Re: Oracle Directconnect (ODC) Security - is it ok?

From: John Kennedy - Expertcity (johnk@expertcity.com)
Date: 03/05/03


From: johnk@expertcity.com (John Kennedy - Expertcity)
Date: 4 Mar 2003 16:29:58 -0800

The following information about session security for Expertcity's
DesktopStreaming service may help here:
 
· Session initiation: The end user must initiate contact with a
support rep to engage in a screen-sharing session. Once engaged,
DesktopStreaming allows a support agent to see the end user's screen
and share mouse and keyboard control with an end user to provide
support. The end user, however, has ultimate control of both the mouse
and keyboard and can end a session at any time. There are no "back
doors" for the support provider to perform hidden operations or gain
access to a user's system files or settings.
 
· Session keys: To ensure that the user and support rep are connected
solely with each other, Expertcity uses randomly generated session
authentication keys to verify identity. When a help session is
requested, the system assigns an identical random character string
(key) to both the user and the support rep. The session can only begin
when these matching keys are presented to the server. No other party
can access the session without a matching key. In addition, we use
AES encryption with a 128-bit key to protect all potentially sensitive
network traffic.
 
· No back door access following session termination: Once the session
has ended, the support agent can no longer connect to the user's
computer because the session and encryption keys are invalidated.
 
Over 2 million screen-sharing sessions have been conducted using our
technology without one security problem. Strong security is one of
the main reasons why many leading companies have selected
DesktopStreaming for their support and online collaboration needs.

For additional info, see: www.desktopstreaming.com

John Kennedy
Chief Security Architect
Expertcity, Inc.
www.expertcity.com

bisley110@yahoo.co.uk (Biz) wrote in message news:<23bcf5e6.0302270847.465222f5@posting.google.com>...
> Many thanks to those of you who responded. I've found out a bit more
> about the service now.
>
> ODC appears to be founded on a service from Expertcity (of GoToMyPC
> fame) called desktopstreaming
>
> According to their marketing blurb this is being used by several large
> organisations, presumably for providing support ... interesting that I
> haven't come across this before (but then Marketing doesn't always
> reflect the actuality)
>
> It seems that the service is 'Instant Messenger' like ... The engineer
> connects to a server at desktopstreaming and (presumably) remains
> connected for the period that they're available for support activity.
> If a customer needs support they go to the desktopstreaming website
> and select the appropriate engineer from a dropdown list. the engineer
> accepts the connection and the remote control session is activated ...
> something like that anyway
>
> If the session can truly be locked down by the customer to be viewing
> only for the remote end (inferred by some of the blurb I've found)
> then that can be beneficial i.e. can the customer applet operate as a
> sandbox
>
> Has anyone seen this in action? - reviewed the security? ....
>
> So what are the obvious security concerns (particularly as there is
> potential to gain complete control of a PC on the Internal LAN)
>
> 1. Disaffected employees at the Support Company (Oracle) or ExpertCity
> causing havoc on our systems/data
> 2. Virus/Worm infection vulnerability in the applet (customer with
> worm/virus connects to engineer ... spreads infection which is then
> further transmitted by engineer talking to other customers)
> 3. A malicious site somehow spoofing the ExpertCity service (Mmmm..
> this may not be possible)
>
> From initial review it looks like a major benefit for support
> organisations so I can see this becoming a popular service - I'd
> rather not be at the (b)leading edge.
>
> I'm inclined to wait until I hear other reports ... but if anyone out
> there has been there please let me know
>
>
> Cheers
>
> bisley110@yahoo.co.uk (Biz) wrote in message news:<23bcf5e6.0302260302.2adbbdbf@posting.google.com>...
> > Dear All
> >
> > Our DBA wants to prevail upon a relatively new Oracle support service
> > called Oracle DirectConnect (ODC).
> >
> > In a nutshell this allows an Oracle support engineer to gain remote
> > control of the DBA's PC to enable them to 'walk through' the reported
> > problem.
> >
> > .... Remote Control! ... gulp (sounds like a security nightmare)
> >
> > Oracle put a good spin on the service claiming that their top 100
> > customers all use it and it's completely secure.
> >
> > I can see the business benefit (in that faults can be resolved far
> > more quickly) but I'm cautious about what we are opening ourselves up
> > to.
> >
> > I'm happy to instigate policies around how this service can be invoked
> > and how it must be supervised (e.g. ensuring that the remote engineer
> > is on the phone for the period of the connection and that our own DBA
> > should drive the keyboard and mouse) but I don't know the full
> > capabilities of the remote control applet that Oracle download (this
> > occurs each time the service is invoked by the customer) ... I am not
> > too concerned if all activity is displayed on the DBA's PC.
> >
> > Has anyone reviewed the Oracle DirectConnect service? (did you find
> > any nasty surprises)
> >
> > Note: I have a fair degree of faith in Oracle as an organisation but I
> > take issue with the potential anonymity of the service - the customer
> > invokes the service requesting a specific engineer from the website,
> > albeit this is backed up by the same engineer being on the phone at
> > the time.
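The matching-key rendezvous and key invalidation described in the reply above, modelled as an added Python example (this is not Expertcity's code; the broker class, its method names and the role labels are assumptions):

```python
import hmac
import secrets


class SessionBroker:
    """Toy model of the server-side rendezvous described in the post.

    Assumed behaviour (not Expertcity's implementation): one random key is
    issued per help request and handed to both the end user and the support
    rep; the session only becomes active once both sides present that key;
    ending the session deletes the key so nobody can reconnect with it.
    """

    def __init__(self, key_bytes=16):
        self.key_bytes = key_bytes            # 16 bytes = 128 bits of randomness
        self._pending = {}                    # session_id -> {"key", "joined"}
        self._active = set()

    def request_session(self):
        """Create a session and return (session_id, key) to hand to both parties."""
        sid = secrets.token_hex(4)
        key = secrets.token_hex(self.key_bytes)
        self._pending[sid] = {"key": key, "joined": set()}
        return sid, key

    def join(self, sid, role, presented_key):
        """Admit `role` ("user" or "rep") only if its key matches the issued one."""
        entry = self._pending.get(sid)
        if entry is None:
            return False                      # unknown or already ended session
        # Constant-time comparison so a wrong key leaks nothing via timing.
        if not hmac.compare_digest(entry["key"], presented_key):
            return False
        entry["joined"].add(role)
        if {"user", "rep"} <= entry["joined"]:
            self._active.add(sid)             # both keys presented: session starts
        return True

    def is_active(self, sid):
        return sid in self._active

    def end_session(self, sid):
        """Invalidate the key: later joins with the old key are refused."""
        self._pending.pop(sid, None)
        self._active.discard(sid)
```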