SecureTest reported yesterday that web conferencing sidesteps
every security barrier an organisation may have in place such as
PKI, digital signatures and SSL encryption and is often not covered
by the security policy.
The hacker’s accomplice need have no technical expertise. Anyone
with access to a PC can route information out of the organisation
undetected. Unlike keylogging or physically downloading data onto a
USB key, which requires the insider to know how and where to find
sensitive data, web conferencing requires no special equipment or
software planting.
As a consequence, it is the type of scam that would succeed
where keylogging failed in the Sumitomo Mitsui case, according to
SecureTest.
Last year, police foiled an attempt to steal £220 million from
the London offices of the Japanese bank. Would-be robbers had
managed to install keylogging software to track every button
pressed on computer keyboards. A man was arrested in Israel on
suspicion of trying to transfer almost £14 million to an
account.
To carry out a web conferencing attack, the insider logs on to a
vendor portal through a standard internet browser and then connects
to a third party conferencing portal to begin a session. The hacker
also connects to the portal, starting the web conference. The insider
then allows the hacker to take remote control of his desktop, and the
hacker can now use the mouse pointer to open files and directories,
much like a terminal services session. He or she can then begin to
explore further, using the desktop as a springboard into other systems
on the LAN or WAN. The discerning hacker can then identify which data
is of interest and extract it.
Detecting or preventing web conferencing theft is extremely
difficult, says SecureTest. There are numerous web conferencing
vendors, all offering free trial subscriptions, and they require no
client-side software other than a browser with the conferencing
ActiveX control.
The session traffic is carried over HTTPS, so that while the data
stream can be seen, it cannot be read, making it impossible to identify
the information being transmitted. Application or content filters,
which usually inspect traffic coming into the organisation, cannot
decrypt this data, and without any logs there is no evidence of the
theft having taken place.
The only way of tracing a web conferencing session would be to match
the source and destination IP addresses against the conference session
logs, but this would require the cooperation of the web conferencing
organisation. Alternatively, communications could be inspected using
SSL bridging, allowing traffic to be examined before it is encrypted
and sent online. However, this would allow the SSL bridge administrator
to view all data, causing privacy concerns among employees.
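Even without decrypting the HTTPS stream, a proxy or firewall still records the source address, the destination host and the volume and duration of each session, which is the metadata the paragraph above says would have to be traced. The script below is an added example, not code from the article or from SecureTest: it reads a constructed, space-separated proxy log, matches destinations against a hypothetical watchlist of conferencing hostnames, and flags sessions that are unusually long or upload-heavy for review. The log format, the watchlist entries, the thresholds and the sample lines are all assumptions; a real deployment would use its own proxy's CONNECT or SNI records and tune the thresholds to normal meeting traffic.

```python
"""Flag long or upload-heavy HTTPS sessions to web conferencing hosts.

Added example (not from the article or SecureTest). Assumes a proxy log
with one session per line in a constructed format:
    <timestamp> <src_ip> <dst_host> <dst_ip> <bytes_out> <duration_s>
"""
from dataclasses import dataclass
from typing import Iterable, List, Dict

# Hypothetical watchlist of conferencing hostnames to review. A real
# deployment would build this from its own proxy logs and vendor docs.
CONFERENCING_DOMAINS = ("conf.example", "meet.example.net")

# Review thresholds (assumptions; tune to the environment's normal use).
LONG_SESSION_SECONDS = 20 * 60   # sessions longer than 20 minutes
LARGE_UPLOAD_BYTES = 5_000_000   # or more than ~5 MB sent outbound


@dataclass(frozen=True)
class ProxyEvent:
    timestamp: str
    src_ip: str
    dst_host: str
    dst_ip: str
    bytes_out: int
    duration_s: int


def parse_line(line: str) -> ProxyEvent:
    """Parse one log line in the constructed format described above."""
    ts, src, host, dst, out, dur = line.split()
    return ProxyEvent(ts, src, host, dst, int(out), int(dur))


def matches_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CONFERENCING_DOMAINS)


def flag_sessions(lines: Iterable[str]) -> List[Dict]:
    """Return review findings for watchlisted sessions that exceed a threshold.

    Each finding records who connected where, when, and why it was flagged,
    which is the metadata a later request to the vendor would need.
    """
    findings: List[Dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not matches_watchlist(ev.dst_host):
            continue
        reasons = []
        if ev.duration_s >= LONG_SESSION_SECONDS:
            reasons.append("long_session")
        if ev.bytes_out >= LARGE_UPLOAD_BYTES:
            reasons.append("large_upload")
        if reasons:
            findings.append({
                "timestamp": ev.timestamp,
                "src_ip": ev.src_ip,
                "dst_host": ev.dst_host,
                "dst_ip": ev.dst_ip,
                "reasons": reasons,
            })
    return findings


# Constructed sample log: documentation-range addresses, fictional hosts.
SAMPLE_LOG = """\
2024-01-01T09:00:00Z 10.0.0.5 www.example.org 198.51.100.1 2048 3
2024-01-01T09:05:00Z 10.0.0.7 conf.example 203.0.113.10 120000 600
2024-01-01T10:00:00Z 10.0.0.7 conf.example 203.0.113.10 8400000 5400
2024-01-01T10:30:00Z 10.0.0.9 share.meet.example.net 203.0.113.22 4000 1800
"""

if __name__ == "__main__":
    for finding in flag_sessions(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running the block prints two findings: the 90-minute session from 10.0.0.7 that also sent 8.4 MB outbound, and the 30-minute session from 10.0.0.9. Short, low-volume sessions to the same hosts are left alone so that ordinary meetings do not swamp the review queue.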
Ken Munro, Managing Director, SecureTest said data theft through
web conferencing is a real threat to corporate, government and even
military sites.
"It’s a pervasive technology with giants such as Webex and
others dominating the field but to our knowledge these vendors
haven’t produced solutions to stop this," he said. "We believe the
ramifications are even more significant than the security
vulnerabilities posed by Skype and MSN Instant Messaging in the
past."
Whereas IM can be blocked at the firewall, or the traffic
content inspected by an application firewall, web conferencing
remains invisible.
"It’s impossible to say just how much damage has been done using
this channel," said Munro. "But you should ask yourself whether the
convenience afforded by web conferencing is really worth the
risk."