Forgot your password?
typodupeerror
Security Bug Cloud Networking Software IT Technology

Symantec Tells Customers To Stop Using pcAnywhere 149

Posted by timothy
from the but-I-gotta-use-it-somewhere dept.
Orome1 writes "In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued. If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network."
This discussion has been archived. No new comments can be posted.

Symantec Tells Customers To Stop Using pcAnywhere

Comments Filter:
  • by elrous0 (869638) * on Thursday January 26, 2012 @10:25AM (#38828147)

    Most /.er's stopped using your products a long time ago.

    Next up, Intel CEO admits "McAfee is just bloatware that doesn't actually do anything. To be honest, most of it just runs loops that eat up CPU, so people think it's doing something and want to buy a faster Intel CPU. It hasn't stopped an actual virus since the mid-90's."

    • by Baloroth (2370816) on Thursday January 26, 2012 @10:45AM (#38828375)

      t hasn't stopped an actual virus since the mid-90's."

      I wouldn't say that, it seems to do a pretty good job shutting down Windows.

    • by mcavic (2007672)
      We have a server at our office running a PCAnywhere host, but it's on a custom port that's normally closed at the firewall.
    • Symantec has bought out several good companies where there is no good replacement yet ( free or commercial ).

      Im taking things such as Ghost ( corporate, not the mess they made of the home version ), much of the Altiris management suite and workflow, some backup tools... And I'm sure there are others too.

      But i agree, that most of what they have bought they have eventually destroyed, and what isn't toast yet will be in time.

  • this has nothing to do with the leaked source code. Right?

    • Re:But of course (Score:4, Informative)

      by Anonymous Coward on Thursday January 26, 2012 @10:36AM (#38828277)

      I'm pretty sure that they made this clear in their disclosure?

      http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

      First two paragraphs from their Introduction:

      Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

      With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

    • by mcgrew (92797) *

      If it had been open sourced the bugs would have been found and fixed years ago. How do you know some blackhat didn't find the holes without the source long before it was leaked? Security through obscurity is about as dependable as the TSA groping children in the airport is at keeping terrorists out.

      • by Magada (741361)

        Oh, I am pretty sure I remember a 0-day being bandied about in certain circles, 2005-ish. I just assumed it was patched at some point.

  • Come on (Score:5, Insightful)

    by jayhawk88 (160512) <jayhawk88@gmail.com> on Thursday January 26, 2012 @10:26AM (#38828165)

    If the attackers place a network sniffer on a customer's internal network...

    You've got a hell of a lot bigger problems than pcAnywhere.

    • Re:Come on (Score:5, Insightful)

      by cduffy (652) <charles+slashdot@dyfis.net> on Thursday January 26, 2012 @10:44AM (#38828369)

      If the attackers place a network sniffer on a customer's internal network...

      You've got a hell of a lot bigger problems than pcAnywhere.

      Au contraire -- if your infrastructure isn't robust against this class of attack (all internal traffic authenticated and encrypted, particularly during password exchange), you're Doing It Wrong.

      Moreover, the concept of "defense in depth" applies -- a hard outer shell with a soft inner core means that when the eventual successful attack does happen (and it will!), the damage is that much worse. You can't have decent security if you design all the internal components assuming that the outer layer will protect them.

      • Re: (Score:3, Insightful)

        I find it interesting how many enterprise software companies don't understand that. When we run scans against their software and tell them we need them to fix vulnerabilities it's amazing how often they come back with, "This product is designed to be used internally." Like that matters, if your company is bigger then 10 people you shouldn't be surprised to have internal users trying to hack your system.
        • by NotBorg (829820)
          It's worse than that. You don't have to have a "guy on the inside" for many sites. There's this myth that if you throw up a big firewall then all the applications behind it are protected. It doesn't take a genius to see that a single compromised machine on the "secured" side of the wall (not uncommon) effectively exposes all those "protected" (internal) applications to risk. Unless you're sure you can keep all your user's workstations free from compromise (good luck with that), you should just start wit
          • by Bert64 (520050)

            You have lots of vendors selling firewalls, who will insist that is all thats needed...
            Lots of non technical (and even more pseudo-technical types) believe this, and its become a corporate standard to build networks like this.

            After a while, you have so much cruft that it's not viable (in terms of time and cost) to secure the network properly... There are simply too many machines to reconfigure, and too many services you depend on which are fundamentally insecure and would need to be replaced.

        • some estimates are that more then 50% of attacks come from inside the firewall.. ( disgruntled employees , corporate espionage , or sometimes people just trying to see things they without permission ( curiosity) ). ( that was what the marketing people at the firewall company I worked for claimed).

          Of coarse if you can detect such things , you can always fire those people, part of the problem is most medium and small companies don't have the money it takes to pay some one to act full time as a security offic

      • Re:Come on (Score:5, Insightful)

        by Dishevel (1105119) on Thursday January 26, 2012 @11:22AM (#38828783)

        On the other hand your hard inner shell can cost the company massive amounts in lost productivity. The harder the core is the more people hate to go to work.
        You really need specific defenses set up. We have a mostly open wifi network connected to the internet. (Personal Devices, Visitors and the like) We also have a highly filtered connection to the internet for company systems. Servers are set on the local network behind a firewall that drops anything not expected and also drops anything that is expected if it is not coming from the place that it is expected to come from. Really critically confidential stuff is (Credit card data, personnel crap and the like are set nested behind an even more secure firewall.
        You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

        • by cduffy (652)

          You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed.

          I'm talking about end-to-end encryption -- your jump into password policies is just bringing up the Mordok the Preventer strawman.

          Using TLS for your internal services doesn't make users' lives worse; for that matter, a number of technologies offering end-to-end encryption and authentication

        • Re:Come on (Score:5, Insightful)

          by jimicus (737525) on Thursday January 26, 2012 @12:55PM (#38830083)

          You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

          You're not talking about security, you're talking about policies that are thrown together piecemeal in the form of a constantly-updated list of "Things that have been described as insecure in the latest issue of "IT Security for - and written by - PHBs Magazine"". You know how it goes:

          Month 1: "Are your users using passwords that are too short?"
          EEKS! PANIC! From now all, all passwords must be at least 8 characters long!

          Month 2: "Are your users using easily guessable passwords?"
          PANIC! From now on, all passwords must be at least 8 characters long and consist of letters and numbers!

          Month 3: "Are your users using passwords that are too long? Yes, it's possible. Read our article..."
          SHIT! SHIT! SHIT! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers!

          Month 4: "Do you change your passwords often enough?"
          PANIC! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, and must change every 30 days!

          Month 5: "Are your users abusing your policy by typing in the same password every time they're prompted to change it? Read our exclusive report...."
          ACTION STATIONS! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

          Month 6: "Are you secure against dictionary attacks? Read our article about this SHOCKING new attack method!"
          AAARGH! Right, from now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

          Month 7: "Did you know? 70% of people use a simple password like 'aaaaaaaaa' or '1234567890123' (not particularly surprising if you've been following everything we've said) Turn to page 12 for our exclusive report!"
          DAMN! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

          Month 8: "New research suggests 30% of people use their own telephone number as a password!"
          OH NO YOU DON'T! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

          I think you've got the idea by now....

          • by Dadoo (899435)

            As usual, XKCD to the rescue:

            http://www.xkcd.com/936/ [xkcd.com]

            Possibly the best advice I've ever heard about passwords. The problem is that people are so concerned about following the rules you discussed, they're actually making their networks less secure.

            • by jimicus (737525)

              They're even worse than that.

              Granted, I gave an extreme example - but the thing is a dictionary attack is fantastically easy to defend against. So much so that many half-decent authentication schemes have protection against that baked right into them and turned on by default - get your password wrong too many times in a row and you get locked out.

              I would dearly love to know exactly how many security breaches in the real world come from password brute-forcing (either through trying to login with every concei

            • The only problem with that is the fact that the space bar makes a unique noise when pressed. It's a good clue to a shoulder surfer.

              Of course, following xkcd's advice while removing spaces is quite acceptable.

          • You left out the punctuation mark requirements.

            • by jimicus (737525)

              Month 9: "New research suggests that including punctuation marks in your password can make it 43% harder to guess!"
              BRILLIANT. From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters, numbers and punctuation, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number

          • by Bert64 (520050)

            Keeping records of the last 12 passwords is flawed, you should keep record of infinite passwords for a predetermined period of time otherwise the user can simply change their password repeatedly to expire the old ones from the cache.

            Also passwords need to be sufficiently different from previous passwords, or you will get ridiculous situations where Password1 becomes Password2, and then Password3 etc...

            Of course, if a password was strong in the first place, stored using a strong hashing algorithm and isn't s

            • Keeping records of the last 12 passwords is flawed, you should keep record of infinite passwords for a predetermined period of time otherwise the user can simply change their password repeatedly to expire the old ones from the cache.

              That's why the stupider systems not only have maximum password change intervals ("you must change your password at least once every 42 days") but also minimum change intervals ("you can't change your password if you already changed it today or yesterday").
              Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...

              • by _0xd0ad (1974778)

                Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...

                That's when you call the IT help line and tell them you accidentally just shredded the post-it your new password was on.

                Unless that's grounds for disciplinary action where you work... in which case, just say you forgot it.

                • Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...

                  That's when you call the IT help line and tell them you accidentally just shredded the post-it your new password was on.

                  Nice! Must remember this one :-)

                  Unless that's grounds for disciplinary action where you work... in which case, just say you forgot it.

                  Or even better: just forget about the incident... after all it's not your personal data that is at risk, but just the company's, and if the company doesn't care more, why should you?

                  • by _0xd0ad (1974778)

                    Nice! Must remember this one :-)

                    You could write it on a post-it so you won't forget.

                    it's not your personal data that is at risk, but just the company's, and if the company doesn't care more, why should you?

                    It's not your personal data that is at risk; it's the ability to use your username and password to do things that would make the company start caring very quickly. Like sending its data to places it shouldn't be. Or, for that matter, to access data that shouldn't be accessed from the company's internet connection (e.g. porn).

          • You forgot:

            Month 9: "New research suggests 95% of people have their password written on a post-it stuck to their screen!"
            ... which is understandable, because who is able to remember a password that is at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, does not appear in any dictionary even if common number/letter substitutions are accounted for, does not contain the same character repeated more than twice, does not contain sequential letters or numbers, and is

        • I wonder if all your negative responders have ever managed a network.
          By the way, I get what you are saying. Even thinking you can lock down everything on a network and believing it will still be useful is naive.
          You can create an internal certificate structure for all your employees, IPSec everything end-to-end, full disk encryption, etc... you will still have break in's from social engineering. Beyond Joomla/wordpress/insert spaghetti code php script here, it's becoming far far and few in between where som

          • by cduffy (652)

            The best and highest profile hacks of all time were through humans, not by defeating your naive everything-is-encrypted-hard-inner-core circle jerk.

            And you're right, of course, but that's not an excuse for being sloppy.

        • by hairyfeet (841228)

          Not to mention those places with BOFH password policies are usually less secure than no passwords at all! I'll never forget a story one of my teachers told me about taking some kids on a tour of a place with a BOFH that just kept droning on and on about how is super asshole password policies made them so super secure, finally mike got tired of it and said 'i bet you $100 and a steak dinner that you let me loose in this place for just 20 minutes i'll be in the system' and of course Mr BOFH wanted to show he

          • by Dishevel (1105119)

            Yup. If you make things too difficult for user they will try and figure out a way to make it easier. I am sure that my easy way is much more secure than their easy way.
            Though I will state again. There are some things that must be as secure as you can make them. If you treat everything that way though your security will end up for shit.

            • by hairyfeet (841228)
              Exactly there is no damned point in making Sally the secretary jump through flaming security hoops if she isn't handling payroll or other sensitive information, its just being a BOFH and tying a boat anchor to her productivity. BTW I'm curious about your sig, what is it about dell servers that sucks so bad? i'm out of corporate IT thank the Gods so i haven't messed with a Dell server in ages (always preferred HP myself) but the last time i messed with them, back in the days of the Optiplex p4 office boxes,
              • by Dishevel (1105119)

                Here is what I know about Dell.
                Ordered a pair of servers from Dell for a dirty little project that had to be up by a specific time. Thought that instaed of ordering parts on newegg and throwing them together I might like a little bit of support. Was going to be buying a bunch more servers over time and thought that using Dells and letting them do all the ID tracking on my systems might give me a little more time things I should not be getting paid for. Ordered the servers. Nothing special. They said they wo

                • by hairyfeet (841228)

                  Ahhh...been there friend, been there. Had a company that didn't want to listen to me and went Dell small business and got the same jerking around, finally they called me and said "We've canceled it and are stuck, help please?" and did a variation of what you did only i prefer Tigerdirect barebones. even figuring in my labor they ended up getting nicer systems a good 20% cheaper and as i told them that meant for each five systems i could build them a spare for the same money they were paying so fuck dell sup

        • by CAIMLAS (41445)

          You can not expect everything to be secure. You have to pick and choose your battles.

          Yet, if you do not pick and win all the battles, it's quite likely you'll lose your job when (not if) there is an intrusion.

          I've yet to meet an employer who is forgiving about a person leaving the doors unlocked, resulting in a burglary. It doesn't matter if there are 2,000 doors which need to be checked/audited on a daily basis next to the First International Burglary Institute - your (and my) employers are otherwise ignorant to all of this. They live in tiny, simple worlds where "due diligence" means usin

      • you are of coarse correct , unfortunately 90% or so of offices in the U.S are 'doing it wrong'

  • by Sockatume (732728) on Thursday January 26, 2012 @10:28AM (#38828179)

    What the story doesn't mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.

    http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/ [channelregister.co.uk]

    • by jesseck (942036) on Thursday January 26, 2012 @10:49AM (#38828443)

      The source was stole in 2006. This means that they corrected the problems in their other products which had stolen source, but not pcAnywhere. For 5-6 years, Symantec has been selling software which was potentially compromised.

      The current reported theft happened recently, but that source code came from a theft (unreported by Symantec, but known) back in 2006. That means, since 2006, Symantec has known the pcAnywhere source was stolen, knew of vulnerabilities, and chose not to fix that product. It sounds like they patched the rest of their products, though.

      • For 5-6 years, Symantec has been selling software which was potentially compromised.

        This does not surprise me. Symantec is the shit-king of shit software.

        And, like many others here, I certainly threw all my weight into helping get that crap outta MY house several years ago. In fact, I personally headed up and executed our Windows XP rollout several years back to get rid of Win2k, and a major selling point in my cost-benefit analysis was dumping PCAnywhere, and all of the headaches, security holes, and bul

      • by cpu6502 (1960974)

        >>>Symantec has known the pcAnywhere source was stolen,

        How is this different from any open-source anti-virus software? The source is "out there" and compromised in both cases.

        Ooops. I guess I should not have said that.

    • by knarf (34928)

      There is another possibility here: pcAnywhere, being closed-source commercial software made by a vendor who is keen to sell as many copies to as many countries as possible, might contain one or more backdoors to enable Those_Who_Make_The_Rules (or those who pay enough) to access any pcAnywhere installation out there. These backdoors might not have changed since 2006, especially if they are based on some 'secret' certificate or another 'secret' sauce. With the source leaked, these secrets might not be so sec

  • I can't understand why people still put Symantec on their PC. It's a bloated piece of crap that blocks everything without intelligently deciding if it's a good idea. When I had Symantec installed on my laptop, the CPU was at 100% and I had to manually turn off the firewall just to browse the web.
    • by couchslug (175151) on Thursday January 26, 2012 @11:37AM (#38828999)

      Because they don't know how the magic box works, that's why.

      Yes, really.

      • by lwriemen (763666)

        This is the same reason Windows has a monopoly on the PC. (Along with the illegal use of monopoly power, natch.)

    • by jason777 (557591)
      I'm required to at work. And yes it brings the system to a crawl.
    • by Anrego (830717) *

      I think much like McAfee, they don't.

      Dell or whoever they buy the computer from does it for them, and makes it insanely painful to remove.

    • by DrXym (126579)
      Might be different for corporates but for individuals I don't see any reason to use anything more than the MS Security Essentials app. It's free, it provides good protection, gets new virus definition updates all the time, it doesn't hog the cpu or nag you. That's all one can hope for from antivirus software. It's a refreshing change from the days of MS DOS 6.0 where MS Antivirus was so broken that it was worse than useless.

      For enterprises perhaps there is merit in some antivirus to be centrally controlle

    • by timbo234 (833667)

      Because they don't know that there's free antivirus software out there that does the job just as well, and even if they did they wouldn't trust it - and rightfully so given the amount of malware out there posing as 'anti-virus' and 'anti-spyware' software.

      My parents went throuh this painful cycle. First they got duped by some flashing ad on the internet into downloading one of the malware 'anti-virus' programs, then they went to a local big-name store (Australia's infamous Harvey Norman) who were more than

    • Many vendors preinstall Symantec. Unless the customer actually knows how big a POS it is and stops them, they'll get it crammed on their box.

      • by cusco (717999)
        And then, like my mom, they don't see the point of spending $50/year on it or just plain forget, then a year or two down the road they lose everything because some malware kills their system.
  • Had to deal with this issue this morning

    Extra information http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf [symantec.com]

    Presently if you use PCanywhere for WAN access disable now, if you use it in a closed network should be ok, unless someone is already on the network but if that is the case, you already have a problem better than this.

    I think Symantec handled this ok, when Anon stated they had the source code last week Symantec issued a statement
    • by jesseck (942036)

      I think Symantec handled this ok, when Anon stated they had the source code last week Symantec issued a statement about what they had, mainly 2006 code.

      Personally, I would feel better if Symantec could come out and say, "You know, Anon does have the source code that was stolen from us in 2006, but we've patched those vulnerabilities over the last 5 years. All of our products, including pcAnywhere, are secure and reliable."

      I know that Symantec says the rest of the products are safe- I just wonder why it couldn't be "all" products.

      • by cusco (717999)
        If they didn't patch a product that they knew their customers had installed on mission-critical servers I sincerely doubt that they've bothered with any of their other software.
  • by ArcherB (796902) on Thursday January 26, 2012 @10:40AM (#38828321) Journal

    I remember the first time I used it. It was a Godsend. It was so nice to simply take control and do it rather than sit there on the phone saying, "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. Hit CTRL-ESC. Control Escape. It's on your keyboard. Press and hold control and then press and release escape. Keyboard. It's on your keyboard. Nevermind. Do you see Start on your screen?" Even though we were connecting via dialup, it was lightyears better than trying to imagine the screen the use was describing and then describing elements of it it back to them.

    But those days are long gone. Now we have RDP, VNC, WebEx, and a host of other remote desktop utilities and protocols. There is no longer a need for PCAW.

    • Re: (Score:3, Funny)

      by Zocalo (252965)

      "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. ...

      And that's where you went wrong. The correct procedure for any self respecting BOFH at this point would be:

      "Turn off the PC at the power switch, turn it back on and call back when you have logged back in. Bye." *Hang up phone* "I'm going on my coffee/cigarette break guys. See you in twenty!

    • RDP requires port forwarding, which requires access to the firewall, which is not always available; it also will not work if your ISP NATs you. Ditto with VNC, unless you use a repeater or know for sure what ip you will be connecting from (so you can do a reverse VNC). WebEx is not free.

      There ARE good, free alternatives-- TeamViewer, ShowMyPC, hamachi+rdp, LogMeIn, CrossLoop, etc.

    • Unfortunately, Symantec just finished purchasing and absorbing the Altiris Client Management Suite.

      Guess what one of the changes was in the latest major version (7.1)? You guessed it: a wholesale replacement of the existing remote control applet with PCAnywhere.

      Once again, Symantec buys a functional company that makes a decent product, and then proceeds to ruin it until no one buys it anymore, then they go acquire what everyone moved to so they can ruin that too.

      It's like financial speculators, only worse

  • Good Job Symantec (Score:5, Interesting)

    by rudy_wayne (414635) on Thursday January 26, 2012 @10:44AM (#38828363)

    According to this article [cnet.com], the source code for PCANywhere was stolen from Symantec's network in 2006. That's right . . . . 2006. Good work Symantec. It only took you 6 years.

  • Just use a secret encrypted key exchange, like Diffie-Hellman, to set up a secure communication channel on the wire. While Diffie-Hellman may be susceptible to MitM attacks, it is about the closest thing you can get to foolproof protection against any form of eavesdropping on any type of broadcast channel, be that over radio, or on local ethernet line (unless the sniffer is a quantum computer, and would be thus break the encryption). To prevent MitM attacks, you need another type of system built on top of
    • by dkf (304284)

      Just use a secret encrypted key exchange, like Diffie-Hellman, to set up a secure communication channel on the wire.

      Or use SSL, which uses protocols like DH (depending on configured protocol suite) to set up a secure communication channel. And it's a heck of a lot simpler than writing all that stuff yourself; both the protocols used and the implementation even get independently audited from time to time.

      No, you don't actually need to use a CA to use SSL. Or rather, you can easily run with an explicit list of trusted certificates or operate a private CA. Those are in fact a highly secure option (if harder work to scale up

  • Most of us have been advising people not to use pcAnywhere for more than a decade now. :)
    • I stopped using it in the late 90s when I discovered VNC was free _and_ worked about 10 times faster.

  • (Your) pcEverywhere

  • The researchers continued, "If the Active Directory credentials were used as part of an DoD Exchange tie in, the attackers could get access to incriminating government official emails. If they got access to incriminating DoD emails, they could extort nuclear launch codes out of the officials. If they extorted launch codes out of the officials, they could start a nuclear holocaust."

    The researchers concluded, "and that is why you never give a mouse a cookie."

  • So I understand that Symantec is either using very poor cryptography or even exchanging authentication credentials in plain text!
    Have they had any chance to read a few basic documents about, say, ssh?
    M0R0N5!

  • if the attackers place a network sniffer on a customer's internal network

    ...that customer has much bigger problems to worry about than Symantec applications.

  • "Symantec Tells Customers To Stop Using pcAnywhere" ...IT staff have been begging users to stop using pcAnywhere for years.

  • LogMeIn, RDP, VNC.. all better alternatives to paying for that shit.

"Out of register space (ugh)" -- vi

Working...