<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I also recall requirements for assurance that there be no
connection between the PSTN modem (fax or data) and the network. Back when I
was selling NICs, this concern seemed remote since (as Randy suggested) it would
have required major FW changes in this case to both the MFD and the NIC, a
truly remote possibility. I don’t recall any concern over the ability to send
or receive PSTN Fax; certainly, all that was needed was to not provide a phone
line. But as Brian indicates, "Fax-network separation" with respect to incoming
products was the issue.</span></p>
<p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Of course, to an extent modern MFDs do provide this PSTN-Network
connection in that FaxIn services can direct their received products to a
network destination. Although these products are nominally images, it would
seem that this path might present a vulnerability.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Bill Wagner<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> ids-bounces@pwg.org
[mailto:ids-bounces@pwg.org] <b>On Behalf Of </b>Brian Smithson<br>
<b>Sent:</b> Saturday, August 15, 2009 7:11 AM<br>
<b>To:</b> Ira McDonald<br>
<b>Cc:</b> ids@pwg.org<br>
<b>Subject:</b> Re: [IDS] HCD_PSTN_Fax_Enabled attribute<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>I have never heard of anyone actually worrying
that a data fax connection could somehow bridge
ONTO the customer's local intranet.</pre></blockquote>
<p class=MsoNormal>"Fax-network separation" is a common requirement
for US gov't sales. It is often certified as part of common criteria
certification. We ended up covering it (in a more general way) in the 2600.1
protection profile.<br>
<br>
Regarding PSTN fax, maybe we should take a closer look at the "PSTN fax enabled"
attribute. If the issue is outbound faxing, then the attribute should be
"outbound PSTN fax enabled" because someone might want to accept
incoming faxes but not allow outgoing. Otherwise, why did they buy a fax in the
first place? If the issue is establishing a data modem connection into the
network, then maybe it should be "Data modem enabled" because, for
example, one could conceivably have a modem enabled for V.92 but disabled for
T.30.</p>
<pre>--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435</pre>
<p class=MsoNormal><br>
<br>
Ira McDonald wrote:</p>
<pre>Hi,

We appear to have talked past each other here.

I have never heard of anyone actually worrying
that a data fax connection could somehow bridge
ONTO the customer's local intranet.

But certainly allowing PSTN FAX *at all* will break
the security perimeter for classified or sensitive
documents. An authorized user (low authorization)
who is disgruntled (80+% of all security exploits per
SANS) can send a document outside the intranet.

That's a real threat, not in the least imaginary.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: <a href="mailto:blueroofmusic@gmail.com">blueroofmusic@gmail.com</a>
winter:
 579 Park Place Saline, MI 48176
 734-944-0094
summer:
 PO Box 221 Grand Marais, MI 49839
 906-494-2434


On Fri, Aug 14, 2009 at 8:46 PM, Randy Turner <a href="mailto:rturner@amalfisystems.com">&lt;rturner@amalfisystems.com&gt;</a> wrote:
</pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>In my analysis of the data/fax modem solution, it looks like the device
would have to be massively compromised to engage in such an exploit - and if
compromised to this extent, any information coming from this device
regarding its security posture is probably suspect at best, and worthless
at worst.
By "massively compromised" in the above sentence, I mean that the system
code load would probably have to be replaced with a malicious software load
and/or the system code would have to be "supplemented" by additional
significant software to cause a data/fax modem exploit to occur.
I too think that the data/fax exploit is highly unlikely, and if it does
happen, we have not provided enough posture information to detect it and
effect a change in how the device's security posture is evaluated by a
health validator.
Randy

On Aug 14, 2009, at 5:36 PM, Brian Smithson wrote:

In my previous experience with government agencies,
the primary concern about PSTN Fax was that it could be
used *from a compromised system or by a rogue walkup
user* to export documents and system configuration
information invisibly, i.e., w/out passing through a firewall
and w/out any chance of detection by smart routers
(ones with embedded firewalls).

Also known as "sending a fax"?


My understanding of the concern about PSTN fax modems is that someone could
establish a data session on the fax modem through which they gain access to
the customer network, circumventing the firewall. But I have never heard of
any actual exploits, nor even the technical possibility of an exploit, so I
consider it to be an irrational fear. I guess it's easier to visualize
someone sneaking things past a firewall through a fax modem than it is to
visualize something like XSS or SQL injection :-).

--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435

Ira McDonald wrote:

Hi Randy,

Not that I know of.

In my previous experience with government agencies,
the primary concern about PSTN Fax was that it could be
used *from a compromised system or by a rogue walkup
user* to export documents and system configuration
information invisibly, i.e., w/out passing through a firewall
and w/out any chance of detection by smart routers
(ones with embedded firewalls).

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: <a href="mailto:blueroofmusic@gmail.com">blueroofmusic@gmail.com</a>
winter:
 579 Park Place Saline, MI 48176
 734-944-0094
summer:
 PO Box 221 Grand Marais, MI 49839
 906-494-2434


On Thu, Aug 13, 2009 at 9:55 PM, Randy Turner <a href="mailto:rturner@amalfisystems.com">&lt;rturner@amalfisystems.com&gt;</a>
wrote:

Are there any documents on the internet that you guys know about that
describe existing attack vectors on PSTN/Analog Fax lines?

Randy

On Aug 13, 2009, at 6:44 PM, Ira McDonald wrote:

Hi Randy,

It's not that we don't care about IFax.

It's that all forms of Internet Fax have protocols and IP
ports that would be reported in HCD_Firewall_Setting.

But many businesses and government agencies ALSO
want to close the "back door" of PSTN Fax.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: <a href="mailto:blueroofmusic@gmail.com">blueroofmusic@gmail.com</a>
winter:
 579 Park Place Saline, MI 48176
 734-944-0094
summer:
 PO Box 221 Grand Marais, MI 49839
 906-494-2434


On Thu, Aug 13, 2009 at 9:02 PM, Randy Turner <a href="mailto:rturner@amalfisystems.com">&lt;rturner@amalfisystems.com&gt;</a>
wrote:

Hi All,

When we came up with this attribute, we included PSTN in the name, which
means we only care about PSTN fax, and not internet-fax options such as
T.38
or other fully capable iFax features.
Did we mean to do this? We only care about PSTN? Which I assume to mean
analog fax?

Randy


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
ids mailing list
<a href="mailto:ids@pwg.org">ids@pwg.org</a>
<a href="https://www.pwg.org/mailman/listinfo/ids">https://www.pwg.org/mailman/listinfo/ids</a>
</pre></blockquote>
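<p class=MsoNormal>The thread argues over how fine-grained a fax posture attribute must be before a health validator can act on it: a single HCD_PSTN_Fax_Enabled flag cannot distinguish a receive-only fax from an outbound exfiltration path, a data-modem bridge, or FaxIn forwarding received images onto the network. The following is an added example, not PWG IDS code and not a reproduction of any HCD attribute definition. It keeps only HCD_PSTN_Fax_Enabled as named in the thread; the split attributes (inbound/outbound fax, data modem, fax-forward-to-network), the policy class and the sample devices are hypothetical constructions that model the split Brian suggests. It shows that a validator given only the coarse flag must refuse a receive-only device whenever any fax capability is disallowed, while the finer attributes let it accept that device and still flag the bridging one.</p>

```python
"""Toy health-validator check for fax-related HCD posture (added example).

Attribute names other than pstn_fax_enabled are hypothetical and not part
of the IDS attribute set; policy and device data below are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FaxPosture:
    """Fax-related posture reported by one hardcopy device (HCD)."""
    # Coarse attribute, as named in the thread (HCD_PSTN_Fax_Enabled).
    pstn_fax_enabled: bool
    # Hypothetical finer-grained attributes modelling the proposed split.
    inbound_pstn_fax_enabled: bool = False
    outbound_pstn_fax_enabled: bool = False
    data_modem_enabled: bool = False       # e.g. a V.92 data session, not T.30
    fax_forward_to_network: bool = False   # FaxIn delivers images to a network destination


@dataclass(frozen=True)
class SitePolicy:
    """What the site's health validator is willing to accept (hypothetical)."""
    allow_inbound_fax: bool
    allow_outbound_fax: bool
    allow_data_modem: bool
    allow_fax_forwarding: bool


def evaluate_fine(posture: FaxPosture, policy: SitePolicy) -> List[str]:
    """Check the split attributes against policy; an empty list means compliant."""
    findings = []
    if posture.data_modem_enabled and not policy.allow_data_modem:
        findings.append("data modem enabled: PSTN-to-network path breaks fax-network separation")
    if posture.outbound_pstn_fax_enabled and not policy.allow_outbound_fax:
        findings.append("outbound PSTN fax enabled: documents can leave without crossing the firewall")
    if posture.inbound_pstn_fax_enabled and not policy.allow_inbound_fax:
        findings.append("inbound PSTN fax enabled: site policy disallows receiving faxes")
    if posture.fax_forward_to_network and not policy.allow_fax_forwarding:
        findings.append("received faxes forwarded to the network: inbound PSTN content reaches the intranet")
    return findings


def evaluate_coarse(posture: FaxPosture, policy: SitePolicy) -> bool:
    """Decide using only the single pstn_fax_enabled boolean.

    The validator cannot tell inbound from outbound from data-modem use, so
    the only safe rule is to refuse whenever fax is on and *any* fax-related
    capability is disallowed. Returns True when the device is accepted.
    """
    any_capability_disallowed = not (
        policy.allow_inbound_fax
        and policy.allow_outbound_fax
        and policy.allow_data_modem
        and policy.allow_fax_forwarding
    )
    return not (posture.pstn_fax_enabled and any_capability_disallowed)


# Constructed sample policy: receive faxes, but no sending, no modem
# sessions, and no forwarding of received images onto the network.
INBOUND_ONLY_POLICY = SitePolicy(
    allow_inbound_fax=True, allow_outbound_fax=False,
    allow_data_modem=False, allow_fax_forwarding=False,
)

# Constructed device A: receive-only fax, no modem, no forwarding.
RECEIVE_ONLY_DEVICE = FaxPosture(pstn_fax_enabled=True, inbound_pstn_fax_enabled=True)

# Constructed device B: same, but data modem and FaxIn network forwarding are on.
BRIDGING_DEVICE = FaxPosture(
    pstn_fax_enabled=True, inbound_pstn_fax_enabled=True,
    data_modem_enabled=True, fax_forward_to_network=True,
)


if __name__ == "__main__":
    for name, dev in (("receive-only", RECEIVE_ONLY_DEVICE), ("bridging", BRIDGING_DEVICE)):
        print(f"{name}: coarse accept = {evaluate_coarse(dev, INBOUND_ONLY_POLICY)}")
        print(f"{name}: fine findings = {evaluate_fine(dev, INBOUND_ONLY_POLICY) or 'none'}")
```

<p class=MsoNormal>Run stand-alone, the coarse check refuses both devices because it cannot see that device A's fax is inbound-only, while the fine check accepts device A and reports exactly the two bridging paths on device B. Randy's caveat still applies to both: the report is only as trustworthy as the firmware that produced it.</p>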
</div>
</body>
</html>