RE: Passwords

From: Howard C. Berkowitz (hcb@gettcomm.com)
Date: Wed Mar 03 2004 - 14:56:51 GMT-3


At 12:46 PM -0500 3/3/04, Scott Morris wrote:
>Anything that is sent electronically CAN be sniffed and reassembled. That
>would be a fax, a jpeg, a pdf, whatever.
>
>The bottom line is how much effort it truly takes to do just that. It's
>simpler (depending on your underlying security architecture) to grab a pdf
>or jpeg off of a network line than to intercept a fax.
>
>BUT. If you want to you may be able to. It just follows the sanity thread.
>
>Personally, if you want to send something electronically that you think
>people may intercept, use PGP or S/MIME or some other method of encryption.

At least with medical data covered by HIPAA, one has to think of how
much time that encryption and decryption may add. See below.

>Again, there's slim CHANCE that it could be intercepted and decoded, but it
>falls into that category of "what am I sending?" and "Who the hell has that
>much time on their hands?" :)

There are no simple security decisions. We usually consider the
value of the information to an unauthorized recipient, the time it
will take that recipient to get at the information, and the
perishability of the information. The classic example is that if a
military unit sends a firing order to an artillery unit that it is to
shoot in 3 minutes, with a 2 minute time for rounds flying through
the air, but the target can't get out of range in less than 15
minutes, why not send the order unencrypted? At best, the enemy will
have time to say prayers.

>
>So ... The fact that HIPAA says you can fax just says it's not plausible to
>intercept a fax, not that it's impossible. Be reasonable in your security,
>think through the process (end to end) of what information you're
>transmitting and how you are moving it through whatever networks you are
>moving it through.

One of the specific issues with HIPAA faxing is the information may
be life-critical and needed with minimum delay. It's not uncommon,
for example, to have laboratories in small hospitals have a fax link
to the emergency room, so they can send results as soon as received.

I am familiar with equally life-critical situations when an emergency
room had to get, for example, information on the prescription drugs
an unconscious patient was taking, or their allergies, or information
on critical conditions. Even if there is a risk of disclosure, people
forget the cost of not making the information available.
Unfortunately, in medical bureaucracies, you do run into people that
are more worried about not being sued than saving life.

>
>You're correct about the web site asking you to type in characters.
>Although it's not so much protection from being sniffed, but protection
>against a non-human computer program trolling for information across the
>ether. Those grid things mess up most OCR type software thereby making it
>plausible that it will be a human being on the other end. Problems still
>happen (e.g. that throws off some humans too), which is why most web sites
>also have a phone number so that you can get interaction to still receive
>the information.
>
>Security is always an interesting philosophy in a network!
>
>
>Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
>JNCIS, et al.
>IPExpert CCIE Program Manager
>IPExpert Sr. Technical Instructor
>swm@emanon.com/smorris@ipexpert.net
>http://www.ipexpert.net
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Joseph D. Phillips
>Sent: Wednesday, March 03, 2004 12:26 PM
>To: Group Study (E-mail)
>Subject: Passwords
>
>I have been told by vendors that SSNs can be faxed and still be secure
>enough for HIPAA.
>
>If e-mailing a non-clear-text image of a password is the practical
>equivalent, I would rather do that.
>
>I do notice that many web sites now make you repeat the characters you see
>embedded in images, before you can navigate further into the web sites.
>
>I'm assuming that's how they make sure it's a human being looking at the web
>page, and not some mechanical device sniffing information as the page is
>downloaded.
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:13 GMT-3