[Dshield] Outbound GoToMyPC

Deb Hale haled at pionet.net
Thu Jun 28 14:20:23 GMT 2007


I used GoToMyPC for about 3 years and was really pleased with the
performance and the ease of use.  I never had any security problems.  Of
course, I never accessed it from a public computer either.  I always used my
laptop or office computer to access my home computer and vice versa. As with
any product of this nature there are risks involved, but sensible security
practices and safe computing can reduce the risk.  

I no longer use it, not because I don't like it, but because I now have a
secure VPN that gets me what I need to get.

Deb

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of "Bjørn" Ruberg
Sent: Thursday, June 28, 2007 8:35 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Outbound GoToMyPC

"Steven Brower" <sbrower at cox.net> writes:

> What about outbound GoToMyPC?  That is, what is the security risk to a 
> networked work environment which allows exclusively *outbound* access 
> to GoToMyPC?

(Disclaimer: I have not _tried_ GoToMyPC. A few years ago, I did a security
assessment on the product. Today's posting is somewhat based on that, but
primarily on the information on GoToMyPC's web site, including whitepapers.)

"Outbound access" only regulates that a connection must be initiated
(hopefully voluntarily) from the office computer. Upon starting GoToMyPC on
the office computer, it (simply put) creates a tunnel to GoToMyPC's servers
and "waits there" for someone to extend the tunnel, e.g. to a home computer.
When the connection has been established, there are no restrictions on which
direction the information *inside* the GoToMyPC tunnel flows.

Once a GoToMyPC account has been created, and the office computer runs the
application, you may access it from anywhere. So may anyone else who picks
up your password, e.g. using a key logger on a shady Internet cafe ("I just
wanted to check my e-mail").

So, if a user name and password comes astray, anyone may control the PC in
your office. Depending on your workplace's local computer security, that may
include transferring documents out, sending malicious software in, and
sending e-mail as the user. GoToMyPC as such does not provide any virus
scanning mechanisms or other kind of controls, so there's nothing stopping
you (or that Internet cafe guy,
remember) from saving infected files on your corporate server.

To be fair, GoToMyPC has some nice features, like support for One Time
Passwords. That will eliminate the key logging issue, but won't stop malware
from entering. Furthermore, GoToMyPC strongly focuses on the transport
encryption. That does indeed reduce the chances that someone may listen in
on the connection. But you create a wide open pipe into your internal
network, with no restrictions on either side of that pipe.

GoToMyPC is quite like Remote Desktop, VNC and other remote control
products. After you initiate GoToMyPC from your internal network, there's
not much of a difference. The "outbound only" element is no security
mechanism, but it looks good in glossy sales material. And if I understand
the whitepaper correctly, you can't even use IP-based access lists (as you
could've done with e.g. VNC), because all traffic originates from GoToMyPC's
communication server(s).

*phew*, that should give you some background to consider the security risk.
I may sound quite negative to this product, but being paranoid against
products like this is, well, part of my job. That said, I wouldn't allow
GoToMyPC into my home PC either.

Good luck :-)

--
Bjørn


_________________________________________
SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 courses, SANS top
instructors, and a great tools and solutions expo. Register today!
http://www.sans.org/info/4651 (brochure code ISC)




More information about the list mailing list