Security Basics mailing list archives

RE: FUD - was FAX a virus


From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 6 Mar 2007 09:02:18 +1100


Scott has stated - "Is that a risk?  You can determine that by
evaluating how the Windows process operates.  I'm assuming it's a
service on your box.  You will want that service to launch with an
unprivileged user account, not the local system account."

This is not a risk. This is a possible vulnerability. A risk is the
chance that a threat will exploit a vulnerability.

Thus again as was stated, this needs to be a risk based response. The
threat needs to be considered. The impact needs to be taken into
account.

Scott, Yes, as you state you are making assumptions. You also fail to
read the emails. Assumptions are dangerous and it is always better to
clear the issue and not make assumptions.

Regards,
Craig

-----Original Message-----
From: Scott Ramsdell [mailto:Scott.Ramsdell () cellnet com]
Sent: Tuesday, 6 March 2007 3:34 AM
To: Scott Ramsdell; Craig Wright; security-basics () securityfocus com
Cc: alcides.hercules () gmail com; wesley () mcgrewsecurity com
Subject: RE: FUD - was FAX a virus

Alcides,

I would like to take the time to address your concern more fully.

From your original email (which didn't seem to warrant inclusion below
Craig's tirade which he appears to have been simultaneously writing and
ignoring), I'll sum up what some of us interpreted as your environment.

You receive faxes that you want to extract information from.  You have a
process that uses OCR (you didn't mention this but I'm making the
assumption) to identify interesting fields in the fax, and you then read
those fields into your system for processing.

When you identify a field and read it, you are going to want for your
system to validate the input.  So, in a name field, ensure that only
valid characters are accepted.

If you have a field that requires special characters, such as the
parenthesis or dashes in a phone number field, you will want to take
care that only those special characters are allowed through.  If you
allow forward slashes and periods through for instance, you run the risk
of passing http://my.bad.code to your Windows service.  If you allow the
asterisk and parenthesis through, you run the risk of allowing SQL
injection passed to your service.

Is that a risk?  You can determine that by evaluating how the Windows
process operates.  I'm assuming it's a service on your box.  You will
want that service to launch with an unprivileged user account, not the
local system account.

If your process stores the information you extract (likely), it may
store the info in a SQL database.  That is where the concern would be
that your front end service is passing a ("an" if you want) SQL command
to your back end server.

Is that a concern?  The communication is one-way as Craig so eloquently
pointed out.  But what if the command is to drop a database?  In that
case there was never any intention of receiving data back, it's a
malicious vandalism of your database.

Yes, you do have concerns.  You should shoot the Pen Test list an email
with specific info on what your process extracts, how it identifies
interesting fields, how it runs on your box, and how it stores the
results.

Likely you are not the first person doing what you're doing, and likely
someone on the Pen Test list has seen something similar.  If not, they
will at least be able to offer more advice, tailored to your specific
situation.

I'm through with this thread, somehow being called unprofessional is a
turn-off.

Kind Regards to most,
Scott Ramsdell
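Scott's advice above (allowlist the characters each OCR'd field may contain, and treat what the front-end hands to the back-end SQL store as untrusted) is easy to get wrong in the details, so here is an added, self-contained illustration. It is not code from anyone in this thread; the field names, the regular expressions, the sqlite3 in-memory store and the sample OCR output are all assumptions made for the example.

```python
"""Allowlist validation of OCR'd fax fields plus parameterised storage.

Added example for this thread, not the original poster's code.  The field
names ("name", "phone"), the allowlist patterns, the sqlite3 table and the
sample records below are assumptions constructed for illustration.
"""
import re
import sqlite3

# One allowlist per field: the ONLY characters the field may contain.
# A name is letters, spaces, hyphens and apostrophes; a phone number is
# digits plus the exact punctuation the form uses.  Anything else (slashes,
# periods, quotes, semicolons, asterisks, ...) is rejected, not "cleaned".
FIELD_RULES = {
    "name": re.compile(r"^[A-Za-z][A-Za-z' -]{0,79}$"),
    "phone": re.compile(r"^\(?\d{3}\)?[ -]?\d{3}-?\d{4}$"),
}


class InvalidField(ValueError):
    """Raised when an OCR'd value fails its field's allowlist."""


def validate(field, value):
    """Return the stripped value if it matches the field's allowlist."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise InvalidField(f"unknown field {field!r}")
    value = value.strip()
    if not rule.fullmatch(value):
        raise InvalidField(f"{field} rejected: {value!r}")
    return value


def open_store():
    """Assumed back-end: an in-memory sqlite3 table standing in for the SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faxes (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)"
    )
    return conn


def store(conn, name, phone):
    """Validate both fields, then insert with bound parameters (never string-built SQL)."""
    name = validate("name", name)
    phone = validate("phone", phone)
    conn.execute("INSERT INTO faxes (name, phone) VALUES (?, ?)", (name, phone))


def process_batch(records):
    """Run a batch of (name, phone) pairs; return (rows stored, rejection messages)."""
    conn = open_store()
    rejected = []
    for name, phone in records:
        try:
            store(conn, name, phone)
        except InvalidField as exc:
            rejected.append(str(exc))
    count = conn.execute("SELECT COUNT(*) FROM faxes").fetchone()[0]
    conn.close()
    return count, rejected


def parameters_are_data():
    """Defence in depth: even if validation were bypassed, a bound parameter
    is stored literally and never parsed as SQL.  Returns True when the
    hostile string comes back unchanged and the table still exists."""
    conn = open_store()
    hostile = "x'); DROP TABLE faxes; --"
    conn.execute("INSERT INTO faxes (name, phone) VALUES (?, ?)", (hostile, "0000000000"))
    row = conn.execute("SELECT name FROM faxes").fetchone()
    conn.close()
    return row is not None and row[0] == hostile


# Constructed sample OCR output: two clean records, then a name carrying an
# injection attempt and a phone field carrying a URL (both must be rejected).
SAMPLE = [
    ("Alcides Hercules", "(555) 123-4567"),
    ("O'Brien", "555-123-4567"),
    ("x'); DROP TABLE faxes; --", "555-123-4567"),
    ("Mallory", "http://my.bad.code"),
]

if __name__ == "__main__":
    stored, bad = process_batch(SAMPLE)
    print(f"stored {stored} record(s); rejected {len(bad)}:")
    for msg in bad:
        print("  ", msg)
    print("bound parameters treated as data:", parameters_are_data())
```

The two layers are deliberately independent: the allowlist stops the hostile values before they ever reach the store, and the parameterised INSERT means that a value which somehow slipped past validation would still be stored as text rather than executed, which is the "drop a database" case Scott raises. Note that the allowlist is a fullmatch against the whole field, so a dangerous character anywhere in the value rejects it; a rule that only searched for "bad" characters would be the wrong way round.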

-----Original Message-----
From: Scott Ramsdell
Sent: Monday, March 05, 2007 8:12 AM
To: 'Craig Wright'; security-basics () securityfocus com
Cc: alcides.hercules () gmail com; wesley () mcgrewsecurity com
Subject: RE: FUD - was FAX a virus

Craig,

You don't get it.

The concerns expressed weren't regarding the method of transmission.
The concerns were with respect to the Windows service that accepts the
input.

From what Alcides says, he has a fax server (this will convert from
analog to digital, BTW) and he has a process running on a Windows box
that accepts input from the fax server.

I merely cautioned him about properly sanitizing the input from the fax
server to the Windows service!  Very valid concern.

Alcides, shoot your question over to the Pen Test list, that way you'll
get a technical response rather than a reply from a lawyer.

Kind Regards,
Scott Ramsdell


-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Friday, March 02, 2007 3:11 PM
To: security-basics () securityfocus com
Cc: alcides.hercules () gmail com; Scott Ramsdell;
wesley () mcgrewsecurity com
Subject: FUD - was FAX a virus


Hello,

The idea of faxing a virus is ludicrous and this demonstrates the FUD in
the industry. I have to state that I am amazed that people here are even
considering this seriously! In other words, that people are willing to
comment on a technology with no idea how it works without even taking
the time to check the facts.

This is one of the systemic faults within the security industry at the
moment.

The initial question was Ok. It demonstrates that the person wanted to
learn. The responses demonstrate that people are willing to open their
mouth without first checking the facts. This is a bad thing - please
understand this.

A Facsimile is an analogue device - it does not send digital information
and it cannot even send the same information twice. Not EVER! More on
this later.

Some history seeing as a lesson seems to be needed. (Responding without
checking facts - bah - as you can see this is a pet hate, people in
security need to take the time to LEARN the truth and not make FUD).

History of the Fax. (A very condensed version)

Alexander Bain (1818-1903)

In 1843 invented a precursor that used two pens connected by an
electrical wire to send information.

In 1862 (correct me if this date is wrong) Giovanni Caselli made the
first pantelegraph to electronically send photos.

? On date, but about 1880. Elisha Gray (founder of the Western Electric
Company) patented a simple (though it took a room to hold and oft caught
on fire) facsimile transmission system.

Arthur Korn (1870-1945) sent the first inter-city fax in 1907 using a
"telephotographer" to send photos from Munich to Berlin.

And so it goes till Xerox got into the picture in 1964 with Long
Distance Xerography (LDX) and shortly after with the Magnafax Telecopier
(weighing only 46 pounds) in 1966. This was where we have what is
essentially a "modern" facsimile machine.

How does a Fax machine work? (First faxes in general, then computers)

A fax is a scan of a block of the image to be sent. The scan is analogue
in that the intensity of the tone is converted to a digital signal. This
scan is impacted by ambient temperature, lighting conditions and many
other factors - although none of these will make any difference that the
human eye can note.

This signal is sent as an electronic wave function. Again, analogue and
not digital. It is converted (taking phone line faxes and excluding
radio fax in this case) as a signal similar to a modem communication
that is transmitted to a sound wave if you listen to this on a phone.

Line conditions always impact the transmission. A white noise function
creates variations in the wave form that reflects the error rate on the
page.


In a computer fax card or program, this is interpreted and converted to
make the digital image. The image varies each and every time that a fax
is sent and it is not possible for the sender to control all conditions
to ensure that any stream of information comes out the same.


If you do not believe this statement I have to have you read up on
Quantum chromodynamics, and Quantum wave physics and Uncertainty. (This
is a topic best off list for any of you who want to chat more on a very
interesting subject).

Basically, this is a probabilistic function. If for a SPECIFIC card in a
SPECIFIC computer a SPECIFIC set of code could be sent to that machine
that could cause some unknown fault (let alone a virus), the sender needs
also to be able to control the line between the receiver and him/herself.


Probabilistically we are talking a 1 in 10^34 or larger chance of being
able to control all these conditions EVEN if there was a specific piece
of code (which has never been shown to exist or even be feasible) of
controlling all the required conditions. There is a larger probability
that all the electrons and quarks in both your body and those of the
wall will somehow align just as you walk into the wall - allowing you to
pass through it as if the wall were not there.

So to reiterate (to the tune of Monty Python's SPAM).


FUD, FUD, FUDity FUD....

Now, to the real issue. (Yes time to get on my soapbox AGAIN).

Security "professionals" do not make FUD. Security "professionals" do
not propagate FUD. Security "professionals" check the facts BEFORE going
off half cocked with a story that is about as likely as an alien
abduction. Please check the facts before damaging the industry as a
whole.

I do say industry as a whole for this. Each time we state something that
is not scientific and has no basis in fact designed to make others
perceive an exaggerated sense of risk associated with a theoretical
condition, we make FUD. In doing this, we lower the standing of all
"security professionals."

To even state - "the threat is extraordinarily low" is an exaggeration.
If all worlds possible in all galaxies in the known universe all have
all their people sending faxes for all the life of the universe, then
the chance of sending information in the manner suggested is still
approximately zero. This is even with modern error correction
techniques.


So to even make this an issue is FUD. Risk first needs a threat, a
threat needs an impact and a probabilistic likelihood. If these are all
close to zero, then the risk is zero.

Facts first - facts second and then make the decision based on reality.
FUD and an exaggeration of risk is one of the greatest evils today.
Please do not jump on this bandwagon!

Please let's start acting like Security "professionals".

Regards,

Craig S Wright




PS FUD = bad - please remember, FUD = bad...


Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential. If you are not the intended recipient, you must not use or
disclose the information. If you have received this email in error,
please inform us promptly by reply email or by telephoning +61 2 9286
5555. Please delete the email and destroy any printed copy.


Any views expressed in this message are those of the individual sender.
You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.