Home page logo
/

basics logo Security Basics mailing list archives

Re: GOTOMYPC Corporate?
From: "Steve Marin" <steve () skabnmarin com>
Date: Wed, 10 Mar 2004 10:31:03 -0800


GoToMyPc in my opinion is a severe security risk. Why you ask? Well for the
fact that, how do you know for sure that an employee has not signed up for
the service and can now access his machine and corp LAN without the
knowledge if any person in management. The answer is you will not know
unless you do an audit of eevery machine. So if you have any data that is
proprietary or confidential, it can be accessed without the company's
knowledge.

Granted I'm extremly biased to my own product (which automatically blocks
off GoToMyPC) but if you really read what GoToMyPC is all about it is not as
"Secure" as they claim, not only that they say that it will bypass your
firewall that is in place.....

-Steve
----- Original Message ----- 
From: "Christopher Herrmann" <CHerrmann () oddfellows com au>
To: <security-basics () securityfocus com>
Sent: Tuesday, March 09, 2004 3:09 PM
Subject: RE: GOTOMYPC Corporate?


I trialled it for a while, and found it very easy to set up and
administer,
but I was concerned about how it actually operates: about how it actually
"gets around" a firewall. It is a java-based system if I'm not mistaken.

CH

-----Original Message-----
From: Mark Medici [mailto:mark () dbma com]
Sent: Wednesday, 10 March 2004 7:35
To: security-basics () securityfocus com
Subject: RE: GOTOMYPC Corporate?


I have used it myself, and have recommended it to clients because it is a
reliable and simple method to circumvent firewalls an NAT boundaries for
outside remote access.  And I have recommended to other clients to block
it
outright for the same reason.

It's primarily a policy concern.  Either you want to allow remote access
or
you don't.  If you do want to allow remote access, then GoToMyPC is a very
nice and very well-supported application choice that can be installed and
used by a novice.  The ongoing cost of GoToMyPC is only slightly higher
than
the support and maintenance costs of doing it yourself via VPN and VNC,
and
is much more usable (IMHO).  The two-year cost is lower than pcAnywhere
when
initial setup and ongoing support are factored-in, plus GoToMyPC is better
supported (every try to get support from Symantec?) and "nicer" and more
convenient to use.

GoToMyPC does encrypt traffic, requires two separate passwords to connect
to
a host, plus optionally a valid Windows logon/password on the host.  This
is
accomplished without drilling holes through your firewall and/or
installing
or configuring ad hoc VPN connections between the remote and the host.  In
fact, the GoToMyPC remote can be a kiosk or Internet café machine -- it
doesn't have to be a notebook or home computer.

____________________________________________________________
DBM Associates * Mark A. Medici * Senior Consulting Engineer
Whitehouse Station, NJ USA * +1 908-534-1665
mark () dbma com * http://www.dbma.com
-----Original Message-----
From: pcannon9 () comcast net [mailto:pcannon9 () comcast net]
Sent: Monday, March 08, 2004 3:40 PM
To: pcannon9 () comcast net
Cc: security-basics () securityfocus com
Subject: Re: GOTOMYPC Corporate?

When the issue came up here last year my concerns were similiar to
yours.

I did the same think you suggested, vpn with vnc, then null routed the
gotomypc servers outbound in case someone installed it locally.

Pat Cannon
Network Administrator
Transcentive
So what is the general consensus on GOTOMYPC Corporate?

Personally, I don't have alot of trust or warm and fuzzy feelings
about
it,
due to the risks it poses, and the possible potential of PHI
(Private/Personal Health Information), and Financial data being leaked
out.
As well as the concerns with it pertaining to HIPAA compliancy.

What is everyones elses feelings on it?

Personally, I would rather have them come in on a VPN client, and use
a
internal VNC (or other remote desktop) solution.

Scott C. Swenka
Network Security
Sun Health Corporation




**************************************************************************
*****

The information contained in this transmission may be legally
privileged
and/or confidential information. Any dissemination, distribution or
copying
of this transmission by anyone other than the intended recipient is
strictly prohibited. If you receive this in error, please inform the
sender
immediately and remove any record of this message.


**************************************************************************
*****






------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert
instructors.
Attend a course taught by an expert instructor with years of in-the-
field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your
organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html

------------------------------------------------------------------------
----



--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html

--------------------------------------------------------------------------
--




--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------
--


========================================================================
   This message has been scanned for spam & viruses by Mail Sleuth.
   To report SPAM forward the message to:    spam () mailsleuth com au
   Mail Sleuth                                www.mailsleuth.com.au
========================================================================

========================================================================
   This message has been scanned for spam & viruses by Mail Sleuth.
   To report SPAM forward the message to:    spam () mailsleuth com au
   Mail Sleuth                                www.mailsleuth.com.au
========================================================================


--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------
--




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]