Security Basics mailing list archives
RE: FAX a virus
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 8 Mar 2007 05:25:08 +1100
Wrong Daniel, Crying wolf and leading others to exaggerate risk is one of the biggest bugbears in the industry. It takes focus from the true issues and is a dead weight loss economically. Information technology is a science and engineering field. My asserted view of relative positivism is the current leading philosophy of science and the reason that you are reading this email. The point of risk analysis is that you have to have a threat that can exploit a vulnerability and lead to an impact. Theory is low risk at best. Stating that there is a possibility of an attack is crying wolf. The person asking the question wanted to have an idea of risk. They wanted validly sought an answer from the list as to the risk of a system. However, rather than stating to this person that the risk is low at best. That there is no known or considered attack in the given situation; we start to reply about investigating possibilities. We start talking about Trojans over the fax input. This is crying wolf and this is exaggerating the risk. Regards, Craig ________________________________ From: Daniel Anderson [mailto:dtndan () gmail com] Sent: Wed 7/03/2007 6:06 PM To: Craig Wright Cc: Nick Duda; security-basics () securityfocus com; Bob Radvanovsky Subject: Re: FAX a virus Assuming that you are secure is worse then dealing with assessing a few risks that may turn out to be dead ends. "Innocent until proven guilty" might be a great basis for a legal system, and in science theories must be be proven or _disproven_ not assumed away. Bystanders yelling "that is FUD" don't help anything. Claiming that you don't have to prove anything is silly. As a security person (I'm assuming this is your role) you should be all about identifying, analyzing and assessing risks, not declaring debate over. Views like yours ("I don't have to prove it is secure, you need to prove it is insecure.") have lead us to a pitiful state in IT security and software quality. "Of course you can't attack a system with a malformed JPEG" Oh, wait....http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx "Of course you can't attack a wireless card's driver" Oh, wait...http://www.frsirt.com/english/advisories/2006/3100 Etc...(You know we could go on all night with this list...) For security to work you must analyze risks, not make assumptions.... You need to make them prove to you that it is secure, not the other way around. Computer programs do not have rights that need protected. Besides, unless I missed an e-mail, no one "cried wolf", you just started ranting when a couple people said something sensible to the effect of "yea, you might want to investigate this". Dan On 3/6/07, Craig Wright <cwright () bdosyd com au> wrote: PS, they should be analysed before people cry wolf. This is the point. FUD is rampant in the security industry. Rather than jumping blindly on the bandwagon, we should be thinking first, acting responsibly and rejecting unproven BS. If I state that we are vulnerable to attacks from grey aliens, I would expect that I have to prove both that there are grey alins and that we are vulnerable BEFORE anyone goes off the wagon and starts panicing. Craig -----Original Message----- From: Daniel Anderson [mailto:dtndan () gmail com] Sent: Wednesday, 7 March 2007 12:18 PM To: Craig Wright Cc: Nick Duda; anonymous () email com; security-basics () securityfocus com Subject: Re: FAX a virus Nick, I wouldn't waste my time. Craig seems to want to hear himself rant today. You can tell because he is screaming about FUD, making cracks about who is "professional" and who is not, bringing in lots of nonrelated info, and giving us unnecessary background info, but not useful info like current ITU standards, T.30, T.38, etc. Suffice it to say that FAX has grown up into a digital data protocol, and there are various potential areas that could be explored once you get your head around the fact that a FAX no longer has to involve paper any more and, if it is ever analog, is only analog for the physical bit between the modems (which really doesn't matter one way or the other). While the OP suggested a situation that could not really occur (inject macro type virus over FAX) a variety of buffer overflows (driver, tiff libraries, PDF libraries, etc), etc should be analyzed and not merely declared as "FUD, FUD, FUD". Dan On 3/6/07, Craig Wright < cwright () bdosyd com au> wrote: No, the attach is not against the fax. It is not via the fax comms. It is simply an attack against a cisco over IP that you are assuming. The cisco can not be attacked in the manner you suggest. Please feel free to prove me wrong. Craig -----Original Message----- From: Nick Duda [mailto: nduda () VistaPrint com] Sent: Wednesday, 7 March 2007 4:18 AM To: Craig Wright; anonymous () email com <mailto: anonymous () email com <mailto:anonymous () email com> > ; security-basics () securityfocus com Subject: RE: FAX a virus Fax machine + Cisco ATA + IP + CallManager = Fax machine Fax machine can = software Fax can be IP/Software based....a possible vector for an attack. ________________________________ From: listbounce () securityfocus com on behalf of Craig Wright Sent: Fri 3/2/2007 11:51 PM To: anonymous () email com; security-basics () securityfocus com Subject: RE: FAX a virus FAX! There is NO UDP/IP port. NO TCP/IP port. No IP Address. FAX is not IP based. Not theory at all. FUD! Craig ________________________________ From: listbounce () securityfocus com <mailto: listbounce () securityfocus com <mailto:listbounce () securityfocus com> > on behalf of anonymous () email com Sent: Fri 2/03/2007 6:31 AM To: security-basics () securityfocus com Subject: Re: FAX a virus Perhaps something along these lines: Dependant on resolving the phone number to an IP address of course, but once that information is found either through social engineering or voip probes you could use nmap to find which port is working as the fax reciever then attempt to determine the type of fax machine and from there if you knew assembly could *possibly (if the fax machine allowed remote firmware upgrades) rewrite the firmware of the machine itself but a more practical method would be to temporarily store information in the buffer of the fax machine (this would cause garbage to be printed for one thing which would be a big annoyance). And from what you have described from your setup the software itself may be vulnerable to memory bounds checks etc. You would want to research the software using lists such as this if you are truely afraid of vulnerabilities in your fax application. Again this is more theoretical then practical but you get the idea. ------------------------------------------------------------------------ --- This list is sponsored by: BigFix If your IT fails, you're out of business - or worse. Arm your enterprise with BigFix, the single converged IT security and operations engine. BigFix enables continuous discovery, assessment, remediation, and enforcement for complex and distributed IT environments in real-time from a single console. Think what's next. Think BigFix. http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ ITNext/ ------------------------------------------------------------------------ --- Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- Re: FAX a virus, (continued)
- Re: FAX a virus anonymous (Mar 02)
- RE: FAX a virus Craig Wright (Mar 06)
- RE: FAX a virus Nick Duda (Mar 06)
- RE: FAX a virus- a PS Craig Wright (Mar 06)
- RE: FAX a virus Craig Wright (Mar 06)
- RE: FAX a virus Craig Wright (Mar 02)
- RE: FAX a virus Craig Wright (Mar 06)
- FUD, risk and videotape... Craig Wright (Mar 06)
- Re: FAX a virus wesley (Mar 06)
- RE: FAX a virus Craig Wright (Mar 06)
- RE: FAX a virus Craig Wright (Mar 07)
- Message not available
- RE: FAX a virus Craig Wright (Mar 07)
- Message not available
- Re: FAX a virus anonymous (Mar 02)
- RE: FAX a virus Craig Wright (Mar 07)
- RE: FAX a virus Scott Ramsdell (Mar 07)
- RE: FAX a virus Craig Wright (Mar 07)
- Re: FAX a virus - THREAD IS NOW CLOSED Kelly Martin (Mar 07)
- RE: FAX a virus Scott Ramsdell (Mar 07)
- Message not available
- RE: FAX a virus Craig Wright (Mar 07)