
Not even remotely secure

Who has access to your network? More importantly, who else do they give that access to, and how do they check their authorisation?

A few weeks ago, I was given the task of installing a piece of software onto a client’s server. Initially it was suggested that I drive to their office – two hours each way with no guarantee that I would have access to the resources I required. Thankfully, the day beforehand I discovered that they had a support contract with a local IT firm who had remote access directly to their server.

The next ten minutes were, from a security viewpoint, possibly the scariest I’ve had in my career so far.

To their credit, the support company were very accommodating. Their first suggestion was that they assign our mutual client’s account over to us; when that suggestion was rejected as impractical, they set up a VNC-like service instead. Logged in as the system administrator, I was able to install all the software I required, even those elements that we had written ourselves.

There was just one, very minor, concern.

At that point in time, our client still thought I was visiting in person, so hadn’t notified the support company. This company, based on nothing more than me supplying them with the name of one of their clients, had effectively signed over full ownership of that company’s network to an unknown individual on the end of a phone line.

Scared? You should be.
