Why Faxing is Less Secure Than Email

Dashrender

@travisdh1 said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

It makes social engineering all that much easier if people don't know about that.

Exactly - what an absolutely horrible setup! Many people believe the number showing on caller ID is the number in question - what about 911? I know from setting up a PBX now that you can spoof to them too.

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

travisdh1

@coliver said in Why Faxing is Less Secure Than Email:

Number spoofing has been around for quite a long time. You can do it with just about any SIP trunk or POTS hand-off with the right knowledge.

You can do it with a touch-tone phone for crying out loud. Security? What security?

scottalanmiller

@travisdh1 said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

https://www.schneier.com/blog/archives/2004/11/hacking_faxes.html

Faxes are insecure in both directions, as well. Not only can you not trust where the information went, you can't trust what you receive.

When I learned that a caller could spoof their number without any help from the phone system provider, it was a WTF day for me.

It makes social engineering all that much easier if people don't know about that.

Makes it trivial. When you assume something is secure when it is not at all, it's almost not even social engineering. Like thinking that you are safe from bombs because you think that planes don't exist.

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

Dashrender

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

I understand your question and don't have an answer, but let me ask you the opposite, why would you assume they can?

Is it better to live with trust or no trust? Most people I believe live with trust, and expectation that things around them are setup to not be able to hurt them. So I believe that people look at the phone system and believe that it should be setup in a manner that protects them - sadly it clearly does not.

coliver

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

I understand your question and don't have an answer, but let me ask you the opposite, why would you assume they can?

Is it better to live with trust or no trust? Most people I believe live with trust, and expectation that things around them are setup to not be able to hurt them. So I believe that people look at the phone system and believe that it should be setup in a manner that protects them - sadly it clearly does not.

And most of those people are idiots. We know that most things are designed to be the least costly and sold for the most money. It is common knowledge that people aren't educated consumers so businesses can take advantage of them left and right. Why would you assume a technology developed in the mid to late 1800s would have any semblance of security?

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@Dashrender said in Why Faxing is Less Secure Than Email:

Why would the public at large believe that literally anyone can just send out any CID info? just DAMN!!!!!

Well, far more importantly, why would they assume that people can't?

I understand your question and don't have an answer, but let me ask you the opposite, why would you assume they can?

You don't need to. Just don't make any assumption and you are all set. It is the assumption alone that makes people vulnerable.

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

Is it better to live with trust or no trust?

Trusting something assumed is not the same as trusting something. If I make something up, like that the world is ending tomorrow, and I trust in that arbitrarily made up thing, is that smart or good? No.

Trusting what someone tells you, okay. Trusting what you've told yourself, though?

scottalanmiller

@Dashrender said in Why Faxing is Less Secure Than Email:

Most people I believe live with trust, and expectation that things around them are setup to not be able to hurt them. So I believe that people look at the phone system and believe that it should be setup in a manner that protects them - sadly it clearly does not.

That's not trust, though. Not as a concept. The issue is not with a lack of trust, but trusting in false assumptions.

I trust that assumptions are bad. So I equally live with "trust" in the same context.

scottalanmiller

@coliver said in Why Faxing is Less Secure Than Email:

And most of those people are idiots. We know that most things are designed to be the least costly and sold for the most money. It is common knowledge that people aren't educated consumers so businesses can take advantage of them left and right. Why would you assume a technology developed in the mid to late 1800s would have any semblance of security?

Right, it isn't just trusting that people wanted security of this nature, it's also trusting that it is possible! The legacy phone system doesn't have a mechanism for this kind of security. So making a wild, baseless assumption and then "trusting it" are very bad when they fly in the face of the technology, business model and common sense. It's fine to not expect either case, but to just make up the least likely case AND trust in it blindly is inherently insecure.

coliver

I'm researching about securing PII and policies surrounding that today. Basically every government and business who is liable for PII has a clause that says, "Don't Fax this!" They recommend you encrypt the file itself and then email it.

JaredBusch

@coliver said in Why Faxing is Less Secure Than Email:

I'm researching about securing PII and policies surrounding that today. Basically every government and business who is liable for PII has a clause that says, "Don't Fax this!" They recommend you encrypt the file itself and then email it.

But that is a completely unworkable solution at scale because that prevents the recipient from being able to easily decrypt the file.

coliver

@JaredBusch said in Why Faxing is Less Secure Than Email:

@coliver said in Why Faxing is Less Secure Than Email:

I'm researching about securing PII and policies surrounding that today. Basically every government and business who is liable for PII has a clause that says, "Don't Fax this!" They recommend you encrypt the file itself and then email it.

But that is a completely unworkable solution at scale because that prevents the recipient from being able to easily decrypt the file.

Pretty much. I just found it funny that the consistent thing was to not fax it and encrypt it. Some of them recommended 7zip or winzip encryption and relaying the password via a different medium.

JaredBusch

@coliver said in Why Faxing is Less Secure Than Email:

Pretty much. I just found it funny that the consistent thing was to not fax it and encrypt it.

Oh yes, that part is such a given to me that I did not react to it.

JaredBusch

@coliver said in Why Faxing is Less Secure Than Email:

Some of them recommended 7zip or winzip encryption and relaying the password via a different medium.

A perfectly viable solution to suggest. Just cannot scale.

coliver

@JaredBusch said in Why Faxing is Less Secure Than Email:

@coliver said in Why Faxing is Less Secure Than Email:

Pretty much. I just found it funny that the consistent thing was to not fax it and encrypt it.

Oh yes, that part is such a given to me that I did not react to it.

It seemed relevant to the topic at hand and It was something I hadn't really research before.

travisdh1

@coliver said in Why Faxing is Less Secure Than Email:

@JaredBusch said in Why Faxing is Less Secure Than Email:

@coliver said in Why Faxing is Less Secure Than Email:

I'm researching about securing PII and policies surrounding that today. Basically every government and business who is liable for PII has a clause that says, "Don't Fax this!" They recommend you encrypt the file itself and then email it.

But that is a completely unworkable solution at scale because that prevents the recipient from being able to easily decrypt the file.

Pretty much. I just found it funny that the consistent thing was to not fax it and encrypt it. Some of them recommended 7zip or winzip encryption and relaying the password via a different medium.

Winzip encryption? Poor people really have no clue, huh? At least 7zip uses something that will take me longer than a couple minutes to break.

JaredBusch

@coliver said in Why Faxing is Less Secure Than Email:

@JaredBusch said in Why Faxing is Less Secure Than Email:

@coliver said in Why Faxing is Less Secure Than Email:

Pretty much. I just found it funny that the consistent thing was to not fax it and encrypt it.

Oh yes, that part is such a given to me that I did not react to it.

It seemed relevant to the topic at hand and It was something I hadn't really research before.

Stop being relevant. We don't do that here past post 2.

coliver

@JaredBusch said in Why Faxing is Less Secure Than Email:

@coliver said in Why Faxing is Less Secure Than Email:

Some of them recommended 7zip or winzip encryption and relaying the password via a different medium.

A perfectly viable solution to suggest. Just cannot scale.

Agreed, this is really where things like ERPs and CMS' come into play. If it is centralized then there should be no need to be emailing this information around.

Jason

@scottalanmiller said in Why Faxing is Less Secure Than Email:

@BRRABill said in Why Faxing is Less Secure Than Email:

@Dashrender said

Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.

Pretty easy to get access to phone lines if you are in any sort of business complex.

Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!

Our buliding here is in a rural area.. but because we are the biggest company around Verizon brought the whole trunk of lines multiplex in to our buliding incase we need all of them we would have them.. there are resturants, stores, and urgent medical care centers all around us. all of their analog lines both phone and fax come into our building and we could listen in from the NID