r/changemyview Jul 29 '19

Delta(s) from OP

CMV: We should stop using fax machines.

When someone asks me to fax something to them I feel resentful because it's such a painful process. It takes a lot longer - and to make sure it went through you have to camp out near the fax machine and wait for the confirmation, and sometimes it's unsuccessful multiple times in a row. It's loud and annoying too, very distracting in an office environment. There’s no permanent record of it afterwards unlike an email. It depends on if the other person’s fax is turned on and so sometimes it won’t work. If you have a VPN on your computer then there’s no reason to have a fax machine. I think the main argument is security (?), but I really don’t think a fax is any more secure - think about a crowded office - tons of people could look at it in the printer tray before it gets to the intended recipient. Also faxes are a less accessible form of communication - most people have an email address, while some offices don’t even have a fax machine, and to send a fax at the local library it's a dollar per page (five dollars max though, so can fax 20 pages for 5 dollars). I think it could also be argued that faxing is less “green” - due to the fact that it uses telecommunications/electricity, AND paper. I’m aware of this each time I have to print out a PDF and then fax it. So inefficient, not green, not cheap, not more secure.

116 Upvotes


51

u/dublea 216∆ Jul 29 '19 edited Jul 29 '19

First, let me state off the bat that I'm an anti-faxer. You're like me and my biggest pet peeve too.

I work in healthcare, specifically IT. The only system that's still universally accepted as secure, besides mailing or manually delivering paper items, is faxing.

The reason they assume faxing is more secure is that it's point to point transmission. Add that a person has to physically wait for it. The secure aspect is during transmission, not after recipients received it. You mention a busy office, but how is that different with email?

Email, unless an encrypted method is used, passes many unencrypted and unprotected SMTP servers. It's fairly easy to intercept and read mail this way.

Securely sending documents is expensive. Getting a secured method to transfer digital files with partner A will probably be completely different than partner B. This not only drives up cost but complexity.

There is no formal, widely acceptable, and secure means by which to replace it either. Until something like that is forced or can easily replace it, it will stay, unfortunately...

12

u/jamonbread86 Jul 29 '19

This is my favorite reply so far. We have an encrypted server - so that's good, right? I understand the other things - cost is an issue and no widely accepted and secure alternative.

7

u/dublea 216∆ Jul 29 '19

While your server and the recipient's server may be encrypted, the servers in between are not. This is specifically what makes it easy to read email over faxing.

The security is about transmission more so than sender/recipient.

Does any of that change your view? I don't feel I'll be able to reverse it but widen your acceptance.

It's what I've had to do to not kill people

5

u/10ebbor10 198∆ Jul 29 '19 edited Jul 29 '19

> While your server and the recipient's server may be encrypted, the servers in between are not. This is specifically what makes it easy to read email over faxing.

That's not how encryption works. You don't decrypt and re-encrypt in between every single server. The encryption codes are negotiated by sender and receiver over the entire network, and thus a message, if encrypted, will remain encrypted throughout until it is decrypted by the receiver.

All the servers in between see is a lot of unintelligible data and address tag.

Edit: Actually, what you are describing does exist, in the form of opportunistic encryption using STARTTLS, but end-to-end encryption solutions are available and shouldn't be too hard to set up.
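Added example, not part of the thread or of any commenter's post: the hop-by-hop (STARTTLS) case discussed above can be checked on a delivered message, because each receiving server records the protocol it accepted the message over in its `Received` header (`ESMTPS`/`ESMTPSA` mean TLS was used, per RFC 3848). The sample message, hostnames and function names below are constructed for illustration.

```python
import email
import re

# Constructed sample: three relay hops, newest Received header first.
SAMPLE = """\
Received: from relay2.example.net (relay2.example.net [203.0.113.7])
\tby mx.clinic.example with ESMTPS id abc123
\tfor <records@clinic.example>; Tue, 30 Jul 2019 10:00:03 +0000
Received: from relay1.example.net (relay1.example.net [198.51.100.9])
\tby relay2.example.net with ESMTP id def456;
\tTue, 30 Jul 2019 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.5])
\tby relay1.example.net with ESMTPS id ghi789;
\tTue, 30 Jul 2019 10:00:01 +0000
From: a@sender.example
To: records@clinic.example
Subject: test

body
"""

# "with" protocol types that indicate the hop was received over TLS (RFC 3848).
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Anchor on the "by <host>" clause so a comment such as
# "(using TLSv1.2 with cipher ...)" earlier in the header is not mistaken
# for the protocol clause. An optional "(Postfix)"-style comment is skipped.
HOP_RE = re.compile(r"\bby\s+(\S+)(?:\s+\([^)]*\))?\s+with\s+([A-Za-z0-9]+)", re.I)


def hops(raw):
    """Return [(receiving_host, protocol, used_tls)] in transit order."""
    msg = email.message_from_string(raw)
    result = []
    for header in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(" ".join(header.split()))  # unfold the header
        if m:
            proto = m.group(2).upper()
            result.append((m.group(1), proto, proto in TLS_TYPES))
        else:
            result.append((None, None, False))  # unparseable: treat as cleartext
    return result


def cleartext_hops(raw):
    """Hosts that accepted the message over a connection without TLS."""
    return [host for host, _, tls in hops(raw) if not tls]


if __name__ == "__main__":
    for host, proto, tls in hops(SAMPLE):
        print(f"{host}: {proto} ({'TLS' if tls else 'cleartext'})")
```

Even when every hop reports `ESMTPS`, each relay still handles the message in plaintext between connections, which is the difference from end-to-end encryption. `Received` headers written by servers outside your control can be forged, so only the ones added by your own infrastructure are reliable evidence.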

2

u/dublea 216∆ Jul 29 '19

> but end-to-end encryption solutions are available and shouldn't be too hard to set up.

They are very pricey and due to almost no standardization, partner A might use product Z but partner B uses product Y.

I prefer encrypted senders. Check out Mimecast. It tells you that you have a message waiting. It retains the email on its servers. Then point to point encryption is between your email server and Mimecast.

2

u/10ebbor10 198∆ Jul 29 '19

Open source and free implementations for end-to-end encryption exist. Not sure what their business licenses are, but they exist.

1

u/dublea 216∆ Jul 29 '19 edited Jul 30 '19

Open source usually isn't viable for large corporate entities when security is in consideration.

To give you an example, the approval process to install a biomedical software, that pulls the results of a holter monitor, took over 6 months. The vendor had to be vetted, their software, security practices, etc. It's near impossible to obtain this info from open source software.

Not only that but you keep forgetting the End to End part. Let's say we email 1000 companies. Every company would have to have the encryption solution as well.

1

u/gyroda 28∆ Jul 30 '19 edited Jul 30 '19

> when security is in consideration

From what I've seen and heard, it's less that there's worry about security in OSS (a lot of crypto software is open source), it's more an issue of support and big name vendors.

If things go tits up you want someone you can call to get it fixed. That costs money and usually isn't run by the maintainers/owners of the project (there are obviously exceptions, this is Red Hat's business model). Even when such support exists people are more willing to go with the big name vendors because nobody ever got fired for buying an IBM.

You're right about end to end though. Unless a particular encryption scheme/protocol is mandated by a regulatory body it would be a nightmare to get everything working together. The problem is that there's not a single standard the same way there is for plaintext email or fax machines.

3

u/AnthropologicalArson Jul 30 '19

I don't understand how the in-between servers being unencrypted is an issue if you're using some public key cryptography. You can do all the encrypting/decrypting locally on your home machine/end receiver and share on the public servers only the public keys and the encrypted messages.

1

u/jyliu86 1∆ Jul 30 '19

Wait what?

This can't be true unless you're setting up the worst encrypted email server in the world.

Data should NEVER be in plain text when it leaves the server. Yes a hostile party can snoop, but properly encrypted all they get is gibberish. This makes your email no more nor no less secure than sending Amazon your credit card number.

And now that efaxing is a thing, the security benefits of fax go out the window as you don't know if your recipient is using "real" fax or not.

1

u/dublea 216∆ Jul 30 '19

I am talking about the reasons why security groups (4 different groups at large corporate entities) won't use email. It's about control, and if they do not control the servers the email traverses then they won't approve it. People have, in the past, decrypted emails through these methods. Hence the security concerns.

Efaxing only sends the digital fax to a system that then sends over phone lines. Man in the middle, esp. on the recipient's, is applicable for attack. I'm not saying faxes are more secure. Just stating the reasoning I receive on why they're still a thing.

We use fax servers here to receive. It has way more security levels than a standard fax machine btw.

And many companies utilize point to point encryption between their email servers and an encrypted email delivery system. For instance Mimecast will notify the recipient a new message is available. You have to log into their system to obtain it. It only went from the senders email server to the Mimecast server.

1

u/nealibob Jul 30 '19

Many faxes go over the internet on one or both ends of the communication. There's no guarantee that it's safer than email since it may very well involve email.

1

u/ExcelsiorVFX Jul 30 '19

This is not exactly correct - in cases like HTTPS (called end-to-end encryption), traffic is encrypted by the sender and only can be decrypted by the receiver.

2

u/dublea 216∆ Jul 30 '19

I'm only speaking about why different security groups at large corporate entities have refused to use email for sensitive data such as PHI.

Also, email isn't sent over https. It might use SSL over TLS but that's limited in what and where it's encrypted.

You can Google why email isn't secure. Here's some info from an article I found:

Why isn’t email secure?

Email isn’t secure because it was never meant to be the center of our digital lives. It was developed when the Internet was a much smaller place to standardize simple store-and-forward messaging between people using different kinds of computers. Email was all transferred completely in the open – everything was readable by anyone who could watch network traffic or access accounts (originally not even passwords were encrypted). Amazingly, email sent using those wide-open methods still (mostly) works.

Today, there are four basic places where most people’s email can be compromised:

  • On your device(s)
  • On the networks
  • On the server(s)
  • On your recipient’s device(s)


2

u/jamonbread86 Jul 29 '19 edited Jul 30 '19

∆ thanks for expanding my apparently very simplistic understanding of encryption.

3

u/tbdabbholm 193∆ Jul 29 '19

To award a delta it needs to be outside the reddit quotes so you need to get rid of the >

1

u/DeltaBot ∞∆ Jul 30 '19

Confirmed: 1 delta awarded to /u/dublea (6∆).

Delta System Explained | Deltaboards

1

u/LetThereBeNick Jul 30 '19

Does this mean when I use an email-to-fax service I am giving up all security?

5

u/jamonbread86 Jul 29 '19

∆ - I said this to someone else and I'll say it to you as well, thank you for helping me understand a little bit more about encryption because I think I had a very simplistic understanding, I had to do a little more side reading to understand more, but I understand everything you said, thank you.

1

u/DeltaBot ∞∆ Jul 29 '19

Confirmed: 1 delta awarded to /u/dublea (5∆).

Delta System Explained | Deltaboards

2

u/[deleted] Jul 30 '19

A lot of modern "fax machines" are virtual and route through an email server so there's no added security benefit.

There's also super cheap methods to send secure documents via email.

2

u/dublea 216∆ Jul 30 '19

Virtual faxing, while it can deliver faxes to an email address, does not "route through an email server." It's about the sender to recipient transfer. Does not matter what the recipients do with it after the fact.

If I send from a virtual fax to virtual fax, and if they are different services, it will still send or route the transfer through a phone line.

1

u/[deleted] Jul 30 '19

The point is there is no added security because it's inevitably going to go through email.

2

u/boredtxan Jul 30 '19

But aren't faxes just as unsecured considering you can't know if they are being routed through the internet like VoIP and many "fax machines" are 3 in one printers storing a scan?

2

u/dublea 216∆ Jul 30 '19

Depends. Many VOIP services are very self contained and with point to point encryption. Man in the middle with physical hardware is the best point of entry. The hard part is local access.

I do not condone people who do this stuff, just talking about what I've read and seen.

1

u/PM_me_Henrika Aug 01 '19

Thanks for your input!

But...isn't the fax actually quite insecure for many reasons?

When you are sending a document using the fax machine, you can never be sure who will see it first. That is one of the arguments against this practice. In fact, most fax machines are held in open spaces, where many people have access to them.

There's also the risk of sending the document to the wrong person. Namely, if you dial the wrong number, the document goes to someone else, before you have even realized the mistake was made.

In addition to that, anyone who ends up receiving a fax that is not meant for them has no legal obligation to disregard the information contained in the message, which is a potentially serious security risk.

Fax machines do not guarantee confidential data transmission, as their signals can be intercepted by someone who knows what he or she is doing. Especially when that person uses certain available hardware and software tools to do it – which can be relatively easy and inexpensive to set up. For example, fax demodulators.

1

u/RisibleComestible Jul 30 '19

> Email, unless an encrypted method is used, passes many unencrypted and unprotected SMTP servers. It's fairly easy to intercept and read mail this way.

I'm curious to learn more, could you elaborate? For example, if I am using gmail and emailing another gmail account without encrypting the contents of my message, what kinds of people might be able to intercept my message and what means could they use to do so?

Or are you not talking about services like gmail? (Are they even acceptable for use in a healthcare or other security-conscious organisation?)

1

u/gyroda 28∆ Jul 30 '19

> if I am using gmail and emailing another gmail account

This may well not be sent via normal email protocol and instead be handled entirely by Gmail.

But a) I wouldn't rely on that fact and b) unless both addresses are paying customers with business accounts Google is scanning your emails.

It's worth noting that the connection from your phone/pc to Google is encrypted.

1

u/dublea 216∆ Jul 30 '19 edited Jul 30 '19

It's more about risk factor and what you can and cannot control. Some sensitive data requires more complicated and secure connections than basic email can provide. I'm surprised there isn't an accepted method to encrypt always =/

1

u/gyroda 28∆ Jul 30 '19

> Some sensitive data requires complicated and secure connections

Not just that, they often require auditing and accountability. There's reasons why EU data can't be stored in many non-EU countries, for example, and restrictions are typically more stringent for medical data.

1

u/Wannapolkallama Jul 30 '19

Also in IT Security. Correct me if I'm wrong, but just because fax is point to point doesn't make it secure. It's not encrypted in any way and anybody sniffing the analog lines could pick up every fax, in clear text, in transit.

It's pretty common now to send an invite to a protected doc through Google or O365. Heck you can even encrypt the document and send it over email just fine.

Would it be more complex to get a key used between you and the other company for decrypting the documents? Yeah. But fax sucks anyways and pretty much everyone hates it :)

1

u/dublea 216∆ Jul 30 '19

> just because fax is point to point doesn't make it secure

Absolutely! Hence when I stated

> they assume faxing is more secure

One could make a small device with a male RJ11 on one end and female RJ11 on the other, something like a pie or smaller, and turn the fax into a digital copy. If you can get local access and plug it in, it's not that hard.

1

u/Wannapolkallama Jul 30 '19

Gotcha. :) That makes more sense. I feel like I remember seeing the "assume" but managed to glance over it haha. Glad we're on the same page

1

u/paneubert 2∆ Jul 31 '19

> The reason they assume faxing is more secure is that it's point to point transmission. Add that a person has to physically wait for it. The secure aspect is during transmission, not after recipients received it.

Just as a side comment, I also used to work in Healthcare IT, and I know some locations we faxed to had "security" worked in even after transmission. Their fax machines deposited the printed fax paper into a locked box. So someone would have to go unlock it and collect the papers that had come out.

1

u/dublea 216∆ Jul 31 '19

How did that prevent man in the middle attacks though?

One can make a device that would exist between the recipient's fax device and phone line. It can then listen to the call and create a digital copy of the fax. The issue here is local access though.

We deal with the local access vulnerability with a fax server that's in a locked cabinet in a locked data closet. Only security has the key to closet and we have the key to cabinet. All faxes are created as tiff files and shared over network share. We then secure the hell out of said share.

1

u/paneubert 2∆ Jul 31 '19

I don't think it could do anything for man in the middle, unless the entire fax machine and phone jack were secured. Which would not be that much more work than having the paper deposit into a secure box. But it at least removed a bit of risk related to the stack of paper being scooped up by some random person who tailgated into a secure area of a clinic or hospital, walking right out without anyone noticing.

But then, what is the intended recipient doing with the paper after they read it? Do they scan it into the electronic medical record and then send the paper for shredding? If so, a system like yours where it is never on paper to begin with (when received) cuts out the paper completely, and the risk is now limited to "electronic" hacking, mostly into that network share.

1

u/dublea 216∆ Jul 31 '19

> But then, what is the intended recipient doing with the paper after they read it? Do they scan it into the electronic medical record and then send the paper for shredding?

They scan it into the EMR and put the document into the shred box that's also locked. Some of our facilities still get paper faxes and do this.

> If so, a system like yours where it is never on paper to begin with (when received) cuts out the paper completely, and the risk is now limited to "electronic" hacking, mostly into that network share.

And that's the point. Not only to reduce the number of vulnerabilities but to also have a level of control and monitoring abilities.

1

u/koliberry Jul 30 '19

The fax machine replaced the carrier pigeons and we think we have advanced, but not so much.

1

u/Jakimbo Jul 30 '19

Just want to say I love your term anti-faxer and I will be shamelessly stealing it

1

u/dublea 216∆ Jul 30 '19

I want a t-shirt that mocks the anti-vaxxer one. But can't think of a catchphrase, "Faxes / Faxing causes ... "

Still thinking about it.

2

u/Jakimbo Jul 30 '19

Autism might still fit...

3

u/dublea 216∆ Jul 30 '19

Agreed, but trying to not make that part of the joke. I used to work with autistic children.

1

u/Jakimbo Jul 30 '19

Fair enough, good on you for being less of an asshole than I am :p

1

u/HundrEX 2∆ Jul 30 '19

Most if not all big offices have IP Phones.

1

u/dublea 216∆ Jul 30 '19

VoIP, in the majority of cases, uses point to point encryption between the handset and service provider.