Please never think that fax is impossible to hack. It is possible at
surprisingly large (and security classified) distances to intercept and read
fax transmissions as if they were addressed to you without the sender or
recipient being any the wiser.
In a past life I dealt with secure equipment and data transmission and
receipt. The acronym TEMPEST is relevant here, as is the (largely
uninformed) discussion on (eg) this messageboard:
http://www.dslreports.com/forum/remark,2051870~root=security,1~mode=flat
_____________________________________________________________
Tim Trent
Chief Privacy Officer EMEA
Gartner
EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom,
TW20 9AW
Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44
(0)7710 126 618, Fax +44 (0)1784 268 932
http://www.gartner.com
[log in to unmask]
The opinions expressed in this message are my own, and may or may not
reflect those of my employer. They are expressed as a part of the
discussion on the JISCMail mailing list on data protection and for no other
purpose. They have no legal standing and are offered as part of informed
and informal discussion. They may NOT be attributed to Gartner in any way.
Any personal data provided is provided expressly for use of discussions on
the JISCMail Data Protection Discussion list. Under the UK Data Protection
Act 1998 I expressly forbid any individual or organisation to make
commercial use of my data published either on the email list or in the
archives of that or other lists whether this message appears or not. This
includes messages already published in the archives.
-----Original Message-----
From: Colette Healiss [mailto:[log in to unmask]]
Sent: 27 September 2002 14:06
To: [log in to unmask]
Subject: Re: Sending data via Fax - a Friday Question!
Hi Les
I have to say our corporate policy on transmission of personal data
advocates secure fax use as an alternative to email which is frowned upon.
To my understanding fax transmissions are impossible to hack. It's the
security at either end which is the potential problem. As far as
misaddressing goes, well, you could say the same with knobs on for email
couldn't you - it's so easy to send the wrong thing to a huge list of people
all in one go.
cheers
Colette
St Helens Council
Les Kingstone <[log in to unmask] UK>
Sent by: This list is for those interested in Data Protection issues <data-protection@JISCMAIL.AC.UK>
27/09/2002 13:43
Please respond to Les Kingstone
To: [log in to unmask]
cc:
Subject: Sending data via Fax - a Friday Question!
Hi all! It's Friday, so it must be daft laddie question time!
One of the problems of doing an audit is that it raises more problems than
it solves :(( One of the Non Compliances that I raised was
the 'excessive' use of fax for communicating personal and sensitive
information in one of our underwriting areas. (They would also receive a
huge amount of faxes either just prior to or just after sending out even
more stuff themselves.) Typical of the area they have two defenses,
namely:
1. All of our competitors do this, and we would lose business if we made
life a little difficult for our folk!
2. The ABI (Association of British Insurers) gave out some instruction
saying that this is perfectly okay!!
Oh! And this is just our Underwriters!
I'm quite happy to issue an edict, with the usual caring threats!!!
However, that approach just doesn't work.
I'm aware that the fax may be addressed to the wrong machine and that a
non-authorised person may have an interesting half an hour reading something
they shouldn't. I also suspect that there is a security problem in
intercepting faxes (which I understand from my reading of early hackers
comics). Any new ideas from compliancy type ideas is normally followed by
another user ploy of 'it would cost the business more', or 'who will pay
for this extra work?'!
May I ask a couple of questions?
· Are you aware of the documents from the OIC which state that you
cannot send personal / sensitive information via fax? (I know that you can
deduce that fax is insecure and therefore ...)
· Have you come across the ABI recent draft of a best practice
paper "re HIV and insurance"?
· Do you send Medical /Personal Information via fax?
· Do you have procedures whereby only the minimum data is sent by
fax? If so, what logic do you use with your users to enforce it?
· Do you have any security arrangements regarding fax messages?
Would you be able to share them?
· Do you have anything in your Security Policy saying that there
should be restricted use of faxes?
· Any solutions / thoughts on how to get out of this pickle?
· Anything else ...
Les
AEGON UK
0131 549 3539
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^