Security Review: Web based Remote Access

By sojc701 at 8:36 pm on March 13, 2009

Many operating systems include some sort of remote access solution by default. Windows XP, for example, ships with Microsoft's Remote Desktop as a simple remote administration interface. Even OpenBSD, the Unix variant often regarded as one of the most secure operating systems available, includes SSH, a simple and secure application that gives command-line access to a remote computer over a network connection.

Beyond the built-in tools, there are services that let users control their computers remotely from a web browser, such as RemotelyAnywhere and LogMeIn. Once the vendor's agent software is installed on a computer, the user can reach that computer from a browser on any platform.

These tools are convenient, but they raise security concerns as well. To control a client, the user first logs in to a web account at the vendor, and that account stores the list of all of the user's clients. If the account system were compromised, an attacker could easily take control of every client registered to it.

Assets and security goals:

Remote control: Users can easily control their computers from any operating system.

Easy setup: Users don't have to understand firewalls or port forwarding. The vendor's software takes care of the network configuration (the agent on the client connects outbound to the vendor's server, so no inbound port needs to be opened).

Privacy: What the user does on the clients must not be exposed to anyone else.

Authentication: Only the authenticated owner can access a client.

Adversaries and threats:

Denial of service: Flooding the vendor's servers with connection requests from zombie systems (a botnet).

Man-in-the-middle attack: Sniffing the connection and modifying data in transit.

Cross-site scripting: Injecting script into the web interface to steal the authentication (session) cookie.

Phishing: Stealing the user id and password with a fake login site.

Weaknesses:

Keystroke logging: Because users can reach their clients from anywhere, they may log in from a compromised computer (for example a public terminal) with a keylogger installed; the attacker then captures the user id and password.

Stolen mobile phone: The vendors provide software that lets users connect to their clients from mobile phones. An attacker who steals the phone, especially one that stays logged in, can control the user's computers.

Physical attack against the internal system: Employees or other insiders could steal the servers that store users' account information.

Defenses:

Secure connection: SSL-secured connection between the user's browser, the vendor's server, and the client, using a block cipher such as AES in CBC mode.

Authentication and integrity: A Message Authentication Code (MAC) on each message, IP address filtering, and blocking further attempts after too many failed logins.
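As an added example (not code from the original post or from either vendor), the following Python login gate implements the three authentication defenses listed above: an IP address filter, lockout after too many failed attempts in a sliding window, and an HMAC-tagged session token checked with a constant-time compare. The account names, networks, limits and server key are constructed for illustration; a real service would persist the failure counters and keep the server key in a secrets store.

```python
"""Login gate for a web-based remote-access service (added example).

Shows three defenses from the review above: IP address filtering,
lockout after repeated failed logins, and a MAC on the session token.
All names, networks, limits and sample data are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed per account per window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long an account stays locked
TOKEN_TTL = 3600        # session token lifetime in seconds


class LoginGate:
    def __init__(self, server_key, allowed_networks, clock=time.monotonic):
        self._key = server_key
        self._allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self._clock = clock                   # injectable for testing
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock time
        self._users = {}                      # account -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(salt, password):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password):
        salt = secrets.token_bytes(16)
        self._users[account] = (salt, self._hash(salt, password))

    # Defense 1: only trusted source networks may even attempt a login.
    def ip_allowed(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self._allowed)

    # Defense 2: lockout after MAX_FAILURES failures within WINDOW_SECONDS.
    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def login(self, account, password, source_ip):
        """Returns (ok, reason, token); token is None unless ok."""
        if not self.ip_allowed(source_ip):
            return False, "ip_not_allowed", None
        now = self._clock()
        if self.is_locked(account):
            return False, "locked_out", None
        rec = self._users.get(account)
        # Hash and compare even for unknown accounts so response timing
        # does not reveal which user ids exist.
        salt, stored = rec if rec else (b"\x00" * 16, b"\x00" * 32)
        ok = hmac.compare_digest(self._hash(salt, password), stored) and rec is not None
        if not ok:
            q = self._failures[account]
            while q and now - q[0] > WINDOW_SECONDS:   # drop stale failures
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self._locked_until[account] = now + LOCKOUT_SECONDS
                q.clear()
                return False, "locked_out", None
            return False, "bad_credentials", None
        self._failures.pop(account, None)
        return True, "ok", self.issue_token(account)

    # Defense 3: the session token carries an HMAC so it cannot be altered.
    def issue_token(self, account):
        payload = f"{account}|{int(self._clock()) + TOKEN_TTL}".encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload.decode() + "|" + tag

    def verify_token(self, token):
        """Returns the account name for a valid, unexpired token, else None."""
        try:
            account, expiry, tag = token.rsplit("|", 2)
        except ValueError:
            return None
        payload = f"{account}|{expiry}".encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # check MAC before trusting fields
            return None
        if int(expiry) < self._clock():
            return None
        return account


def demo():
    """Constructed scenario: good login, forged token, brute force, lockout expiry."""
    t = [1_000_000.0]                         # fake clock so time can be advanced
    gate = LoginGate(b"constructed-server-key", ["203.0.113.0/24"], clock=lambda: t[0])
    gate.register("alice", "correct horse battery staple")
    r = {}
    r["wrong_ip"] = gate.login("alice", "correct horse battery staple", "198.51.100.7")[1]
    ok, reason, token = gate.login("alice", "correct horse battery staple", "203.0.113.5")
    r["good_login"], r["token_account"] = reason, gate.verify_token(token)
    r["forged_token"] = gate.verify_token(token.replace("alice", "admin", 1))
    r["brute_force"] = [gate.login("alice", f"guess{i}", "203.0.113.5")[1] for i in range(MAX_FAILURES)]
    r["locked_even_with_correct_pw"] = gate.login("alice", "correct horse battery staple", "203.0.113.5")[1]
    t[0] += LOCKOUT_SECONDS + 1
    r["after_lockout"] = gate.login("alice", "correct horse battery staple", "203.0.113.5")[1]
    t[0] += TOKEN_TTL
    r["expired_token"] = gate.verify_token(token)
    return r


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed on the account rather than the source IP, because a botnet (the denial-of-service adversary above) can spread guesses across many addresses; a production service would usually combine both keys and also alert the user after a lockout.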

According to security reviews by researchers and magazines, both RemotelyAnywhere and LogMeIn provide relatively secure services. A block cipher protects the traffic between the user and the company's server and between the company's server and the clients, and MACs and certificates are used for integrity and to authenticate the connection. Attacks such as XSS, phone theft and phishing remain possible, however, so the vendors should regularly publish material informing their customers about current attacks.

Filed under: Security Reviews
