Desktop Sharing Woes
Following on from Kindus’ blog on the risks of unsecured remote meetings, it is time to consider the perils of sharing a desktop.
Consider a corporate meeting where the presenter wants to show a PowerPoint, spreadsheet or other document to explain their position. Any remote meeting software will have some system for sharing a screen. What the presenter needs to do is share a single application and only that application. It is good that a variety of remote meeting solutions are available and that these are regularly updated with more features and increased security. Unfortunately, differences and changes in application layouts increase the chances of a presenter messing up screen sharing. It is too easy to share the wrong screen, or to share a screen that reveals more than the presenter intended.
A business worker will usually leave an email client running so that new emails are regularly pulled down. If a screen with an email application is shared, all viewers can see the headers of recent emails and possibly the full text of the currently selected message. A less likely error is to reveal some document of a personal or confidential nature rather than the intended presentation. It takes only a few keystrokes to reverse the mistake and display the relevant application, but should any viewer be handy with the ‘PrtScr’ button, or have access to a recording of the meeting, any information revealed can be picked apart after the remote session is over.
A lesser mistake is to share the whole desktop rather than an application. The application itself may be open on the desktop, so the presentation can continue, albeit with less clarity than if the application were full screen. The sharer should consider what icons are on the desktop or minimised below the running application. If files are saved on the desktop, their titles can be read. Where a web browser is shared, all open tabs can be seen. Any of these could reveal the individual’s recent activity on the computer and possibly compromising background information. These details could be used to build up a picture for future phishing attacks. In the physical workplace we are encouraged to follow a tidy desk routine: clear documents away so no passer-by can access them. It is sensible to follow the same plan for online working and not to clutter the desktop with unnecessary icons and files. When it is time for a presenter to share a screen they should always close all unnecessary applications. Unless absolutely necessary, this should include any email client.
Screen sharing itself can be a vulnerability. Technically, all that needs to be achieved is to maintain a connection and pass details of what the remote screen looks like, updating the image as the presenting screen changes. Remote meeting solutions offer this facility together with other collaboration features, some of which can pose considerable risk. Pure remote control software such as VNC (Virtual Network Computing) allows full access to the remote machine. In addition to viewing the monitor, the mouse can be controlled, keyboard entries made, files transferred and applications installed. With the right software a system can be controlled remotely without the user being aware of it. The host does need to grant permission, but may not realise that they have done so. If remote meeting software allows some degree of screen viewing and file transfer, what else might it offer to the expert and unethical user?
TeamViewer might be considered a remote access program that also allows remote conferencing. Some versions of the software only allow remote control; others offer an attractive mix of chat, file and screen sharing. The capabilities of the system are showcased in this report of how the UK hacker ‘Jim Browning’ was able to access the computers and CCTV of Indian scammers running a fake tech support racket. The scammers had been banned by TeamViewer from connecting to UK computers, so had reverted to letting their ‘marks’ connect to their computers in India. Regardless of the scam and the ethics of hacking to expose it, this shows how allowing screen sharing for seemingly ‘safe’ activities can open a security loophole.
Ideally, the machine used for home working should be used only for that purpose. For example, an NHS worker might be sent home from the office with their NHS machine, including its smart card reader. The hospital network is configured to accept a remote connection from that machine, and all constraints on system access and use of applications remain unchanged from when the machine was in the hospital. Few organisations maintain these standards. A company machine may be loaned for home use but with only limited restrictions on what can be done on it. The installation of applications may be limited, but a web browser is almost certainly present, and that can allow access to all sorts of threats and diversions. The corporate network and firewall may prevent access to many web sites while a remote machine connects through that network, but the remote user may be able to use the same machine on their home network at other times, with the possibility of malware infection.
A solution is to require home workers to access a virtual machine on the corporate network. This virtual machine can be completely controlled by the business. Sufficient virtual machine licences need to be available for all home workers; if there is more demand than machines, some workers will not be able to connect to a session and will be unable to work efficiently at home. There is also a bandwidth hit, as the worker will be sending data from their home to a server farm and then back out to some other site, data store, web page or meeting forum. The choke point is likely to be at the home worker’s end. Outside of major cities bandwidth can often be limited, and what bandwidth is available might be shared with other household occupants streaming video or playing computer games.
The network itself may not be ideally secure. A remote worker may be away from the office but not at home. Public wifi networks can be compromised or spoofed: a criminal can set up a network with a name similar to a public network. The user’s machine jumps onto the closest, strongest signal and is offered web access. If this is through a compromised connection, the criminal has the opportunity to intercept the traffic. Potentially a remote desktop tool could be installed, allowing the target machine’s files to be browsed. When accessing any wifi network, the security of the connection should be checked. Outside of the office, allowing automatic connection to any network is not recommended. Sending encrypted data through a restricted portal is obviously better than sending that data in the clear to a shared portal. Unfortunately, once a connection is established both options appear the same to the unwary user.
These security issues should be considered when working remotely, but no computer-based security system can protect against accidental disclosure of information through desktop sharing applications.