Out of the box, the e/pop application has no security settings enabled. Any peer can take control of your desktop without warning. The initial configuration not withstanding, I sent an email to supportat_private about a vulnerability in the way the software exchanges security codes over the network: Software Affected ----------------- WiredRed e/pop 2.0.3.125 Description ----------- Security Codes configured in the e/pop Control Panel are sent in the clear. Several security codes can be configured from the e/pop control panel: Global: must be installed on each e/pop peer in order to communicate and is also used to restrict access to the control panel. Features: Send and Receive codes can be configured for each of the following features: Message, Chat, Admin, Remote, and AppShare. Impact ------ Security codes can be easily snooped and used to communicate with and/or take control of e/pop peers that have security codes configured. Suggestion ---------- Send a message digest (e.g. MD5) of the security code instead of sending it in the clear. The following was the response I received: > >Thank you for your suggestion, but physical security is not the >responsibility of e/pop, but the responsibility of your company. If >someone >has the ability to snoop your network with a packet sniffer, then they have >the ability to install password grabbing trojans on your PCs and various >other things. > >That is why security classifications such as C2 does not extend to physical >premises security and control for software, and companies like Novell and >Microsoft who meet these requirements are still vunerable in physical >security attacks, such as console access. > >We appreciate your suggestions though and will take them into consideration >as MD5 and RC6 security is used internally within e/pop to encode codes. ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:43 PDT