Re: remote control program

Joel,
The security of the interface has nothing to do with SSL. In fact, the security of your online banking technology also has nothing to do with SSL. SSL is only good for protecting data in transit, it does nothing at all to protect the end-points. If you can hack the end-points (client or server) then you're golden from a hackers perspective.

Likewise, your password is irrelevant especially if one of the end-points is hackable. If the technology was not properly assessed by a qualified security team then I wouldn't trust it. When I say properly assessed I mean exposed to the wrath and curiosity of a vulnerability research and exploitation project. I do not mean some crack automated scan or quickie assessment.

To get in to the application one does not need credentials, one just needs an exploitable vulnerability. SQL Injection, RFI, LFI, XSS for Phishing, etc. Those are the real keys to the kingdom, and your networks _if_ the technology is vulnerable.

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn


Joel wrote:
How secure is any administrative interface on the web? It's only as good as
the SSL, which has been broken in theory but not in practice that I'm aware.
I bank online because I trust the interface and the encryption, but I guard
my password carefully and (should) change it (more) often. I do the same
with the master account password for logmein. Still, your last comment isn't
true for the product... from the website it's no free lunch if some
malfeasant gains the account credentials. On the website you have to know
the username and password for each computer when you attempt a remote
session.

More conveniently, the Ignition product has an interface that sits on my
laptop and allows me to gain access in 5 to 15 seconds. And the access if
usually as fast or almost as fast as being at the desktop. YMMV based upon
your throughput. I have 7Mbps down and 2Mbps up at my office; that may
influence the speed. However, I have a partner company that uses Ultra-VNC
for remote work to the same location who complains about jitter and delay
when I have no problems with at all.

Back to security, I trust that my local machine is well-secured and don't
mind the Ignition program caching the credentials for all of the users and
servers. While I'm happy that the website does not cache credentials, it
wouldn't be a security issue I would lose sleep over if it did as long as my
channels are encrypted end-to-end. From what your company site states,
testing the accuracy of the logmein encryption claims might be something you
can investigate independently. If you do and find otherwise, I hope to see
your findings here or on pen-test or bugtraq.

I really do sound like a plant from the company, yes? I'm not.
http://www.linkedin.com/pub/7/6ba/923

Regards,

Joel
Joel at SecureNA dot com


-----Original Message-----
From: Adriel Desautels [mailto:adriel@xxxxxxxxxxxxx] Sent: Friday, May 30, 2008 7:03 PM
To: Joel
Cc: sgp@xxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: remote control program

So it sounds like a legit tool. What are the security implications of using
this tool? How secure is the administrative interface? RAT tools always
concern me when thinking about security. If a malicious kid gets control of
the administrative credentials or the administration interface its very much
game over. Just a thought.

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you
must know : http://tinyurl.com/26pjsn


Joel wrote:
If you refer to the website and search for review, you'll find that the company is legit and has been around quite awhile. They were once called remotelyanywhere, and I don't know why the name changed, but they are very professional whenever I've called. I've had almost zero downtime over the past three years, and I said in my last post, I have 60 licenses I use every day, and I do mean 365 days a year, for remote
support all over the country.
I don't know about LAS region support. I'd call the company and ask them about any routing concerns.

Of a dozen remote tools, this is by far the most advanced tool on the market. Drag and drop to the remote screen, sound from the remote screen, print to your local printer from the remote, magnify, whiteboard,
chat, etc.
Did I mention inventory and alerts? I'm a walking ad for the company because my company is a success since this tool is so well designed. I've supported sales reps driving down the highway. Today I used my AT&T Tilt (a Windows Mobile phone) to do a remote session while I was away from my office. I've copied files for a user while playing golf on a weekend. WM6 support is a rare find. For <$40 a year per license, I
couldn't ask for more.

Regards,
Joel



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of sgp@xxxxxxxxxxx
Sent: Friday, May 30, 2008 4:10 PM
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: remote control program

Thank you all for the answers, I need to implement remote administration several branches of my clients and was evaluating the tool (Logmein) to implement, at first I thought was spectacular, by not having to configure anything on the routers to allow access from the
internet.
But I am very concerned about whether the tool is reliable, in other words if the company owns the tool is.
Regards.

Sergio Properzi.
San Luis Argentina.


Relevant Pages

  • Re: Interface-based security?
    ... You can use programmatic security. ... You need this check called upon entry from each interface ... One client modifies/writes data, other clients only ... this all runs on a secure machine, remote access is disabled in DCOM ...
    (microsoft.public.vc.atl)
  • RE: remote control program
    ... consider that you meant back-end security measures when I responded; ... I've never seen a vulnerability reported on them anywhere, ... To get in to the application one does not need credentials, ... when you attempt a remote session. ...
    (Security-Basics)
  • Re: Active Directory/HIPPA Question
    ... The client ... > roll out AD when their top priority this year is securing the applications ... Security is one of the biggest reasons. ... ESPECIALLY if you have 800 remote offices. ...
    (microsoft.public.win2000.general)
  • Re: DomainLocalServer$ is not a valid user
    ... it can be a BIG security hole. ... Local System or Network Service account on a machine makes a remote request ... things have access to your SQL Server. ...
    (microsoft.public.sqlserver.security)
  • Re: Gotomypc, remote desktop and other VPNs
    ... "Sanjay Punjab" wrote in message ... > I just started a job at a company that has a tight IT policy (most do ... > you web browse using the browser on the remote pc with realistic ... > security, how does this compare with other VPN's or similar services? ...
    (microsoft.public.windowsxp.general)