
    Why Faxing is Less Secure Than Email

    • scottalanmiller @Dashrender

      @Dashrender said in Why Faxing is Less Secure Than Email:

      @scottalanmiller said in Why Faxing is Less Secure Than Email:

      @Dashrender said in Why Faxing is Less Secure Than Email:

      @scottalanmiller said in Why Faxing is Less Secure Than Email:

      Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.

      No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well everyone loves cat videos, now you're watching everything they do on their computer, not just email.

      I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.

      You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?

      You said you can location attack a fax machine - presumably because it can't/doesn't move, but then say you can't location attack an email user. I say you can attack an email user, by attacking their computer...

      Ah. Not what I meant by location attack. With fax you can attack someone by leveraging their location. You simply go to "where" they are (they can't move, the phone line just doesn't move with them) and you can use their location as a vulnerability.

      Email systems move. It's part of their nature. Even if you know where someone is sending email from, you don't know where it will go to or from. So knowing their locality is not useful in attacking the data in transit.

      • Dashrender

        I really feel the need to say - I'm not defending faxing!

        I hate faxing! It's slow, low resolution, as mentioned insecure, often requires dedicated hardware, hell, it's expensive!!

        But moving slow moving entities off of it is difficult or impossible.

        • scottalanmiller @Dashrender

          @Dashrender said in Why Faxing is Less Secure Than Email:

          @scottalanmiller said in Why Faxing is Less Secure Than Email:

          @Dashrender said in Why Faxing is Less Secure Than Email:

          But people can make up anything they want for an email address on google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.

          Not in the real world. Go look at a list of email addresses that are used by people (NOT intentional spam catching accounts.) Some are random but very, very few. Most involve part of a name or something that identifies someone... they are things that can be remembered even if they are random-ish. I've never seen a truly random email address that was used. But every fax number is just a number, totally random.

          We weren't talking about real people - I thought we were talking about people specifically trying to steal data. And just to appear normal, those people too would make fake accounts that look like real accounts, but there's no authentication there either, so again, the fact that there's a real name in the email address doesn't actually make it any better - the belief that it does is social engineering too.

          Right. But, let me give an example, maybe it will make more sense...

          Background: Joanna McMillen needs some PCI data sent to her office at the hospital. Her email is [email protected] and her fax number is (202) 555-2325.

          Debby works in accounts and has to send some data to Joanna's office.

          If she goes to send an email she sees [email protected] and thinks to herself "I've seen that address before and it is totally reasonable." You have light security, hard to trick Debby as you'd need to either trick a LOT of people and change only the name portion of the email address or REALLY trick Debby and alter the domain name.

          Debby goes to send a fax and looks up, likely on paper, a string of numbers to type into the fax. No matter how "normal" the number looks, it is all the same to Debby. Maybe the area code would tip her off, but that produces a crazy number of false positives as people just don't understand area codes so either this gets ignored or you get problems. Debby just doesn't memorize enough numbers to know when one looks "fishy".

          • scottalanmiller @Dashrender

            @Dashrender said in Why Faxing is Less Secure Than Email:

            I really feel the need to say - I'm not defending faxing!

            But you have defended it often in the past and tried to make a point of it being more secure than email.

            • scottalanmiller

              Similar goes for home users... if someone hands over an email address we normally check it to see if we can read it. It is super simple for humans to remember the basics of an email address. Not so with phone numbers. In "one off" scenarios, emails get some verification 99% of the time, fax numbers less than 1% of the time.

              • Dashrender

                Your example works when you are sending emails to the same person or group of people. But if that's not normal, i.e. you send to random people all the time, which we would be doing when sending data to patients, then the email address becomes as meaningless as the fax number does - in fact it could be worse because if you are sending to someone locally with fax, you would think someone would know the local available area code numbers.

                • scottalanmiller @Dashrender

                  @Dashrender said in Why Faxing is Less Secure Than Email:

                  Your example works when you are sending emails to the same person or group of people. But if that's not normal, i.e. you send to random people all the time, which we would be doing when sending data to patients, then the email address becomes as meaningless as the fax number does - in fact it could be worse because if you are sending to someone locally with fax, you would think someone would know the local available area code numbers.

                  You were too slow, I mentioned that in the second update. Even the local part because I've had so many places refuse to send me things over the years because they can't tell what local phones are and now as phones don't have locality any longer, it's so much worse. NTG HQ's numbers are all from a different LATA than they are in (about two cities to the east of them) and my home number is in a different country than me physically and uses a local code that even the locals think is somewhere far away. Even pizza people used to refuse to deliver to me within walking distance. Numbers even two decades ago were useless for security as locality is not actually as meaningful as it seems.

                  • Dashrender

                    I think we are both saying that neither email address nor phone numbers are good indicators of identity. If not, you still haven't sold me on why email addresses are better in that regard - but again, really doesn't help solve the problem at hand.

                    • scottalanmiller @Dashrender

                      @Dashrender said in Why Faxing is Less Secure Than Email:

                      I think we are both saying that neither email address nor phone numbers are good indicators of identity. If not, you still haven't sold me on why email addresses are better in that regard - but again, really doesn't help solve the problem at hand.

                      It's that they almost always offer some verification instead of never offering any. Neither are good, but one is better. In essentially all cases, you get some security.

                      • momurda

                        https://en.wikipedia.org/wiki/Fax

                        Fax machines are archaic; first one patented 150 years ago. 'New' ones from ATT designed in the mid 1920s. I try to avoid them, though I imagine they will never go away.

                        • tonyshowoff @Dashrender

                          @Dashrender said in Why Faxing is Less Secure Than Email:

                          @scottalanmiller said in Why Faxing is Less Secure Than Email:

                          Faxing is totally open and unsecured from the device through the network to the other device. It is an analogue and well defined standard that any old fashioned modem, fax machine or similar can reproduce.

                          Tapping fax lines is the easiest method of accessing them. Faxes go out over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.

                          Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.

                          Tapping a phone line once it reaches a neighborhood hub is anything is trivial I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.

                          How can you say this but then also talk about FreePBX and other things which can intercept and redirect fax calls? Clearly if they can detect them by tone, they can record them. Root a FreePBX box and you're on your way, that doesn't work for already-encrypted email traffic though.

                          Lest we forget about things like Switch Access Service for digitally tapping phone lines that AT&T still has that has been used by criminals in the past, unencrypted VoIP, etc. By default it's just security through obscurity, because you don't consider actually how easy it is compared to breaking SSL and/or PGP.

                          • scottalanmiller @Dashrender

                            @Dashrender said in Why Faxing is Less Secure Than Email:

                            I think we are both saying that neither email address nor phone numbers are good indicators of identity. If not, you still haven't sold me on why email addresses are better in that regard - but again, really doesn't help solve the problem at hand.

                            No, but email is better. Neither is good, but one is 100% useless, the other is 50% useful. That's a huge increase.

                            • scottalanmiller

                              https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

                              Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

                              • dafyre

                                All that being said... both my Pops and I heard a fax machine go off in the reception area while we were having our ears reprogrammed yesterday.

                                • Dashrender @scottalanmiller

                                  @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                  https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

                                  Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

                                  When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

                                  • travisdh1 @Dashrender

                                    @Dashrender said in Why Faxing is Less Secure Than Email:

                                    @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                    https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

                                    Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

                                    When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

                                    It makes social engineering all that much easier if people don't know about that.

                                    • coliver

                                      Number spoofing has been around for quite a long time. You can do it with just about any SIP trunk or POTS hand-off with the right knowledge.

                                      • Dashrender @travisdh1

                                        @travisdh1 said in Why Faxing is Less Secure Than Email:

                                        @Dashrender said in Why Faxing is Less Secure Than Email:

                                        @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                        https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

                                        Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

                                        When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

                                        It makes social engineering all that much easier if people don't know about that.

                                        Exactly - what an absolutely horrible setup! Many people believe the number showing on caller ID is the number in question - what about 911? I know from setting up a PBX now that you can spoof to them too.

                                        Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

                                        • travisdh1 @coliver

                                          @coliver said in Why Faxing is Less Secure Than Email:

                                          Number spoofing has been around for quite a long time. You can do it with just about any SIP trunk or POTS hand-off with the right knowledge.

                                          You can do it with a touch-tone phone for crying out loud. Security? What security?

                                          • scottalanmiller @travisdh1

                                            @travisdh1 said in Why Faxing is Less Secure Than Email:

                                            @Dashrender said in Why Faxing is Less Secure Than Email:

                                            @scottalanmiller said in Why Faxing is Less Secure Than Email:

                                            https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

                                            Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

                                            When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

                                            It makes social engineering all that much easier if people don't know about that.

                                            Makes it trivial. When you assume something is secure when it is not at all, it's almost not even social engineering. Like thinking that you are safe from bombs because you think that planes don't exist.
