Forwarded from: William Knowles <wkat_private>

http://www.wired.com/news/technology/0,1282,55145,00.html

By Michelle Delio
2:00 a.m. Sep. 16, 2002 PDT

Malicious hackers are no longer limited to looking at private data -- now they can also see their victims.

Even a relatively unskilled attacker can transform some video-conferencing systems into video-surveillance units, using the devices to snoop, record or publicly broadcast presumably private video conferences.

A half-dozen exploits have recently been discovered in the operating system of Polycom's popular ViewStation device. Some of the issues have been addressed in a system upgrade released last week, but many users said they weren't advised they needed to upgrade their ViewStation's operating system and were unaware of the security problems.

Attackers can easily retrieve ViewStation administrator passwords, remotely take control of the device and record or monitor video conferences, according to Eric Goldberg, general manager of Navastream, a company that provides communication security services.

"There are some very serious problems," confirmed Ken Pfeil, senior security consultant at Avaya, a company that designs, builds and manages corporate communications networks. "A hacker could very easily take administrative control over the entire conferencing system. One would need only a Web browser to point and click their way into the system."

The ViewStation is vulnerable to denial-of-service attacks and other sorts of data-flood attacks that can destabilize the system and allow an attacker to gain control over it.

Goldberg added that even after the ViewStation system upgrade is completed, some security flaws remain. Navastream researchers discovered that ViewStation passwords are transmitted in "clear text," unencrypted and easily readable to anyone who is snooping on the system. Goldberg said Polycom's patch does not address the clear-text issue.
"Any potential attacker monitoring the connection with a network sniffer will be able to retrieve the password to gain access to remote management controls," Goldberg said. "And if I were to gain remote control, I could turn on the device and publicly broadcast over the Internet every meeting a corporation held in a room with a ViewStation."

Goldberg also said that once a system was penetrated, an attacker could create a simple programming script that virtually anyone could use to access that system remotely.

According to Patty Azzarello, chief marketing officer of Polycom, upgrading the ViewStation's operating system provides protection from many of these exploits. The upgrade was released last week.

Affected units are:

- Polycom ViewStation 128 Version 7.2 and earlier
- Polycom ViewStation H.323 version 7.2 and earlier
- Polycom ViewStation 512 version 7.2 and earlier
- Polycom ViewStation MP version 7.2 and earlier
- Polycom ViewStation DCP version 7.2 and earlier
- Polycom ViewStation V.35 version 7.2 and earlier
- Polycom ViewStation FX/VS 4000 version 4.1.5 and earlier

Some ViewStation users complained that Polycom didn't openly announce the security issues on their website or notify users, and said they didn't announce that the system upgrade was necessary to secure their devices.

In three separate calls to Polycom technical support, none of the representatives was aware of the security issues addressed by the update.

Azzarello said the company's sales force and marketing partners had notified their customers that they needed to update their product's operating systems.

"Regarding the technical support issue, we educate the technical support representatives regarding all new product information, upgrades and patches," Azzarello said. "Your experience indicates the need to revisit this topic with the support staff, which we are in the process of doing."
In addition to keeping up with patches, placing video-conferencing devices behind a protective firewall is advisable, experts say. Dedicated video-conferencing security products such as Navastream's VIP are also available.

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 06:01:40 PDT