Symantec Tells Customers To Stop Using pcAnywhere

Orome1 writes "In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued. If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network."

Come on

[jayhawk88]

If the attackers place a network sniffer on a customer's internal network...

You've got a hell of a lot bigger problems than pcAnywhere.

Re:Come on

[cduffy]

If the attackers place a network sniffer on a customer's internal network...

You've got a hell of a lot bigger problems than pcAnywhere.

Au contraire -- if your infrastructure isn't robust against this class of attack (all internal traffic authenticated and encrypted, particularly during password exchange), you're Doing It Wrong.

Moreover, the concept of "defense in depth" applies -- a hard outer shell with a soft inner core means that when the eventual successful attack does happen (and it will!), the damage is that much worse. You can't have decent security if you design all the internal components assuming that the outer layer will protect them.

Re:Come on

[SpanglerIsAGod]

I find it interesting how many enterprise software companies don't understand that. When we run scans against their software and tell them we need them to fix vulnerabilities it's amazing how often they come back with, "This product is designed to be used internally." Like that matters, if your company is bigger then 10 people you shouldn't be surprised to have internal users trying to hack your system.

Re:Come on

[Dishevel]

On the other hand your hard inner shell can cost the company massive amounts in lost productivity. The harder the core is the more people hate to go to work.
You really need specific defenses set up. We have a mostly open wifi network connected to the internet. (Personal Devices, Visitors and the like) We also have a highly filtered connection to the internet for company systems. Servers are set on the local network behind a firewall that drops anything not expected and also drops anything that is expected if it is not coming from the place that it is expected to come from. Really critically confidential stuff is (Credit card data, personnel crap and the like are set nested behind an even more secure firewall.
You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

Re:Come on

[jimicus]

You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

You're not talking about security, you're talking about policies that are thrown together piecemeal in the form of a constantly-updated list of "Things that have been described as insecure in the latest issue of "IT Security for - and written by - PHBs Magazine"". You know how it goes:

Month 1: "Are your users using passwords that are too short?"
EEKS! PANIC! From now all, all passwords must be at least 8 characters long!

Month 2: "Are your users using easily guessable passwords?"
PANIC! From now on, all passwords must be at least 8 characters long and consist of letters and numbers!

Month 3: "Are your users using passwords that are too long? Yes, it's possible. Read our article..."
SHIT! SHIT! SHIT! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers!

Month 4: "Do you change your passwords often enough?"
PANIC! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, and must change every 30 days!

Month 5: "Are your users abusing your policy by typing in the same password every time they're prompted to change it? Read our exclusive report...."
ACTION STATIONS! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 6: "Are you secure against dictionary attacks? Read our article about this SHOCKING new attack method!"
AAARGH! Right, from now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 7: "Did you know? 70% of people use a simple password like 'aaaaaaaaa' or '1234567890123' (not particularly surprising if you've been following everything we've said) Turn to page 12 for our exclusive report!"
DAMN! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 8: "New research suggests 30% of people use their own telephone number as a password!"
OH NO YOU DON'T! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

I think you've got the idea by now....

Security through obscurity?

[Sockatume]

What the story doesn't mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.

http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/

Re:There was never a need anyway if you used unix

[Sockatume]

It's not exactly relevant to the subject at hand, is it? His point is that it was really, really handy to be able to do that with Windows. Nobody even brought up Unix, or who did it first.

Re:Symantec AV will kill your PC

[couchslug]

Because they don't know how the magic box works, that's why.

Yes, really.