[Dshield] How secure IS GoToMyPC?

Joe Matusiewicz joem at nist.gov
Wed Jun 16 12:59:36 GMT 2004


At 08:01 AM 6/16/2004, Alan Frayer wrote:
>I have a potential client who has been suggesting they want to remotely 
>access critical data using GoToMyPC, rather than placing the data in a 
>web-accessible, password-protected read-only database.
>
>Which approach to accessing the data remotely would be more secure? Am I 
>missing something?

I'm assuming there is a firewall between the home PC and the 
data.  GoToMyPC sets up a VPN between the home PC and the PC inside the 
firewall.  You (IT security) have no control over authentication.  If the 
home PC is r00ted then there is a path inside your firewall -- using 
encryption which probably won't set off your IDSs, depending on where 
they're placed.  This is similar to how a certain sw company in Redmond got 
compromised 3 1/2 years ago. It seems an employee was working from home and 
got hit by the QAZ backdoor worm which used the tunnel to infect boxes 
inside the firewall.  Sniffers were set up and it was the start of mischief 
and mayhem.  It's not good to have guest Administrators accessing your 
internal network from overseas.

Assuming that your idea, the web accessible database, uses encryption, it 
sounds like a solution that carries less risk.  BTW, a lot of sites block 
GoToMyPC.


Hope this helps....

-- Joe



