Posted on May 21st, 2019
Originally released for Windows back in 1993, Symantec’s pcAnywhere enabled the user to access a host computer running pcAnywhere remotely. The concept of remote access makes sense from a usability standpoint, but it presents additional security challenges that we must contend with. Similar to the issues we reported with the remote desktop protocol (RDP and VNC), pcAnywhere required that users ensure proper security measures were in place and that access was strictly limited.
pcAnywhere officially lost support back in 2014, leaving users wide open to vulnerabilities that would remain unpatched and open to exploitation by malicious actors. One reported by TrendMicro was particularly damning: a vulnerability was dubbed a “browse-and-get-owned” and attackers could infect users’ machines just from the user browsing a hacked site. Brian Krebs wrote an in-depth article on that particular vulnerability. More recently, VICE reported that a voting machine vendor installed pcAnywhere software on voting machines in the US to enable remote technical support. Our readers can imagine the potential security mayhem that could happen as a result of installing remote access technology onto a voting machine, much less software that hasn’t received a security update in several years.
The inherent risks of remote access technology
For corporate security and IT professionals, remote access is sometimes a necessary evil — your employees may have a legitimate need for the technology, but your adversaries also know it’s low-hanging fruit that becomes a very easy target if not properly secured. Remote access technology is very high risk because any user can gain a foothold into your organization through it.
The result is that remote access technology is regularly targeted with credential stuffingattacks — account takeover via automated web injection. This allows attackers to bypass some of the security measures like identity access management (IAM) and other authentication tools.
Sometimes people will set up a remote access system like pcAnywhere intentionally to get work done remotely, but they are often unaware of IT security rules about remote access technologies. Or they just don’t understand the risks involved to the entire organization because they aren’t security experts themselves and they just installed pcAnywhere because it’s easy and it’s what they’re familiar with as consumers.
Another major reason you should be on the lookout regularly for rogue remote access use in your business is that some products ship with pcAnywhere built in, so that they can perform technical support and troubleshooting tasks. Often this happens without the consumer/users’ knowledge.
In this case, of course, the problem is doubly bad because pcAnywhere is “end of life” (no longer receiving security updates), making it inherently insecure. When a product loses support, you should stop using it as soon as possible and move to a secure alternative with ongoing security patches and updates.
With all of this in mind, it’s critical to inventory your network for access points you didn’t intend to create and don’t audit. So let’s get hunting to make sure you don’t have any individuals or teams using pcAnywhere within your organization.
Searching Censys for Servers Using pcAnywhere Software
Our new pcAnywhere data on port 5632 makes searching for these servers easy. The broad tag search discovers 14,510 servers using pcAnywhere software. One interesting note is that the majority of these servers are located in China, the United States, and Taiwan, accounting for more than 57% of instances.
To find any tied to your domain, one easy way to check is to add a filter to that broad search for (AND 443.https.tls.certificate.parsed.names: yourdomain). Another way is to use the broad search and then add (AND ip:[your network CIDR]).
What to do if you find any pcAnywhere users in your organization
- Block access. pcAnywhere doesn’t offer a reasonable level of security, much less the TLS protections, multi-factor authentication, or account lockout, which we would recommend as requirements for remote access technology.
- If you determine that you do need a remote access solution, modern and secure applications are available. Ensure that the software you’re evaluating enables remote work securely and includes or supports security measures, including:
- Account lockout
- Encryption
- Multi-factor authentication
- Account management capabilities
In an enterprise environment, focus on making it easy for your workforce to work remotely and securely and they’ll be less likely to avoid IT to accomplish this.
If you’re looking for more tips like these on how to use Censys data to keep your business network secure, keep an eye on our blog and subscribe to our Twitter feed @censysio.