[Dshield] Outbound GoToMyPC

Bjørn Ruberg bjorn at ruberg.no
Thu Jun 28 13:34:42 GMT 2007


"Steven Brower" <sbrower at cox.net> writes:

> What about outbound GoToMyPC?  That is, what is the security risk to a
> networked work environment which allows exclusively *outbound* access to
> GoToMyPC?  

(Disclaimer: I have not _tried_ GoToMyPC. A few years ago, I did a
security assessment on the product. Today's posting is somewhat based
on that, but primarily on the information on GoToMyPC's web site,
including whitepapers.)

"Outbound access" only regulates that a connection must be initiated
(hopefully voluntarily) from the office computer. Upon starting
GoToMyPC on the office computer, it (simply put) creates a tunnel to
GoToMyPC's servers and "waits there" for someone to extend the tunnel,
e.g. to a home computer. When the connection has been established,
there are no restrictions on which direction the information *inside*
the GoToMyPC tunnel flows.

Once a GoToMyPC account has been created, and the office computer runs
the application, you may access it from anywhere. So may anyone else
who picks up your password, e.g. using a key logger at a shady
Internet cafe ("I just wanted to check my e-mail").

So, if a user name and password go astray, anyone may control the
PC in your office. Depending on your workplace's local computer
security, that may include transferring documents out, sending
malicious software in, and sending e-mail as the user. GoToMyPC as
such does not provide any virus scanning mechanisms or other kinds of
controls, so there's nothing stopping you (or that Internet cafe guy,
remember) from saving infected files on your corporate server.

To be fair, GoToMyPC has some nice features, like support for One Time
Passwords. That will eliminate the key logging issue, but won't stop
malware from entering. Furthermore, GoToMyPC strongly focuses on the
transport encryption. That does indeed reduce the chances that someone
may listen in on the connection. But you create a wide open pipe into
your internal network, with no restrictions on either side of that pipe.

GoToMyPC is quite like Remote Desktop, VNC and other remote control
products. After you initiate GoToMyPC from your internal network,
there's not much of a difference. The "outbound only" element is no
security mechanism, but it looks good in glossy sales material. And if
I understand the whitepaper correctly, you can't even use IP-based
access lists (as you could've done with e.g. VNC), because all traffic
originates from GoToMyPC's communication server(s).

*phew*, that should give you some background to consider the security
risk. I may sound quite negative about this product, but being paranoid
about products like this is, well, part of my job. That said, I
wouldn't allow GoToMyPC into my home PC either.

Good luck :-)

-- 
Bjørn
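
Added example, not part of the original post: since an outbound-only rule and IP-based access lists cannot restrict this kind of tunnel, one remaining control is spotting the office PC's sustained outbound contact with the broker in egress logs. The log format, the `.broker.example` suffix and the 30-minute threshold are assumptions for illustration, not GoToMyPC specifics.

```python
import csv
import io
from collections import defaultdict

# Hypothetical watch list: placeholder suffix, not a real broker host name.
BROKER_SUFFIXES = (".broker.example",)
MIN_SPAN_SECONDS = 1800  # assumed threshold: contact spread over 30+ minutes

# Constructed sample of egress proxy records (epoch seconds, made-up format).
SAMPLE_LOG = """ts,src,dst_host,bytes_out,bytes_in
1000,10.0.0.21,poll.broker.example,400,300
1600,10.0.0.21,poll.broker.example,400,300
2200,10.0.0.21,poll.broker.example,52000,900
2800,10.0.0.21,poll.broker.example,610000,4000
3400,10.0.0.21,poll.broker.example,480000,3500
1200,10.0.0.35,www.example.org,900,42000
1300,10.0.0.35,poll.broker.example,500,300
2000,10.0.0.40,cdn.example.net,700,88000
"""


def find_broker_tunnels(log_text, min_span=MIN_SPAN_SECONDS):
    """Return {src: stats} for internal hosts in sustained contact with a broker."""
    seen = defaultdict(lambda: {"first": None, "last": None,
                                "out": 0, "in": 0, "hits": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["dst_host"].lower().rstrip(".")
        if not host.endswith(BROKER_SUFFIXES):
            continue  # destination is not on the watch list
        ts = int(row["ts"])
        s = seen[row["src"]]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["out"] += int(row["bytes_out"])  # data leaving the office network
        s["in"] += int(row["bytes_in"])
        s["hits"] += 1
    # A single short contact is ignored; only persistent contact is reported.
    return {src: {**s, "span": s["last"] - s["first"]}
            for src, s in seen.items()
            if s["last"] - s["first"] >= min_span}


if __name__ == "__main__":
    for src, s in find_broker_tunnels(SAMPLE_LOG).items():
        print(f"{src}: {s['hits']} contacts over {s['span']}s, "
              f"{s['out']} bytes out, {s['in']} bytes in")
```

The destination is always the broker, so the log shows which internal host holds a tunnel open but never who is on the far end of it.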



