By Rob Lemos
There are a lot of good reasons to have remote-access software installed on a business network: It might be there to allow a remote administrator to manage a database; or to let a third-party point-of-sale management firm apply patches; or even to allow a PBX vendor access to the server managing their client’s voice-over-IP lines. Unfortunately, through poor configuration, bad passwords or vulnerabilities, the software is also letting attackers in to steal data and is becoming an increasingly popular attack vector.
In Verizon’s 2011 Data Breach Investigations Report, half of all breaches involved hacking, and of those, almost two-thirds of attacks came through remote-access software. In the recently released Trustwave 2012 Global Security Report, remote access software accounted for the method of entry in a stunning 62 percent of breaches surveyed by the firm, up from 55 percent in the previous year.
“We see this happen time and time again,” says Nicholas J. Percoco, senior vice president of Trustwave’s SpiderLabs. “Once they get onto one of these systems, then they will use that access to compromise a hundred, 250 systems in the environment.”
While the recently-acknowledged theft of Symantec’s source code for pcAnywhere has put that remote access program in the spotlight, the security issues posed by remote management products have been growing significantly over the last two years. Much of the reason has to do with small franchises, such as restaurants and retail chains, turning to third-party technology-management firms. Those third-party firms use remote management software to access the client’s information systems, but at the same time introduce weaknesses — such as a single password across multiple client accounts — into the mix.
“It has really become an issue since 2010,” says Christopher Porter, a principal with Verizon’s RISK team. “It has become a much larger part of our data set.”
Both Trustwave and Verizon noted the trend over the last two years. Early Verizon data also indicates that remote-access software was again a major vector of attack in 2011, says Porter. Verizon will release its 2012 DBIR, which studies data from 2011, by the end of February.
It’s easy to find hints of the magnitude of the problem: A recent Internet scan conducted by vulnerability management firm Rapid7 found that 140,000 systems running pcAnywhere were directly accessible via the Internet — out of an estimated 7.7 million systems that allowed requests on the ports typically used by the software.
Yet, pcAnywhere is a minor player in the remote-access management arena. The Remote Desktop Protocol (RDP) developed by Microsoft, and the virtual network computing (VNC) system, an open source way of remotely managing desktops, account for far more users and potential targets. Current estimates using Nmap data suggest that more than 250 million systems have open RDP ports and another 80 million systems have open VNC ports. If a similar proportion of VNC and RDP systems were as vulnerable as those running pcAnywhere, some 5 million systems could be targeted by attackers.
A handful of criminal groups have really focused on compromising remote-access systems, so that they can install a keylogging trojan to capture credit-card numbers and other customer information, says Verizon’s Porter.
“They have innovated and improved their methods to make capturing the information as easy as possible,” he says. “They have scripted the compromise. They have scripted the keylogging.”
All three remote-access programs are frequently targeted by attackers and penetration testers, says HD Moore, chief security officer of vulnerability-management firm Rapid7. Yet, they pose somewhat different situations for companies. A strong password on a Remote Desktop installation can provide adequate security, but misconfigurations can undermine that security, he says.
“Remote Desktop installations are not too bad … the default security is adequate for most organizations,” Moore says. “However, if the system is configured to allow any domain user to login, and an attacker identifies a weak user account using existing brute force utilities, a Remote Desktop installation can provide a real foothold into the network.”
Companies that use Virtual Network Computing (VNC) systems frequently have greater issues, he says. Many firms have older versions installed, for example.
“VNC is often deployed with weak credentials and many times using versions of the server software that are vulnerable to an authentication bypass flaw,” Moore says.
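The weak-account guessing Moore describes above leaves a recognisable trace on the Remote Desktop host: bursts of failed logons (Security event ID 4625, logon type 10) from one source address against several accounts. The following PowerShell is an added example written for this article, not code from Rapid7, Trustwave or Verizon. It runs on constructed sample data so it works anywhere; the commented lines show how to feed it real events from the Security log. The threshold, window and addresses are illustrative assumptions.

```powershell
# Added example (not from the article): flag source addresses that generate
# bursts of failed Remote Desktop logons. Input objects need TimeCreated,
# IpAddress and TargetUserName; $Threshold and $WindowMinutes are assumptions
# to tune for your environment.
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        [int] $Threshold = 5,          # failures before a source is reported
        [int] $WindowMinutes = 10      # sliding window length
    )
    $alerts = @()
    foreach ($group in ($FailedLogons | Group-Object IpAddress)) {
        $events = @($group.Group | Sort-Object TimeCreated)
        # Sliding window: from each event, count failures in the next $WindowMinutes.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    IpAddress = $group.Name
                    Failures  = $inWindow.Count
                    Accounts  = ($inWindow.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $inWindow[0].TimeCreated
                }
                break   # one alert per source address is enough
            }
        }
    }
    return $alerts
}

# Constructed sample data: one source cycling through four accounts every
# 20 seconds, and one benign single mistyped password half an hour later.
$base = Get-Date '2012-02-10 03:00:00'
$sample = @(
    0..7 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $base.AddSeconds($_ * 20); IpAddress = '198.51.100.77'; TargetUserName = "user$($_ % 4)" }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); IpAddress = '203.0.113.5'; TargetUserName = 'jsmith' }
)

# To use real events on the RDP host instead (elevated session), replace $sample with:
# $sample = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         TimeCreated    = $_.TimeCreated
#         IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
#         TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         LogonType      = ($d | Where-Object Name -eq 'LogonType').'#text'
#     }
# } | Where-Object LogonType -eq '10'   # 10 = RemoteInteractive (RDP)

Find-RdpBruteForce -FailedLogons $sample | Format-Table -AutoSize
```

On the sample data only 198.51.100.77 is reported (eight failures across user0..user3 inside the first three minutes); the single failure from 203.0.113.5 stays below the threshold. Pairing this check with the account lockout Moore recommends later in the article turns a noisy guessing run into a stalled one.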
Small businesses that rely on third-party providers to manage their technology should check to make sure that the provider is not using the same password across multiple clients or systems.
Trustwave recommends implementing two-factor authentication to make the task of compromising a remote-access system much more difficult. “If a vendor asks for a general login and password, say no,” stresses Percoco.
A few more basic measures could dramatically shore up security, says Rapid7's Moore. If a company knows where its remote users will log in from, it can limit access at the firewall by IP address or at the Remote Desktop server by group and domain. Otherwise, using strong passwords, keeping the software up-to-date, and implementing lockouts can go a long way toward protecting the systems.
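The three controls in that paragraph (source-address filtering at the firewall, restricting Remote Desktop logon to a specific group, and account lockout) can be applied from an elevated PowerShell session on the Remote Desktop host. The script below is an added example for this article, not Rapid7's or Microsoft's own guidance. It assumes Windows Server 2012 / Windows 8 or later for the NetSecurity cmdlets and PowerShell 5.1 or later for the local-group cmdlets; the address ranges and the group name CORP\RDP-Admins are placeholders.

```powershell
# Added example (not from the article): harden an RDP host along the lines
# Moore describes. Run elevated. All addresses and group names are placeholders.

# 1. Firewall: accept inbound RDP (TCP 3389) only from known management sources.
$allowedSources = @('203.0.113.0/24', '198.51.100.10')   # constructed example ranges

# Disable the built-in "any source" Remote Desktop allow rules so only the scoped rule applies.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'RDP - management sources only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $allowedSources -Action Allow -Profile Domain,Private

# 2. Remote Desktop server: allow logon for a dedicated admin group instead of any domain user.
#    "CORP\RDP-Admins" is a hypothetical group; adjust to your domain.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CORP\RDP-Admins'
# Remove a broad group if it was granted earlier (silently skipped if absent).
Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CORP\Domain Users' -ErrorAction SilentlyContinue

# 3. Lockout: five bad passwords within 30 minutes locks the account for 30 minutes,
#    so scripted guessing stalls instead of eventually hitting a weak credential.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Verify what was applied.
Get-NetFirewallRule -DisplayName 'RDP - management sources only' | Get-NetFirewallAddressFilter
Get-LocalGroupMember -Group 'Remote Desktop Users'
net accounts
```

On a domain-joined host the lockout values are normally set through Group Policy rather than `net accounts`; the command is shown here because it works on a standalone server and makes the setting explicit. If the vendor's source addresses are not fixed, the group restriction and lockout still apply, and the firewall rule can be widened to the vendor's published range rather than removed.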
“If access is limited to administrative users and each of those users has a complex password, there is little to no risk of an attacker gaining access,” Moore says.