RE: Passwords

From: Scott Morris (swm@emanon.com)
Date: Wed Mar 03 2004 - 14:46:19 GMT-3

• Next message: Justler: "Paper lab recommendations"
• Previous message: Howard C. Berkowitz: "Re: Passwords"
• Maybe in reply to: Joseph D. Phillips: "Passwords"
• Next in thread: Howard C. Berkowitz: "RE: Passwords"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Anything that is sent electronically CAN be sniffed and reassembled. That
would be a fax, a jpeg, a pdf, whatever.

The bottom line is how much effort it truly takes to do just that. It's
simpler (depending on your underlying security architecture) to grab a pdf
or jpeg off of a network line than to intercept a fax.

BUT. If you want to you may be able to. It just follows the sanity thread.

Personally, if you want to send something electronically that you think
people may intercept, use PGP or S/MIME or some other method of encryption.
Again, there's slim CHANCE that it could be intercepted and decoded, but it
falls into that category of "what am I sending?" and "Who the hell has that
much time on their hands?" :)

So ... The fact that HIPAA says you can fax just says it's not plausible to
intercept a fax, not that it's impossible. Be reasonable in your security,
think through the process (end to end) of what information you're
transmitting and how you are moving it through whatever networks you are
moving it through.

You're correct about the web site asking you to type in characters.
Although it's not so much protection from being sniffed, but protection
against a non-human computer program trolling for information across the
ether. Those grid things mess up most OCR type software thereby making it
plausible that it will be a human being on the other end. Problems still
happen (e.g. that throws off some humans too), which is why most web sites
also have a phone number so that you can get interaction to still receive
the information.

Security is always an interesting philosophy in a network!

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph D. Phillips
Sent: Wednesday, March 03, 2004 12:26 PM
To: Group Study (E-mail)
Subject: Passwords

I have been told by vendors that SSNs can be faxed and still be secure
enough for HIPAA.

If e-mailing a non-clear-text image of a password is the practical
equivalent, I would rather do that.

I do notice that many web sites now make you repeat the characters you see
embedded in images, before you can navigate further into the web sites.

I'm assuming that's how they make sure it's a human being looking at the web
page, and not some mechanical device sniffing information as the page is
downloaded.

• Next message: Justler: "Paper lab recommendations"
• Previous message: Howard C. Berkowitz: "Re: Passwords"
• Maybe in reply to: Joseph D. Phillips: "Passwords"
• Next in thread: Howard C. Berkowitz: "RE: Passwords"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:13 GMT-3