What the recent GoTo security incident says about the Remote Access software industry

Further details have emerged on a recent GoTo/LastPass data breach. And the conclusion is painfully clear: everyone thinks about security and knows it’s important. However, companies don’t always practise what they preach. Let’s see what this says about the state of the Remote Access software industry.

The short story of the GoTo/LastPass data breach

GoTo has recently announced that, according to their investigation, “a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.”

An encryption key for a portion of the encrypted backups has also been exfiltrated by a threat actor. Among the affected information could be “account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

GoTo-owned company LastPass also recently announced that an incident back in August 2022 was more serious than previously thought. While initially saying that no user data was affected, LastPass admitted in December that customer data had been compromised. The unauthorized party had accessed a third-party cloud storage service where LastPass was storing data.

What does this tell you about data security?

There’s one essential takeaway from all the above: when security is not the first priority, customers are the ones that end up suffering. Digital trust and data security are essential to us here at RealVNC. We believe that any remote access provider in particular, and software provider in general, needs to take them very seriously. It seems that, in reality, a lot of companies don’t really put their money where their mouth is when it comes to security.

We build our product by putting security first, adhering to our four security principles:

  • You don’t have to trust RealVNC as a company to trust our software and services
  • We do not record your sessions, and data cannot be decrypted now or in the future
  • Every connection is treated as though it is made in a hostile environment
  • The owner of the remote computer ultimately decides who is able to connect

Every single connection is end-to-end encrypted at up to 256-bit AES. We also have 2FA (two-factor authentication) available and we strongly recommend its use.

VNC Connect can prove that it’s secure

Furthermore, we don’t just claim that we’re secure. Our remote access solution is the only one to have been audited by an independent security expert and given the all-clear. Namely, we’ve opened our doors to a comprehensive white-box security audit by Cure53. This is a much more in-depth security review than the traditional annual penetration test, with the auditors getting full access to our source code, internal API documentation and a direct communication line to the developers. We’re very proud of the results: no critical issues were found, which reaffirms our strong security stance. We’ll continue to work hard on maintaining the same high security standards.

We’re also happy to announce that the Android version of VNC Server for Mobile is the first remote access app to successfully undertake the MASA process. We undertook the process for our RealVNC Mobile Server app in November 2022, working together with NCC Group, an authorized MASA lab and a key player in the security industry. Our application flew through this assessment and gained an outstanding result – a PASS in each area on the first run.

RealVNC will continue to challenge the whole industry to take the same route of proving the security of its products. We’ve done this at recent cybersecurity events and will continue to do so in the future.

“At RealVNC, we operate from the standpoint that no company should ever take a vendor’s word for it when they claim their software is secure, which is why we chose to complete a white-box audit with a highly regarded security consultancy to prove it,” said our Chief Information Officer, Andrew Woodhouse.

What should you do next?

Check if your software (and especially remote access) provider can show you proof of its security. And don’t just take their word for it! Ask for proof, in the form of a recent independent security audit.

If they can’t do that, there are alternative options out there that comply with your security requirements. Switch to a secure remote access provider that can keep your data secure.

We would be happy to help you switch to VNC® Connect. Just fill in the form below and one of our team will be in touch.

Bogdan Bele

A journalist by formation and experience, and a content writer by trade. I’ve been writing content, both online and offline, for more than 15 years. My focus has always been technology, but I’ve also ventured into fields as diverse as music, football or news. I am RealVNC’s in-house Digital Content Editor, so a lot of what you’re reading on this blog is written by me. I also edit a lot of our content output. When I’m not writing, editing or reading, you’ll probably find me at a concert or watching a Chelsea FC game.