Re: Kaseya

["M.B.Jr." <marcio.barbado () gmail com>]

Dear Jerry,


On 5/25/08, Shenk, Jerry A <jshenk () decommunications com> wrote:
>  Obviously, there needs to be a fair amount of trust when dealing with an
>  MSP and quite honestly, it's no different than dealing with a vendor who
>  has VPN access to manage their device...in all reality, there are a lot
>  of issues like this that people either don't think through or they just
>  decide to accept the risk.


Indeed.
My suggestion:
read the book "DOES IT MATTER?" by Nicholas G. Carr

and understand how we got to this uncomfortable point.


Best regards,


>  -----Original Message-----
>  From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
>  On Behalf Of M.B.Jr.
>
> Sent: Saturday, May 24, 2008 3:01 PM
>  To: pen-test list
>  Subject: Kaseya
>
>
> Hello list,
>  there's this infrastructure tool set for automating managed services,
>  named Kaseya (proprietary technology).
>
>  Basically, the managed-services-provider controls one of his
>  customers' remote LANs with two intercommunicating "appliances":
>
>   * a Kaseya dedicated server located at the MSP data center; and
>
>   * a "probe" equipment at the remote LAN.
>
>  The audit team to which I belong is about to examine the probe-featured
>  LAN.
>  Right now, we're researching whether this "solution" can cause the LAN
>  some weaknesses;
>  the resulting research's report is going to shape the logical tests.
>
>  So, the question is (I guess):
>  does anyone know of any Kaseya-enhanced LAN security
>  implication/vulnerability?
>
>  Thank you,
>  yours sincerely,
>
>
>  --
>  Marcio Barbado, Jr.
>
>
> ------------------------------------------------------------------------
>  This list is sponsored by: Cenzic
>
>  Top 5 Common Mistakes
>  in Securing Web Applications
>  Find out now! Get Webinar Recording and PPT Slides
>
>  www.cenzic.com/landing/securityfocus/hackinar
>  ------------------------------------------------------------------------
>
>
>
> **DISCLAIMER
>  This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
> they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
> intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
> message. If you have received this communication in error, please notify the sender and delete this e-mail message. 
> The contents do not represent the opinion of D&E except to the extent that it relates to their official business.


-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------