Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: Re: gotomypc

Re: gotomypc

From: Rainer Duffner <rainer_at_ultra-secure.de>
Date: Sun, 10 Mar 2002 14:05:42 GMT

kevin mckay writes:

> Has anybody dealt with the services from https://www.gotomypc.com it
> seems to allow end users to completely circumvent an existing network
> security infrastructure.

I think that is just one of several ones:
http://directory.google.com/Top/Computers/Security/Internet/Privacy/Tools_an
d_Services/

Though not all will do the same.
Most notably, to me, is htthost/httport:
http://www.htthost.com/

> The user signs up with gotomypc and establishes a out bound connection
> through the firewall to a go to my pc server, then there server listens
> for a connection that is connected to your internal network
> and the scariest thing is that the listining ports for inbound
> connections are on a gotomypcserver so how would you even audit?.

Once the tunnel is encrypted, there are not many options left:
 - blackhole the relevant IP-adresses -> this becomes futile once users
  use htthost on one of their home DSL-lines
 - run spyware (SMS etc) on the client-pc and employe an armada of
  tech-support people to periodically check every employee-PC for what
  the user has running. -> this will probably boost the economy and get you
  bonus-points from HR and upper management
 - try to lock down the client-configuration to up the ante for the
  employees -> helps until someone has found a way to circumvent it, until
  then it might even annoy the honest users
 - install host-based IDS -> mitigates break-ins that can occur and helps
  pin-down the individual in case

Finally:
 - admit it is a social problem, that cannot be totally dealt with
  technology only.

 

cheers,
Rainer 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rainer Duffner                   Munich
rainer_at_ultra-secure.de          Germany
http://www.i-duffner.de        Freising
========================================
    When shall we three meet again
  In thunder, lightning, or in rain?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Mar 10 2002
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]