Schneier on Security

It's amazing how much the healthcare industry still relies upon faxes for distributing Protected Health Information (PHI). Not only is it a privacy issue, but could you imagine abuse of pharmaceuticals or medical procedures because of a social engineering attack? Yet, take away the fax today, and many healthcare organizations would be unable to conduct business.

A similar story happenned last year in France. I guess it's a pretty common way to get prisonners out of jail...

The article does in fact mention that the fax was missing the "standard letterhead with the WMPD logo on it". The fax header also apparently said it originated from a McDonalds. I don't know if I'd call that "trust"...

Like that last comment said, the fax machine probably isn't the weak link here. It's not as if this is a new idea -- the most successful escape attempt from Alcatraz was based on forged release orders.

Mark one up for Social Engineering (SE) Attacks! - The human is the weakest link and is very vulnerable to things that shouldn't make sense!

Israel Torres

Setting aside for the moment the reasons that this fax (and the many release-papers forgeries that have preceded it) should have been recognized as a fake, I think that faxes in general are perceived as trustworthy because most people experience fax machines as closed systems, with neither directories to send to any arbitrary unauthorized destination nor arbitrarily-settable sender information. (That the experience is contrary to fact is a minor nit.)

I was thinking about this the other day when I had to fax a legal document overseas. It would have been easier and cheaper to just email the scan to the recipient for printing, but that embedded timestamp and sender information added a veneer of authenticity that a printed PDF attachment couldn't match.

As sender-address spoofing becomes even more common -- From: headers, caller-ID, fax headers -- when will people finally stop relying on the transmission infrastructure for (apparent) authentication?

I am consistantly amazed by the number of small businesses (especially law offices) where the FAX is the responsibility of the front- desk receptionist. FAXes come out and are stacked for pickup in the front- office waiting area. Anybody who walked in the door could look them over.

Wow. Even if they had had a system that included certain special official "marks" and such, allowing someone to be released simply with a fax seems, uh, not too bright. The same goes for (as a prior person has commented) the notion that 'the fax came from the right number'

One would think that a required call-back to a predetermined, pre-validated number at the _very_ least would be required.

--Kevin

hi hacking faxes i am logan known as scott engle. believe it!

I would like to have some more information about fax hacking in general.

Is it possible to enter a faxmachine by remote services ?

Is it also possible to enter a faxnumber through hacking the protocal of the remote services from the faxmichine?

Hello Rick,

What do you exactly mean by "enter a faxmachine".
With remote services it is quite easy to change the fax settings or to inspect (parts) of the fax memory. It certainly is possible to add or modify fax numbers stored in the remote machine, if the machine is equiped with remote service possibilities (and most machines do), unless the fax is connected through some fax firewall.
Occasionaly you can also read "private" fax mailboxes because passwords are stored in plain ASCII. What would you like to modify in the fax machine?

Another fine example of creativity and another demonstration that software is not a security solution, no matter how much of it you buy!

Hello.
This message is for Ricky and George, about messages posted on May 1, 2006 and June 30, 2006, talking about the possibility to enter in remote fax machine.
For "enter in fax machine" i mean that with a regular modem class2 is possible to dial a fax machine, every where in the world, and send, trought some commands, setup, configuration, store numbers, etc.
But really exist a procedure for make it?
Can be send a fax to remote fax machine that is not regular fax but a command sequence for configure it or trought AT commands?
For example configure a callback number for dial a schedule time or send fax a schedule time?
Thanks you.

Hello again.
I have forgot to write a side of message.
One month ago, I have receive my phone bill. I have a regular fax machine (HP multifuncion).
With big surprise i have seen 6 international calls to some numbers.
I have try with tech assistance to retrieve info from the fax with report, etc. But totally empty. No trace about these calls.
After 2 weeks talking with others people in the same city, happened the same with them.
No fax was sent, simple dial call, because the duration of calls was 2-3 seconds.
Then I would like to know how is possible this?

Thanks you.