RE: Taking control of ones machine

From: Darren W. MacDonald (darrydoo@sympatico.ca)
Date: 12/29/01


From: "Darren W. MacDonald" <darrydoo@sympatico.ca>
To: "'Tom Love'" <tlove@pretendceo.com>, <focus-ms@securityfocus.com>
Date: Fri, 28 Dec 2001 19:56:56 -0500

Interesting. This is all new. Thanks, Tom!

Still makes me leery -- they purposely wrote this product to circumvent
firewalls. Not very corporate-policy-friendly. But it makes their
product work, so they don't care (IMHO). And the product uses (likely)
obfuscated clear-text by default, but cough up some coin, and your
traffic can be SSL encrypted.

'Nuf said.
Darren

> -----Original Message-----
> From: Tom Love [mailto:tlove@pretendceo.com]
> Sent: Friday, December 28, 2001 11:23 AM
> To: focus-ms@securityfocus.com
> Subject: RE: Taking control of ones machine
>
>
> Webex appears to have a fair amount of security information on their web
> page:
> http://www.webex.com/home/tech_security.html
>
> -----Original Message-----
> From: Darren W. MacDonald [mailto:darrydoo@sympatico.ca]
> Sent: Thursday, December 27, 2001 8:26 PM
> To: 'Eric Moore'
> Cc: focus-ms@securityfocus.com
> Subject: RE: Taking control of ones machine
>
>
> I understand and have used X Windows, and VNC, and SMS Remote Control,
> and RDP/ICA, and PCAnywhere, and a myriad of other "remote control"
> products. Webex is not in the same class. It's more like Netmeeting than
> anything else, except it's not a big fat application that locked-down
> users can't install, it's a much smaller ActiveX control.
>
> The issue here is not how a remote control tool works in a general
> sense; the issue is with the Webex ActiveX control. Specifically, why
> its developers chose to use port 80 (which invalidates my firewall
> rules, and makes it impossible to regulate this product, as anyone on my
> network can go download it), whether or not its traffic is encrypted,
> and how vulnerable the ActiveX control is (for example, if user goes to
> badguy's website, and badguy's site can circumvent the so-called
> authorization functionality of this tool, then badguy has the same level
> of access on the PC, and on my network, as user -- and even if he can't
> circumvent the authorization, he could get a gullible user to authorize
> them via social engineering -- and since I'm not necessarily involved in
> the process, I may not have the opportunity to educate said user).
>
> Finally, my biggest concern is with the inability of Webex support
> personnel to answer these, and other, questions. It appears that I'm not
> alone in this problem, based on other messages in this thread.
>
> TTYL
> Darren
>
>
> > -----Original Message-----
> > From: Eric Moore [mailto:ruztedrute@altavista.com]
> > Sent: Thursday, December 27, 2001 4:23 PM
> > To: darrydoo@sympatico.ca
> > Subject: RE: Taking control of ones machine
> >
> > I suggest doing a web search on virtual network computing (VNC). This
> > particular acronym is also a product offered by AT&T and will explain the
> > foundation of X-Windowing. Thanks!
> >
> >
> > On Thu, 20 December 2001, "Darren W. MacDonald" wrote:
> >
> > >
> > > Steven:
> > >
> > > I was presented with the same Webex situation in September 2000. I
> > > requested some information from Webex on how it worked, and got nowhere
> > > with them. The tech that I spoke to, Charles, couldn't tell the
> > > difference between Netscape and IE, couldn't/wouldn't tell me how it
> > > worked or what the security risks were, but he assured me that it was
> > > safe. (!) Management decided that my concerns weren't valid.
> > >
> > > Since then, three different groups at the company I work for use it, for
> > > three different applications: Aperture, Manugistics, and Aldon. All
> > > groups are using it for software support and web meetings from the
> > > vendors, IIRC. It basically allows sharing of applications and the
> > > desktop across port 80, similar to Netmeeting -- except it's just a
> > > plugin. I really dislike that it uses port 80 -- it basically nullifies
> > > firewall rules (unless you block IP addresses to webex.com and any other
> > > Webex servers entirely, I suppose). The three companies I have
> > > experience with all use the webex.com domain.
> > >
> > > In all the sessions I saw, users had to grant permission for the
> > > requesting party to take control, and sessions can be interactive or
> > > look only; however, I don't know if this is always the case. My comfort
> > > level isn't all that high, as it's a black box that I don't know enough
> > > about and can't get any information about.
> > >
> > > HTH
> > > Darren
> > >
> > >
> > > > -----Original Message-----
> > > > From: Steven Bonici [mailto:sbonici@groupea.com]
> > > > Sent: Thursday, December 20, 2001 3:25 PM
> > > > To: 'focus-ms@securityfocus.com'
> > > > Subject: Taking control of ones machine
> > > >
> > > >
> > > >
> > > > You have to forgive me with the following questions, as I am not sure if
> > > > this is the right group.
> > > >
> > > > We have been asked by one of our software vendors to allow them to use WebEx
> > > > to take control of one of our servers. They explained to me that all I need
> > > > to do is to install a "plug-in" and they can take control of the server
> > > > through a web browser. We staged a test with a test server, and they came
> > > > right in and took control. Isn't it way too easy?
> > > >
> > > > I haven't contacted them yet, I thought I would ask here first. Is there
> > > > any documentation or white papers into how this actually works and what can
> > > > be done to protect the machine? Does anyone have any insight into WebEx? I
> > > > am really curious as to how easy this is. I know once you go to the WebEx
> > > > web site you need to agree and "allow" someone to actually connect, but it
> > > > just seems way too easy.
> > > >
> > > > I know that websites can grab information from your browser, but again I
> > > > would love to know "how" and all this seems to be connected in some way. I
> > > > downloaded a copy of "pcaudit.exe" (by Internet Security Alliance), and that
> > > > just goes to prove how vulnerable one is.
> > > >
> > > > Any information would be greatly appreciated.
> > > > Thanks - Steven


