[Dshield] How secure IS GoToMyPC?

Chuck Lewis clewis at iquest.net
Fri Jun 18 14:56:43 GMT 2004


Stephane wrote:

>On a side story, I work for a company that develop accounting software. We
>use GoToAssist when necessary for supporting people. One thing that happens
>pretty often is that is somebody's data is broken, we ask them to send them
>in so we can repair them (not that the data often breaks, but we it does,
>we prefer to do the work on our own systems). Some people refuse. The
>amazing thing is that these same people usually don't mind giving us access
>to their machine remotely via GoToAssist! They even kindly click on the
>"Yes" or "Ok" button of every security warning that happens during the
>installation of the Java client application... Security awareness still has
.a LONG way to go :(

LOL and cringing at the SAME time. That is so trued (and that example great
and ironic) isn't it ?

It is probably never going to matter how good the security software and
hardware gets as long as you throw "social engineering" into the mix until
users learn NOT to do this things...

Chuck

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Stephane Grobety
Sent: Friday, June 18, 2004 2:25 AM
To: M Cook
Cc: General DShield Discussion List
Subject: Re[2]: [Dshield] How secure IS GoToMyPC?

MC> If I'm not mistaken, GoToMyPC has been purchased by Citrix, so it isn't
MC> exactly a fly-by-night outfit. Not that big companies are immune from 
MC> encounters with malicious software or people, but at least one might 
MC> assume Citrix would try to protect its name.

They have also an impressing list of customers, but mostly on their
"GotoAssist" product (same technology, different target).

MC> They claim that the connections are encrypted. In other words, they talk

MC> a good game. I'd like to audit the encryption, to see if they really do 
MC> set up a tunnel which they can't intercept, or if they are by definition

MC> the "man in the middle" (which I think is likely) with access to the 
MC> unencrypted stream.

The deal is the following: everything goes through their server, no
way out of that. That means that Expertcity has the potential to snoop
into everything that passes through them.

Everything else is handled by SSL (either directly or via HTTPS) so
there is little possibility of an outside soucre snooping in, at least
is they handeled the certificate validation properly (a point often
overlooked in SSL implementations).

MC> The primary functionality is to give an operator the ability from afar 
MC> to control a PC. Yes the PC being controlled is inside the firewall and 
MC> the operator likely outside. On the other hand, the primary thing 
MC> traveling through the firewall is screen and possibly printer output, or

MC> keyboard, and mouse input. To cause problems, a malicious file would
MC> have to be uploaded via a file tranfer, then executed.

There is a built-in file transfer that takes cut-and-paste of files.
The clipboard is also accessible, making it another channel to upload
malicious code in the remote machine.

MC> While the uploading would take place over the encrypted channel,
MC> once the file hit the file system the AV software could check it.
MC> That doesn't mitigate that risk completely, and we can all think
MC> of openings for nasty things, but it is much different from a PC
MC> outside the firewall becoming a part of the network via a VPN.

AV most likely won't help here: since the remote operator is the risk,
he could easily bypass the AV or even stop it before doing it's
tricks.

MC> Perhaps there's a way to turn off the file 
MC> transfer capability -- that would also make it difficult to download, 
MC> say, an Access database containing company secrets or private healthcare

MC> information, along with making it slightly harder to upload malware.

Even if the possibility was disabled, it wouldn't help on the
security. One could simply upload the file as ASCII (or type it in),
decode it and run it. (That makes me wonder one thing: how complex
would it be to write a Base64 decoder in a batch file ?)

MC> (Of course malware could be donloaded via the PC's web browser too
MC> from the public Internet, unless that sort of thing is blocked at
MC> the firewall.)

That too could be foiled. There is usually enough tools already on a
typical PC not to require much download. Plus, the attacker already
has local console access: all he needs is privilege escalation.

MC> I agree that a well designed web application can handle all the 
MC> authentication and encryption issues directly while opening none of the 
MC> vulnerabilities we can envision. On the other hand, GoToMyPC isn't quite

MC> as bad as others on the list have implied. Almost, but not quite.

GoToMyPC is designed to solve a specific set of problems and it does
it well. However, using it IS a security risk no matter what.

On a side story, I work for a company that develop accounting
software. We use GoToAssist when necessary for supporting people. One
thing that happens pretty often is that is somebody's data is broken,
we ask them to send them in so we can repair them (not that the data
often breaks, but we it does, we prefer to do the work on our own
systems). Some people refuse. The amazing thing is that these same
people usually don't mind giving us access to their machine remotely
via GoToAssist! They even kindly click on the "Yes" or "Ok" button of
every security warning that happens during the installation of the
Java client application... Security awareness still has a LONG way to
go :(

_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list