[Dshield] How secure IS GoToMyPC?

Stephane Grobety security at admin.fulgan.com
Wed Jun 16 14:43:47 GMT 2004


AF> I have a potential client who has been suggesting they want to remotely 
AF> access critical data using GoToMyPC, rather than placing the data in a 
AF> web-accessible, password-protected read-only database.

AF> Which approach to accessing the data remotely would be more secure? Am I
AF> missing something?

GoToMyPC is great for tech support, but it's a poor choice for remote
control: while the overall design is pretty secure, it places too much
trust in the end user making the proper security decision, and it
doesn't include any proper control over what the user does with the
remote machine.

You seem to have omitted two key points here: how much is the data
worth to them, and how "visible" or "exposed" are they? The answer to
these questions is critical to making a threat assessment and providing an
educated answer.

For instance, consider that a security breach here could cost, say, a million
dollars (not an unrealistic number: anything that is based in the US and
contains private data from a third party could fall into this
category). Consider that they are a mid-sized business (~100 employees)
that deals with a medium number of customers for their size (1000+),
and that every customer knows that this data is there. You can bet
that about 10'000 people know about the application somehow. That
would make it a medium-visibility system in my book. If these people can
benefit directly from a security breach (for instance, by suing the
customer), then you have about 10'000 people with a direct motive to
break in.

I personally would be willing to spend a few thousand dollars to
secure such a system. Now, with that money, I could set up a system
that uses strong crypto and hardware authentication for about 10
users: use a VPN system with token authentication and connect them to
a locked-down terminal server machine running the client app.

On the other hand, if the application contains not-so-critical data
(e.g. the log file of your web site), there is no money to be
made in breaking into it, and losing the data is not going to
cause more than an annoyance, then go for a web-based DB solution:
it'll be quite cheap and secure enough for most things.
