
Remote Access Application - GoToMyPC

Attack ID: CPAI-2002-14
Publish Date:
Last Update:
Category: Remote Access Application - GoToMyPC
Vulnerable Systems: Corporate networks
Source:

http://www.gotomypc.com

https://www.gotomypc.com/help2.tmpl?#securitykeep

Description: GoToMyPC is a user-installable remote access application that enables SSL browser-based access to a Windows PC on the Internet or within the corporate network, even if the PC is behind a firewall.
Severity:
  While the GoToMyPC application can be used to provide legitimate access in accordance with an organization's security policy, it can also allow unauthorized remote users to bypass security or acceptable usage policies.
Details:

GoToMyPC enables SSL-based browser access to a Windows PC on the Internet or within the corporate internal network.

The server application, installed on the computer to be accessed, uses an outbound HTTP connection to register itself with the Broker server at static.expertcity.com. The client browser also registers itself with the Broker. The Broker matches a server with a client and passes the identity details of both to the Communication Server, an intermediate system responsible for creating an encrypted stream from client to server. Although the GoToMyPC application is itself secure, providing strong authentication and encryption, it can be used to circumvent corporate policy and violate the acceptable usage policy (AUP).

Attack Detection:

Using SmartView Tracker, identify attempts to open outbound connections (from the LAN towards the Internet) over HTTP, HTTPS and 8200/TCP. The destination server is poll.gotomypc.com or static.gotomypc.com.
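
The same check can be run offline over exported firewall records. The following is an added example, not part of the original advisory or of any Check Point tooling: the CSV layout, the sample records and the RFC 1918 LAN ranges are assumptions. Outbound 8200/TCP to a destination other than the named Broker hosts is reported at lower confidence, because the Solution notes that the software might register elsewhere.

```python
import csv
import io
import ipaddress

# Hostnames and ports named in the advisory.
BROKER_HOSTS = {"poll.gotomypc.com", "static.gotomypc.com"}
BROKER_PORTS = {80, 443, 8200}
# Assumption: the LAN uses RFC 1918 addressing; adjust to the local ranges.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELDS = ["time", "src_ip", "dst_host", "dst_port", "proto", "action"]

# Constructed sample records in an assumed CSV layout (not a product format).
SAMPLE_LOG = """\
2002-11-04T09:12:01,10.1.4.23,poll.gotomypc.com,443,tcp,accept
2002-11-04T09:12:05,10.1.4.23,relay.example.net,8200,tcp,accept
2002-11-04T09:13:40,10.1.7.8,www.example.org,80,tcp,accept
2002-11-04T09:14:02,192.168.3.9,STATIC.GOTOMYPC.COM.,80,tcp,drop
2002-11-04T09:15:11,203.0.113.50,poll.gotomypc.com,443,tcp,accept
2002-11-04T09:16:30,10.1.9.2,poll.gotomypc.com,8200,udp,accept
"""

def classify(row):
    """Return 'broker', 'port-8200' or None for one parsed log record."""
    try:
        src = ipaddress.ip_address(row["src_ip"])
        port = int(row["dst_port"])
        proto = row["proto"].lower()
        host = row["dst_host"].lower().rstrip(".")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed or truncated record
    if proto != "tcp" or not any(src in net for net in LAN_NETS):
        return None  # only outbound TCP from the LAN is of interest
    if host in BROKER_HOSTS and port in BROKER_PORTS:
        return "broker"  # registration with a named Broker server
    if port == 8200:
        return "port-8200"  # lower confidence: session port, other destination
    return None

def find_gotomypc(log_text):
    """Return (src_ip, dst_host, dst_port, verdict, action) for each hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        verdict = classify(row)
        if verdict:
            hits.append((row["src_ip"], row["dst_host"], int(row["dst_port"]),
                         verdict, row["action"]))
    return hits

if __name__ == "__main__":
    for hit in find_gotomypc(SAMPLE_LOG):
        print(hit)
```

Hits whose action is accept identify hosts that reached the service before a block rule was in place; those are the machines to check for the installed server application.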

Solution: The GoToMyPC server registers itself with the Broker servers at poll.gotomypc.com through ports 80, 443 and 8200, taking advantage of the fact that most corporations allow HTTP and HTTPS access to the Internet. Blocking access to this host, poll.gotomypc.com, will prevent local hosts running the software from registering their presence with the service. However, the actual logins do not come from this server, and there is no guarantee that the server software cannot be configured to register with another location or to accept direct login attempts from the outside without registering. Blocking traffic to port 8200 is also recommended, as this is the port used for the actual connections. Blocking access to the GoToMyPC Broker servers poll.gotomypc.com and static.gotomypc.com on the firewall, on ports 80, 443 and 8200, is highly recommended.
Industry Reference:
Additional Information: