Here is an extract from the article on BUGTRAQ (I have left off the program
that does the exploit):
-----Original Message-----
From: Pascal Longpre [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 11:10 PM
To: [EMAIL PROTECTED]
Subject: PcAnywhere weak password encryption
PcAnywhere weak password encryption
---- Discussion ----
PcAnywhere 9.0.0 set to its default security value uses a
trivial encryption method so user names and passwords are
not sent directly in clear. Since most users have the
encryption methods set to either "none" or "PcAnyWhere",
their passwords are sent with weak encryption.

A major concern lies in the fact that PcAnywhere can
authenticate users based on their NT domain accounts and
passwords. When the user logs on, it is prompted for its NT
username and password. They are then "encrypted" through
the PcAnywhere method and decrypted by the host computer
for validation by the NT domain controller. Someone
snooping on the traffic between the two stations will
unlock both the PcAnywhere and NT account. All that without
even having to go through the L0phtCrack process.

Version 7.0 is not at risk since no encryption is used at
all. Username and password are sent in clear. I haven't
tested version 8 yet.

On Tuesday, May 23, 2000 3:47 PM, me user [SMTP:[EMAIL PROTECTED]] wrote:
> Hello there,
>
> This is in regards to your message saying that pcANYWHERE's password
> scheme has been cracked. I am the security administrator for our LAN and
> a user wants to use it on our network. Is there any documentation on this
> topic or a site that has made the claim of cracking it? I just don't want
> to trust a company that says their security is solid (there is a shocker)
> when it in fact isn't. Any information or URLs that can point me in the
> right direction?
>
> TIA
>
> Jim