Real-time AntiSpam protection, automated and self-managed content filtering

User Security Lapses Open pcAnywhere Hosts to Prying Eyes

pcAnywhere 10: Remote Access Not a Remote Risk (Update)

Symantec recently contacted ? regarding its April 11th, 2001 analysis of pcAnywhere security issues and pointed out several features we glossed over in our (albeit brief) discussion of pcAnywhere 10.0. To summarize Symantec's claims and our responses:

1. pcAnywhere 10.0 client-host traffic can be encrypted using internal pcAnywhere, symmetric, or public key encryption.

   The encryption Symantec refers to prevents network monitors or "sniffers" from capturing a remote pcAnywhere session. But unless you select public key encryption, and then do not publish the key, it will not provide any additional protection from other pcAnywhere users. A login attempt will report the level of security being used.

2. pcAnywhere 10.0 requires that users password-protect their pcAnywhere hosts. A "null" password is not accepted.

   pcAnywhere 10.0 requires that users password-protect new Callers, not new hosts. Password protection of the host is optional. And both levels of password protection can be defeated via the .CIF file "back door."

3. Authentication options offered with pcAnywhere 10.0 include Active Directory, NDS, Novell Bindery, LDAP, FTP, HTTP, and NT Domain.

4. Random searches for pcAnywhere hosts can be prevented by going to Tools > Options > Host Communications and clicking the "Do not display host in TCP/IP search results" box.

   This is an important feature for pcAnywhere users wishing to ensure their privacy over local area networks and the Internet.

5. pcAnywhere users can add a further level of security by limiting connections to within a specific subnet or even a specific TCP/IP address or host name.

   This is perhaps the easiest-to-implement safety feature for both home/small business and corporate users. Go to Tools > Options > Host Communications. In the TCP/IP options box you can enter a list of valid connections. Callers from addresses other than those listed will be rejected, regardless of permissions and passwords.

6. If you use the pcAnywhere 10.0 Packager to create custom pcAnywhere hosts, "Integrity Checking" will check the installation every time pcAnywhere is launched for changes in the registry, pcAnywhere objects, executables and DLLs. Integrity Checking prevents .CIF files from being copied into the pcAnywhere data directory and circumventing security settings.

   "Integrity Checking" applies only to Packager-created hosts. Packager installation requires Windows NT or Windows 2000. Otherwise, pcAnywhere 10.0 does not distinguish between a .CIF file generated by its own host and a .CIF file generated elsewhere. In fact, you can copy a foreign .CIF file to the \pcAnywhere directory while the host is running and the host will incorporate the new password and login "on the fly." Subsequently (until and unless either the new Caller or the .CIF file is deleted), all new hosts will incorporate that .CIF file's defined Caller. This porous "back door" necessitates careful attention to all the other security measures pcAnywhere offers and incorporates.
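One way to watch for the .CIF drop-in described in item 6 on hosts where Integrity Checking is not available, as an added example that is not part of the original article or of pcAnywhere: baseline the caller files in the data directory and report any that appear or change afterwards. The function names, the directory argument and the sample files are assumptions constructed for illustration.

```python
"""Added example: baseline and re-check caller (.CIF) files in a pcAnywhere data directory."""
import hashlib
import tempfile
from pathlib import Path


def snapshot_cif(data_dir):
    """Map each .CIF file name (lower-cased, extension matched case-insensitively) to its SHA-256."""
    snap = {}
    for path in Path(data_dir).iterdir():
        if path.is_file() and path.suffix.lower() == ".cif":
            snap[path.name.lower()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def compare_cif(baseline, current):
    """Return caller files that appeared, changed or vanished since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(n for n in shared if baseline[n] != current[n]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: caller files change after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp)  # stands in for the host's data directory (assumption)
        (data_dir / "ADMIN.CIF").write_bytes(b"constructed caller record A")
        (data_dir / "notes.txt").write_bytes(b"not a caller file")
        baseline = snapshot_cif(data_dir)
        # A caller file generated elsewhere shows up, and an existing one is altered.
        (data_dir / "Foreign.cif").write_bytes(b"constructed caller record B")
        (data_dir / "ADMIN.CIF").write_bytes(b"constructed caller record A, edited")
        return compare_cif(baseline, snapshot_cif(data_dir))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Store the baseline somewhere the pcAnywhere host account cannot write, and treat any "added" entry as a Caller that needs review before it is trusted.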

August 1st, 2009  
Tags: Active Directory, FTP, HTTP, LDAP, NDS, Novell Bindery, NT Domain, public key encryption, securities issue
