Symantec Tells Customers To Stop Using pcAnywhere
Orome1 writes "In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued. If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network."
Way ahead of you, Symantec (Score:5, Funny)
Most /.er's stopped using your products a long time ago.
Next up, Intel CEO admits "McAfee is just bloatware that doesn't actually do anything. To be honest, most of it just runs loops that eat up CPU, so people think it's doing something and want to buy a faster Intel CPU. It hasn't stopped an actual virus since the mid-90's."
Re:Way ahead of you, Symantec (Score:5, Funny)
It hasn't stopped an actual virus since the mid-90's."
I wouldn't say that, it seems to do a pretty good job shutting down Windows.
Re: (Score:2)
Yeah, but Symantec is still the undisputed champion in that regard.
Unfortunately... (Score:2)
Symantec has bought out several good companies where there is no good replacement yet (free or commercial).
I'm talking things such as Ghost (corporate, not the mess they made of the home version), much of the Altiris management suite and workflow, some backup tools... And I'm sure there are others too.
But I agree, that most of what they have bought they have eventually destroyed, and what isn't toast yet will be in time.
Re: (Score:3)
Years ago I used to use Delrina WinFax. Nice product, installed off of two floppies. Nothing fancy, just did exactly what I wanted it to and nothing else. Then Symantec bought it.
But of course (Score:2)
this has nothing to do with the leaked source code. Right?
Re:But of course (Score:4, Informative)
I'm pretty sure that they made this clear in their disclosure?
http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf
First two paragraphs from their Introduction:
Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.
With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.
Re: (Score:2)
If it had been open sourced the bugs would have been found and fixed years ago. How do you know some blackhat didn't find the holes without the source long before it was leaked? Security through obscurity is about as dependable as the TSA groping children in the airport is at keeping terrorists out.
Re: (Score:2)
Oh, I am pretty sure I remember a 0-day being bandied about in certain circles, 2005-ish. I just assumed it was patched at some point.
Come on (Score:5, Insightful)
If the attackers place a network sniffer on a customer's internal network...
You've got a hell of a lot bigger problems than pcAnywhere.
Re:Come on (Score:5, Insightful)
Au contraire -- if your infrastructure isn't robust against this class of attack (all internal traffic authenticated and encrypted, particularly during password exchange), you're Doing It Wrong.
Moreover, the concept of "defense in depth" applies -- a hard outer shell with a soft inner core means that when the eventual successful attack does happen (and it will!), the damage is that much worse. You can't have decent security if you design all the internal components assuming that the outer layer will protect them.
Re: (Score:2)
You have lots of vendors selling firewalls, who will insist that is all that's needed...
Lots of non-technical (and even more pseudo-technical types) believe this, and it's become a corporate standard to build networks like this.
After a while, you have so much cruft that it's not viable (in terms of time and cost) to secure the network properly... There are simply too many machines to reconfigure, and too many services you depend on which are fundamentally insecure and would need to be replaced.
Re: (Score:2)
Some estimates are that more than 50% of attacks come from inside the firewall (disgruntled employees, corporate espionage, or sometimes people just trying to see things they without permission (curiosity)). (That was what the marketing people at the firewall company I worked for claimed.)
Of course if you can detect such things, you can always fire those people; part of the problem is most medium and small companies don't have the money it takes to pay someone to act full time as a security offic
Re:Come on (Score:5, Insightful)
On the other hand your hard inner shell can cost the company massive amounts in lost productivity. The harder the core is the more people hate to go to work.
You really need specific defenses set up. We have a mostly open wifi network connected to the internet. (Personal Devices, Visitors and the like) We also have a highly filtered connection to the internet for company systems. Servers are set on the local network behind a firewall that drops anything not expected and also drops anything that is expected if it is not coming from the place that it is expected to come from. Really critically confidential stuff (credit card data, personnel crap and the like) is set nested behind an even more secure firewall.
You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.
Re: (Score:3)
I'm talking about end-to-end encryption -- your jump into password policies is just bringing up the Mordok the Preventer strawman.
Using TLS for your internal services doesn't make users' lives worse; for that matter, a number of technologies offering end-to-end encryption and authentication
Re:Come on (Score:5, Insightful)
You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.
You're not talking about security, you're talking about policies that are thrown together piecemeal in the form of a constantly-updated list of "Things that have been described as insecure in the latest issue of "IT Security for - and written by - PHBs Magazine"". You know how it goes:
Month 1: "Are your users using passwords that are too short?"
EEKS! PANIC! From now on, all passwords must be at least 8 characters long!
Month 2: "Are your users using easily guessable passwords?"
PANIC! From now on, all passwords must be at least 8 characters long and consist of letters and numbers!
Month 3: "Are your users using passwords that are too long? Yes, it's possible. Read our article..."
SHIT! SHIT! SHIT! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers!
Month 4: "Do you change your passwords often enough?"
PANIC! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, and must change every 30 days!
Month 5: "Are your users abusing your policy by typing in the same password every time they're prompted to change it? Read our exclusive report...."
ACTION STATIONS! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!
Month 6: "Are you secure against dictionary attacks? Read our article about this SHOCKING new attack method!"
AAARGH! Right, from now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!
Month 7: "Did you know? 70% of people use a simple password like 'aaaaaaaaa' or '1234567890123' (not particularly surprising if you've been following everything we've said) Turn to page 12 for our exclusive report!"
DAMN! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!
Month 8: "New research suggests 30% of people use their own telephone number as a password!"
OH NO YOU DON'T! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!
I think you've got the idea by now....
Re: (Score:3)
As usual, XKCD to the rescue:
http://www.xkcd.com/936/
Possibly the best advice I've ever heard about passwords. The problem is that people are so concerned about following the rules you discussed, they're actually making their networks less secure.
Re: (Score:2)
They're even worse than that.
Granted, I gave an extreme example - but the thing is a dictionary attack is fantastically easy to defend against. So much so that many half-decent authentication schemes have protection against that baked right into them and turned on by default - get your password wrong too many times in a row and you get locked out.
I would dearly love to know exactly how many security breaches in the real world come from password brute-forcing (either through trying to login with every concei
Re: (Score:2)
The only problem with that is the fact that the space bar makes a unique noise when pressed. It's a good clue to a shoulder surfer.
Of course, following xkcd's advice while removing spaces is quite acceptable.
Re: (Score:2)
You left out the punctuation mark requirements.
Re: (Score:2)
Month 9: "New research suggests that including punctuation marks in your password can make it 43% harder to guess!"
BRILLIANT. From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters, numbers and punctuation, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number
Re: (Score:2)
Keeping records of the last 12 passwords is flawed, you should keep record of infinite passwords for a predetermined period of time otherwise the user can simply change their password repeatedly to expire the old ones from the cache.
Also passwords need to be sufficiently different from previous passwords, or you will get ridiculous situations where Password1 becomes Password2, and then Password3 etc...
Of course, if a password was strong in the first place, stored using a strong hashing algorithm and isn't s
Re: (Score:2)
Keeping records of the last 12 passwords is flawed, you should keep record of infinite passwords for a predetermined period of time otherwise the user can simply change their password repeatedly to expire the old ones from the cache.
That's why the stupider systems not only have maximum password change intervals ("you must change your password at least once every 42 days") but also minimum change intervals ("you can't change your password if you already changed it today or yesterday").
Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...
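The history-cycling bypass and the minimum-change-interval workaround described in the two comments above, as an added example that is not part of the original thread. The `HistoryPolicy` class, its parameter names, the 2-day minimum age and the one-year retention window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DAY = 86400
ITERATIONS = 2_000  # kept low so the demo runs fast; not a production value


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class HistoryPolicy:
    """Hypothetical password-history policy (names are illustrative)."""
    keep_last: Optional[int] = None      # count-based: remember only the last N
    keep_seconds: Optional[int] = None   # time-based: remember everything this recent
    min_age_seconds: int = 0             # minimum interval between two changes
    entries: List[Tuple[int, bytes, bytes]] = field(default_factory=list)

    def _prune_by_age(self, now: int) -> None:
        if self.keep_seconds is None:
            return
        current = self.entries[-1:]  # never forget the password in use
        older = [e for e in self.entries[:-1] if now - e[0] < self.keep_seconds]
        self.entries = older + current

    def _seen(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_digest(password, salt), digest)
            for _, salt, digest in self.entries
        )

    def change(self, password: str, now: int) -> Tuple[bool, str]:
        """Try to set a new password at time `now` (seconds)."""
        if self.entries and now - self.entries[-1][0] < self.min_age_seconds:
            return False, "too soon"
        self._prune_by_age(now)
        if self._seen(password):
            return False, "reused"
        salt = os.urandom(16)
        self.entries.append((now, salt, _digest(password, salt)))
        if self.keep_last is not None:
            self.entries = self.entries[-self.keep_last:]
        return True, "ok"


def cycle_back(policy: HistoryPolicy, original: str, step: int,
               throwaways: int = 12) -> Tuple[bool, str]:
    """Set `original`, change `throwaways` times, then try to go back to it."""
    now = 0
    ok, _ = policy.change(original, now)
    assert ok
    for i in range(throwaways):
        now += step
        policy.change(f"throwaway-{i}-Xq7", now)  # constructed sample values
    now += step
    return policy.change(original, now)


def emergency_change(policy: HistoryPolicy) -> Tuple[bool, str]:
    """User sets a password, then must replace it ten minutes later."""
    policy.change("first-choice-Zp4", 0)
    return policy.change("replacement-Lm9", 600)


def demo() -> dict:
    pw = "Summer2012!"  # constructed sample password
    return {
        # Last-12 history only: thirteen quick changes bring the old password back.
        "count_only": cycle_back(HistoryPolicy(keep_last=12), pw, step=60),
        # Adding a 2-day minimum age blocks the quick cycle...
        "count_min_age_fast": cycle_back(
            HistoryPolicy(keep_last=12, min_age_seconds=2 * DAY), pw, step=60),
        # ...but only stretches it to 26 days,
        "count_min_age_slow": cycle_back(
            HistoryPolicy(keep_last=12, min_age_seconds=2 * DAY), pw, step=2 * DAY),
        # and it also refuses a change the user urgently needs.
        "min_age_emergency": emergency_change(
            HistoryPolicy(keep_last=12, min_age_seconds=2 * DAY)),
        # Time-window history: the number of changes no longer matters.
        "time_window": cycle_back(HistoryPolicy(keep_seconds=365 * DAY), pw, step=60),
        "time_window_emergency": emergency_change(
            HistoryPolicy(keep_seconds=365 * DAY)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```
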
Re: (Score:2)
Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...
That's when you call the IT help line and tell them you accidentally just shredded the post-it your new password was on.
Unless that's grounds for disciplinary action where you work... in which case, just say you forgot it.
Re: (Score:2)
Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...
That's when you call the IT help line and tell them you accidentally just shredded the post-it your new password was on.
Nice! Must remember this one :-)
Unless that's grounds for disciplinary action where you work... in which case, just say you forgot it.
Or even better: just forget about the incident... after all it's not your personal data that is at risk, but just the company's, and if the company doesn't care more, why should you?
Re: (Score:2)
Nice! Must remember this one :-)
You could write it on a post-it so you won't forget.
it's not your personal data that is at risk, but just the company's, and if the company doesn't care more, why should you?
It's not your personal data that is at risk; it's the ability to use your username and password to do things that would make the company start caring very quickly. Like sending its data to places it shouldn't be. Or, for that matter, to access data that shouldn't be accessed from the company's internet connection (e.g. porn).
Re: (Score:2)
Month 9: "New research suggests 95% of people have their password written on a post-it stuck to their screen!"
... which is understandable, because who is able to remember a password that is at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, does not appear in any dictionary even if common number/letter substitutions are accounted for, does not contain the same character repeated more than twice, does not contain sequential letters or numbers, and is
Re: (Score:2)
I wonder if all your negative responders have ever managed a network.
By the way, I get what you are saying. Even thinking you can lock down everything on a network and believing it will still be useful is naive.
You can create an internal certificate structure for all your employees, IPSec everything end-to-end, full disk encryption, etc... you will still have break-ins from social engineering. Beyond Joomla/wordpress/insert spaghetti code php script here, it's becoming far far and few in between where som
Re: (Score:2)
And you're right, of course, but that's not an excuse for being sloppy.
Re: (Score:2)
Yup. If you make things too difficult for user they will try and figure out a way to make it easier. I am sure that my easy way is much more secure than their easy way.
Though I will state again. There are some things that must be as secure as you can make them. If you treat everything that way though your security will end up for shit.
Re: (Score:2)
Here is what I know about Dell.
Ordered a pair of servers from Dell for a dirty little project that had to be up by a specific time. Thought that instead of ordering parts on newegg and throwing them together I might like a little bit of support. Was going to be buying a bunch more servers over time and thought that using Dells and letting them do all the ID tracking on my systems might give me a little more time things I should not be getting paid for. Ordered the servers. Nothing special. They said they wo
Re: (Score:2)
You can not expect everything to be secure. You have to pick and choose your battles.
Yet, if you do not pick and win all the battles, it's quite likely you'll lose your job when (not if) there is an intrusion.
I've yet to meet an employer who is forgiving about a person leaving the doors unlocked, resulting in a burglary. It doesn't matter if there are 2,000 doors which need to be checked/audited on a daily basis next to the First International Burglary Institute - your (and my) employers are otherwise ignorant to all of this. They live in tiny, simple worlds where "due diligence" means usin
Re: (Score:2)
The use of capitals is really nice. Not sure where I stated that I was allowing rlogin to anything on my network. But if you want to assume that I do ...
What part of my network would I be using them on? Rlogin over wifi to personal devices? Rlogin from a relatively untrusted segment of my local network to my credit card database? Rlogin over a naked connection from the internet directly to my servers? One I care not about, one is a very bad idea, and one would fit your capitals.
Am I doing any of them?
If I
Re: (Score:2)
It is not difficult to have a hard inner shell. Or at least pretty decent security inside. But I see a lot of people with your attitude (oh, it's hard, and it makes it difficult, and it's inside, so who cares anyway).
The rlogin was a _ne plus ultra_ if you couldn't tell from context.
Re:Come on - you are of course correct (Score:2)
You are of course correct; unfortunately 90% or so of offices in the U.S are 'doing it wrong'
Re:Finish that sentence! (Score:5, Funny)
...you might as well consider Ethernet cables to be inherently insecure...
Shh...don't let the people at monster cable know that. They might find a new source of revenue in "encrypted ethernet cables"
Security through obscurity? (Score:5, Insightful)
What the story doesn't mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.
http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/
Re:Security through obscurity? (Score:5, Interesting)
The source was stolen in 2006. This means that they corrected the problems in their other products which had stolen source, but not pcAnywhere. For 5-6 years, Symantec has been selling software which was potentially compromised.
The current reported theft happened recently, but that source code came from a theft (unreported by Symantec, but known) back in 2006. That means, since 2006, Symantec has known the pcAnywhere source was stolen, knew of vulnerabilities, and chose not to fix that product. It sounds like they patched the rest of their products, though.
Re: (Score:2)
This does not surprise me. Symantec is the shit-king of shit software.
And, like many others here, I certainly threw all my weight into helping get that crap outta MY house several years ago. In fact, I personally headed up and executed our Windows XP rollout several years back to get rid of Win2k, and a major selling point in my cost-benefit analysis was dumping PCAnywhere, and all of the headaches, security holes, and bul
Re: (Score:2)
>>>Symantec has known the pcAnywhere source was stolen,
How is this different from any open-source anti-virus software? The source is "out there" and compromised in both cases.
Ooops. I guess I should not have said that.
Re: (Score:3)
There is another possibility here: pcAnywhere, being closed-source commercial software made by a vendor who is keen to sell as many copies to as many countries as possible, might contain one or more backdoors to enable Those_Who_Make_The_Rules (or those who pay enough) to access any pcAnywhere installation out there. These backdoors might not have changed since 2006, especially if they are based on some 'secret' certificate or another 'secret' sauce. With the source leaked, these secrets might not be so sec
Symantec AV will kill your PC (Score:2)
Re:Symantec AV will kill your PC (Score:4, Insightful)
Because they don't know how the magic box works, that's why.
Yes, really.
Re: (Score:3)
This is the same reason Windows has a monopoly on the PC. (Along with the illegal use of monopoly power, natch.)
Re: (Score:2)
I think much like McAfee, they don't.
Dell or whoever they buy the computer from does it for them, and makes it insanely painful to remove.
Re: (Score:2)
For enterprises perhaps there is merit in some antivirus to be centrally controlle
Re: (Score:2)
Because they don't know that there's free antivirus software out there that does the job just as well, and even if they did they wouldn't trust it - and rightfully so given the amount of malware out there posing as 'anti-virus' and 'anti-spyware' software.
My parents went through this painful cycle. First they got duped by some flashing ad on the internet into downloading one of the malware 'anti-virus' programs, then they went to a local big-name store (Australia's infamous Harvey Norman) who were more than
Re: (Score:2)
Many vendors preinstall Symantec. Unless the customer actually knows how big a POS it is and stops them, they'll get it crammed on their box.
Symantec white paper (Score:2)
Extra information http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf
Presently if you use PCanywhere for WAN access disable now, if you use it in a closed network should be ok, unless someone is already on the network but if that is the case, you already have a problem better than this.
I think Symantec handled this ok, when Anon stated they had the source code last week Symantec issued a statement
Re: (Score:2)
I think Symantec handled this ok, when Anon stated they had the source code last week Symantec issued a statement about what they had, mainly 2006 code.
Personally, I would feel better if Symantec could come out and say, "You know, Anon does have the source code that was stolen from us in 2006, but we've patched those vulnerabilities over the last 5 years. All of our products, including pcAnywhere, are secure and reliable."
I know that Symantec says the rest of the products are safe- I just wonder why it couldn't be "all" products.
Who still uses PCAnywhere? (Score:5, Informative)
I remember the first time I used it. It was a Godsend. It was so nice to simply take control and do it rather than sit there on the phone saying, "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. Hit CTRL-ESC. Control Escape. It's on your keyboard. Press and hold control and then press and release escape. Keyboard. It's on your keyboard. Nevermind. Do you see Start on your screen?" Even though we were connecting via dialup, it was lightyears better than trying to imagine the screen the user was describing and then describing elements of it back to them.
But those days are long gone. Now we have RDP, VNC, WebEx, and a host of other remote desktop utilities and protocols. There is no longer a need for PCAW.
Re: (Score:3, Funny)
And that's where you went wrong. The correct procedure for any self respecting BOFH at this point would be:
Re: (Score:2)
RDP requires port forwarding, which requires access to the firewall, which is not always available; it also will not work if your ISP NATs you. Ditto with VNC, unless you use a repeater or know for sure what ip you will be connecting from (so you can do a reverse VNC). WebEx is not free.
There ARE good, free alternatives-- TeamViewer, ShowMyPC, hamachi+rdp, LogMeIn, CrossLoop, etc.
Re: (Score:2)
Unfortunately, Symantec just finished purchasing and absorbing the Altiris Client Management Suite.
Guess what one of the changes was in the latest major version (7.1)? You guessed it: a wholesale replacement of the existing remote control applet with PCAnywhere.
Once again, Symantec buys a functional company that makes a decent product, and then proceeds to ruin it until no one buys it anymore, then they go acquire what everyone moved to so they can ruin that too.
It's like financial speculators, only worse
Re:There was never a need anyway if you used unix (Score:5, Insightful)
It's not exactly relevant to the subject at hand, is it? His point is that it was really, really handy to be able to do that with Windows. Nobody even brought up Unix, or who did it first.
Re: (Score:2)
My point is that it pretty much by definition has to be a juvenile does-it-run-on-linux rant, if it's wedged in apropos of nothing to a conversation on a different topic.
Re: (Score:2)
The OP was saying that people no longer have to use PCAW these days because of VNC etc. My point is we never had to use PCAW anyway if we used unix or linux on a PC. If that explanation still isn't simple enough for you let me know and I'll mail you one drawn in crayon.
Re: (Score:2)
Well, that must've been very nice for you.
Re: (Score:3)
The OP was saying that people no longer have to use PCAW these days because of VNC etc. My point is we never had to use PCAW anyway if we used unix or linux on a PC. If that explanation still isn't simple enough for you let me know and I'll mail you one drawn in crayon.
The problem was that I was working for a digital imaging company that installed photo imaging kiosks in photo labs. Now, this was before digital cameras became popular so the majority of our business was from customers scanning images using flatbed scanner or negative scanner. Our software allowed for customers to manipulate their images in a number of ways and reprint them in minutes using the dye sublimation printer.
Now, I would have loved to use Linux or Unix but we had some issues. First, was findin
Re: (Score:2)
I don't know what you classify as a 'long' time, but I was using a remote solution for Windows as early as 3.1 (1991-92?); called PC Commute, which iirc was made by Winsim, who also had something to do with AccPac. Pretty sure vnc for windows freeware was around then, as well...perhaps a precursor to RealVNC. I think Close-up was bundled with a major software package by about '95.
Anyhow, I *do* subscribe to the *nix fanboy newsletter, (slackware ftw!)...just sayin'
cheers,
Re: (Score:2)
I'd say 7 years is a long time in the computer world! :o)
Anyway, all these old remote packages - and even some around today - simply streamed whatever the graphics card was displaying (instead of setting up an independent network desktop which X win did from the start) which is frankly just retarded and useless for any serious remote usage.
Re: (Score:2)
I'd say 7 years is a long time in the computer world! :o)
Not really. [slashdot.org]
Re: (Score:2)
LOL, yeah, if you say so. I guess I must have been dreaming when I used it to connect to company networks over ISDN in the early 90s.
Re: (Score:3)
This isn't another juvenile does-it-run-on-linux rant, but I think its reasonable to point out that remote full screen GUI access via X windows has been around since the mid 80s. A LONG time before any remote GUI windows app or even Windows itself existed.
Yeah, and unless you're connecting over a LAN connection, it's 100% terrible. That's why projects like FreeNX [berlios.de] and x2go [x2go.org] exist...to clean up the massive bloat and waste the X11 protocol introduces.
Re: (Score:3)
Scraping what someone actually sees on their X-Serv for support reasons is a bit different problem - one that most people solve with VNC oddly enough.
PC-Anywhere had support for modems too - I remember using it to support backwater glass shops on MS-Dos applications...
Good Job Symantec (Score:5, Interesting)
According to this article [cnet.com], the source code for PCANywhere was stolen from Symantec's network in 2006. That's right . . . . 2006. Good work Symantec. It only took you 6 years.
Re:Good Job Symantec (Score:5, Funny)
It only took you 6 years.
They would have gotten an email out sooner, but Norton was REALLY slowing their computers down.
Re: (Score:3)
The mail server only just started responding again.
Sniffers are so *EASY* to avoid (Score:2)
Re: (Score:2)
Just use a secret encrypted key exchange, like Diffie-Hellman, to set up a secure communication channel on the wire.
Or use SSL, which uses protocols like DH (depending on configured protocol suite) to set up a secure communication channel. And it's a heck of a lot simpler than writing all that stuff yourself; both the protocols used and the implementation even get independently audited from time to time.
No, you don't actually need to use a CA to use SSL. Or rather, you can easily run with an explicit list of trusted certificates or operate a private CA. Those are in fact a highly secure option (if harder work to scale up
Symantec is a little slow on the uptake here (Score:3)
Re: (Score:2)
I stopped using it in the late 90s when I discovered VNC was free _and_ worked about 10 times faster.
New name (Score:2)
(Your) pcEverywhere
If.... (Score:2)
The researchers continued, "If the Active Directory credentials were used as part of a DoD Exchange tie in, the attackers could get access to incriminating government official emails. If they got access to incriminating DoD emails, they could extort nuclear launch codes out of the officials. If they extorted launch codes out of the officials, they could start a nuclear holocaust."
The researchers concluded, "and that is why you never give a mouse a cookie."
M0R0N5! (Score:2)
So I understand that Symantec is either using very poor cryptography or even exchanging authentication credentials in plain text!
Have they had any chance to read a few basic documents about, say, ssh?
M0R0N5!
Re: (Score:2)
... and please, yes, troll me down!
Re: (Score:2)
Or, maybe a Diffie-Hellman Exchange? I mean, that's only been around since 1976...
http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
Hah. (Score:2)
if the attackers place a network sniffer on a customer's internal network
...that customer has much bigger problems to worry about than Symantec applications.
Meanwhile (Score:2)
"Symantec Tells Customers To Stop Using pcAnywhere" ...IT staff have been begging users to stop using pcAnywhere for years.
Didn't know people still used PCAnywhere (Score:2)
Re: (Score:3)
Not immune.
http://en.wikipedia.org/wiki/Linux_malware
Re: (Score:2)
Did you even read what you linked to? The link doesn't even come close to backing up your point. In fact, its lack of naming a single piece of malware in the wild actually moots your point (yes, I verbified a noun).
The worst it has to say is that the kernel didn't prevent buffer overflows until 2009. You only need AV on Windows. Yes, you can be socially engineered on any OS, trojans will run on any OS, and no AV will protect you from deliberately installing anything you want. And yes, given a dedicated enou
Re: (Score:2)
Did you even read what you linked to? The link doesn't even come close to backing up your point
I did, it does. First sentence even.
But as long as you're not a complete idiot,
My point was simply that it is not immune, nothing more.
Re: (Score:2)
When dealing with STDs, which are you more likely to catch one from, the cheap whore house with asian girls in slavery, or the Playboy mansion.
Herpes is pervasive in the adult entertainment industry so you are likely to get one from either choice, but yes you are more likely to get a deadly STD from the whore house than from the bunnies.
Re: (Score:2)
There is no reason for remote access to a desktop PC in a business environment.
I can understand remote access to data and remote application sessions (citrix/terminal services/remote desktop server/etc), but what is the business case justification for remotely logging in to the PC on your desktop at work?
Re: (Score:2)
That must have cost a pretty penny compared to UltraVNC that will do the same thing for free.