Using Conferencing Tools To Smuggle Data
22 May 01:22

Web conferencing software tools readily available online can be used by attackers to access and extract data from organisations, according to SecureTest.

The independent penetration testing consultancy found that conferencing tools can provide direct access to the desktop of any PC on the internal network. Provided the hacker has an inside accomplice, such as a jaded employee, he or she can hack into the organisation from any remote location. Passwords and sensitive files and documents can then be exported for corporate theft or sabotage while personal information can be harvested and used for ID theft.

Web conferencing sidesteps every security barrier an organisation may have in place, such as PKI, digital signatures and SSL encryption, and is often not covered by the security policy. Moreover, the hacker's accomplice need have no technical expertise: anyone with access to a PC can route information out of the organisation undetected. Unlike keylogging or physically downloading data onto a USB key, which requires the insider to know how and where to find sensitive data, web conferencing requires no special equipment or software planting. As a consequence, it is the type of scam that would succeed where keylogging failed in the Sumitomo Mitsui case.

To carry out a web conferencing attack, the insider logs on to a vendor portal via a standard internet browser and then connects to a third-party conferencing portal to begin a session. The hacker also connects to the portal, starting the web conference. The insider then allows the hacker to take remote control of their desktop, and the hacker can now use the mouse pointer to open files and directories, much like a terminal services session. He or she can then begin to explore further afield, using the desktop as a springboard into other systems on the LAN or WAN. The discerning hacker can then identify which data is of interest and extract it.

Detecting or preventing web conferencing theft is extremely difficult. There are numerous web conferencing vendors, all offering free trial subscriptions, and they require no client-side software other than a browser with the conferencing ActiveX control. The session traffic is carried over HTTPS, so while the data stream can be seen, its content cannot be read, making it impossible to identify the information being transmitted. Application or content filters, which usually inspect traffic coming into the organisation, cannot decrypt this data, and without any logs there is no evidence of the theft having taken place.

The only way of tracing web conferencing would be to detect the source and the destination IP addresses from the conference session logs, but this would require the cooperation of the web conferencing organisation. Alternatively, communications could be inspected using SSL bridging, allowing traffic to be examined before it is encrypted and sent online. However, this would allow the SSL bridge administrator to view all data, causing privacy concerns among employees.
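The session-log tracing described above does not need the vendor's cooperation if the organisation's own egress proxy records the CONNECT tunnel: the HTTPS payload stays opaque, but the destination host, duration and volume are visible. The script below is an added example, not SecureTest's code; the hostnames, thresholds and squid-style log lines are constructed for illustration.

```python
"""Flag proxy-log tunnels that look like live desktop-sharing sessions.

Added example. Assumes a squid native access log (ts, elapsed_ms, client,
code/status, bytes, method, url, ...). The watchlist domain and the log
lines are constructed; a real deployment would list the vendors the
organisation has not sanctioned.
"""

# Constructed sample: one ordinary site, one 90-minute high-volume tunnel
# to a conferencing vendor, one short trial join to the same vendor.
SAMPLE_LOG = """\
1116720000.100 1500 10.1.2.3 TCP_TUNNEL/200 4096 CONNECT www.example-corp.com:443 - HIER_DIRECT/203.0.113.10 -
1116720120.200 5400000 10.1.2.3 TCP_TUNNEL/200 187000000 CONNECT meet.conf-vendor.example:443 - HIER_DIRECT/198.51.100.7 -
1116720200.300 60000 10.1.2.9 TCP_TUNNEL/200 2500000 CONNECT meet.conf-vendor.example:443 - HIER_DIRECT/198.51.100.7 -
"""

WATCHLIST = ("conf-vendor.example",)  # constructed; unsanctioned conferencing vendors
MIN_DURATION_S = 600                  # a 10-minute tunnel is a session, not a page load
MIN_BYTES = 50 * 1024 * 1024          # tunnel volume typical of continuous screen streaming


def parse_line(line):
    """Return a dict for a CONNECT tunnel record, or None for anything else."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host = f[6].rsplit(":", 1)[0]        # strip the :443 port suffix
    return {"ts": float(f[0]), "duration_s": int(f[1]) / 1000,
            "client": f[2], "bytes": int(f[4]), "host": host}


def on_watchlist(host):
    """Match the host itself or any subdomain of a watchlisted domain."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_suspect_sessions(log_text):
    """Return watchlisted tunnels that are long-lived and/or high-volume."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not on_watchlist(rec["host"]):
            continue
        reasons = []
        if rec["duration_s"] >= MIN_DURATION_S:
            reasons.append("long-lived tunnel")
        if rec["bytes"] >= MIN_BYTES:
            reasons.append("high volume")
        if reasons:                       # a brief join alone is not worth an alert
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for hit in find_suspect_sessions(SAMPLE_LOG):
        print(hit["client"], "->", hit["host"], hit["reasons"])
```

On the sample the 90-minute, 187 MB tunnel from 10.1.2.3 is flagged on both counts, while the one-minute join from 10.1.2.9 is not; the source and destination addresses are exactly the evidence the article says would otherwise have to come from the vendor.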

"Data theft through web conferencing is a real threat to corporate, government and even military sites. It's a pervasive technology with giants such as Webex and others dominating the field, but to our knowledge these vendors haven't produced solutions to stop this," says a SecureTest spokesperson. "We believe the ramifications are even more significant than the security vulnerabilities posed by Skype and MSN Instant Messaging in the past. Whereas IM can be blocked at the firewall, or the traffic content inspected by an application firewall, web conferencing remains invisible. It's impossible to say just how much damage has been done using this channel. But you should ask yourself whether the convenience afforded by web conferencing is really worth the risk."

[That port 80! Presumably a web conference attack can only be carried out with the privileges of the user initiating the session, hence a sensible security domain architecture will limit the damage. Admittedly there is a scarcity of those around. Ideally IT should be conducted inside an enterprise-wide security architecture, produced by a science-based business-driven top-down approach - infosec is all too often run by operations people who have completely different goals and targets.

Secondly, a proper document classification system should be operated for many reasons (not least compliance, which can't be guaranteed without proper document classification) - and high-level documents protected by cryptography. That way thieves may steal them but they will never know they have a Picasso... --Ed].

Related links: www.securetest.com/
