Web conferencing tools can expose your data
Wednesday, 24 May 2006

A penetration testing firm has warned that popular web conferencing software can be used by hackers to gain direct access to the desktop of any PC on an internal network without detection, provided the hacker can buy the help of a jaded employee.

SecureTest reported yesterday that web conferencing sidesteps every security barrier an organization may have in place, such as PKI, digital signatures and SSL encryption, and is often not covered by the security policy.

The hacker’s accomplice need have no technical expertise. Anyone with access to a PC can route information out of the organization undetected.

Unlike keylogging or physically downloading data onto a USB key, which requires the insider to know how and where to find sensitive data, web conferencing requires no special equipment or software planting.

To carry out a web conferencing attack, the insider logs on to a vendor portal via a standard internet browser and then connects to a third-party conferencing portal to begin a session. The hacker also connects to the portal, starting the web conference.

The insider then allows the hacker to take remote control of his desktop, and the hacker can now use the mouse pointer to open files and directories, much like a terminal services session. He or she can then begin to explore further, using the desktop as a springboard into other systems on the LAN or WAN.

The discerning hacker can then identify which data is of interest and extract it.

Detecting or preventing web conferencing theft is extremely difficult, says SecureTest. There are numerous web conferencing vendors, all offering free trial subscriptions, and they require no client-side software other than a browser with the conferencing ActiveX control.

The session traffic is encrypted with HTTPS, so while the data stream can be seen, it cannot be read, making it impossible to identify the information being transmitted.

Application or content filters, which usually inspect traffic coming into the organization, cannot decrypt this data, and without any logs there is no evidence of the theft having taken place.

The only way of tracing web conferencing would be to detect the source and the destination IP addresses from the conference session logs, but this would require the cooperation of the web conferencing organization.

Alternatively, communications could be inspected using SSL bridging, allowing traffic to be examined before it is encrypted and sent online. However, this would allow the SSL bridge administrator to view all data, causing privacy concerns among employees.
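The article notes that the HTTPS stream can be seen even though it cannot be read. The following added example (not from SecureTest or the original article) flags likely desktop-sharing sessions from proxy connection metadata alone; the log format, domain names and thresholds are constructed assumptions, not any real product's format or vendor's hosts.

```python
import csv
import io

# Constructed sample: simplified proxy CONNECT records (hypothetical format).
# Fields: time, client_ip, user, dest_host, dest_port, bytes_out, bytes_in, duration_s
SAMPLE_LOG = """\
2006-05-23T09:02:11,10.0.4.17,asmith,mail.example.org,443,18200,240500,95
2006-05-23T10:15:40,10.0.4.22,bjones,meet.conf-vendor.example,443,48211000,1930000,2710
2006-05-23T11:01:03,10.0.4.31,cwu,meet.conf-vendor.example,443,310000,5200000,1800
2006-05-23T13:44:19,10.0.4.22,bjones,trial.other-conf.example,443,90500,120300,140
"""

# Assumption: a locally maintained list of conferencing domains (hypothetical names).
CONFERENCING_SUFFIXES = ("conf-vendor.example", "other-conf.example")

MIN_DURATION_S = 600        # assumed threshold: sustained session
MIN_BYTES_OUT = 10_000_000  # assumed threshold: heavy upload from the workstation
MIN_OUT_IN_RATIO = 3.0      # assumed: a shared desktop sends far more than it receives


def is_conferencing(host):
    """Match the domain itself or a true subdomain, not a look-alike suffix."""
    return any(host == s or host.endswith("." + s) for s in CONFERENCING_SUFFIXES)


def flag_sessions(log_text):
    """Return records whose metadata resembles a shared or remotely controlled desktop."""
    fields = ["time", "client_ip", "user", "dest_host", "dest_port",
              "bytes_out", "bytes_in", "duration_s"]
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        if not is_conferencing(row["dest_host"]):
            continue
        out_b, in_b = int(row["bytes_out"]), int(row["bytes_in"])
        ratio = out_b / max(in_b, 1)  # avoid division by zero on empty responses
        if (int(row["duration_s"]) >= MIN_DURATION_S
                and out_b >= MIN_BYTES_OUT and ratio >= MIN_OUT_IN_RATIO):
            flagged.append({**row, "out_in_ratio": round(ratio, 1)})
    return flagged


if __name__ == "__main__":
    for hit in flag_sessions(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["client_ip"], hit["dest_host"],
              hit["bytes_out"], hit["out_in_ratio"])
```

An ordinary attendee (the third sample record) receives more than they send and is not flagged; only the long, upload-heavy session is.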

Ken Munro, Managing Director of SecureTest, said data theft through web conferencing is a real threat to corporate, government and even military sites.

“It’s a pervasive technology with giants such as Webex and others dominating the field but to our knowledge these vendors haven’t produced solutions to stop this,” he said. “We believe the ramifications are even more significant than the security vulnerabilities posed by Skype and MSN Instant Messaging in the past.”

Whereas IM can be blocked at the firewall, or the traffic content inspected by an application firewall, web conferencing remains invisible.

Trainerslink.com © 2004 - 2005 - All rights reserved. Trainerslink.com provides news of online training, web conferencing, and the conference calling industries.