RE: fax software in the domain

From: Rocky Heckman (rocky.he_at_g-wizinnovations.com)
Date: 07/30/04

  • Next message: Handy, Mark (IT): "RE: AD in the DMZ . . . OK?"
    To: "'Henry, Christopher M.'" <chenry@radiologycorp.com>, "'Philip Wagenaar'" <p.wagenaar@accon.nl>, <security-basics@securityfocus.com>
    Date: Fri, 30 Jul 2004 15:49:40 +1000
    
    

    *IF* you have a PBX that can do this, and you can guarantee that the system
    will not answer the phone, sure this is fine. However, if you don't' have a
    PBX that can do this, and/or you must also receive faxes on that modem
    (preventing you from turning off the answer feature), then the overkill is
    required.

    RH

    -----Original Message-----
    From: Henry, Christopher M. [mailto:chenry@radiologycorp.com]
    Sent: Wednesday, 28 July 2004 5:00 AM
    To: Philip Wagenaar; security-basics@securityfocus.com
    Subject: RE: fax software in the domain

     
    I have been reading through all these posts and I am wondering if this
    is not a bit of over kill. I have 3 computers on my network that require
    the use of a modem. The only steps I took were

            1. make sure the app or the PC does not answer calls
            2. In my PBX I only allow out going calls over this line

    It would be a pain in ass to try to maintain a second security policy
    for these PC and really I don't want to deal with it. Also to the
    outside the modems are invisible so there is really no way for an
    attacker to dial in. Even if you don't have a PBX, as long as nothing
    answers the modem line everything be fine, after all what are they going
    to do ring your modem to death?

    This communication is intended only for use by the addressee. It may
    contain confidential or privileged information. If you are not the
    intended recipient, please contact us immediately and then delete this
    message from your system. You should not copy or use it to disclose its
    contents to any other person. Thank you.

     

    -----Original Message-----
    From: Philip Wagenaar [mailto:p.wagenaar@accon.nl]
    Sent: Tuesday, July 27, 2004 3:15 AM
    To: security-basics@securityfocus.com
    Subject: Betr.: RE: fax software in the domain

    Hi,

    Usually the phone numbers of a company are in the same range, the same
    way usually as they IP addressed that they get assigned from their ISP.

    An attacker might look up your company's phonenumber and try to dial the
    numbers below and above it.

    Ie. your company's phonenumber is 555-2345. An attacker might try all
    the numbers in the 555-234x range.

    You could add an extra layer of security by changing by connecting the
    fax to a phoneline with a phonenumber that is not 'near' your company's
    phonenumber(s).

    So if your company's phonenumber is 555-2345, the faxline would have a
    totally diffrent number like 555-8896.

    Met vriendelijke groet,

    Philip Wagenaar
    Junior Projectleider ICT

    AccoN Accountants & Adviseurs
    ICT Project Bureau
    Postbus 5090
    6802 EB Arnhem
    The Netherlands

    tel. +31 (0)26-3842384
    fax. +31 (0)26-3630222
    mobile: +31 (0)6-25388935
    MSN/E-mail: p.wagenaar@accon.nl
    Yahoo: philip_wagenaar
    http://www.accon.nl

    >>> "Depp, Dennis M." <deppdm@ornl.gov> 26-07-04 19:50 >>>
    Ensure the modem is not configured to accept incoming calls. Also don't
    allow bridging or connection sharing on this pc. I don't know if its
    possible to restrict access to ISPs or not.

    Dennis

    -----Original Message-----
    From: Juan B [mailto:juanbabi@yahoo.com]
    Sent: Saturday, July 24, 2004 6:06 AM
    To: security-basics@securityfocus.com
    Subject: fax software in the domain

    Hi,

    Im my domain we have w2k servers and the workstations we use xp pro.

    On the station of one employee he must use also a fax with a modem
    connected to the telefhone line.

    I think that this is a security problem.

    I cant remove the fax from his pc .my question is what are the steps to
    protect this pc from being a security problem to all the network ?

    thanks !!

                    
    __________________________________
    Do you Yahoo!?
    Yahoo! Mail is new and improved - Check it out!
    http://promotions.yahoo.com/new_mail

    ------------------------------------------------------------------------

    ---
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off any course! All of our class sizes are guaranteed to be 10 students
    or less to facilitate one-on-one interaction with one of our expert
    instructors.
    Attend a course taught by an expert instructor with years of
    in-the-field pen testing experience in our state of the art hacking lab.
    Master the skills of an Ethical Hacker to better assess the security of
    your organization.
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    ----
    ------------------------------------------------------------------------
    ---
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off
    any course! All of our class sizes are guaranteed to be 10 students or
    less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of
    in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html 
    ------------------------------------------------------------------------
    ----
    ##################################################################
    Dit e-mailbericht is uitsluitend bestemd voor de geadresseerde.
    De informatie hierin is vertrouwelijk, zodat het derden niet is
    toegestaan om daarvan kennis te nemen of dit te verstrekken aan
    andere derden. Indien u dit e-mail bericht ontvangt terwijl het
    niet voor u bestemd is, verzoeken wij u contact op te nemen met
    de afzender en de informatie te verwijderen van iedere computer.
    Bij voorbaat dank. 
    ==================================================================
    The information transmitted in this e-mail is intended only for
    the person or entity to which it is addressed and contains
    confidential information. Any review, retransmission or other
    use by persons or entities other than the intended recipient is
    prohibited. If you received this in error, please contact the
    sender and delete the material from any computer. Thank you. 
    ##################################################################
    ########################################################################
    #############
    This e-mail message has been scanned for Viruses and Content and cleared
    by MailMarshal
    ########################################################################
    #############
    ------------------------------------------------------------------------
    ---
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off 
    any course! All of our class sizes are guaranteed to be 10 students or
    less 
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of
    in-the-field 
    pen testing experience in our state of the art hacking lab. Master the
    skills 
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ------------------------------------------------------------------------
    ----
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the
    skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    

  • Next message: Handy, Mark (IT): "RE: AD in the DMZ . . . OK?"

    Relevant Pages

    • RE: restore Administrator password
      ... >> Ethical Hacking at the InfoSec Institute. ... >> Attend a course taught by an expert instructor with years of ... >> pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: fax software in the domain
      ... You could add an extra layer of security by changing by connecting the ... Ethical Hacking at the InfoSec Institute. ... Attend a course taught by an expert instructor with years of ...
      (Security-Basics)
    • RE: Windows SUS
      ... > Ethical Hacking at the InfoSec Institute. ... > Attend a course taught by an expert instructor with years of ... > pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Windows patch mgmt.
      ... > Ethical Hacking at the InfoSec Institute. ... > Attend a course taught by an expert instructor with years of ... > pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Windows SUS
      ... I had done all that and the SUS is running on client as expected. ... > Ethical Hacking at the InfoSec Institute. ... > expert instructors. ... > Attend a course taught by an expert instructor with years of ...
      (Security-Basics)