Who’s Watching Your WebEx?

[InfoSec News <alerts () infosecnews org>]

http://krebsonsecurity.com/2014/10/whos-watching-your-webex/

By Brian Krebs
Krebs on Security
Oct 13, 2014

KrebsOnSecurity spent a good part of the past week working with Cisco to 
alert more than four dozen companies — many of them household names — 
about regular corporate WebEx conference meetings that lack passwords and 
are thus open to anyone who wants to listen in.

At issue are recurring video- and audio conference-based meetings that 
companies make available to their employees via WebEx, a set of online 
conferencing tools run by Cisco. These services allow customers to 
password-protect meetings, but it was trivial to find dozens of major 
companies that do not follow this basic best practice and allow virtually 
anyone to join daily meetings about apparently internal discussions and 
planning sessions.

Many of the meetings that can be found by a cursory search within an 
organization’s “Events Center” listing on Webex.com seem to be intended 
for public viewing, such as product demonstrations and presentations for 
prospective customers and clients. However, from there it is often easy to 
discover a host of other, more proprietary WebEx meetings simply by 
clicking through the daily and weekly meetings listed in each 
organization’s “Meeting Center” section on the Webex.com site.

Some of the more interesting, non-password-protected recurring meetings I 
found include those from Charles Schwab, CSC, CBS, CVS, The U.S. 
Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services, and 
Union Pacific. Some entities even also allowed access to archived event 
recordings.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/