More thoughts on LogMeIn

Posted: August 20, 2008 in Posts, Rethink Remote Access

Last week we posted in response to this Download.com article about LogMeIn – a remote access utility that the author claims could replace his VPN. We decided to pose the question to industry peers using LinkedIn’s Q&A feature. We asked:

Anyone using LogMeIn for Windows and Mac? CNET writer Seth posted something on his experience with it, and it sounds intriguing.

Marcin Antkiewicz wrote:

Using LogMeIn, or any other remote access relay service creates a few issues for us, the security folks. Such services extend the network perimeter to unknown locations, and sneak unknown and untested software to the service portfolio. The important change is not just minor administrative nuisance, but arbitrary changes to the risk profile.

From a user’s perspective, LogMeIn is just an easy way to log in to their email; to me it means corporate secrets accessible in airports and coffee shops. In addition to exposing the screen in strange places, such software might not conform to various security best practices with regard to privacy, implementation, and vendor security. Risk management issue again.

While those standards might be restrictive and arbitrary, circumventing controls is a bad idea. You should request easy remote control access instead, and IT Sec folks should be able to accommodate your request as it’s in their best interest.

Quite a few nasty break-ins happened due to bridged security domains (desktop compromised while running admin/root sessions in screen/vmware console/rdp). You do not want such an event to be traced to your machine while it is running rogue software…

Caveat – my experience is from the Security side of IT, and my answer assumes a user working for a large corporation with sizable IT. Small shops might easily afford use of software that could cause problems in big enterprises. I am _not_ trying to say using LogMeIn is inappropriate, only that it might be.

Adrian Vianna wrote:

LogMeIn is great! I actually use it for both work and pleasure. It’s pretty secure, and if you need to handle computers in remote locations it will definitely beat the headaches of VPNs and all that.

It’s a cool feature to have if you need access to a computer from the “Cloud”.

Peter Gregory, CISA, CISSP wrote:

I have to agree with Marcin Antkiewicz. While such a product may be *convenient*, tools like GoToMyPC and LogMeIn are essentially covert channels that are difficult to control. The use of such products should be a violation of most organizations’ security policy.

Functionally, these products are no different than an unauthorized dial-in modem or access point inside the enterprise network. Recall that many organizations spend considerable effort rooting out unauthorized modems and access points, and so we should be blocking and/or removing these tools too. Organizations should do the best they can to block all such covert access.

Maury Blair, MCP wrote:

LogMeIn or GoToMyPC are great for small shops that don’t have a dedicated IT staff and don’t want to hire a consultant to implement a low-cost VPN. The Achilles’ heel of these services is that you are connecting to a PC under the assumption that 1) the PC is turned on (i.e. there were no power issues at the office, the cleaning lady didn’t accidentally unplug the computer, etc.) and 2) the computer is functioning correctly. For true remote access you can deploy an affordable VPN for your small office for probably a lot less than you think. There are several easy-to-configure routers for small offices with built-in VPN technology for under $200. I once deployed a site-to-site VPN for my dentist using a couple of Netgear FVS318 routers. At the time, each router came with one licensed copy of Netgear’s VPN client for PCs. All in all, they spent about $1000 on the routers and my labor, and they were able to eliminate a costly leased line between the offices as well as gain remote access to their network from home.

Avoiding VPN altogether:

Pros: Cheap, no IT consultant necessary to set up and configure, easy to use.

Cons: Does not account for power outages or malfunctions on the host PC.

Anthony Maughan wrote:

While I think overall LogMeIn is a rather insecure solution, once again ease of use trumps heavy security. The company I’m currently with offers a two-factor solution for LogMeIn (mentioned previously) using your cell phone. It adds a modicum of safety for remote login vulnerabilities, but doesn’t resolve the “viewing remote computer” issue. Traditional VPNs like Cisco, Juniper and such typically use stronger encryption than SSL, which is what you get from LogMeIn. They also allow for some better auditing tools etc. UltraVNC OneClick is an interesting free solution that has some of the same functionality, but not quite as easy to set up or use.

Links:
http://www.phonefactor.com

Eric Humphries wrote:

LogMeIn also has an added bonus of allowing two-factor authentication and notifications when someone successfully logs into your account. Now this is all well and good for remote access to a PC or network, but if you have existing infrastructure that needs access to the network, these solutions will not work. You’ll never avoid VPNs altogether if you’re doing any type of automated processes.

Comments
  1. Marcin Antkiewicz says:

    LogMeIn poses few technical issues, but one huge are-you-breaking-the-rules question.

    I could care less about their 2-factor auth, length of the crypto key, or whatever else is advertised to provide a secure connection, because that is not the problem. All remote-control software should be built reasonably securely by now; that much should be taken for granted (review past years of vulnerabilities in RDP and VNC for a list of errors that should be avoided). It’s not about technology, but trust. Do I trust LogMeIn? Should I? Are they trustworthy?

    Another huge problem is that use of such software extends the network perimeter to all of the Internet. I gave one example of shoulder surfing at an airport or cafe. Home users have little reason to care who looks over their shoulder, yet few fill out their tax returns at the airport. The same, however, cannot be said for corporate accountants, eager to finish work before they show up home for a late supper. Corporate finances are far more interesting, because little no-risk gain can be gleaned from my tax information. The same is not true when the data belongs to a publicly traded company. I have more scenarios to offer, all more-or-less true.

    I understand that corporate VPNs, requiring special software, tokens, time slots, etc., are in direct opposition to the everyday home computer use paradigm. That’s why huge numbers of totally insecure home/small business systems fall, as easy prey, to botnet operators. Most enterprises are able to avoid a similar fate, but this success is partially paid for by users in decreased usability or ease of access.

    I will not claim here that nothing can be done. Ease of access is rarely high on the priority list of IT Sec departments, so there is little talent or money devoted to it. Sometimes instant, secure, fast, and all-encompassing access to ERP from a home PC is just not going to happen. At other times rules can be changed when a proper and sensible argument is presented.

    Again, this does not apply to home or no-IT businesses. I would use GoToMyPC to get to my home PC from work, sure, mostly because there is nothing of value on the PC. That is, nothing that cannot be stolen anyway, right from the browser, with smart but malicious use of *script.

  2. Alen Chemy says:

    I think your information will help those people who are looking for good IT solutions. The services you are providing are very useful for the requirements of the present era.

  3. Jason Henderson says:

    I think all the remote access services are very secure; they just differ based on price and functionality. For my small IT support business, LogMeIn Rescue is too pricey, so I’ve recently switched over to Techinline Remote Desktop http://www.techinline.com which is a fraction of the cost and is very easy to use since all the client has to do is open a page in the browser, get a number that you enter on your own end, and that’s it! Although it’s not as fully featured as LogMeIn Rescue, it’s more than enough for simple remote support.

  4. Ted says:

    I agree with Jason. It also seems that using Remote Access software is unsafe if the host screen is vulnerable. However, if someone is working from an airport, just because they may not have access to their work PC does not mean data isn’t available to them via email, zip drive, or stored on the laptop. A simple screen cover would fix that issue.

  5. Ajay Uj says:

    Can someone suggest a better tool for remote connection, if LogMeIn or the like is not secure?
