manny2002

ScreenConnect 5.6, Security and Privacy Flaw

Question

Hi

I'm using a LabTech hosted instance, the one where you pay LT a monthly fee and they run it on an AWS EC2 VM.

The instance comes with ScreenConnect integration, and that's what I have been using for remote control.

Originally, about 2 years ago when I started using LT, I expressed concerns over privacy so LT support advised me to change a setting on the ScreenConnect admin interface so the endpoint would get a "Request for Consent" every time a tech would try to remote in.

I have a particular customer that handles inventions, patents and other intellectual property on their PCs, and they specifically requested that nobody has the ability to perform remote sessions unless each user grants permission on a case-by-case basis.

All the way up to ScreenConnect 5.5, all that was good.

Turns out that LabTech rolled out 5.6 about two weeks ago and now the "request for consent" is gone.

The setting is still there, with the same documentation and the same description, but when you set it, it works this way:

- The user gets the "request for consent" on the remote PC the first time (the first time after the ScreenConnect tray app is installed on the target PC), and then they never get it again. Basically the support tech can connect, disconnect and connect again without permission every single time.

LabTech support has been giving me the runaround for two weeks: first they seemed not to know the problem, later they checked if this was a misconfiguration, later they implied I changed some setting, and eventually they said this is "by design", and later they finally said that on 5.6 the functionality changed because "many customers asked for it".

I'm trying to figure out which customer would like to explain to their end users that the techs can now connect without permission, day or night, on their business PCs (those PCs of lawyers, accountants, doctors, etc.) that have tons of private information.

My Account Manager at LT told me this morning that the CTO says this change was on purpose, and that if I want to have request for consent then the user needs to log out and log back in on their PC after each remote session!!!!!

I smell that LT made a huge mistake, and instead of taking ownership and fixing it, they are buying time blaming customers.

I know it is a ScreenConnect issue and not an LT integration issue, because I also own an on-premises ScreenConnect license, which I use for supporting customers with no contract, and it is the same: 5.5 works with request for consent every time, and as soon as I move to 5.6 the request for consent breaks.

What do you guys think of all this? Have you experienced similar issues?

I don't trust LT anymore; they can come and change any functionality that you already have deployed with your customers and then take no responsibility for it.

2 answers to this question
Hi

I don't trust LT anymore; they can come and change any functionality that you already have deployed with your customers and then take no responsibility for it.

Software companies have every right to change any aspect of anything they make if they want to; features change with each release, and when you opt in to cloud services you are always at their mercy. It is the same with Office 365, Dropbox, AWS, Google Apps for Work, etc. I'm not saying you don't have a perfectly good reason to need a specific function a certain way, but if you want to guarantee a static solution I would suggest buying full packaged product software and running it on your own equipment. We run LT in house and SC in house on a separate server; both are at my mercy to upgrade when and if we want, and if we want to stay on the same version for 10 years we can.

I would assume that this was changed because people complained about getting bugged too often for permission to connect, and because there is a notification banner across the top of the screen for every session you connect to that notifies the user. I don't think it is unreasonable to ask that they add the ability to choose between prompting for consent once vs. every time, though. ScreenConnect has their own UserVoice site here, which would be the perfect place for that request: http://product.screenconnect.com/
95% of my business is NOC services, 5% is Managed Desktops (I don't put servers on LT; I use Solarwinds for monitoring and we patch the OS with other mechanisms, because Devs do regression tests on every update, and if we don't and something fails or reboots outside maintenance windows, we get penalized in $$$).

Why am I saying this?

If I wanted to run LT in house I would do it (I run F5 LTM, Solarwinds NPM, two different SIEMs and a lot of other tools in house).

I don't agree with your approach, because "Cloud" and "Hosted" doesn't mean the provider should change "certain" things.

They CAN, but they should not, and when they change critical features, they deserve to be pushed back on.

Example: The fact that Bank of America owns the computer system where your private data is stored doesn't give them the right to one day eliminate HTTPS or change the system so all accounts are public, without passwords.

Yes, they can, and yes, you can change banks, but you know why you can change banks? Because there are like 1000 banks in the US with the same services, but how many LTs are there? And what happens if you have bank accounts, investments, a mortgage, business loans, car loans and CCs with Bank of America, and imagine if you also have the investment portfolios, with a lot of money and information from your customers, with Bank of America, and one day they make the changes without telling you? And the next day you find that someone could easily get access to yours and your customers' financials; how long will it take you to switch all your instruments to another bank? And how will you feel if someone tells you "it's a hosted version, they can do whatever they want, and you can take your business somewhere else"?

Will you go happily without saying anything to anybody? Really?

Because if that happened to me, I would go to the CEO's golf club and wait until he gives me an explanation. Not because of my data, but because of my customers' data.

 

LT disabled a feature that protects the customer's privacy, and THAT is a deal breaker.

I know you run in house, and probably you did your homework and have 2FA on the SC web interface, or even better, use it via VPN or just inside your network, but SC hosted doesn't have any of that: the web interface is available over the Internet and doesn't even have 2FA or even an IP whitelist, unless you explicitly set it up (don't tell me I should have done that, because Bank of America doesn't ask you when you sign up "do you want your account hackable, secure, super secure or ultra-secure? And if you want anything other than 'hackable', this is the paperwork that you have to fill out").

So, please do me a favor: imagine for a second that you are running SC like that, for whatever reason, and imagine telling your customers, "Hello Mr CEO of 'ABC Capital', I know you trust me with accessing your PC remotely any day or night (which I always advise you against), but just letting you know that my admin web GUI is not protected from brute force attacks, and if anybody breaks the security over a weekend, we are not responsible for information leaks".

Suuuureeee, he will keep you as a provider the next day.

For the record, I used to manage a server platform on Solaris holding every cellphone number in the States and Canada; I was the SaaS. How would you feel if you were an ISV with a few million invested in developing an app that securely uses my API, spent a few hundred grand on marketing telling your customers how well they are protected, and all of a sudden I change my password policy to require only 5 digits and over HTTP, and you realize a week later, in a customer meeting, when a junior network admin tells you "hey, did you know that you are authenticating over non-encrypted links? Yesterday I used Wireshark and saw all the passwords from all our users in clear text, and by the way, they are only 5 digits long"?

Then you could come back and complain, and I would tell you "Yes, you can run my software on premises and put your own certificate on it, don't worry, let me give you a quote so you forget about how you just received a 'high tech humiliation' and just give me a big juicy check to make up for my lack of technical vision".

I don't mind LT changing the way we do scripts, or the way the buttons work, or the look and feel, or even if the app is slower, or sometimes buggy; I DO CARE ABOUT PRIVACY and protecting my customers' data.

By the way, after not a few pushbacks with LabTech, they agreed to revert my SC hosted instance to 5.5 and keep the functionality as it was before.

And they agreed not to upgrade until the functionality is back.

They did the right thing.

I don't sell "this is what it is" services, so I don't buy "this is what it is" software either, especially if the functionality was there when I signed up.

And yes, I don't trust companies that change direction on critical items without communicating the implications and confirming with customers.

I bet if any end user of yours read my paranoia and position, they would agree with me; after all, that's what I get paid for, because I don't get paid to "give them whatever I get".

My customers are my most important asset; I get paid to protect them, even from myself, and I take this seriously.

Next time SC scares me like this, I will remove it, and I will switch away from LT, even if I have to patch manually in the meantime. We do it for servers, so we can do it for desktops too.