Re: Oracle Directconnect (ODC) Security - is it ok?
From: Biz (bisley110@yahoo.co.uk)
Date: 02/27/03
From: bisley110@yahoo.co.uk (Biz) Date: 27 Feb 2003 08:47:19 -0800
Many thanks to those of you who responded. I've found out a bit more
about the service now.

ODC appears to be founded on a service from Expertcity (of GoToMyPC
fame) called desktopstreaming.

According to their marketing blurb this is being used by several large
organisations, presumably for providing support ... interesting that I
haven't come across this before (but then Marketing doesn't always
reflect the actuality).

It seems that the service is 'Instant Messenger' like ... The engineer
connects to a server at desktopstreaming and (presumably) remains
connected for the period that they're available for support activity.
If a customer needs support they go to the desktopstreaming website
and select the appropriate engineer from a dropdown list. The engineer
accepts the connection and the remote control session is activated ...
something like that anyway.

If the session can truly be locked down by the customer to be viewing
only for the remote end (inferred by some of the blurb I've found)
then that can be beneficial i.e. can the customer applet operate as a
sandbox?

Has anyone seen this in action? - reviewed the security? ....

So what are the obvious security concerns (particularly as there is
potential to gain complete control of a PC on the Internal LAN)

1. Disaffected employees at the Support Company (Oracle) or ExpertCity
causing havoc on our systems/data
2. Virus/Worm infection vulnerability in the applet (customer with
worm/virus connects to engineer ... spreads infection which is then
further transmitted by engineer talking to other customers)
3. A malicious site somehow spoofing the ExpertCity service (Mmmm..
this may not be possible)

From initial review it looks like a major benefit for support
organisations so I can see this becoming a popular service - I'd
rather not be at the (b)leading edge.

I'm inclined to wait until I hear other reports ... but if anyone out
there has been there please let me know

Cheers

bisley110@yahoo.co.uk (Biz) wrote in message news:<23bcf5e6.0302260302.2adbbdbf@posting.google.com>...
> Dear All
>
> Our DBA wants to prevail upon a relatively new Oracle support service
> called Oracle DirectConnect (ODC).
>
> In a nutshell this allows an Oracle support engineer to gain remote
> control of the DBA's PC to enable them to 'walk through' the reported
> problem.
>
> .... Remote Control! ... gulp (sounds like a security nightmare)
>
> Oracle put a good spin on the service claiming that their top 100
> customers all use it and it's completely secure.
>
> I can see the business benefit (in that faults can be resolved far
> more quickly) but I'm cautious about what we are opening ourselves up
> to.
>
> I'm happy to instigate policies around how this service can be invoked
> and how it must be supervised (e.g. ensuring that the remote engineer
> is on the phone for the period of the connection and that our own DBA
> should drive the keyboard and mouse) but I don't know the full
> capabilities of the remote control applet that Oracle download (this
> occurs each time the service is invoked by the customer) ... I am not
> too concerned if all activity is displayed on the DBA's PC.
>
> Has anyone reviewed the Oracle DirectConnect service? (did you find
> any nasty surprises)
>
> Note: I have a fair degree of faith in Oracle as an organisation but I
> take issue with the potential anonymity of the service - the customer
> invokes the service requesting a specific engineer from the website,
> albeit this is backed up by the same engineer being on the phone at
> the time.