Out of the box, the e/pop application has no security settings enabled. Any
peer can take control of your desktop without warning.
The initial configuration not withstanding, I sent an email to
[EMAIL PROTECTED] about a vulnerability in the way the software exchanges
security codes over the network:
Software Affected
-----------------
WiredRed e/pop 2.0.3.125
Description
-----------
Security Codes configured in the e/pop Control Panel are sent in the
clear. Several security codes can be configured from the e/pop control
panel:
Global: must be installed on each e/pop peer in order to
communicate and is also used to restrict access to the
control panel.
Features: Send and Receive codes can be configured for each of the
following features: Message, Chat, Admin, Remote, and
AppShare.
Impact
------
Security codes can be easily snooped and used to communicate with and/or
take control of e/pop peers that have security codes configured.
Suggestion
----------
Send a message digest (e.g. MD5) of the security code instead of sending it
in the clear.
The following was the response I received:
>
>Thank you for your suggestion, but physical security is not the
>responsibility of e/pop, but the responsibility of your company. If
>someone
>has the ability to snoop your network with a packet sniffer, then they have
>the ability to install password grabbing trojans on your PCs and various
>other things.
>
>That is why security classifications such as C2 does not extend to physical
>premises security and control for software, and companies like Novell and
>Microsoft who meet these requirements are still vunerable in physical
>security attacks, such as console access.
>
>We appreciate your suggestions though and will take them into consideration
>as MD5 and RC6 security is used internally within e/pop to encode codes.
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
