13 Oct 14

Who’s Watching Your WebEx?

KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.

Department of Energy’s WebEx meetings.

At issue are recurring video and audio conference meetings that companies make available to their employees via WebEx, a set of online conferencing tools run by Cisco. These services allow customers to password-protect meetings, but it was trivial to find dozens of major companies that do not follow this basic best practice and allow virtually anyone to join daily meetings about apparently internal discussions and planning sessions.

Many of the meetings that can be found by a cursory search within an organization’s “Events Center” listing on Webex.com seem to be intended for public viewing, such as product demonstrations and presentations for prospective customers and clients. However, from there it is often easy to discover a host of other, more proprietary WebEx meetings simply by clicking through the daily and weekly meetings listed in each organization’s “Meeting Center” section on the Webex.com site.

Some of the more interesting, non-password-protected recurring meetings I found include those from Charles Schwab, CSC, CBS, CVS, The U.S. Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services, and Union Pacific. Some entities also allowed access to archived event recordings.

Cisco began reaching out to each of these companies about a week ago, and today released an all-customer alert (PDF) pointing customers to a consolidated best-practices document written for Cisco WebEx site administrators and users.

“In the first week of October, we were contacted by a leading security researcher,” Cisco wrote. “He showed us that some WebEx customer sites were publicly displaying meeting information online, including meeting Time, Topic, Host, and Duration. Some sites also included a ‘join meeting’ link.”

Omar Santos, senior incident manager of Cisco’s product security incident response team, acknowledged that the company’s customer documentation for securing WebEx meetings had previously been somewhat scattered across several different Cisco online properties. But Santos said the default setting for its WebEx meetings has always been for a password to be included on a meeting when created.

“If there is a meeting you can find online without a password, it means the site administrator or the meeting creator has elected not to include a password,” Santos said. “Only if the site administrator has elected to allow no passwords can the meeting organizer choose the ability to have no passwords on that meeting.”
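The exposures described above (a site setting that lets hosts omit passwords, recurring meetings with no password or a guessable one, public Meeting Center listings that carry a join link, and archived recordings) can be turned into a routine check an administrator runs against their own site. The script below is an added example written for this page; it is not Cisco's code and not something from the original article. It assumes a CSV export with the columns shown, which an administrator would assemble from their own site's listings and reports; the column names, the sample rows and the weak-password list are constructed for illustration.

```python
"""Audit a WebEx-style meeting export for the exposures discussed above.

Added example, not Cisco code. The CSV columns, the sample rows and the
weak-password list are assumptions constructed for illustration; a site
administrator would assemble the real export from their own site's
Meeting Center listing and reports.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample export (not real data). Columns:
#   topic, host, recurring (y/n), listed_publicly (y/n),
#   password ("" = none), recording_password ("" = none, "n/a" = no recording)
SAMPLE_EXPORT = """\
topic,host,recurring,listed_publicly,password,recording_password
Weekly planning sync,alice@example.com,y,y,,n/a
Product demo for prospects,bob@example.com,n,y,demo2014,
Q4 budget review,carol@example.com,y,y,1234,abcd
Incident bridge,dave@example.com,y,n,,n/a
Partner onboarding,erin@example.com,y,y,Tr0ub4dor&3,Tr0ub4dor&3
"""

# Assumed list of passwords an eavesdropper would try first.
WEAK_PASSWORDS = {"1234", "12345", "123456", "password", "webex", "meeting"}

LISTED_RECURRING = ("recurring meeting listed on the public Meeting Center "
                    "page; confirm it is meant for outside viewers")
OPEN_JOIN_LINK = "public join link works without a password"
SITE_ALLOWS_NO_PASSWORD = ("site lets hosts create meetings without "
                           "passwords; restore the password-required default")


@dataclass
class Finding:
    topic: str
    host: str
    issues: List[str] = field(default_factory=list)


def password_issue(pw: str, what: str) -> Optional[str]:
    """Classify a meeting or recording password as missing, weak or acceptable."""
    if not pw:
        return f"no {what} password"
    if pw.lower() in WEAK_PASSWORDS or len(pw) < 8 or pw.isdigit():
        return f"weak {what} password"
    return None


def audit(export_csv: str, site_allows_no_password: bool) -> List[Finding]:
    """Return one Finding per exposed meeting, preceded by a site-level
    Finding when the administrator has disabled the password requirement.

    Per Cisco, a host can only omit a meeting password if the site
    administrator allowed it, so any passwordless meeting is also
    evidence that the site setting needs attention.
    """
    findings: List[Finding] = []
    if site_allows_no_password:
        findings.append(Finding("<site setting>", "site administrator",
                                [SITE_ALLOWS_NO_PASSWORD]))
    for row in csv.DictReader(io.StringIO(export_csv)):
        issues: List[str] = []
        pw = password_issue(row["password"], "meeting")
        if pw:
            issues.append(pw)
        listed = row["listed_publicly"] == "y"
        if listed and row["recurring"] == "y":
            issues.append(LISTED_RECURRING)
        if listed and not row["password"]:
            issues.append(OPEN_JOIN_LINK)
        if row["recording_password"] != "n/a":
            rec = password_issue(row["recording_password"], "recording")
            if rec:
                issues.append(rec)
        if issues:
            findings.append(Finding(row["topic"], row["host"], issues))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings grouped by host, the person who has to fix them."""
    lines = []
    for f in findings:
        lines.append(f"{f.host}: {f.topic}")
        lines.extend(f"    - {issue}" for issue in f.issues)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_EXPORT, site_allows_no_password=True)))
```

The report is keyed by host because, as Santos notes, the host is the one who chose to omit the password; the site-level finding is listed first because re-enabling the password-required default removes that choice for everyone at once.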

Update, 11:24 a.m. ET: Cisco has published a blog post about this as well, available here.


48 comments

  1. TheOreganoRouter.onion.it

    A better solution is to use secure tokens like a YubiKey device along with a password to log into the WebEx website.

  2. “KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.”

    You mean you, Brian. So, that’s what journalists do these days is it? Must have been a slow week. What do you have planned now? Going door to door in your neighbourhood and jiggling door handles? haha

    • Of course I mean me. It *is* Cybersecurity Awareness Month, no? I didn’t publish any of the sensitive info that was available via these sites, but instead reached out to Cisco to help them help their customers.

      But I guess we should just ignore these things when we see them, eh? Better to just pretend it’s not a big deal and carry on, right? Under every bridge…

      • Hey Brian,

        Maybe some people would like it better if you ignored leads, didn’t follow rabbits down holes, and had an editor who buried stories so as not to offend advertisers.

        Some people here don’t grasp just how much you’ve done, do, and will do for the infosec community.

        Great job on this one. I had to go look at our webex portal and the portal of all our vendors.

      • The Human Defense

        Brian,
        Yes, this is your job, just like it’s an ethical hacker’s job to corner attackers and find their vulns and exploit them for the good of others. In fact, you don’t even go that far. I send your information to all sorts of people who now follow your blog because of the useful information you provide.

        I do still need an answer to my question:

        The article suggests that a company’s event center is open to the web for anyone to view. Is that the case?

        If not then how is it that some of these companies sites were available to the web at large?

    • He didn’t jiggle the door knobs. He walked down the street and noticed how many doors didn’t have any locks at all.

    • This is precisely what good journalists do. It’s called original research. On the other hand, he could just regurgitate what NYT or AP or WSJ have to say, which is what the vast majority of “journalism” is today. But that wouldn’t make for good security reporting would it?

    • Sigh is an idiot

      “Sigh”, you are an idiot.

    • Don’t feed the trolls…

    • “Sigh D’Troll” is just envious. LOL!

      It’s better for you “Sigh D’Troll” to create your own security website and it should be, SighD’TrolOnSecurity.

    • It makes sense for Cisco to ask Mr. Krebs for a hand in reaching out to companies. He’s got a lot of credibility, so when he calls, people listen. Also, he’s the guy with a big Rolodex of top contacts.

  3. Kudos Brian.

  4. Thanks for the notice, Brian.

    Indeed a lot of companies are not password protecting their WebEx meetings or are protecting them with weak passwords. But it should be mentioned that the meeting organizer (and other participants) can see who connected and might notice there is an extra participant who does not belong.
    In case of really wide attendance an extra participant might slip through, but those are not normally discussing really sensitive topics. Sure, as a matter of policy, password-protecting every meeting should not be neglected, but I think it is a less serious oversight than it might seem, or is it something I’m missing?

    • @george

      I think there is something you’re missing. Allowing people to “slip in” or requiring employees to “notice” is not good.

      It’s like when a company tells its employees that they’re “the control” when someone without a badge walks through the front door. That’s not a very robust control. I.E. it doesn’t work.

      Is it convenient to keep your car doors locked? No. Is it more accessible to just hang all your money around your neck on a shoe string? Yes. Do we generally do these things with our own personal possessions? No. So why is ok to do this with private conversations that may or may not have valuable information that could be stolen or used to steal more in the future?

      Common sense 4 teh win1.

    • @george WebEx does not validate the names or e-mails of people joining. What if I joined a meeting as “webex auto attendant” or “webex voice assist” with the email noreply@webex.com. Most people would probably shrug that one off don’t you think? You also have the option to just join the audio portion of the call…how many meetings have you been in where there has been an extra beep that nobody claimed?

    • I wrote a long essay and didn’t send it ; then when I submitted it, it was eaten by a grue.

      1. Many use WebEx as a telephone bridge — no computers. Sure they can listen for beeps, but someone can join in the crowd before everyone else / the organizer.

      2. Some use mobile clients which generally hide the user list.

      3. The Desktop client tends to hide the user list when you full-screen a presentation or similar.

      4. Many don’t configure proper names for their connections and some will connect from multiple devices.

      5. The name field is generally not authenticated.

      6. Some social engineering research can lead to good choices for user names.

      • Another issue would be, even if the contents of the meeting weren’t big secrets, it’s info that can be used for a phishing attack.
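The replies above make a detection point that is easy to put in code: the display name and e-mail an attendee types are not validated, an impostor can pick a system-sounding name or a legitimate invitee's name, and an audio-only caller shows up only as an unclaimed beep. The roster review below is an added example written for this page, not Cisco's code and not from any commenter; the roster format, the invite list, the organisation's domain and the sample connections are constructed for illustration, and a real review would read the participant list exported from the meeting.

```python
"""Review a meeting roster for connections that deserve a question.

Added example, not Cisco code. The roster format, the invite list, the
organisation's domains and the sample connections are constructed for
illustration. The checks follow the commenters' observations: names and
addresses are not validated, an impostor may choose a system-sounding
name, an audio-only caller is just a beep, and an invitee's address may
appear twice when someone else joins under it.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

ORG_DOMAINS: Set[str] = {"example.com"}                      # assumed owner domains
INVITED: Set[str] = {"alice@example.com", "bob@example.com",
                     "carol@example.com"}                    # constructed invite list

# Display names an impostor might choose because attendees tune them out.
SYSTEM_LIKE = re.compile(r"\b(auto.?attendant|voice.?assist|webex|recorder)\b",
                         re.IGNORECASE)

# Constructed roster (not real data): one dict per connection to the meeting.
SAMPLE_ROSTER = [
    {"name": "Alice", "email": "alice@example.com", "join": "web"},
    {"name": "Alice", "email": "alice@example.com", "join": "mobile"},
    {"name": "Bob", "email": "bob@example.com", "join": "web"},
    {"name": "WebEx Auto Attendant", "email": "noreply@webex.com", "join": "web"},
    {"name": "Call-in User 2", "email": "", "join": "audio-only"},
    {"name": "Carol", "email": "carol@example.com", "join": "audio-only"},
]

AUDIO_UNMATCHED = "audio-only caller not matched to an invitee; ask who it is"


def review_roster(roster: Iterable[dict], invited: Set[str] = INVITED,
                  org_domains: Set[str] = ORG_DOMAINS) -> Dict[str, List[str]]:
    """Map each suspicious connection ("name via join-type") to its reasons."""
    roster = list(roster)
    # Count connections per address so a second "Alice" stands out.
    connections = Counter(e["email"].lower() for e in roster if e["email"])
    flagged: Dict[str, List[str]] = {}
    for entry in roster:
        reasons: List[str] = []
        email = entry["email"].lower()
        domain = email.rsplit("@", 1)[1] if "@" in email else ""
        if SYSTEM_LIKE.search(entry["name"]) or domain.endswith("webex.com"):
            reasons.append("system-sounding name or vendor address; verify "
                           "before ignoring it")
        if email and email not in invited:
            reasons.append("address not on the invite list")
        if domain and domain not in org_domains:
            reasons.append(f"outside domain {domain}")
        if email and connections[email] > 1:
            reasons.append(f"{email} has {connections[email]} connections; "
                           "confirm each device is really theirs")
        if entry["join"] == "audio-only" and email not in invited:
            reasons.append(AUDIO_UNMATCHED)
        if reasons:
            flagged[f"{entry['name']} via {entry['join']}"] = reasons
    return flagged


if __name__ == "__main__":
    for who, reasons in review_roster(SAMPLE_ROSTER).items():
        print(who)
        for r in reasons:
            print("    -", r)
```

None of these checks replaces a meeting password; they are what a host can do after the fact with the participant list, and each hit is a prompt to ask "who is this?" rather than proof of an intruder.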

  5. I think you might want to cross the Rubicon and get into investigative reporting on this developing E bo la mess.

    It is analogous to the computer security world in many ways:

    Our borders and ingress points are being kept open by foolish Admin

    Our Admin’s admins are saying there is no risk . But yet every day we learn anew that there was risk

    It is like a hack that costs a bunch to detect, and the results of which aren’t visible for 21 days or more . Just like IT risks.

    In a nutshell, people are barely able to protect their computer assets, and this is why you try to help them. Likewise, our hospitals are going to be barely able to protect themselves and us from E. And there are reasons , I am sure, that we are inviting the bug into our country. Just like there are reasons that not all malware is detected by tools. (money, and those in the “system” who need , and maybe further, love it)

    It’s all right up your alley. Seriously. And you have a trusted voice. PM me if you want to chat further on my thoughts.

    • Uggh.

      [Brian sorry to reply to a way off topic comment. Feel free to delete.]

      What a bad idea. Why do people go off into these Security Theater fantasies? (Also, Bruce Schneier already has lots of posts on Security Theater https://www.schneier.com/).

      We could build a wall around Chicago, then make everyone coming to work wait in a four hour security line every day. It would be good for the economy and make the city safe. What a good idea !!! – Not.

      Thanks. best regards, chris

    • don’t listen to DB82. he probably really wants Brian to get infected with ebola and no longer be able to report on anything.

  6. Brian, I have downloaded and just started using the latest Firefox 33.0 (release is tomorrow), which has a new default plugin “OpenH264 video codec provided by Cisco Systems Inc” (play back web video and use video chats). Any kind of a link to the above situation?

    • Mozilla CTO Brendan Eich previously said that Mozilla intended to add H.264 to Firefox in the first half of 2014. For Mozilla, this concludes a gradual acceptance of H.264 over open video formats. But Cisco’s initiative, and its cooperation with Mozilla, has implications far beyond Firefox, as it could shape the future of voice and video chat across devices and platforms, especially since H.264 is already supported by or downloadable by most other browsers.

    • In short, no.

      Cisco is a company that makes networking solutions. WebEx is a video conferencing solution.

      The Web (and Web browsers especially) is moving away from proprietary browser plug-ins, such as RealPlayer, WebEx, QuickTime, and Flash Player.

      Most of the popular browser plug-ins are used for two things: networking and audio / video.

      WebEx for instance involves both (capturing / displaying video and transmitting / receiving the same). Modern web browsers have built-in ways for content to send / receive data (XMLHttpRequest and WebSockets). Unfortunately, they don’t have a standard Royalty Free protocol for audio / video. For Audio / Video, a standard exists called H.264, but it requires someone to pay the MPEG group (and others) licensing fees.

      Mozilla can’t pay for such a license (to H.264) because its products are open source and designed such that anyone can produce a derivative.

      Cisco has agreed to use its license to H.264 and create a plug-in for Mozilla Firefox.

      With the plug-in, a future hypothetical WebEx product could be built using Web technologies instead of requiring you to download and install WebEx Software for your computer.

      But, the bug Brian described is essentially a server misconfiguration. It doesn’t matter what WebEx client you use.

      So, no, the video plug-in isn’t related to the discussion at hand.

  7. Brian, don’t let the nay-sayers get you down. The vast majority of us (even those who don’t know) are glad you have our backs! My Federal gov’t organization uses iLinc rather than WebEx. A password is required to set up a session, but once an invitation is sent via iLinc email to a .gov address with a join link, no password is required to join. I wonder if that is suspect. I suppose so. We do use secure tokens for access to our VPN remote desktop.

    • In general, those links are probably shareable. If someone has mail forwarding, or manually forwards it outside the secure network, then there’s certainly a potential for compromise.

      The other risk is that I’m not sure what the lockout policy is — this is where iCloud failed.
      — this would be addressed by:
      1. Require attendees to have an account on your site
      2. Host Account Management
      3. Account creation
      4. Account passwords

      But, in my experience, 1 is rarely enforced. I am not an administrator, so I can’t speak to the others.

      There are various don’t forward / don’t include password rules, but they are really bad news in conjunction with complex passwords.

  8. Could the same be done with something like gotomeeting?

    • Not setting a password on GoToMeeting is also risky, but I don’t think it has a centralized “Meeting Center” type public listing feature.

  9. Brian,

    I would like to thank you again for bringing this to Cisco, and allowing us the time to contact our customers. We’ve posted a blog in reply at: http://blog.webex.com/2014/10/protecting-webex-meeting-information

    Omar Santos
    Cisco PSIRT

  10. Thank you for your comments. They are always insightful and helpful.

    Allen

  11. I agree with those who commend Brian for jiggling our unlocked doors. It seems like entities are passing the buck back and forth … you should have implemented a password, you should have disabled this and that function, you should watch who enters … everyone needs more privacy training, but the product itself should be designed to promote the implementation of best practices.

  12. Hampton DeJarnette

    Thank you, Brian.
    I work with some of those companies and do not want to read of their having been breached. I’ll suggest that they donate to your column – say an amount equal to 0.1% of the salaries of the offending meeting’s chairmen.

  13. It seems to me though that WebEx itself is a serious security problem for any organization. The recent update for Chrome on my Mac requires the “It can read and change all your data on the websites you visit” permission. What possible reason could WebEx need this for? The help for Chrome on that permission states: “This item can read every web page that you visit — your bank, your web email, your Facebook page, and so on”.

    What is my business exposing to webex that doesn’t pertain to hosting meetings? All my SalesForce data?

    • I noticed this exact problem a year ago when my company created a meeting without a password. After it was pointed out, we have not done it since then. I put it down to a lack of common sense, not any failing on the part of Webex.

    • anonymous this time

      I don’t know how it does what it does, but any passwords I’m going to use, for a support call get copied out of my password manager and kept in an unsaved text document. This means I don’t have to have the GUI to my password manager open in a different tab and/or browser. I also keep that text file open on a different display, but I guess I need to start changing the relevant passwords after remote support sessions, even if they were never displayed…..My password manager can do this automatically, but I have to set it up first.

  14. This has been going on for years at Webex. Here at Zoom all your meetings are protected, and secure. Check out Zoom.us

  15. Cisco says that the WebEx corporate administrators must have turned off the require password option, which is a global option.

    It would make sense to allow more granularity – i.e. to have two separate domains within a company, one for publicly available information and another for private company meetings. This could be done in two ways 1) Cisco provides that functionality within the account – by providing some sort of domain segregation or 2) If Cisco can’t or won’t, then open a second account for publicly available information (I’m sure if you talked to your account rep, they would offer some sort of discount for the second account).

    Security 101 – secure it so it’s harder for your users to make a mistake.

  16. An article about WebEx conference calls potentially being open to eavesdroppers and historical call information being available via the WebEx site may not seem very important to anyone who doesn’t use WebEx – hence one rather dismissive post earlier.

    But I use WebEx for conference calls and this article was extremely relevant to me, and to all the others with whom I share the calls. I checked the relevant company section on WebEx and, thanks to this alert, found two potential security risks in the way the calls are set up. Thank you, Brian, for the heads-up.

    • The Human Defense

      Hayton,
      I agree that this is very important. I do not use it myself but my clients tend to and they found the info very useful.
      To your comment about folks who do not use WebEx….I would say that many of the conference calling platforms may have this same type of function that users may not be utilizing correctly. So either way, this is very educational, as it forces us to all ask the question “So, am I using the right process here?”

  17. This sounds like a trial lawyer’s dream, with corporate law requirements and government administrative rules being violated all over the map!

  18. I’m with the crowd that thinks awareness is always good. If it offends a few to see the truth so what?

    You can’t fix something if you don’t identify what is actually broken.

    Krebs does good work.

  19. IIRC WebEx also requires a Java plugin in the browser. Java plugins are a high security risk.