If you haven’t already heard, the code base for Symantec’s pcAnywhere was stolen in 2006, and bad guys are now using that code against the installed base of users in the wild. This sort of compromise really isn’t anything that new or different. But what is different is that Symantec is now telling users to flat out disable pcAnywhere until a fix is released. Which is a good, smart move, but a better move would be to remove pcAnywhere and never, ever start it up again!
I remember the first time I used pcAnywhere; I was working my first helpdesk job and they let me finish part of my shift from home when I was doing mail server work: I could start up the scripts on the server, drive home and finish my work from there. Being pcAnywhere, every couple of times I’d also have to drive back to work because the program would crash, but hey, an 80% success rate wasn’t too bad at the time.
Fast forward a decade (and more) to when I’m a QSA and pcAnywhere is still out there, and in all too many cases, it’s actually the same version I was using, or nearly the same vintage. But it’s not me using it to manage an OS/2 Warp mail server (yes, OS/2 Warp), it’s being used to manage Point of Sale (POS) systems all across the US. You see, mom and pop stores with POS systems don’t have a clue on how to set up a computer, so they find a nice, local service provider who will set up the POS for them, troubleshoot it when they have problems and just generally manage the system for a price.
Herein lies the problem. If you’re a small, local service provider who makes their living servicing these folks, you have to be able to work quickly and cheaply with clients in a large area if you’re going to make a living. You need to be able to get on their systems quickly to troubleshoot problems and get them back online. So of course you use a remote desktop client like pcAnywhere and you’re going to leave it directly exposed to the Internet since that’s the easiest way to make sure it’s always available and you don’t have to do a lot of troubleshooting of network equipment. And you probably use the same password on all your clients, since you don’t want to have to rely on having the right password written down somewhere when the client calls screaming that their system is down. After all, no one would scan for open pcAnywhere servers, nor would they guess the user name is ‘admin’ and the passphrase is “Let me in!” (at least it has complexity). And you don’t worry about changing passwords when an employee leaves or updating to the latest patch levels. In other words, a security nightmare.
In 2009, when I worked for Trustwave, one of the things the annual security report dug into was some of the repercussions of this type of remote management of POS systems. And no surprise, one of the things they discovered was that remote desktop applications like pcAnywhere were one of the leading causes of small business compromises, especially compromises that involved either small chains or a group of geographically close stores. An attacker would scan for the remote desktop client and then brute force the password and spread out to the other clients of the service provider. Soon you’d have a whole segment of the local merchant community who’d been compromised and didn’t know how or why it’d happened. And things have not gotten better since then.
I doubt things will change; I doubt most of the people who actually use pcAnywhere as a tool are going to even notice or read Symantec’s posting. It’s the only way that the current business model works, not just in the merchant community, but in many other small business communities as well. The service provider model requires remote tools, otherwise the travel time to and from locations kills any chance of making a profit. Which means the folks who want to compromise systems and steal credit cards are going to continue to have access to the remote desktop solutions.