[Dshield] How secure IS GoToMyPC?

Stephane Grobety security at admin.fulgan.com
Fri Jun 18 15:07:28 GMT 2004


MC> My point was that a malicious file uploaded by a clueless user (the more
MC> likely event) would have a good chance of being intercepted by AV, not 
MC> that a malicious user couldn't do all sorts of things to the machine 
MC> once at the console.

I'm hard pressed to imagine a situation where this might arise,
honestly: why would a user upload a malicious file and run it?
Granted, there are some people that will happily download
http://www.hackzeworld.org/trojan.exe and run it, but I can't see them
doing that AND uploading the file to the server.

Someone taking control of the remote client, snooping the login
procedure and reproducing it, however, seems far more likely to me.

MC> On the other hand, it's not physical access, so a locked down
MC> machine would make it harder for a malicious (or clueless) user to
MC> mess up the machine.

The sad thing is that you can't count on stupidity. You can expect it,
but not count on it. It means that if you have to take into account a
malicious user, you have to assume he is not too dumb. And getting
full access to Windows once you have minimal access to the console is,
sadly, not too complex.

MC> But we all know how often we see a locked
MC> down machine, let alone one that a creative black hat can't get
MC> into.

>> typical PC not to require much download. Plus, the attacker already
>> has local console access: all he needs is privilege escalation.

MC> Exactly my point. Using GoToMyPc removes a layer or eight of protection, 
MC> but it's not like opening an otherwise secure machine to the Internet 
MC> completely.

Of course it's not. But if you follow a defence in depth model, it
doesn't make sense to use GoToMyPC for database access since it
transforms a potential security failure into a total breach. Plus you
now have to secure and maintain at least two machines instead of one.

I know what I'm talking about: I'm responsible for a Citrix server
farm that is accessed by external users. Trust me on that: securing
things like that properly doesn't come cheap and it doesn't come easy.

MC> For example, a disgruntled employee could do a comparable 
MC> amount of damage sitting in front of the machine as through GoToMyPC.

That depends on the application, access control and exactly what they
have access to, but the same applies to almost everything (ever heard
of an employee voluntarily entering false accounting data and then
calling the tax office?).


MC> A socially-engineered employee sitting in front of the machine
MC> might be coerced into installing a back door or keystroke logger
MC> or other malware.

No need to go that far, really. Here are a couple of scenarios that lead to
a system breach:

1/ Employee Alice, far from home, gets a call requesting that she log into
GoToMyPC. She goes to the local internet cafe and logs in from a rented
machine. Sadly for her, Bob, the guy next to her, is simply looking at her
keyboard when she logs in. After some time, she logs out and walks away.
Bob goes to the machine Alice just left, uses the history to navigate
to the login page and gets access to your machine.

2/ Alice is at home and just got cable network. Unfortunately for
her, Bob lives next door and uses the same service. Since Alice is new
to broadband, she doesn't have a very secure box. Bob, on the other
hand, is bored, hacks into Alice's machine and gets a keylogger in
place. After a while, he has the keys to your machine.

MC> So a GoToMyPC installation with good password discipline is 
MC> somewhat comparable to some sort of good physical control of employees 
MC> coming to work in the building.

In the sense that, if that level of security fails, you have a
complete security breach, yes. But it's hardly a situation you can be
proud of. And unless you're running a virtual office, you simply
can't avoid the problem of physical access control or mitigate it
much. Remote control, however, can be avoided in this case.

MC>  We all know how often either of those 
MC> happens, plus you never know when the employee who is properly 
MC> identified at the front door (or uses a strong password) is going to do 
MC> something clueless or malicious.

There are ways to prevent that as well, but they are usually expensive
AND have an impact on productivity. But if you want to push your
comparison, I might not control strictly who gets through the main
door, but I'm watchful of who comes into the dev room. And I'm
paranoid about who gets into the server room. And I'm fighting all I
can to keep everyone from touching my PC, either physically or via the
network. That's called segregation: don't give someone more access
than he needs to do his job, and we do that in the real world too.

MC> Having other layers of defense to take 
MC> care of those situations is critical, and makes it that much harder for 
MC> an unauthorized person to do nasty things through GoToMyPC or some other 
MC> access method.

The problem with remote access is that you simply can't control who is
on the other side. Or rather, you can't do it using passwords alone.

A potential solution would be:
1/ Only allow remote access via VPN. Not really because you don't
trust the encryption, but because some VPN clients include security
systems: firewalling, antivirus and all. If a client doesn't show that
he's protected and up-to-date, he simply won't be allowed in.
2/ Use SSL client certificates and store these certificates on hardware
tokens. Strangely, I've not seen any cryptographic token that also
includes a fingerprint reader (though I've seen fingerprint readers
protecting USB key drives) but it could improve security further.

Believe it or not, this would make a pretty good security system (I'm
currently doing research on such a system for outfitting a large
customer in that fashion to secure their administrators' accounts).

MC> So instead of saying "it's a security risk" -- what's NOT a security 
MC> risk?

That's a good way NOT to answer the question. Of course, mostly
everything is a security risk and that's why in my original answer I
pointed out that much information was missing to properly discuss
the matter. But given what we know - that a web-based solution with
read-only access to the data would do the same job - I would say that
the rather large impact such a setup would have on security really isn't
worth its advantages (namely: it would cost a bit less upfront).

MC>  -- I'm suggesting more that we analyze and mitigate as many of the 
MC> real risks as possible, on the theory that some malicious or clueless 
MC> act done through GoToMyPC is probably using an opening that could be 
MC> exploited through another vector.

I don't really agree. GoToMyPC (or any remote control) is an
additional attack vector that has several important properties:

1/ It's difficult to control since you can't have access to the
clients that will use it.
2/ It is very brittle in the sense that a single mistake has important
consequences: damage mitigation is, in that case, nearly impossible.
3/ Other solutions are available that do not have the same properties
together (for instance, web access is difficult to control but not so
brittle while physical access to the database machine is brittle but
easier to control).

This makes GoToMyPC a security gamble that is, IMNSHO, not worth the
risk.
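As an added example, not part of the original post and not code from Stephane, GoToMyPC or Citrix: the second measure proposed above (SSL client certificates as the credential in place of a password) in working Go, using only the standard library. It stands up a TLS gateway on loopback that demands a certificate issued by a corporate CA, then tries the three client behaviours the scenarios above lead to: Alice presenting the certificate from her token, a client with nothing but the password Bob shoulder-surfed in scenario 1 (here: no certificate at all), and Bob presenting a certificate he signed with a CA of his own. The names (corp-ca, db-gateway, alice-token, bobs-own-ca), the serial numbers and the loopback address are assumptions for the demo; the hardware-token part cannot be shown in software, so the client key is generated in memory where on a real token it would be generated on the token and never leave it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustIssue makes a P-256 key and a certificate for it signed by parent (self-signed when
// parent is nil). On a real token the client key is generated on the token and never leaves it.
func mustIssue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve answers one connection at a time; the handshake is the gate, so a client without a
// certificate chaining to ClientCAs never reaches the Fprintf.
func serve(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		tc := c.(*tls.Conn)
		if tc.Handshake() == nil { // fails with no certificate, or one our CA did not sign
			fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
		tc.Close()
	}
}

// admitted dials with zero or one client certificate and reports whether the gateway answered.
// The read matters: in TLS 1.3 the client's handshake completes before the server has judged the client certificate.
func admitted(addr string, roots *x509.CertPool, certs ...tls.Certificate) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, Certificates: certs})
	if err != nil {
		return false
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 64))
	return err == nil
}

// Result says who got an answer: Alice's token, a client with no certificate, Bob's self-issued certificate.
type Result struct{ ValidToken, NoCert, UntrustedCA bool }

// Demo builds the corporate CA, the gateway cert, Alice's token cert and a cert Bob signed with a CA of his own.
func Demo() (Result, error) {
	ca, caTLS := mustIssue("corp-ca", 1, true, nil, nil)
	_, gwTLS := mustIssue("db-gateway", 2, false, ca, caTLS.PrivateKey)
	_, aliceTLS := mustIssue("alice-token", 3, false, ca, caTLS.PrivateKey)
	bobCA, bobCATLS := mustIssue("bobs-own-ca", 4, true, nil, nil)
	_, bobTLS := mustIssue("bob", 5, false, bobCA, bobCATLS.PrivateKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gwTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the certificate, not a password, is the credential
		ClientCAs:    roots,
	})
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	go serve(ln)
	addr := ln.Addr().String()
	return Result{ValidToken: admitted(addr, roots, aliceTLS), NoCert: admitted(addr, roots), UntrustedCA: admitted(addr, roots, bobTLS)}, nil
}

func main() { fmt.Println(Demo()) } // prints {true false false} <nil>
```

The whole policy is the one line ClientAuth: tls.RequireAndVerifyClientCert together with the ClientCAs pool: Bob's shoulder-surfed password from scenario 1 gets him nothing, because there is no password, and his own CA is refused because the gateway only trusts corp-ca. What the example does not cover is the first measure above, the VPN client posture check, which is a product feature rather than something the TLS layer can express, and it does not protect Alice from malware driving the token while it is plugged in, which is where the fingerprint reader idea comes in.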



