Penetration Testing mailing list archives

Re: [PEN-TEST] Dead Thread


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Tue, 31 Oct 2000 15:53:41 -0800

Jim Howard wrote:

Al, I agree it has not, however, can we re-direct it instead of
killing it? Products such as webex are just starting to come into
their own, in the public light, and they pose some interesting
questions for security people.  They employ a tunnel through your
firewall via http, and allow such things as remote desktop control.
While "handy", the penetration possibilities are huge.

May I please concur? I am finding a discussion of the first product that
uses tunneling to be quite interesting. I have collections of various
tunnels (including http), and expect that products like this will be a
significant problem to manage.

I feel that they are indeed something that we should be examining,
albeit the security or lack of it on their site seems less important
than whether or not the product itself can be compromised.

Wonder if people could stick to the Penetration side of this product
and what it means to have tunneling products be in the limelight (was
only a matter of time)

The implications of this are tremendous. An internal compromise may
depend on tunneling to take software out unobtrusively. How can one tell
the difference between an application like this that is meant to tunnel,
and the disgruntled employee that is not?

Thanks for your consideration,

Ditto.

.shrdlu

--
Life at university, with its intellectual and inconclusive discussions
at a postgraduate level is on the whole a bad training for the real
world. Only men of very strong character surmount this handicap.
                        (Paul Chambers)

