the full article here.
Filed under OT, Security, competition by Dr. Dog