Why Faxing is Less Secure Than Email
-
Another massive factor is that email is sent to a person, faxes are sent to a machine. The machine might be shared, might be insecure, might be unmonitored, might be in a public space, etc. Mailboxes can be as well, in theory, but the idea is that a person is supposed to hand over a mailbox for a person or a role. Faxing does not work this way. People do not have their own lines, faxes, etc. They never have and faxes were never expected to work like that.
This makes for a fundamental difference in security. One goes to whom you intended it to go to, one goes to the machine you intended it to go to... and immediately gets automatically translated into paper and left there for anyone to find.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well, everyone loves cat videos; now you're watching everything they do on their computer, not just email.
I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.
You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?
-
@BRRABill said in Why Faxing is Less Secure Than Email:
@Dashrender said
Tapping a phone line once it reaches a neighborhood hub is anything but trivial, I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path, to make it happen. This requirement makes the cost significantly higher than trying to get access to, say, email, through the previously mentioned malware attack.
Pretty easy to get access to phone lines if you are in any sort of business complex.
Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
It is different and I mentioned that both are affected but it is harder to do so with email. For example, email normally has a logical name in some portion of the email field, not just a random number string. Email is far easier to remember and verify. Email is typically stored in more secure ways.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Another massive factor is that email is sent to a person, faxes are sent to a machine. The machine might be shared, might be insecure, might be unmonitored, might be in a public space, etc. Mailboxes can be as well, in theory, but the idea is that a person is supposed to hand over a mailbox for a person or a role. Faxing does not work this way. People do not have their own lines, faxes, etc. They never have and faxes were never expected to work like that.
This makes for a fundamental difference in security. One goes to whom you intended it to go to, one goes to the machine you intended it to go to... and immediately gets automatically translated into paper and left there for anyone to find.
While that's generally true, it's not exclusively so. Just look at FreePBX. DIDs could be set to listen for fax tones on a DID line and intercept the fax, then forward it on to the individual.
But as you said, that's a rare exception, definitely not normal.
But I think faxes, at least in a medical facility, are intended for the practice at large, not an individual. If we moved things over to email, we'd have to have a group email address used, one that dispersed the message to many people to ensure work was being accomplished and not halted because someone was on vacation.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well, everyone loves cat videos; now you're watching everything they do on their computer, not just email.
I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.
You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?
You said you can location attack a fax machine - presumably because it can't/doesn't move, but then say you can't location attack an email user. I say you can attack an email user, by attacking their computer - then I mentioned one way to attack them, by sending them a malware email, infecting their machine and now you have access to their email. You can't do that to a fax machine that I know of. Though it would be funny to hear of phone line delivered update/virus to a fax machine's computer parts that after it receives a fax, it keeps it in memory, then dials another number and sends it to them... lol
-
Continuing from the other thread: Scott's now claiming (I think at least) that sending emails over non-TLS, non-encrypted connections over the internet is completely fine, and does not put you at any legal risk from HIPAA - he believes this because faxing does not require any type of encryption. And while I understand his argument, I simply don't agree - and personally can't wait for a court case to see the fireworks - Scott's lawyer would claim faxing has no security, therefore email doesn't require any.
I totally agree and would never allow a shop to use faxing. Because of exactly what you describe. Sure the auditor might allow it, but if my data got exposed OR I found out that people were willing to violate my security rights of my PHI by sending it over fax, you might have a case on your hands and have to defend not taking even the most rudimentary security precautions. No matter what your auditor believes is okay, the question will be "will a judge?"
My point in the other thread is that if fax is okay, email is by extension. I've never said that faxing is in any way a minimally acceptable bar for security; it is the absolute absence of security itself.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
It is different and I mentioned that both are affected but it is harder to do so with email. For example, email normally has a logical name in some portion of the email field, not just a random number string. Email is far easier to remember and verify. Email is typically stored in more secure ways.
But people can make up anything they want for an email address on Google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
While that's generally true, it's not exclusively so. Just look at FreePBX. DIDs could be set to listen for fax tones on a DID line and intercept the fax, then forward it on to the individual.
That's very true. And hosted fax can mitigate a lot more risk. But we are doing that by not being fax any longer. Literally... FreePBX and hosted fax solutions secure fax by... turning it into email!!
So the best way to secure fax is to replace it with email, I totally agree.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
But people can make up anything they want for an email address on Google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.
Not in the real world. Go look at a list of email addresses that are used by people (NOT intentional spam catching accounts.) Some are random but very, very few. Most involve part of a name or something that identifies someone... they are things that can be remembered even if they are random-ish. I've never seen a truly random email address that was used. But every fax number is just a number, totally random.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
While that's generally true, it's not exclusively so. Just look at FreePBX. DIDs could be set to listen for fax tones on a DID line and intercept the fax, then forward it on to the individual.
That's very true. And hosted fax can mitigate a lot more risk. But we are doing that by not being fax any longer. Literally... FreePBX and hosted fax solutions secure fax by... turning it into email!!
So the best way to secure fax is to replace it with email, I totally agree.
We haven't received paper faxes in my office for more than 10 years - it's all saved to a network share, but the rest of the insecurity is there.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
But I think faxes, at least in a medical facility, are intended for the practice at large, not an individual. If we moved things over to email, we'd have to have a group email address used, one that dispersed the message to many people to ensure work was being accomplished and not halted because someone was on vacation.
True, but if that is so you have the ability to secure that group far more extensively, control access by person, have access rules, routing rules, etc. Things that faxing cannot do. Even when it is bad, email retains security advantages.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
But people can make up anything they want for an email address on Google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.
Not in the real world. Go look at a list of email addresses that are used by people (NOT intentional spam catching accounts.) Some are random but very, very few. Most involve part of a name or something that identifies someone... they are things that can be remembered even if they are random-ish. I've never seen a truly random email address that was used. But every fax number is just a number, totally random.
We weren't talking about real people - I thought we were talking about people specifically trying to steal data. And just to appear normal, those people too would make fake accounts that look like real accounts, but there's no authentication there either, so again, the fact that there's a real name in the email address doesn't actually make it any better - the belief that it does is social engineering too.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well, everyone loves cat videos; now you're watching everything they do on their computer, not just email.
I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.
You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?
You said you can location attack a fax machine - presumably because it can't/doesn't move, but then say you can't location attack an email user. I say you can attack an email user, by attacking their computer...
Ah. Not what I meant by location attack. With fax you can attack someone by leveraging their location. You simply go to "where" they are (they can't move, the phone line just doesn't move with them) and you can use their location as a vulnerability.
Email systems move. It's part of their nature. Even if you know where someone is sending email from, you don't know where it will go to or from. So knowing their locality is not useful in attacking the data in transit.
-
I really feel the need to say - I'm not defending faxing!
I hate faxing! It's slow, low resolution, as mentioned insecure, often requires dedicated hardware, hell, it's expensive!!
But moving slow-moving entities off of it is difficult or impossible.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
But people can make up anything they want for an email address on Google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.
Not in the real world. Go look at a list of email addresses that are used by people (NOT intentional spam catching accounts.) Some are random but very, very few. Most involve part of a name or something that identifies someone... they are things that can be remembered even if they are random-ish. I've never seen a truly random email address that was used. But every fax number is just a number, totally random.
We weren't talking about real people - I thought we were talking about people specifically trying to steal data. And just to appear normal, those people too would make fake accounts that look like real accounts, but there's no authentication there either, so again, the fact that there's a real name in the email address doesn't actually make it any better - the belief that it does is social engineering too.
Right. But, let me give an example, maybe it will make more sense...
Background: Joanna McMillen needs some PCI data sent to her office at the hospital. Her email is [email protected] and her fax number is (202) 555-2325.
Debby works in accounts and has to send some data to Joanna's office.
If she goes to send an email she sees [email protected] and thinks to herself "I've seen that address before and it is totally reasonable." You have light security, hard to trick Debby as you'd need to either trick a LOT of people and change only the name portion of the email address or REALLY trick Debby and alter the domain name.
Debby goes to send a fax and looks up, likely on paper, a string of numbers to type into the fax. No matter how "normal" the number looks, it is all the same to Debby. Maybe the area code would tip her off, but that produces a crazy number of false positives as people just don't understand area codes so either this gets ignored or you get problems. Debby just doesn't memorize enough numbers to know when one looks "fishy".
-
@Dashrender said in Why Faxing is Less Secure Than Email:
I really feel the need to say - I'm not defending faxing!
But you have defended it often in the past and tried to make a point of it being more secure than email.
-
Similar goes for home users... if someone hands over an email address we normally check it to see if we can read it. It is super simple for humans to remember the basics of an email address. Not so with phone numbers. In "one off" scenarios, emails get some verification 99% of the time, fax numbers less than 1% of the time.
-
Your example works when you are sending emails to the same person or group of people. But if that's not normal, i.e. you send to random people all the time, which we would be doing when sending data to patients, then the email address becomes as meaningless as the fax number does - in fact it could be worse, because if you are sending to someone locally with fax, you would think someone would know the locally available area code numbers.