IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 5.31 Unauthorised reading of fax transmissions
Where fax machines are placed in places with free access there is a danger that
incoming faxes could be read by unauthorised persons. Again, if the
distribution list used within the organisation is inaccurate, unauthorised
persons could obtain knowledge of the information contained in confidential
fax transmissions.
If the access rights to a fax server are not granted very strictly, it may be
possible for unauthorised persons to read incoming and outgoing fax
transmissions which pass over the fax server.
Fax servers contain so-called address books. These eliminate some of the
work involved in sending a fax as users do not have to enter the recipient's call
number every time they send a fax to him, but merely to select his name. If the
call number entered in the address book for a given recipient is incorrect, then
every time this entry is used the fax will be sent to the wrong recipient. A lot
of address books also provide facilities for combining several addresses into a
single group. The user who wishes to send a fax to the members of such a
group only has to specify the group as the recipient, rather than each member
of the group individually. But if the group contains addresses which should
not be there, the corresponding recipients could obtain access to all fax
transmissions which are sent using this group definition. The assignment of
incorrect addresses may be due to carelessness or it could be the result of
deliberate manipulation.
Incoming faxes sent to a fax server have to be distributed to recipients. This
can be done either by printing out the incoming faxes and manually
forwarding them to recipients or the fax server can distribute the faxes
automatically over the network.
Where incoming faxes are distributed manually and the printer used to print
out the faxes is located in an area with open access or the process of
distributing faxes within the organisation is flawed, it is possible for them to
be read by unauthorised persons.
In order to forward fax transmissions automatically, the fax server requires an
assignment table which specifies to which user or to which user group
incoming faxes, for example from a particular originator or sent using a
particular call number should be sent. If an unauthorised person is included in
such an assignment table, either out of carelessness or as a result of deliberate
manipulation, he will receive faxes which are not intended for his eyes.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Access rights too
loosely defined
Manipulated address
books
Unauthorised reading of
documents on the
printer
Manipulated assignment
tables