Good points, John.  It would be interesting to know (not that they'd tell
us) how much attention is given by BMC during a development cycle to address
anticipated security concerns to not only the product, but the connectors.
My own development experience, coupled with what little I know of BMC
development practices, would tell me that it's probably not much, unless
specific requirements were given prior to development, or an individual
developer happened to color outside the lines a bit.

I suppose an argument could be made that that level of effort is
justifiable, given the low risk already mentioned here, but one hopes that
the powers that be don't plan on that as a long-term strategy apart from
accompanying and constant vigilance.

Rick

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of John Baker
Sent: Saturday, January 20, 2007 4:12 AM
To: [email protected]
Subject: Re: Remedy Vulnerability

Dave, Rick, 

Interestingly, we briefly covered the way in which hackers operate, and
that's frequently through the remote execution of code through buffer
overflows. An assumption has been made that this is not so much of an issue
with Remedy as it exists inside the corporate network, and on the long list
of things that Mr. Bad Guy may wish to attack, Remedy is near the bottom. 

However, there is an increasing number of people who are running the Midtier
live on the Internet. Hence, I wonder if BMC has actually done some serious
security testing on both the Midtier and the AR System - in particular, for
buffer overflows in the login parameters? I define serious as, "We took a
bunch of well-respected C/Unix hackers and told them to start hacking".

The problem doesn't stop at the AR System. How old are the LDAP libraries
used by the AREA plugin? What other libraries are used by the AR System that
have been perhaps overlooked? A buffer overflow could easily exist in some
external library, but triggered through the use of the AR System (or any other
product installed that makes use of the library).

While this is entirely speculative, the security of systems should always be
taken seriously, and more often than not, it's not.

Although, if your aim is to simply extract data from Remedy (or any other
username/password application), it's often easier to just guess the
password.


John

Java System Solutions : http://www.javasystemsolutions.com

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the
Answers Are"
