Hmmm....I would be curious to see if the key is available to me, as a user...because the key isn't actually stored in the JSP...it's stored on the Mid-Tier server config...yes, true, if the key was compromised I'm sure it could be 'faked', but does an end user actually have access to that information....I'll hafta check that out :)
Regarding the 'sensitivity' aspect...completely agree...too many organizations are way too sloppy with their data :)

On Thu, May 30, 2013 at 2:53 PM, John Baker <jba...@javasystemsolutions.com> wrote:

> Lj
>
> Removing the input for authentication field is a great step forward for user friendliness. We replace the BMC login page to provide a polished entry to Mid Tier with options for LDAP, Windows credentials, and AR System login (because it removes the AREA LDAP hassle).
>
> But removing a field doesn't stop one using Fiddler or other tools to post the authentication field value.
>
> Obtaining it can be achieved from viewing a Windows User Tool DLL in a hex editor, or more easily, enumerating it (a classic pen-test fail).
>
> Saying that, WUT is slowly being killed off by BMC. We keep tweaking our solution to ensure it carries on working as AR System evolves.
>
> But there is a secondary debate to sensitivity of data: some organisations are happy to have almost no security because the data is just help desk tickets etc. Saying that, CMDB data is more valuable - access to network data is valuable for attacking other services.
>
> John
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> "Where the Answers Are, and have been for 20 years"
> _______________________________________________________________________________