Penetration Testing mailing list archives

Re: [PEN-TEST] WebEx security?


From: Steve <steve () SECURESOLUTIONS ORG>
Date: Tue, 31 Oct 2000 14:45:30 -0700

> Portscanning has nothing to do with it. The last thing I'm going to do
> is announce which vulnerabilities are present within the Webex system to
> this list, that is not my intention.

But that is exactly what you have done by making such a broad statement with
no facts to back it up.  Oh, and by the way, portscanning has a lot to do
with it.  I am pretty sure that your comment caused a few of the list
subscribers to fire up a portscanner and start looking at the WebEx network.


> I do not condone anyone mapping out
> their network topology, or attempting to exploit known holes within
> their network. A simple "would I want my corporation's non-public data
> residing on this system?" would suffice.

But it is clear that you must have done this yourself in order to make such
a comment.  I agree with Alfred's earlier statement.  Just because a company
creates a security product, it doesn't mean that their IT staff will be 100%
when it comes to security issues.  It would be nice and obviously it makes
sense for the company to have their IT Staff work with the security people
to protect their own assets.  But in a real world, this is harder said than
done.

A good example of this would be another large corporation, IBM, they market
their security services as world class, yet I know that if any of you were
to look at their internal IT Security recommendations you would vomit and
shake your head.  But does this mean that we should stay away from all IBM
hardware and software?  No, other issues may cause this to be the case but
the security of their own network has nothing to do with it.

Now if you have information on the product itself that would make it a bad
choice, let's hear it.

