Security Basics mailing list archives
RE: FUD - was FAX a virus
From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 7 Mar 2007 09:39:56 +1100
Here we have reached consensus! I personally see the database as the BIGGEST hole in most firms - and the least checked/secured item as well. It amazes me how many people in the "security professions" do not have the slightest idea of what occurs in the RDBS. Too many database admins seem to "own" the databases they run and are offended when somebody comes to check how they run it. Too much focus is placed on the web site; the network admin etc right when the thief is running down the corridor with the crown jewels (i.e. the data).

Regards,
Craig

-----Original Message-----
From: wesleymcgrew () gmail com [mailto:wesleymcgrew () gmail com] On Behalf Of Robert Wesley McGrew
Sent: Wednesday, 7 March 2007 9:28 AM
To: Craig Wright
Cc: TheGesus; security-basics () securityfocus com; alcides.hercules () gmail com; Scott.Ramsdell () cellnet com; Bob Radvanovsky
Subject: Re: FUD - was FAX a virus

On 3/6/07, Craig Wright <cwright () bdosyd com au> wrote:
Sorry, wrong.
Apologies, I was on the train of thought of email and attachments of images and such and thought you were asking about that. But that's neither here nor there.

I never disagreed with your description of how faxes work, nor with how it'll strip a document of everything but a scanned representation of how it looks. If that's the final representation and usage of that image, then you're right, it's game over for an attacker.

My position is that what you do with that scanned image after that is something that deserves some attention. If an organization, for the sake of automation, extracts textual data from this image via OCR, and stores it, or uses it as input for some process, then I feel this data should be subject to the same amount of scrutiny and filtering as one would apply to web-based inputs. Same attack, different entry point.

--
Robert Wesley McGrew
http://mcgrewsecurity.com
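The point McGrew makes above, that OCR output from a fax is attacker-controlled input and deserves the same filtering as a web form field before it reaches a database, is illustrated by the following added example. It is not code from anyone in this thread; the pipe-separated order-form layout, the account-number pattern and the table schema are hypothetical, and the OCR lines are constructed sample data.

```python
import re
import sqlite3

# Constructed sample input: lines an OCR step might extract from a faxed order form.
# Whoever sends the fax controls this text, just as a web user controls a form field,
# so the second line carries an SQL-injection style payload and the third is OCR noise.
OCR_LINES = [
    "ACCT-10442 | Widget bracket | 12",
    "ACCT-10443 | x'); DROP TABLE orders; -- | 1",
    "garbled line with no separators",
]

ACCOUNT_RE = re.compile(r"^ACCT-\d{5}$")        # hypothetical account-number format
QTY_RE = re.compile(r"^\d{1,4}$")               # quantity: 1 to 4 digits
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 .,-]{1,64}$")  # bounded, conservative charset


def parse_ocr_line(line):
    """Split one OCR line into (account, description, qty).

    Every field is checked against an allowlist of what the form can legitimately
    contain; a line that fails any check returns None rather than a partial record.
    """
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3:
        return None
    account, description, qty = parts
    if not ACCOUNT_RE.match(account) or not QTY_RE.match(qty):
        return None
    if not DESCRIPTION_RE.match(description):
        return None
    return account, description, int(qty)


def ingest(lines):
    """Validate OCR lines and store the good ones with a parameterised INSERT.

    Returns (rows_stored, rejected_lines) so the caller can log what was dropped.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders(account TEXT, description TEXT, qty INTEGER)")
    rejected = []
    for line in lines:
        rec = parse_ocr_line(line)
        if rec is None:
            rejected.append(line)
            continue
        # Bound parameters keep data and SQL separate even if the allowlist is
        # later relaxed; validation and parameterisation are independent layers.
        conn.execute(
            "INSERT INTO orders(account, description, qty) VALUES (?, ?, ?)", rec
        )
    rows = conn.execute(
        "SELECT account, description, qty FROM orders ORDER BY account"
    ).fetchall()
    conn.close()
    return rows, rejected


if __name__ == "__main__":
    stored, bad = ingest(OCR_LINES)
    print("stored:", stored)
    print("rejected:", bad)
```

Running it stores only the well-formed first line; the payload line and the garbled line are both rejected and returned for logging, which is the same outcome one would expect from a web form handler given the same three strings.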