[Dshield] Outbound GoToMyPC
Tom Love
tlove at tjlovejr.com
Thu Jun 28 17:05:28 GMT 2007
A respectful disagreement with sbrower re gotomypc.
1. The outbound only connection of gotomypc and logmein and the rest
removes an important attack surface - scans for open inbound ports. MS
remote desktop and terminal services invite attacks through port scans
and there have been some notable attacks on those programs as a result.
Actually, so do VPNs, since they have open inbound ports (more
accurately, since they accept unsolicited traffic). The less
information the bad guys have the better, and use of an outbound port
only program makes bad guys less informed.
2. I don't think gotomypc and their competitors should be singled out
for criticism on the grounds of loss of username/passwords, since that's
true of all software the security of which relies on username/passwords,
which is, essentially, nearly all software.
3. We switched from gotomypc to logmein for performance reasons, but
the performance reasons tie into a feature that logmein has that sbrower
is concerned about. Gotomypc routes the entire session's traffic
through their servers. Logmein operates as a dating service, that is,
it connects the two pcs directly. Logmein is therefore (almost) always
faster than gotomypc, since logmein connections operate at the full
speed of the two pcs' available bandwidth, whereas gotomypc has the
additional limitation of the bandwidth that gotomypc's servers have made
available to you.
But another advantage of logmein's approach is that you most certainly
can limit access by ip address, because the two pcs not only do know
each other's IP address because of the way logmein works, but they *have*
to know each other's address. Thus you can (laboriously, I'll admit)
type in white listed ip addresses in logmein.
There is no technical reason why gotomypc could not make the ip address
of the two pcs known to each, since gotomypc's servers know them, but
having not checked in a while, I don't know if they have added this feature.
Also, since both programs require two logins - one to their service, and
one actually on the host pc, both allow the use of RSA keys and the like
(or whatever devices, systems, etc) that you are using to ameliorate the
shortcomings of the username/password system. So if you are really
interested in defeating key logging, then distribute some one-time
rsa-like system to your users.
I have no financial interest in either company. I do however, have
respect for the amount of port scanning that goes on everyday, and thank
logmein (and gotomypc) for rendering our remote access invisible to the
port scanners. (As noted, VPNs must also open inbound ports to
wait for users and outside vpn hardware to try to break, er, log in, and
<sarcasm> of course, given the dozens of patched security holes you read
about everyday, I am nevertheless certain that no vpn software/router
anywhere ever ever had an attack surface, because unlike all other
software, vpn software is perfection embodied </sarcasm> ). I really
really don't like seeing open inbound ports on our networks.
Why remote control software is superior to VPNs as a practical
business, support cost, financial matter and intellectual property
control matter is a discussion for another day. However, I will note
that the repeated episodes you read about in the paper of laptops being
lost with unsecured, embarrassing data on them would not occur if said
laptops did not have such data on them, and remote control software is
one way to get such data off said laptops and back on your network where
it belongs (and logmein allows you to block file transfers, so all the
wayward absent minded laptop user can do is only what they could have
done at their desk anyway). Another way of course is the practical
expedient of telling everyone in your company, including the ceo, that
he can't have a laptop and/or no remote access - lotsa luck with that.
The greatest marketing engine for these companies is lost laptops and
breathless news reporting. VPNs on the other hand feed the lost laptop
issue. ("wow, network is slow today, I'll just copy massive amounts
of crucial, embarrassing unencrypted data down to my laptop and sign out
so I can work faster, and then leave my laptop on the roof of my car
when pulling out of the starbucks parking lot".)
Deb Hale wrote:
> I used GoToMyPC for about 3 years and was really pleased with the
> performance and the ease of use. I never had any security problems. Of
> course, I never accessed it from a public computer either. I always used my
> laptop or office computer to access my home computer and vice versa. As with
> any product of this nature there are risks involved, but sensible security
> practices and safe computing can reduce the risk.
>
> I no longer use it, not because I don't like it, but because I now have a
> secure VPN that gets me what I need to get.
>
> Deb
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of "Bjørn" Ruberg
> Sent: Thursday, June 28, 2007 8:35 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Outbound GoToMyPC
>
> "Steven Brower" <sbrower at cox.net> writes:
>
>
>> What about outbound GoToMyPC? That is, what is the security risk to a
>> networked work environment which allows exclusively *outbound* access
>> to GoToMyPC?
>>
>
> (Disclaimer: I have not _tried_ GoToMyPC. A few years ago, I did a security
> assessment on the product. Today's posting is somewhat based on that, but
> primarily on the information on GoToMyPC's web site, including whitepapers.)
>
> "Outbound access" only regulates that a connection must be initiated
> (hopefully voluntarily) from the office computer. Upon starting GoToMyPC on
> the office computer, it (simply put) creates a tunnel to GoToMyPC's servers
> and "waits there" for someone to extend the tunnel, e.g. to a home computer.
> When the connection has been established, there are no restrictions on which
> direction the information *inside* the GoToMyPC tunnel flows.
>
> Once a GoToMyPC account has been created, and the office computer runs the
> application, you may access it from anywhere. So may anyone else who picks
> up your password, e.g. using a key logger on a shady Internet cafe ("I just
> wanted to check my e-mail").
>
> So, if a user name and password comes astray, anyone may control the PC in
> your office. Depending on your workplace's local computer security, that may
> include transferring documents out, sending malicious software in, and
> sending e-mail as the user. GoToMyPC as such does not provide any virus
> scanning mechanisms or other kind of controls, so there's nothing stopping
> you (or that Internet cafe guy, remember) from saving infected files on
> your corporate server.
>
> To be fair, GoToMyPC has some nice features, like support for One Time
> Passwords. That will eliminate the key logging issue, but won't stop malware
> from entering. Furthermore, GoToMyPC strongly focuses on the transport
> encryption. That does indeed reduce the chances that someone may listen in
> on the connection. But you create a wide open pipe into your internal
> network, with no restrictions on either side of that pipe.
>
> GoToMyPC is quite like Remote Desktop, VNC and other remote control
> products. After you initiate GoToMyPC from your internal network, there's
> not much of a difference. The "outbound only" element is no security
> mechanism, but it looks good in glossy sales material. And if I understand
> the whitepaper correctly, you can't even use IP-based access lists (as you
> could've done with e.g. VNC), because all traffic originates from GoToMyPC's
> communication server(s).
>
> *phew*, that should give you some background to consider the security risk.
> I may sound quite negative to this product, but being paranoid against
> products like this is, well, part of my job. That said, I wouldn't allow
> GoToMyPC into my home PC either.
>
> Good luck :-)
>
> --
> Bjørn
>
>
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC. 56 courses, SANS top
> instructors, and a great tools and solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)
>
>
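The architectural point the thread is arguing about (an "outbound only" client dials a broker and waits, the broker splices two outbound connections together, and from then on data crosses the tunnel in both directions; and a broker that sees both peers' addresses can enforce an IP allowlist, while one that hides them cannot let you) can be shown with a small loopback simulation. The code below is an added illustration written for this page; it is not code from any poster in the thread and not GoToMyPC's or LogMeIn's real protocol. The broker behaviour, the message strings, and the allowlisted addresses are all constructed for the demo.

```python
"""Toy "outbound-only" remote-access broker (constructed illustration).

Both the "office" PC and the "home" PC open *outbound* TCP connections to a
broker, and the broker splices them together. Nothing here is GoToMyPC's or
LogMeIn's actual protocol; names, messages and addresses are assumptions.
"""
import socket
import threading

TIMEOUT = 5.0  # seconds; a broken run fails instead of hanging


def broker(listener, allowlist, trace):
    """Accept the office PC first, then the home PC, and splice one exchange.

    The broker sees both peers' addresses, so it *can* enforce an IP allowlist
    on the connecting side. Once a session is accepted, bytes flow both ways:
    "outbound only" describes who dialed, not what may cross the tunnel later.
    """
    office, _office_addr = listener.accept()
    home, home_addr = listener.accept()
    for s in (office, home):
        s.settimeout(TIMEOUT)
    trace["home_ip"] = home_addr[0]

    request = home.recv(4096)  # home -> broker
    if allowlist is not None and home_addr[0] not in allowlist:
        trace["decision"] = "denied"
        home.sendall(b"DENIED: address not on allowlist")
    else:
        trace["decision"] = "allowed"
        office.sendall(request)    # broker -> office: inbound data reaches the office PC
        reply = office.recv(4096)  # office -> broker
        home.sendall(reply)        # broker -> home: and data leaves just as freely
    office.close()
    home.close()


def simulate_session(allowlist=None):
    """Run one brokered session on loopback and report what each side saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(2)
    listener.settimeout(TIMEOUT)
    port = listener.getsockname()[1]

    trace = {}
    worker = threading.Thread(target=broker, args=(listener, allowlist, trace))
    worker.start()

    # Both endpoints dial *out* to the broker; neither opens a listening port.
    office = socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT)
    home = socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT)

    home.sendall(b"open quarterly-report.txt")  # constructed request from the home side
    office_saw = office.recv(4096)               # b"" if the broker refused the session
    if office_saw:
        office.sendall(b"<contents of quarterly-report.txt>")  # constructed reply
    home_saw = home.recv(4096)

    worker.join(TIMEOUT)
    for s in (office, home, listener):
        s.close()
    trace["office_saw"] = office_saw
    trace["home_saw"] = home_saw
    return trace


if __name__ == "__main__":
    # No allowlist: anyone holding the account credentials is spliced through.
    print(simulate_session())
    # Connecting address is permitted.
    print(simulate_session(allowlist={"127.0.0.1"}))
    # Allowlist holds only a constructed remote address, so loopback is refused.
    print(simulate_session(allowlist={"198.51.100.7"}))
```

In the first run the office PC receives the home side's request and its reply travels back out, even though the office PC never accepted an inbound connection; that is the "wide open pipe" point. In the third run the broker refuses the session because it knows the connecting address, which is the allowlist capability the thread says depends on whether the service exposes peer addresses at all.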