Why Faxing is Less Secure Than Email
-
@BRRABill said in Why Faxing is Less Secure Than Email:
Security of faxing and its place in a HIPAA discussion, as you have said many times, are not related.
Mailing a letter via USPS is super not secure, but considered acceptable for HIPAA.
Right, faxing is totally allowed under HIPAA, but not when someone is trying to be secure. That it is allowed is one thing, but email would be allowed as well given that it is an improvement over faxing. HIPAA doesn't make real specific requirements, only levels of effort and the effort demanded is far below business standards.
-
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well everyone loves cat videos, now you're watching everything they do their computer, not just email.
-
@scottalanmiller said
but email would be allowed as well given that it is an improvement over faxing.
Good luck documenting and proving that as reasoning for use.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Faxing is totally open an unsecured from the device through the network to the other device. It is analogue and well defined standard that any old fashioned modem, fax machine or similar can reproduce.
Tapping fax lines is the easiest method of accessing them. Faxes go our over lines that cannot be secured and can be tapped without physical access. PHI in transit is essentially, exclusively a "local" activity either to the recipient or to the sender, and both sides of a fax transaction have to be completely exposed. Even if the building is secured, the external phone lines are not and those are where the biggest vulnerabilities are.
Fax lines are also vulnerable to a man in the middle attack due to the lack of authentication. If someone is being targeted, the opportunity to intercept a fax and repeat it on is trivial, unlike phone calls where you have to speak "live" to the person on the other end.
Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Some people mention concerns around the security of email in transit with the ISP. But this is moot as faxes have to transit the same ISPs and if the ISP themselves are the thread, both cases leave us totally exposed to that threat. So while this is a valid concern, it is not "more" of a concern with one approach or the other.
I agree, this is not part of the concern.
-
@Dashrender said
Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.
Pretty easy to get access to phone lines if you are in any sort of business complex.
-
Another massive factor is that email is sent to a person, faxes are sent to a machine. The machine might be shared, might be insecure, might be unmonitored, might be in a public space, etc. Mailboxes can be as well, in theory, but the idea is that a person is supposed to hand over a mailbox for a person or a role. Faxing do not work this way. People do not have their own lines, faxes, etc. They never have and faxes were never expected to work like that.
This makes for a fundamental difference in security. One goes to whom you intended it to go to, one goes to the machine you intended it to go to... and immediately gets automatically translated into paper and left there for anyone to find.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well everyone loves cat videos, now you're watching everything they do their computer, not just email.
I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.
You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?
-
@BRRABill said in Why Faxing is Less Secure Than Email:
@Dashrender said
Tapping a phone line once it reaches a neighborhood hub is anything is trival I'm guessing. But the main point that I want to point out here is that tapping a phoneline requires physical access to something, somewhere in the path to make happen. This requirement makes the cost significantly higher than trying to get access to say email, through the previously mentioned malware attack.
Pretty easy to get access to phone lines if you are in any sort of business complex.
Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!
-
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
It is different and I mentioned that both are affected but it is harder to do so with email. For example, email normally has a logical name in some portion of the email field, not just a random number string. Email is far easier to remember and verify. Email is typically stored in more secure ways.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Another massive factor is that email is sent to a person, faxes are sent to a machine. The machine might be shared, might be insecure, might be unmonitored, might be in a public space, etc. Mailboxes can be as well, in theory, but the idea is that a person is supposed to hand over a mailbox for a person or a role. Faxing do not work this way. People do not have their own lines, faxes, etc. They never have and faxes were never expected to work like that.
This makes for a fundamental difference in security. One goes to whom you intended it to go to, one goes to the machine you intended it to go to... and immediately gets automatically translated into paper and left there for anyone to find.
While that's generally true, it's not exclusively so. Just look at FreePBX. DID's could be set to listen for fax tones on a DID line and intercept the fax then forward it onto the individual.
But as you said, that's a rare exception, definitely not normal.
But I think the purpose of faxes, at least in a medical facility are intended for the practice at large, not an individual. If we moved things over to an email, we'd have to have a group email address used, one that dispersed the message to many people to ensure work was being accomplished and not halted because someone was on vacation.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
Open Email is, of course, not super secure but is very secure compared to faxing. Even insecure email scenarios standardly have email servers at a different location than the place from which the email is sent initially. And the connection between sending and MTA is usually secure and can always be in cases where we are concerned about security. This trivially eliminates the possibility of location based attack on the sending side.
No it doesn't. If you are targeting someone, you send them an ebomb and infect their computer, because, well everyone loves cat videos, now you're watching everything they do their computer, not just email.
I don't even know what you are disputing here. If you are saying that email gets spam, so do fax machines. I've gotten plenty of fax spam over the years.
You say that it does not eliminate location based attacks but mention cat videos from a non-location attack. What is that comment in reference to?
You said you can location attack a fax machine - presumably because it can't/doesn't move, but then say you can't location attack an email user. I say you can attack an email user, by attacking their computer - then I mentioned one way to attack them, by sending them a malware email, infecting their machine and now you have access to their email. You can't do that to a fax machine that I know of. Though it would be funny to hear of phone line delivered update/virus to a fax machine's computer parts that after it receives a fax, it keeps it in memory, then dials another number and sends it to them... lol
-
Continuing from the other thread: Scott's now claiming (I think at least) that sending emails over non TLS, non encrypted connections over the internet is completely fine, and does not put you at any legal risk from HIPAA - he believe this because faxing does not require any type of encryption. And While I understand his argument, I simply don't agree - and personally can't wait for a court case to see the fireworks - Scott's lawyer would claim faxing has no security, therefore email doesn't require any.
I totally agree and would never allow a shop to use faxing. Because of exactly what you describe. Sure the auditor might allow it, but if my data got exposed OR I found out that people were willing to violate my security rights of my PHI by sending it over fax, you might have a case on your hand and have to defend not taking even the most rudimentary security precautions. No matter what your auditor believes is okay, the question will be "will a judge?"
My point in the other thread is that if fax is okay, email is by extension. I've never said that faxing is in any way a minimally acceptable bar for security and is the absolute absence of security itself.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
@scottalanmiller said in Why Faxing is Less Secure Than Email:
A lot of people mention the total lack of authentication with faxing as a means of breaching security, but this is normally mentioned in the context of mistakes and is countered with the fact that obscurity makes that a non-issue. And that is basically true, the same goes for email, the chances that you would type in a keying error and get a real email address and one that would exploit the contents of the email are super low. So that's negligible in both cases.
However, what is often ignored, is that the real risk is in tricking people into using the wrong phone number. We are talking about focused security attacks here, in both cases. This is not someone trying to access stored data, this is about data in transit. If you want to get a fax sent to the wrong number, you use social engineering to get people to send to the wrong number. Same can happen with email, but it is likely harder. Fax numbers are totally anonymous, have zero authentication and involve "tossing the critical security data over the wall" and hoping for the best. It's blind, and no secure process can be blind.
Email is no different in this regard.
It is different and I mentioned that both are affected but it is harder to do so with email. For example, email normally has a logical name in some portion of the email field, not just a random number string. Email is far easier to remember and verify. Email is typically stored in more secure ways.
But people can make up anything they want for an email address on google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
While that's generally true, it's not exclusively so. Just look at FreePBX. DID's could be set to listen for fax tones on a DID line and intercept the fax then forward it onto the individual.
That's very true. And hosted fax can mitigate a lot more risk. But we are doing that by not being fax any longer. Literally... FreePBX and hosted fax solutions secure fax by... turning it into email!!
So the best way to secure fax is to replace it with email, I totally agree.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
But people can make up anything they want for an email address on google, then use that unverifiable address to get something sent to them... just like calling and giving a fax number.
Not in the real world. Go look at a list of email addresses that are used by people (NOT intentional spam catching accounts.) Some are random but very, very few. Most involve part of a name or something that identifies someone... they are things that can be remembered even if they are random-ish. I've never seen a truly random email address that was used. But every fax number is just a number, totally random.
-
@scottalanmiller said in Why Faxing is Less Secure Than Email:
@Dashrender said in Why Faxing is Less Secure Than Email:
While that's generally true, it's not exclusively so. Just look at FreePBX. DID's could be set to listen for fax tones on a DID line and intercept the fax then forward it onto the individual.
That's very true. And hosted fax can mitigate a lot more risk. But we are doing that by not being fax any longer. Literally... FreePBX and hosted fax solutions secure fax by... turning it into email!!
So the best way to secure fax is to replace it with email, I totally agree.
We haven't received paper faxes in my office for more than 10 years - it's all saved to a network share. but the rest of the insecurity is there.
-
@Dashrender said in Why Faxing is Less Secure Than Email:
But I think the purpose of faxes, at least in a medical facility are intended for the practice at large, not an individual. If we moved things over to an email, we'd have to have a group email address used, one that dispersed the message to many people to ensure work was being accomplished and not halted because someone was on vacation.
True, but if that is so you have the ability to secure that group far more extensively, control access by person, have access rules, routing rules, etc. Things that faxing cannot do. Even when it is bad, email retains security advantages.
