[IDS] HCD_PSTN_Fax_Enabled attribute

Randy Turner rturner at amalfisystems.com
Sat Aug 15 00:46:14 UTC 2009


In my analysis of the data/fax modem solution, it looks like the  
device would have to be massively compromised to engage in such an  
exploit - and if compromised to this extent, any information coming  
from this device regarding its security posture is probably suspect
at best, and worthless at worst.

By "massively compromised" in the above sentence, I mean that the  
system code load would probably have to be replaced with a malicious  
software load and/or the system code would have to be "supplemented"  
by additional significant software to cause a data/fax modem exploit  
to occur.

I too think that the data/fax exploit is highly unlikely, and if it
does happen, we have not provided enough posture information to detect  
it and effect a change in how the device's security posture is  
evaluated by a health validator.

Randy


On Aug 14, 2009, at 5:36 PM, Brian Smithson wrote:

>> In my previous experience with government agencies,
>> the primary concern about PSTN Fax was that it could be
>> used *from a compromised system or by a rogue walkup
>> user* to export documents and system configuration
>> information invisibly, i.e., w/out passing through a firewall
>> and w/out any chance of detection by smart routers
>> (ones with embedded firewalls).
> Also known as "sending a fax"?
>
>
> My understanding of the concern about PSTN fax modems is that  
> someone could establish a data session on the fax modem through  
> which they gain access to the customer network, circumventing the  
> firewall. But I have never heard of any actual exploits, nor even  
> the technical possibility of an exploit, so I consider it to be an  
> irrational fear. I guess it's easier to visualize someone sneaking
> things past a firewall through a fax modem than it is to visualize  
> something like XSS or SQL injection  :-).
> --
> Regards,
> Brian Smithson
> PM, Security Research
> PMP, CSM, CISSP, CISA, ISO 27000 PA
> Advanced Imaging and Network Technologies
> Ricoh Americas Corporation
> (408)346-4435
>
>
> Ira McDonald wrote:
>>
>> Hi Randy,
>>
>> Not that I know of.
>>
>> In my previous experience with government agencies,
>> the primary concern about PSTN Fax was that it could be
>> used *from a compromised system or by a rogue walkup
>> user* to export documents and system configuration
>> information invisibly, i.e., w/out passing through a firewall
>> and w/out any chance of detection by smart routers
>> (ones with embedded firewalls).
>>
>> Cheers,
>> - Ira
>>
>> Ira McDonald (Musician / Software Architect)
>> Chair - Linux Foundation Open Printing WG
>> Blue Roof Music/High North Inc
>> email: blueroofmusic at gmail.com
>> winter:
>>   579 Park Place  Saline, MI  48176
>>   734-944-0094
>> summer:
>>   PO Box 221  Grand Marais, MI 49839
>>   906-494-2434
>>
>>
>>
>> On Thu, Aug 13, 2009 at 9:55 PM, Randy Turner <rturner at amalfisystems.com> wrote:
>>
>>> Are there any documents on the internet that you guys know about that
>>> describe existing attack vectors on PSTN/Analog Fax lines?
>>>
>>> Randy
>>>
>>>
>>> On Aug 13, 2009, at 6:44 PM, Ira McDonald wrote:
>>>
>>>
>>>> Hi Randy,
>>>>
>>>> It's not that we don't care about IFax.
>>>>
>>>> It's that all forms of Internet Fax have protocols and IP
>>>> ports that would be reported in HCD_Firewall_Setting.
>>>>
>>>> But many businesses and government agencies ALSO
>>>> want to close the "back door" of PSTN Fax.
>>>>
>>>> Cheers,
>>>> - Ira
>>>>
>>>> Ira McDonald (Musician / Software Architect)
>>>> Chair - Linux Foundation Open Printing WG
>>>> Blue Roof Music/High North Inc
>>>> email: blueroofmusic at gmail.com
>>>> winter:
>>>>  579 Park Place  Saline, MI  48176
>>>>  734-944-0094
>>>> summer:
>>>>  PO Box 221  Grand Marais, MI 49839
>>>>  906-494-2434
>>>>
>>>>
>>>>
>>>> On Thu, Aug 13, 2009 at 9:02 PM, Randy Turner <rturner at amalfisystems.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> When we came up with this attribute, we included PSTN in the name, which
>>>>> means we only care about PSTN fax, and not internet-fax options such as
>>>>> T.38 or other fully capable iFax features.
>>>>> Did we mean to do this? We only care about PSTN? Which I assume to mean
>>>>> analog fax?
>>>>>
>>>>> Randy
>>>>>
>>>>>
>>>>> --
>>>>> This message has been scanned for viruses and
>>>>> dangerous content by MailScanner, and is
>>>>> believed to be clean.
>>>>>
>>>>> _______________________________________________
>>>>> ids mailing list
>>>>> ids at pwg.org
>>>>> https://www.pwg.org/mailman/listinfo/ids
>>>>>
>>>>>
>>>
>>
>>

