SecureTest reported yesterday that web conferencing sidesteps every security barrier an organisation may have in place such as PKI, digital signatures and SSL encryption and is often not covered by the security policy.
The hacker’s accomplice need have no technical expertise. Anyone with access to a PC can route information out of the organisation undetected. Unlike keylogging or physically downloading data onto a USB key, which requires the insider to know how and where to find sensitive data, web conferencing requires no special equipment or software planting.
As a consequence, it is the type of scam that would succeed where keylogging failed in the Sumitomo Mitsui case, according to SecureTest.
Last year, police foiled an attempt to steal £220 million from the London offices of the Japanese bank. Would-be robbers had managed to install keylogging software to track every button pressed on computer keyboards. A man was arrested in Israel on suspicion of trying to transfer almost £14 million to an account.
To carry out a web conferencing attack, the insider logs on to a vendor portal via a standard internet browser before then connecting to a third party conferencing portal to begin a session. The hacker also connects to the portal, starting the web conference. The insider then allows the hacker to take remote control of his desktop and the hacker can now use the mouse pointer to open files and directories, much like a terminal services session. He or she can then begin to explore further, using the desktop as a springboard into other systems on the LAN or WAN. The discerning hacker can then identify which data is of interest and extract it.
Detecting or preventing web conferencing theft is extremely difficult, says SecureTest. There are numerous web conferencing vendors, all offering free trial subscriptions, and they require no client-side software other than a browser with the conferencing ActiveX control.
The software is encrypted in HTTPS so that while the data stream can be seen, it cannot be read, making it impossible to identify the information being transmitted. Application or content filters which usually inspect traffic coming into the organisation cannot decrypt this data and without any logs there is no evidence of the theft having taken place.
The only way of tracing web conferencing would be to detect the source and the destination IP addresses from the conference session logs, but this would require the cooperation of the web conferencing organisation. Alternatively, communications could be inspected using SSL bridging, allowing traffic to be examined before it is encrypted and sent online. However, this would allow the SSL bridge administrator to view all data, causing privacy concerns among employees.
Ken Munro, Managing Director, SecureTest said data theft through web conferencing is a real threat to corporate, government and even military sites.
"It’s a pervasive technology with giants such as Webex and others dominating the field but to our knowledge these vendors haven’t produced solutions to stop this,” he said. “We believe the ramifications are even more significant than the security vulnerabilities posed by Skype and MSN Instant Messaging in the past."
Whereas IM can be blocked at the firewall, or the traffic content inspected by an application firewall, web conferencing remains invisible.
"It’s impossible to say just how much damage has been done using this channel," said Munro. "But you should ask yourself whether the convenience afforded by web conferencing is really worth the risk.”