This article can also be found in the Premium Editorial Download "Information Security magazine: Exploring the benefits of enhanced SIEM products."
Download it now to read this article plus other related content.
Symantec is still reeling from its 2006 data breach, which exposed the source code of its Norton antivirus product and caused serious problems for users of its Norton pcAnywhere remote management software.
Earlier this year, an anonymous hacker based in India exposed the source code of pcAnywhere, forcing Symantec to recommend users disable the troubled software. The company repaired some longstanding vulnerabilities and then issued a
The Symantec breach and resulting problems with pcAnywhere shed light on the potential weaknesses caused by remote management tools, experts say. The 2011 Verizon Data Breach Report, which analyzed thousands of data breach investigations, recommends organizations mitigate weaknesses in remote management services and monitor privileged activity. A more recent report conducted by Trustwave SpiderLabs analyzed 300 data breaches and 2,000 penetration tests and found remote management software as one of the most commonly used attack vectors.
Remote IT administration tools -- the kinds of tools used by IT administrators to remotely connect to servers and workstations -- are safe as long as they are properly configured and consistently maintained, says HD Moore, chief architect of Metasploit and CSO of Rapid7. Moore and his team scanned millions of IP addresses during Symantec’s pcAnywhere problems and found thousands of systems using the software with open ports that could be accessed by an attacker. Moore says he believed some of the software was likely installed by an IT admin long ago and forgotten. A more serious problem, he says, is that some of those deployments appear to be on point-of-sale systems.
“Based on the host names and the IP addresses, it was clear many pcAnywhere installations are configured at organizations or sites without much in the way of technical expertise,” Moore says.
According to Moore, IT teams should be using Terminal Services combined with strong local security policy that limits access to administrators and requires complex passwords. “Common pitfalls include exposing Terminal Services on a system that has weak accounts,” Moore says. Attackers and penetration testers are finding default passwords or the same password used at multiple locations, he said. In addition, freely available tools like VNC or RAdmin are commonly deployed by IT admins and often are not using encryption and aren’t being updated when security patches are released.
Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, says his team found deployments of VNC containing the VNC authentication bypass vulnerability, a problem that first surfaced in 2006 and was patched by the maintainers of the VNC tools. “These tools are being used by IT admins and when they leave the organization [the tools] remain on systems and go unchecked,” Percoco says. “It’s a common problem.”
Symantec’s pcAnywhere ended up as a torrent file made widely available on the popular file-sharing site The Pirate Bay. Access to the source code enables attackers to find and exploit vulnerabilities in the software. Symantec insists the tools can be used securely if enterprises follow its recommendations and deploy additional security measures. “Symantec recommends each customer evaluate their existing security procedures and pcAnywhere configuration to assess and weight any security risks,” the company advises.
Robert Westervelt is the news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org
This was first published in February 2012