COMMAND

    Timbuktu

SYSTEMS AFFECTED

    Timbuktu v3.0 and Public LDAP Server

PROBLEM

    Al Lilianstrom found the following. Timbuktu v3.0 by Netopia, for
    those who don't know, is a remote control software package for
    Windows 9x, NT, and the Macintosh that gives you GUI console
    access. LDAP support was recently introduced to make it easier
    to find machines that have Timbuktu on them in your enterprise.
    This is good and has the potential to be very useful.

    However, when you install the application your machine is
    registered on a public LDAP server at the vendor's site. This
    information is updated whenever you restart your machine, and
    your Timbuktu client is configured to use that server. If the
    server weren't configured to return a maximum of 500 entries
    at a time it would be interesting to see exactly how many were in
    there. Lilianstrom used ldapsearch to check for entries in the
    server from his own network and there were 131 of them there.

    Anyway, there doesn't appear to be any critical information in
    there except your IP address, computer name, and sometimes your
    Windows user name.

    Potential security risk? Since you can search for machine names
    or IP addresses with wildcards there is a possibility of an
    unsecured machine being compromised over the network/Internet.
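
    The check Lilianstrom describes, as an added example that is not
    part of the original advisory or of Netopia's software: a Python
    script that reads the LDIF that ldapsearch prints, keeps only the
    entries whose address falls inside your own address space, and
    flags whether the server cut the answer off at its size limit, so
    the count you get is recognised as a lower bound. The attribute
    names (cn, ipHostNumber, uid), the entries and the trailing result
    block are constructed sample data; Timbuktu's real directory schema
    is not described in the advisory.

```python
"""Audit ldapsearch output for hosts registered from your own network.

Added example for this advisory, not the advisory's or Netopia's code.
Attribute names, DNs and addresses below are constructed sample data;
Timbuktu's real directory schema is not known from the advisory.
"""
import base64
import ipaddress
import sys
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample of what OpenLDAP's ldapsearch prints: LDIF entries
# followed by a "search result" block. The "result: 4 Size limit exceeded"
# line is what a server-side cap (such as the 500-entry limit described
# in the advisory) looks like; any count you derive is then a lower bound.
SAMPLE_LDIF = """\
dn: cn=fileserver,ou=hosts,o=example
cn: fileserver
ipHostNumber: 192.0.2.10
uid: alice

dn: cn=labpc,ou=hosts,o=example
cn: labpc
ipHostNumber: 192.0.2.45

dn: cn=elsewhere,ou=hosts,o=example
cn: elsewhere
ipHostNumber: 198.51.100.7
uid: bob

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text: str) -> Tuple[List[Entry], bool]:
    """Parse LDIF into (entries, truncated).

    Continuation lines (leading space) are unfolded, '#' comments are
    skipped, '::' values are base64-decoded, and the trailing 'result:'
    line is inspected for LDAP result code 4 (sizeLimitExceeded).
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: List[Entry] = []
    current: Entry = {}
    truncated = False
    for line in unfolded:
        if not line.strip():
            if current:          # blank line ends the current entry
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if key == "dn":
            if current:
                entries.append(current)
            current = {"dn": [value]}
        elif key == "result":
            truncated = truncated or value.startswith("4 ")
        elif current:
            current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries, truncated


def exposed_hosts(ldif: str, own_networks: List[str]) -> Tuple[List[Tuple[str, str, str]], bool]:
    """Return ([(host, ip, user), ...], truncated) for entries whose
    ipHostNumber lies inside one of own_networks (CIDR strings)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in own_networks]
    entries, truncated = parse_ldif(ldif)
    hits: List[Tuple[str, str, str]] = []
    for entry in entries:
        for ip_text in entry.get("ipHostNumber", []):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # malformed address value; ignore it
            if any(ip in net for net in nets):
                hits.append((entry.get("cn", ["?"])[0], ip_text, entry.get("uid", [""])[0]))
    return hits, truncated


def report(ldif: str, own_networks: List[str]) -> str:
    """Human-readable summary, with a warning when the listing is incomplete."""
    hits, truncated = exposed_hosts(ldif, own_networks)
    lines = [f"{len(hits)} registered host(s) found in {', '.join(own_networks)}:"]
    for host, ip, user in hits:
        lines.append(f"  {host:<16} {ip:<16} {user or '-'}")
    if truncated:
        lines.append("NOTE: server hit its size limit; the listing is incomplete.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit.py saved_ldapsearch_output.ldif CIDR [CIDR ...]
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(fh.read(), sys.argv[2:]))
    else:
        print(report(SAMPLE_LDIF, ["192.0.2.0/24"]))
```

    Run it without arguments to see the report for the built-in sample,
    or pass the saved output of your own ldapsearch run plus your
    organisation's CIDR blocks. The truncation check assumes OpenLDAP's
    ldapsearch output, where the trailing "result:" line carries the
    LDAP result code and code 4 is sizeLimitExceeded; other clients may
    print the status differently.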

SOLUTION

    Tal Benzion from the product management team for Timbuktu Pro at
    Netopia said the following. Although Timbuktu Pro has always
    encrypted the passwords used to actually authenticate the remote
    control session, prior versions did not encrypt the remote
    control data stream because Netopia's proprietary graphic protocol
    is complicated enough to prohibit the decoding and display of
    data. However, since data typed during the remote control session
    was only hidden to the extent that the keystrokes were randomly
    commingled with other upstream data, these keystrokes were,
    technically, clear text, and a potential security hole.

    Netopia has now added a security enhancement, available in the
    current release of the Timbuktu Pro Enterprise Edition as well as
    Timbuktu Pro 2000, which dynamically scrambles and encodes all
    keyboard and mouse data that is sent from the guest to the host
    machine on a per session basis. Based on customer feedback
    regarding performance, complexity and the cost issues of
    implementing full standards-based PKI security solutions, they
    believe that their current solution offers the best balance
    between security and performance at the application level. Their
    position has always been that a proper encryption program focuses
    on all transmissions across the network and that in the long run
    customers are better served to implement an umbrella encryption
    strategy.