Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Dead Thread
From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Tue, 31 Oct 2000 15:53:41 -0800

Jim Howard wrote:

Al, I agree it has not, however, can we re-direct it instead of
killing it? Products such as webex are just starting to come into
their own, in the public light, and they pose some interesting
questions for security people.  They employ a tunnel through your
firewall via http, and allow such things as remote desktop control.
 While "handy", the penetration possibilities are huge.

May I please concur? I am finding a discussion of the first product that
uses tunneling to be quite interesting. I have collections of various
tunnels (including http), and expect that products like this will be a
significant problem to manage.

I feel that they are indeed something that we should be examining,
albeit the security or lack of it on their site seems less important
than whether or not the product it self can be compromised.

Wonder if people could stick to the Penetration side of this product
and what it means to have tunneling products be in the limelite (was
only a matter of time)

The implications of this are trememdous. An internal compromise may
depend on tunneling to take software out unobtrusively. How can one tell
the difference between an application like this that is meant to tunnel,
and the disgruntled employee that is not?

Thanks for your consideration,



Life at university, with its intellectual and inconclusive discussions
at a postgraduate level is on the whole a bad training for the real
world. Only men of very strong character surmount this handicap.
                        (Paul Chambers)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]