[opensuse] Fax vulnerability

In the past few days it's been announced that there is a vulnerability in many "fax machines" (more accurately, all-in-one printers with fax capabilities). I've tracked down and downloaded a tarball, but have found very little info about it. The contents of the tarball look like a mix of a website and a python program with some C code and printer drivers and other stuff thrown in. Should I start wading through all that, or will there be an update coming out from Suse? I've got an HP OfficeJet, if that plays a role. tnx -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Hi, On Thu, Aug 16, 2018 at 11:34:16AM -0400, ken wrote:
We have not looked into it as it seemed specific to HP Printers. What https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/ describes seems to be vulnerabilities in HP printer implementation of libjpeg. This is software we do not ship (it's not open source), so SUSE is not affected. Ciao, Marcus

On Thursday, 16 August 2018, 18:05:04 CEST, Marcus Meissner wrote:
is hplip affected? ships with Leap... Cheers MH
Ciao, Marcus
-- Mathias Homann Senior Systems Engineer, IT Consultant. IT Trainer Mathias.Homann@openSUSE.org http://www.tuxonline.tech gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

On 2018-08-16 18:05, Marcus Meissner wrote:
It appears to be a firmware patch for the printer itself. So, hplip should not be affected. <https://support.hp.com/us-en/document/c06097712> Can the idea affect fax software, such as Hylafax? I don't know. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)

On 2018-08-16 11:34 a.m., ken wrote:
ROTFLMAO! Fax is about as secure as a land line. My GP won't notify me about results, appointments or anything by e-mail, they consider email to be 'insecure'. But I can go to the basement of their building, the parking ports, and look at the wiring and clip a recorder on there. FAX is not secure. The irony is that all those results they won't send me ... Well the place that does my blood work, the X-ray centre that does things like bone density analysis and more, my hospital, all the specialists I deal with, be they eyes, ent, etc etc, all have email, or a web site where I can register to get my results. And yes they do have security layers. And these are all at proper managed servers, not Gmail. Which, yes, is of questionable security. Then, of course, there are a whole other raft of phone hacking methods! -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?

On 08/16/2018 11:08 AM, Anton Aylward wrote:
Then, of course, there are a whole other raft of phone hacking methods!
I have my bluebox ready.... -- David C. Rankin, J.D.,P.E.

On 08/16/2018 09:00 PM, David C. Rankin wrote:
I have my bluebox ready....
That might not get you much these days. Back when the phone network was analog, operators had key pads with 16 buttons, instead of the 12 (10 on older phones) on regular telephones. Those extra buttons were what the operator used to control calling. These days, with the digital network, Signalling System 7 (SS7) is used to control the network. The push buttons are converted to SS7 at the first opportunity, at the exchange with analog phones, and touch tones, but as early as the phone on digital (ISDN) connections. So, these days those extra buttons are useless when making a call. Using touch tones is called in band signalling, but SS7 uses a dedicated 64 Kb data channel, to carry the signalling information. This is known as out of band signalling.

On 2018-08-17 03:42, James Knott wrote:
AFAIK, SS7 is not used for signalling with the customer, but between exchanges. At least, I never saw it. I believe ISDN used its own signalling, Q.931 says Wikipedia. And no, there was no security involved in the SS7 code: instead, the transmission channel has to be secured. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)

On 08/17/2018 06:39 AM, Carlos E.R. wrote:
When you set up a multiplexer, as I have done, the mux is talking directly to the network. Here's what that all knowing Wikipedia says: "The ISDN (Integrated Services Digital Network) User Part or ISUP is part of Signaling System No. 7 (SS7), which is used to set up telephone calls in the public switched telephone network (PSTN). It is specified by the ITU-T as part of the Q.76x series." https://en.wikipedia.org/wiki/ISDN_User_Part In addition to the multiplexers, I also configured ISUs (ISDN Service Unit), which could be used to connect user devices to the network.

On 08/16/2018 12:08 PM, Anton Aylward wrote:
I get the same thing. In fact, I had the same discussion with my doctor recently. People who have little knowledge of telecom and IT have no idea how insecure it is. I have worked in telecom and other areas of IT for decades. I know how easy it is to tap onto a phone line (I was doing that as a teenager) and I can also spoof phone numbers (it's common practice for businesses to display the main number on call displays), if I get my hands on the equipment. There are lots of fax modems kicking around that could easily be modified to intercept faxes. Also, many years ago, shortly after I got my first fax modem, I faxed myself a document that had nothing but my signature on it. I did that so I could cut 'n paste my signature on documents where they wanted a signature. There was nothing to stop me from doing the same with someone else's signature.

On 08/16/2018 06:21 PM, James Knott wrote:
From your perspective, you're correct.... Fax isn't secure. From others (the courts for example) Fax IS secure and is accepted/demanded as a legal document. Email is not... and we all know for bloody good reason. Now, having said all of that I'll address your comment about tapping onto the line to make a copy of a fax transmission... I worked in the telecom business for a fairly long time in central offices and switches. Yes, you can record the audio tones, but a fax modem is a VERY fussy beast and that trick tends to not work. Not saying you can't do it, it's just not as easy as TV and modern security researchers would have you believe. Nor is cracking the ss7 network. Access is tightly controlled. One does not "just get on" that network. If you read the accounts of the researchers doing the security work on the ss7 network, way down at the bottom, you always see where they thank some network/access provider for allowing them onto the ss7 network so they can tell them how they run a crappy network.

On 08/16/2018 11:17 PM, Bruce Ferrell wrote:
Years ago, software FAX modems were popular. They were generally just an audio card with the modem software running. Someone who was able could modify that software for monitoring.
Nor is cracking the ss7 network. Access is tightly controlled. One does not "just get on" that network.
I also worked in telecom for many years. I'd often set up Adtran multiplexers for various services, including voice. They can be configured to supply whatever caller ID is desired. These multiplexers would then connect to the phone network via Primary rate ISDN, so they'd originate the SS7 data for that location. So yes, if I was the tech setting up one of those multiplexers, I could make the caller ID show whatever I wanted. At another company, I also used to do a lot of work with Newbridge multiplexers, which could similarly be configured, though that wasn't part of my job at that time.

On 2018-08-17 7:19 a.m., James Knott wrote:
Around the mid 1990s I had an in with a local company that made encryption boxes for FAX. Yes you needed one at each end. Their primary market was embassies and consulates, or at least Canadian ones. Yes around the world. And yes, international phone lines can be crappy at times. They gave me software that let the card on my Laptop which James described do just that hacking. And yes, with the prospect's permission we'd show how we could not only listen in, but hijack a call and substitute a fake message. After all, what ID does the FAX have? Just the printed header, and you can set that (or not) on any machine or software. That firm also made PC Ethernet cards that could do encrypted exchange over Ethernet. I thought those were a wonderful idea! That was in the days before we had printers with built in network, wifi or card readers. A printer was connected via the parallel port to a PC that was on the network. So they showed me an encrypted print job. They had a network analyser showing the packets ... So we walked over to the printer to find someone sifting through all the printout, including our supposed secure stuff, to find his own stuff. Secure, eh? And yes, FAX machines have just the same failure mode. Or more. One time I was waiting for an urgent FAX but the machine was spewing out the long, long printout of a computer generated custom astrological chart and prediction some secretary had ordered. Unlike TCP, voice band doesn't handle multiple channels. By the time the astrological chart finished the window for my 'fix' had passed. My boss was furious. A new policy was enacted: no fax longer than 5 pages. Since our standard NDA was 6 pages .... -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?

On 2018-08-17 14:51, Anton Aylward wrote:
Ah, yes. Also people moved the dedicated fax machine and forgot to change the identifying header. Then came fax modem and software allowed to put anything in there.
LOL :-)
:-) Those times... I heard people did Spam using FAX, but I never saw it, because in Spain every local phone call was charged, and not really cheap. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)

On 08/17/2018 04:19 AM, James Knott wrote:
Oops! I meant to send this to the list and only sent to James. Mea Culpa! Yea, the customer premises stuff like the Adtran and similar drop and insert mux gear could do that... but that connects to the customer side of the end office switch same as a IP (or any) PBX does. I know for fact the CO switches I worked on checked to assure what came from those installations was "correct", not just whatever the site tech wanted to set... It was a part of the provisioning setup. If it wasn't per the provisioning, no calls went through. People got unhappy about that. BRI and PRI ISDN is and was no fun to set up from either the customer or the CO side. Someone always forgets to provide some crucial setting. I've done both. ISUP messages (ISDN User Part) are VERY limited in how far they go through SS7... Their data gets extracted at the switch and then checked and bundled into the stream going to the signaling transfer point. It's not like an IP packet that just gets passed along by a router. If one could connect directly to an SS7 signaling transfer point, all sort of mischief can happen... but your customer premise systems (PBX, Adtran etc) aren't allowed that. As I said, access to the "real" SS7 network, is pretty tight... "white list", "unique shared key VPN" or dedicated line only.... And often all three. This is why we see the security researchers thanking their hosts on the SS7 network. If you set up an Asterisk or other IP PBX system instance you can set the outbound caller ID to anything you want too... But you better follow the numbering plan (valid area code/NPA pairing) or the connecting switches have a nasty habit of rejecting your calls too... These days anyway, not at first. I know, I played that game too for a while. Those sound card FAX modems sort of worked and sometimes could even be enticed to pretend to be analog telephone interface cards.
They were better at that last thing than doing FAXes though (they were a little bit hard of hearing) and this is why USR and other "real" modem makers ate their lunch. At higher speeds the PSK modulation is bi-directional, synchronous and dynamic... Just listening isn't sufficient, because there is end to end adjustment going on in the line carrier modulation... And THEN the FAX protocol comes into play.

On 08/17/2018 02:35 PM, Bruce Ferrell wrote:
As I mentioned, caller ID content could be configured on the multiplexer. Now as far as the actual number used by a device, that's another matter. As mentioned by someone else, the FAX ID is also user configurable. This FAX ID and caller ID are the only things that are noticed by users. If someone looks at their phone and sees a recognizable name or number, why would they dispute it? Same with the FAX ID printed on the received copy. By comparison, when I get an email telling me to click on a link, I hover the mouse pointer over the URL, to see what it actually is, before clicking. Many people don't.

On 2018-08-17 20:42, James Knott wrote:
In Spain you never see a name, it is always a number (and they charge for the service). It is the receiving client side hardware which may have a table of number-names and then display the name. I know this is different in USA or Canada. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)

On 2018-08-17 13:19, James Knott wrote:
I also worked in telecom, although not for many years; also I worked at the switches or at the national control center, never with customer hardware. I.e., I never touched ISDN from the customer side. Thanks for explaining how the caller ID can be changed - at our setups, with POTS, that was not possible, it was done at the exchange. I often wondered about that claim. You see, in Spain at the time telephone companies relied on the Caller ID number for charging across companies, so it was assumed fully reliable. The service, from the client side, worked thus: Say you are a Telefonica client. You want to call a long distance number, so instead you dial: 050XXXXXXXXX. The 050 routed the call via an alternative provider, and the XXXXXXXXX was the destination number. But the signalling had included the A number, which was used when the long distance call transited the alternative network to know who was doing the call and charge him, or deny service if he was not a client. So the A number had to be reliable. All of Spain was adapted. Even old analog exchanges got new hardware additions to support adding the A number. Except a few that were still on rotatrixes, I think. This indirect service started in Jan 1998, and lasted a few years. It has disappeared, I believe. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)

On 08/16/2018 11:17 PM, Bruce Ferrell wrote:
Email is not... and we all know for bloody good reason.
Actually, it can be. Encryption, digital signing, etc. is supported with X.509 certificates. One of the first things I had to do, when I started at IBM back in 1997 was set up encryption in Lotus Notes. Some people also use PGP for that purpose, but it's not as suitable for business use as X.509.

On 08/17/2018 02:24 PM, Bruce Ferrell wrote:
Actually, they do in many countries: Are eSignatures, based on digital signature technology, legally enforceable? Yes. The EU passed the EU Directive for Electronic Signatures in 1999, and the United States passed the Electronic Signatures in Global and National Commerce Act (ESIGN) in 2000. Both acts made electronically signed contracts and documents legally binding, like paper-based contracts. Since then, the legality of electronic signatures has been upheld many times. https://www.docusign.ca/how-it-works/electronic-signature/digital-signature/...

On 08/17/2018 11:35 AM, James Knott wrote:
Yeah, I know... In other countries other things are legal/accepted. There are hordes around the world who like to crow "our way is better" and then do stupid things around that whole idea, up to and including fighting wars. I live in the US... which is more and more like what we used to call third world or back water nations. So I can really only comment on what happens here. And yes, it IS stupid, but them's the rules I have/get to work under. As a boss I had long ago used to tell me "I am but a poor peasant boy".


On 2018-08-17 05:18, Bruce Ferrell wrote:
Well, they are silly. An email can be cryptographically signed and/or encrypted, thus both authenticity and privacy can be secured. Fax can not today address any of that. For instance, I had my boss's signature scanned so that I could fax documents signed by him - when he told me to do so. It was the only way to fax a signed document from the computer. The alternative was to write it up in the computer, print, sign, scan with computer, send. There was some quality loss in the text, so we preferred the other way.
Not as easy, but possible. The machine itself has to be silent, can't negotiate protocols or ask for repeats. Has to know what to do when the receiving machine talks.
That's true, they need access first. It is usually one time slot in a T1 or E1 (MIC?). I suspect that James was referring to the ISDN signalling channel, which can be intercepted by wire tapping into the client copper line. This is not SS7. By the way, any phone conversation (not VoIP, but traditional) can be intercepted digitally anywhere in the road, and interception can not be detected on the ends. It is in fact a computer sending the stream of bits that forms the conversation to another phone line, which can be virtual (a file if capacity and software permits). There is no delay involved, no signal degradation at all - because it is done after the original signal is digitized. However, the capability to do this in the switches I worked at was very limited. It could be done to investigate (debug) problems, not for police work, and perhaps only half a dozen simultaneous taps. And was registered in logs. Possibly for legal wiretapping another module was needed we did not have. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)

On 08/17/2018 07:03 AM, Carlos E.R. wrote:
Actually, I was referring to the multiplexers that combine a variety of services, including dial up voice, over a T1/E1. You'll often find them at customer sites. The ones I have experience with are the Adtran Atlas and Newbridge 3600 Mainstreet. http://portal.adtran.com/web/page/portal/Adtran/group/42 http://www.datacomproducts.com/pdf_files/MainstreetProducts/ms3645.pdf

On 08/17/2018 04:03 AM, Carlos E.R. wrote:
The problem is "can be encrypted and/or signed". It's not done inherently. I worked on Nortel DMS 250/500 and Harris systems in carrier offices. They can do a lot more IF one knows the right commands... But you really don't need to do there. Digital monitoring is inherent in central office test equipment... But everyone knows what is going on then and people tend to get fussy about proper documentation and such. Channels/circuits with such monitoring going on are flagged for only very senior people to deal with... It absolutely wouldn't do to have the monitor revealed by a ham handed tech.

On 2018-08-16 18:08, Anton Aylward wrote:
However, the issue here is a very different one. It appears that sending a particularly crafted fax to the fax machine opens a hole in it, the machine can then be remotely (by phone) repurposed and used to attack the network in which it is installed, send back faxes with information, etc. To do this, first the hackers got one such machine and more or less reverse engineered it in order to find holes in the code. And they found them. Then they told HP about it, who has published patches and list of affected models. But the attack is generic and might be used on other brands, too. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)