Security Basics mailing list archives

RE: FUD - was FAX a virus


From: "Craig Wright" <cwright () bdosyd com au>
Date: Wed, 7 Mar 2007 09:39:56 +1100


Here we have reached consensus!

I personally see the database as the BIGGEST hole in most firms - and
the least checked/secured item as well. It amazes me how many people in
the "security professions" do not have the slightest idea of what occurs
in the RDBMS.

Too many database admins seem to "own" the databases they run and are
offended when somebody comes to check how they run it.

Too much focus is placed on the web site, the network admin, etc., right
when the thief is running down the corridor with the crown jewels (i.e.
the data).

Regards,
Craig

-----Original Message-----
From: wesleymcgrew () gmail com [mailto:wesleymcgrew () gmail com] On Behalf
Of Robert Wesley McGrew
Sent: Wednesday, 7 March 2007 9:28 AM
To: Craig Wright
Cc: TheGesus; security-basics () securityfocus com;
alcides.hercules () gmail com; Scott.Ramsdell () cellnet com; Bob Radvanovsky
Subject: Re: FUD - was FAX a virus

On 3/6/07, Craig Wright <cwright () bdosyd com au> wrote:

Sorry, wrong.

Apologies, I was on the train of thought of email and attachments of
images and such and thought you were asking about that.

But that's neither here nor there.  I never disagreed with your
description of how faxes work, nor with how it'll strip a document of
everything but a scanned representation of how it looks.  If that's
the final representation and usage of that image, then you're right,
it's game over for an attacker. My position is that what you do with
that scanned image after that is something that deserves some
attention.

If an organization, for the sake of automation, extracts textual data
from this image via OCR, and stores it, or uses it as input for some
process, then I feel this data should be subject to the same amount of
scrutiny and filtering as one would apply to web-based inputs.  Same
attack, different entry point.

--
Robert Wesley McGrew
http://mcgrewsecurity.com

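The point both messages converge on, that text pulled out of a faxed image by OCR and pushed into the database deserves the same allow-list validation and parameterised queries as a web form field, as an added Python example that is not part of this thread; the field names, the accepted patterns and the sample OCR output are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample: what an OCR pass might return for a faxed order form.
# The reference field is deliberately malformed, as OCR noise or a hostile
# sender could make it; it must never reach the SQL engine as code.
OCR_FIELDS = {
    "account": "ACC-10042",
    "reference": "PO 7781' OR 1=1 --",
}

# Allow-list patterns for each field, exactly as a web input filter would use.
FIELD_PATTERNS = {
    "account": re.compile(r"^ACC-\d{5}$"),
    "reference": re.compile(r"^PO \d{4,6}$"),
}


def validate_ocr_field(name, value):
    """Apply the same allow-list check to OCR output as to a web form field."""
    cleaned = value.strip()
    if not FIELD_PATTERNS[name].fullmatch(cleaned):
        raise ValueError(f"rejected OCR field {name!r}: {value!r}")
    return cleaned


def build_db():
    """In-memory orders table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (account TEXT, reference TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("ACC-10042", "PO 7781", 1200), ("ACC-10043", "PO 7782", 3400)],
    )
    return conn


def lookup_order(conn, account, reference):
    """Parameterised query: OCR text is bound as data, never spliced into SQL."""
    account = validate_ocr_field("account", account)
    reference = validate_ocr_field("reference", reference)
    row = conn.execute(
        "SELECT amount FROM orders WHERE account = ? AND reference = ?",
        (account, reference),
    ).fetchone()
    return row[0] if row else None


def process_fax(conn, fields):
    """Return the order amount, or None when any OCR field fails validation."""
    try:
        return lookup_order(conn, fields["account"], fields["reference"])
    except ValueError:
        return None
```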

