| « Getting passwords from memory dumps | Playing with smbshell » |
Playing with LogMeIn and Hamachi
Well, I just finished a program (thanks Irongeek for showing me AutoIt) for a client which detects installations of LogMeIn and Hamachi on other systems for him.
To build it, I had to install both programs to see how I can detect their presence. After having installed the programs on some VM's, I thought it fun to try and see what the programs do.
Well, they do exactly as advertised:
- Hamachi gives a near passwordless access to your network and machines on said network.
- LogMeIn gives remote desktop access to the systems on which you installed it, guarded by passwords of course.
At least Hamachi is obvious in it's insecurity: Very little in the way of security is required, you create a 'personal vpn' by typing a name and optionally entering a password. Some brute-forcing will probably give you a shitload of networks and access to the systems on those networks.
LogMeIn on the other hand is a lot more sinister: You have to log in to the LogMeIn website using your email address and password (over SSL of course). There you can access the list of computers on which you installed LogMeIn. Some clicking and you get to the "Log in to your domain" screen (I installed it on a computer connected to a domain in VMWare). This was not the Microsoft login-box but a webform in which you should enter your username, password and domain (dropdown). After entering those details, there you go, access to the desktop with some nice fancy Java applet.
So, what's wrong with that? Nothing, at first glance. Except for the fact that you have to type your username and password to your domain into a form hosted on the systems of LogMeIn. They say they won't store it and whatever, but as with many things I have no control over, I don't trust that. What guarantee do I have that they will keep their word? There is no way to check, as I have no access to their source code, databases or configuration.
Frankly, after seeing the way it works (which is flawless), I think I'll just pass on those easy-to-use-vpn-through-our-network-so-you-dont-have-to-do-anything-but-install-our-software programs and keep things the nice and hard way: Get myself a dyndns account, install openvpn on my server, forward port on router to server, install openvpn on my laptop and be happy with it.
