From: Brian Lucas (blucasmstar2.net)
Date: Thu Dec 20 2001 - 19:48:57 CST

    Hi Steve,
    I had the exact same concerns when our company moved to implement WebEx for
    our support guys. I asked their representative a bunch of questions but
    they (cough) apparently didn't have much idea about bigger security issues.
    Instead, I heard "well Microsoft, Novell, and Dell all use it so it must be
    safe." Yeah, okay.

    So, not being able to stop too much of the stream of progress we went with
    it and I monitored it heavily. I will say that the remote control feature
    can only be enabled if the end-user grants access. However, be warned. Two
    minutes into testing WebEx with a friend, I asked him to only grant me
    control of a single application and I was able to gain control of the whole
    desktop without his permission. This is all end-user visible however.

    Each WebEx session or meeting is session-based and privilege-oriented. But,
    since it runs on port 80, there is always that concern. A user cannot
    reconnect a WebEx session once that session has ended and during a session
    an end-user can always take away control and close the session. It does not
    run as a service or actively. The client must be invoked via the web
    browser during a WebEx session which means that once it's off and you're away
    from your computer, it will not spontaneously send your SAM out to the
    world.

    Overall, I have been pleased with its performance. It is a good tool to use
    and excellent for any type of remote client support. It is also good for
    general meetings. I would like to see them implement some form of
    end-to-end secure encryption in a later release.

    So, give it a try. Slap snort on a box and watch the packets. You should
    be okay (grimace).

    -----Original Message-----
    From: Steven Bonici [mailto:sbonicigroupea.com]
    Sent: Thursday, December 20, 2001 1:25 PM
    To: 'focus-mssecurityfocus.com'
    Subject: Taking control of one's machine

    You have to forgive me with the following questions, as I am not sure if
    this is the right group.

    We have been asked by one of our software vendors to allow them to use WebEx
    to take control of one of our servers. They explained to me that all I need
    to do is to install a "plug-in" and they can take control of the server
    through a web browser. We staged a test with a test server, and they came
    right in and took control. Isn't that way too easy?

    I haven't contacted them yet, I thought I would ask here first. Is there
    any documentation or white papers into how this actually works and what can
    be done to protect the machine? Does anyone have any insight into WebEx? I
    am really curious as to how easy this is. I know once you go to the WebEx
    web site you need to agree and "allow" someone to actually connect, but it
    just seems way too easy.

    I know that websites can grab information from your browser, but again I
    would love to know "how" and all this seems to be connected in some way. I
    downloaded a copy of "pcaudit.exe" (by Internet Security Alliance), and that
    just goes to prove how vulnerable one is.

    Any information would be greatly appreciated.
    Thanks - Steven