Back Door into your Network

Has anyone run into this? Watch out!

http://www.gotomypc.com

This could give access to internal systems to employees even after they are terminated.

A client of ours has employees who installed this on company machines and were accessing the system after hours.

Their words:

Software
Users download a 1.4 MB installer on their host computers. The
software runs as a service and waits for a connection request. When
a connection is requested, the program prompts the user for an
access code before completing the request.

Firewall Friendly
Because the GoToMyPC software on the remote computer initiates an
outgoing connection, the technology works with your existing
firewall and does not require special configuration. Nor does it
compromise the integrity of your firewall.

Have you analyzed the connection?

by LordInfidel In reply to Back Door into your Netwo ...

Were you able to sniff out the access code or was it encrypted?

I have not seen this one yet.

Does it bypass *all* NTFS security, or is it like Radmin, where it will get you in, but if the machine is locked you will need a valid u/p to get in?

Do you know what port it is running on? It just seems odd that you can't block it at the firewall. At least the incoming request. The firewall has to have at least some port open inbound to that machine.

Generally you restrict both inbound and outbound connections.

I Took a Look.....

by LordInfidel In reply to Back Door into your Netwo ...

For some of you out there, it is a fairly simple process.

Most firewalls allow connections to ports 80 and 443 out. That is, computer A sitting behind firewall 1 needs to get to a website on Server X.

It initiates a request to port 80 on server X from a high port on computer A.

The firewall will allow this thru.

So how does this work?

A user installs the program and registers their system with the GoToMyPc system. The program then polls the servers at a specified interval to let them know that it is alive (or, I theorize, to keep session state for the reverse connection).

The end user logs on to the GoToMyPc site and connects via a Java applet to computer A, which is going thru intermediary GoToMyPc servers.

So it looks like a connection is continually open with their servers, which enables a reverse connection to the computer.

Their security model looks fine, they use MD5 and other standard security practices. And all traffic is encrypted. They also do not bypass OS security, but build on top of it. So like other remote programs, if the system is locked you will need to log in with a valid u/p. I could not see if they do integrated OS security or just access codes.

They did state that the service is permanently installed. I am sure that you can disable it though from starting up. And/or it can be removed.

As an admin though, this program would fall into the category of *sh*t that should never be installed by users. I do not like backdoors into my network at all. Only what I let in gets in.

by tbragsda In reply to Back Door into your Netwo ...

Seen this pop-up ad lots. Scary stuff.

I have set up a strict VPN/RAS policy, and not everyone gets rights. When I turn people down, it's inviting for them to look into something like this.

In another company, I had to fear PCAW. People everywhere had it, and many had modems. This was some time ago, and VPN was not really an option. The temptation to self install PCAW, and work from home was too great for some.

Point is, stuff like this is getting worse, not better. We all will have to really address IM clients soon.

Solutions?

I suggest blocking the address poll.gotomypc.com
It is required for the system to stay online.

Also, and most importantly:
Management needs to take an active role and a policy should be enforced to stop the installation of any program without approval. This can be enforced automatically.

Related site and vulnerability
http://www.dcphonehome.com/index.html
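
One way to find machines already running the host software before blocking poll.gotomypc.com, as an added example that is not part of the original thread: it scans outbound proxy log lines and separates clients that repeatedly contact the poll host from clients that only visited the vendor site. The log layout, the sample lines, the function names and the threshold of three polls are assumptions.

```python
import re
from collections import defaultdict

# Hostnames from the post above: the poll host keeps an installed PC online.
SERVICE_DOMAIN = "gotomypc.com"
POLL_HOST = "poll.gotomypc.com"

# Constructed sample lines; the "time client method host:port" layout is assumed.
SAMPLE_LOG = """\
18:00:00 10.0.4.17 CONNECT poll.gotomypc.com:443
18:00:05 10.0.4.22 GET www.example.com:80
18:00:15 10.0.4.17 CONNECT poll.gotomypc.com:443
18:00:30 10.0.4.17 CONNECT POLL.GoToMyPC.com.:443
# log rotated
18:03:10 10.0.4.31 GET www.gotomypc.com:80
18:04:00 10.0.4.40 GET notgotomypc.com:80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([^\s:]+)(?::\d+)?$")

def normalize(host):
    """Lower-case and drop a trailing dot so FQDN variants compare equal."""
    return host.lower().rstrip(".")

def in_service_domain(host):
    # Suffix match on a label boundary, so notgotomypc.com does not match.
    return host == SERVICE_DOMAIN or host.endswith("." + SERVICE_DOMAIN)

def classify_clients(log_text, min_polls=3):
    """Map each client that contacted the service to (verdict, poll count)."""
    polls, seen = defaultdict(int), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        _time, client, _method, host = m.groups()
        host = normalize(host)
        if not in_service_domain(host):
            continue
        seen.add(client)
        if host == POLL_HOST:
            polls[client] += 1
    # Repeated poll-host hits point to installed host software; other hits
    # are more likely someone browsing the vendor site.
    return {c: ("polling" if polls[c] >= min_polls else "visit", polls[c])
            for c in sorted(seen)}

if __name__ == "__main__":
    for client, (verdict, count) in classify_clients(SAMPLE_LOG).items():
        print(client, verdict, count)
```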

Eliminate ALL Unauthorized Programs

by dennis In reply to Back Door into your Netwo ...

A solution to this growing problem is the Storage Firewall which automatically eliminates any unauthorized programs installed upon reboot. Not to mention Viruses, Trojans and Spyware. A further problem with gotomypc is trying to get the idiots to stop billing your credit card.
The Storage Firewall info is at www.valtx.com.
