Wednesday, June 3, 2009

Security Alert Shows Web Remote Access Weaknesses

Remote computer access users beware - several new vulnerabilities have been revealed in existing solutions. One solution, LogMeIn, was reported to have such vulnerabilities, along with exploits that take advantage of them to control your PC without authorization. More info here: http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/

This announcement leads to a critical question in today's hyperconnected world: just how secure is the web? The answer, sadly, is "not very secure". With the rapid proliferation of web browsers (IE, Mozilla, Chrome, Opera, Safari, and so on), the arms-race habit of releasing new versions before the ink on the last one is even dry, and (relatively) new technologies like PHP, CSS, and JavaScript, browsers are increasingly vulnerable to attack.

Factor in the ever-targeted SSL / CA infrastructure at the core of browser-based encryption and site authentication, and you've got fertile territory for malicious forces.

So what's the solution? Don't use browser-based interfaces unless you absolutely have to. "Real" desktop software is remarkably portable these days - it can run directly from a USB drive, via U3 or VMware Pocket ACE, be downloaded over broadband that's available anywhere you have cell coverage, or even be installed directly on the disk of a lightweight UMPC. These solutions can provide additional security through 2-factor authentication. There's no need to risk your critical information on web-based access tools. If you need a more secure solution, you might want to look for a GoToMyPC alternative or a LogMeIn alternative.


Friday, May 29, 2009

Is Remote Access Over the Internet Safe?

If you telework, telecommute, or just travel a lot as part of your job, you may wish that you could access the files on your office or work computer remotely. But is it safe?

The safety of your remote access connection depends on many interrelated factors. If done well, it can be perfectly safe, and tremendously helpful. If implemented poorly, your remote access systems can be a huge security hole. The two critical areas to manage to ensure secure remote access are authentication and encryption.

Authentication is key because it allows the software system to validate your identity. If another person can convince those systems that they are, in fact, you, then all other security elements are defeated, because the systems will simply grant the imposter the same privileges the "real" you would have. Passwords alone are generally considered too weak for this purpose, particularly if you handle any sort of sensitive data - financial records, HR information, medical records, product information, etc. A "multifactor" authentication system (one where a password is combined with something you have, like a physical USB key, or something you are, like a fingerprint or retina scan) is necessary to truly protect your identity.

Assuming your authentication is strong, encryption is used to protect your data as it traverses the Internet between your remote device and your office PCs and networks. If the data isn't encrypted, anyone can intercept and read the information. With encryption, even if an attacker intercepts the data stream, they won't be able to read the information because it's scrambled. 256-bit AES encryption is the gold standard at the moment, because it requires an absurdly high amount of computing power and time to crack (by some estimates, 149 trillion years), and therefore protects your information against malicious use.

So, when the technology is implemented properly, you can indeed work from home safely.
