[Dshield] How secure IS GoToMyPC?

Stephane Grobety security at admin.fulgan.com
Fri Jun 18 07:24:46 GMT 2004


MC> If I'm not mistaken, GoToMyPC has been purchased by Citrix, so it isn't
MC> exactly a fly-by-night outfit. Not that big companies are immune from 
MC> encounters with malicious software or people, but at least one might 
MC> assume Citrix would try to protect its name.

They have also an impressing list of customers, but mostly on their
"GotoAssist" product (same technology, different target).

MC> They claim that the connections are encrypted. In other words, they talk 
MC> a good game. I'd like to audit the encryption, to see if they really do 
MC> set up a tunnel which they can't intercept, or if they are by definition 
MC> the "man in the middle" (which I think is likely) with access to the 
MC> unencrypted stream.

The deal is the following: everything goes through their server, no
way out of that. That means that Expertcity has the potential to snoop
into everything that passes through them.

Everything else is handled by SSL (either directly or via HTTPS) so
there is little possibility of an outside soucre snooping in, at least
is they handeled the certificate validation properly (a point often
overlooked in SSL implementations).

MC> The primary functionality is to give an operator the ability from afar 
MC> to control a PC. Yes the PC being controlled is inside the firewall and 
MC> the operator likely outside. On the other hand, the primary thing 
MC> traveling through the firewall is screen and possibly printer output, or 
MC> keyboard, and mouse input. To cause problems, a malicious file would
MC> have to be uploaded via a file tranfer, then executed.

There is a built-in file transfer that takes cut-and-paste of files.
The clipboard is also accessible, making it another channel to upload
malicious code in the remote machine.

MC> While the uploading would take place over the encrypted channel,
MC> once the file hit the file system the AV software could check it.
MC> That doesn't mitigate that risk completely, and we can all think
MC> of openings for nasty things, but it is much different from a PC
MC> outside the firewall becoming a part of the network via a VPN.

AV most likely won't help here: since the remote operator is the risk,
he could easily bypass the AV or even stop it before doing it's
tricks.

MC> Perhaps there's a way to turn off the file 
MC> transfer capability -- that would also make it difficult to download, 
MC> say, an Access database containing company secrets or private healthcare 
MC> information, along with making it slightly harder to upload malware.

Even if the possibility was disabled, it wouldn't help on the
security. One could simply upload the file as ASCII (or type it in),
decode it and run it. (That makes me wonder one thing: how complex
would it be to write a Base64 decoder in a batch file ?)

MC> (Of course malware could be donloaded via the PC's web browser too
MC> from the public Internet, unless that sort of thing is blocked at
MC> the firewall.)

That too could be foiled. There is usually enough tools already on a
typical PC not to require much download. Plus, the attacker already
has local console access: all he needs is privilege escalation.

MC> I agree that a well designed web application can handle all the 
MC> authentication and encryption issues directly while opening none of the 
MC> vulnerabilities we can envision. On the other hand, GoToMyPC isn't quite 
MC> as bad as others on the list have implied. Almost, but not quite.

GoToMyPC is designed to solve a specific set of problems and it does
it well. However, using it IS a security risk no matter what.

On a side story, I work for a company that develop accounting
software. We use GoToAssist when necessary for supporting people. One
thing that happens pretty often is that is somebody's data is broken,
we ask them to send them in so we can repair them (not that the data
often breaks, but we it does, we prefer to do the work on our own
systems). Some people refuse. The amazing thing is that these same
people usually don't mind giving us access to their machine remotely
via GoToAssist! They even kindly click on the "Yes" or "Ok" button of
every security warning that happens during the installation of the
Java client application... Security awareness still has a LONG way to
go :(




More information about the list mailing list