Oct 12, 2004 The FCS program has allowed Boeing to use Webex (www.webex.com) to sponsor FOUO meetings. Apparently someone in the Army did some looking at the security issues involved, because for a while there was a moratorium on the use of any such conferencing sites. Note that access is through a Boeing sponsored site, not the generic www.webex.com. I've placed the FCS Webex approval documents in my transfer folder (FCS/Webex) for your information. Please do not distribute these outside MITRE. Doug Atkinson The MITRE Corporation -----Original Message----- From: Russ Hillpot [mailto:rhillpot@mitre.org] Sent: Tuesday, October 12, 2004 8:37 AM To: INFOSEC-LIST@LISTS.mitre.org Subject: Re: WebX security I looked at WebX issues while at DARPA and there were two of them. One, the propriety encryption protocol that you already noted. Two, There is a presentation option that allows users to grant access to (control of) their desktops to remote users. If the unaware user uses this feature (trying to be helpful and cooperative) their desktop now becomes susceptible to any security issues that reside on the remotes hosts computer (also creating a multihomed like environment). This can be controlled by good user awareness training but still exists as a potential security issue. When researching this I was able to find some information on the Internet about it though I no longer have the link. I was able to talk with a WebX engineer and they did admit the potential vulnerability when asked, reminding me that it is the users option to relinquish control of their PC to remote users. Again, this can be controlled if the users are aware of it and never agree to give control of their PC to anyone. I'll try to look tonight and see if I have any additional information at home. -----Original Message----- From: Harry Hogenkamp [mailto:hhogenka@mitre.org] Sent: Monday, October 11, 2004 11:53 AM To: INFOSEC-LIST@LISTS.mitre.org Subject: WebX security Gurus: Does anyone have any real world experience with WebX, from the stand point of both securicty and useability? I need a cross-MITRE-firewall capable collaboration suite to support a sponsor/MITRE/support contractor working group. We have typically used MS NetMeeting, but that requires all participants to be inside the MITRE firewall, resulting in additional MITRE travel to sponsor sites or vice versa. The WG tried Groove 3.0 and found it limited with respect to NetMeeting, particularly in collaborative editing of a document. In Groove, you can only "co-edit" a MS Word document - you can present a Powerpoint or Excel file but not share editing. WebX (http://www.communiqueconferencing.com/index.asp) has been proposed as an alternative and seem to fit the bill, although I am a bit uncomfortable with sharing FUOU or proprietary documents via a commercial provider's web-based collaboration suite. WebX does provide a security whitepaper (attached) but it's security uses prorietary algorthims, vice something that is standards based. Thoughts? V/R Harry