Re: vnc security flaw?
I can tell you exactly how this is different, but first I want to thank Mike Miller who pointed out that you need to disable vnc connection from hosts other than localhost. I skipped that part as being an obvious one but it probably is not that obvious.

The difference of running ssh vs running plain vnc is that you can secure ssh in various ways and you can't secure vnc alone. For instance if you are a bit paranoid you can disable password authentication and use public/private key to authenticate. This method while a bit inconvenient is extremely hard to break. That is what should be used on any halfway important system.

VNC free edition is using simple challenge response with password length up to 8 characters (according to security faq). ssh can support much larger passwords. ssh also prevents man in the middle attacks where session can be intercepted. Free edition of vnc has no protection other than password authentication. Given that most people's computers are not worth this kind of attack you still are susceptible.

ssh also supports tcp wrappers and I am not sure if vnc does. This allows you to further limit systems that attack you. You can run something like DenyHosts or a utility that I wrote for myself called BanHosts. You can look up both of them on google. Either utility will limit number of unsuccessful connection attempts from any given host blocking any further attempts.

I am sure if I try I can provide more examples for you but just these should be sufficient answer to your question.

Regards,
Alex

Jaroslaw Rafa wrote:
> Alex Pelts wrote:
>> IMHO running VNC server exposed to the Internet is a bad idea in the first place.
>
> Why? What is different in running a VNC server exposed to the Internet from running a SSH (or even a telnet!) server exposed to the Internet, for example? And there are many such servers out there... It's like any remote access service - you run it, if you need it. Of course, if you run such a service, you should be fully aware what you're doing.
>
> Regards,
> Jaroslaw Rafa [EMAIL PROTECTED]

___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
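The attempt limiting described in the message above (DenyHosts-style blocking through tcp wrappers), as an added example that is not part of the original post and is not DenyHosts' or BanHosts' own code. The log lines are constructed in the usual OpenSSH syslog shape; the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; addresses come from the documentation ranges
# (RFC 5737) and do not appear anywhere in the thread.
SAMPLE_AUTH_LOG = """\
Jun  6 10:00:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  6 10:00:04 gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Jun  6 10:00:09 gw sshd[813]: Failed password for root from 203.0.113.7 port 40119 ssh2
Jun  6 10:02:30 gw sshd[820]: Failed password for alex from 198.51.100.20 port 51000 ssh2
Jun  6 10:02:41 gw sshd[820]: Accepted password for alex from 198.51.100.20 port 51000 ssh2
Jun  6 11:30:00 gw sshd[901]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jun  6 12:45:00 gw sshd[902]: Failed password for root from 192.0.2.44 port 33002 ssh2
Jun  6 14:10:00 gw sshd[903]: Failed password for root from 192.0.2.44 port 33003 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def hosts_to_block(log_text, max_failures=3,
                   window=timedelta(minutes=10), year=2006):
    """Return source addresses with max_failures failed logins inside window.

    max_failures, window and year are assumed defaults for this example.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    blocked = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts = recent[m["ip"]]
        attempts.append(when)
        # Drop failures that have aged out of the sliding window.
        while when - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_failures and m["ip"] not in blocked:
            blocked.append(m["ip"])
    return blocked


def hosts_deny_lines(addresses, service="sshd"):
    """Format tcp wrappers entries (daemon: client) for /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in addresses]


if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_block(SAMPLE_AUTH_LOG)):
        print(entry)
```

With the default ten-minute window the slow guesser at 192.0.2.44 is never blocked; widening the window catches it at the cost of locking out users who mistype a password a few times in an afternoon.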
Re: vnc security flaw?
Alex Pelts wrote:
> I can tell you exactly how this is different, but first I want to thank

Because of top-quoting it is unclear WHAT is different... After scrolling down the entire message I find out that it refers to my previous posting:

>> What is different in running a VNC server exposed to the Internet from running a SSH (or even a telnet!) server exposed to the Internet, for example? And there are many such servers out there... It's like any remote access service - you run it, if you need it. Of course,

> The difference of running ssh vs running plain vnc is that you can secure ssh in various ways and you can't secure vnc alone. For instance
> [...]
> I am sure if I try I can provide more examples for you but just these should be sufficient answer to your question.

I already know all the things you wrote. Did you notice that I mentioned telnet in my original posting? I did it for a purpose, because I think plain VNC is approximately as secure (or insecure) as telnet. And there still are people who DO run telnet servers - moreover, they HAVE to run telnet servers for compatibility, because they must support some users who don't want to use a ssh client.

Same applies for VNC. There are circumstances where running a VNC server open to the Internet has sense. As I wrote - you have to know what (and why) you are doing.

Regards,
Jaroslaw Rafa [EMAIL PROTECTED]
Re: vnc security flaw?
Hi guys,

I just had that experience. However, I have Zone Alarm installed so when the intruder tried to download the trojan file, my Zone Alarm blocked it. Still, the intruder caused certain programs not to function correctly but I could just reinstall them.

I signed up for a mail list in VNC, the announcer mail list. I hope this is the mail list for announcing new updates.

Peter Zheng
ENSC SFU

On Tue, 06 Jun 2006 10:15:42 -0700 [EMAIL PROTECTED] wrote:
> It's really not realistic or reasonable to expect every PC user to be their own ever-vigilant security expert.
>
> I try to keep up on these things, and I had barely noticed. I doubt that 10% of VNC users read either slashdot or vnc-list, much less never miss anything important there.
>
> Two things that occur to me that ought to have happened, which might have increased the visibility.
>
> 1) vnc should maintain its own list, reserved for security flash alerts only, and strongly encourage anyone who installs vnc to sign up.
>
> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.
Re: vnc security flaw?
On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> It's really not realistic or reasonable to expect every PC user to be their own ever-vigilant security expert.

Yes and no. It depends on how important security is to you. As pointed out, the flaw was posted on this list. I find that just reading Slashdot (http://slashdot.org) is enough to keep me informed of security issues when I need to know about them. I also use Debian Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which means a program has to be really stable to be finally classified as eligible for the Stable branch. That means most of the security problems are gone by then. In addition, a one line cron job (for the uninformed, cron is easily configured to run programs at any time) updates my system every night, getting only security fixes and needed updates.

While you probably use different methods for safety, my point is that I use a system that is known for secure updates and other issues are easily flagged on Slashdot, which is one site. There are better sites for security issues, but I'm just giving one example.

> I try to keep up on these things, and I had barely noticed. I doubt that 10% of VNC users read either slashdot or vnc-list, much less never miss anything important there.

I noticed it was blasted all over any news source that keeps track of open source software. Were you actually keeping up with any news?

Guess what? Software has flaws. I doubt there is a single piece of published software without bugs and without security flaws that will be discovered one day. If you use it, it is up to you to keep up with that. For example, if you use Windows, there are frequent serious issues. Some users ignore the situation. (They're the ones with so much malware they can barely use their computers.) Some users get automatic updates, but this is risky because sometimes Windows updates hose the system. Then there are the aware users that know that for safety, they need to keep up with all the security issues and that many times there are 3rd party patches/fixes out before MS issues fixes.

> Two things that occur to me that ought to have happened, which might have increased the visibility.
>
> 1) vnc should maintain its own list, reserved for security flash alerts only, and strongly encourage anyone who installs vnc to sign up.
>
> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.

Symantec and the other companies keep up with this stuff. Personally, I don't use them, since I use other security measures (and wouldn't be caught dead using Windows, other than testing my software for my clients). They know about it when exploits are published, and this one was published through all or most (that I saw) appropriate channels.

As I said, I don't use Symantec or McAfee products, but I'm not sure that they can protect from issues like this. They can watch for malware and viruses, and will watch for whatever is in their definitions, but I don't think they go out of their way to protect you from flaws in other programs. With that in consideration, any malware known to attack RealVNC or other programs would end up in their database as soon as possible and would be downloaded to your system with your next regular update. (You do update daily, don't you?)

I'm not trying to be a pain, but, in the long run, the security of your computer is YOUR responsibility. Maybe this will help, in the long run, by alerting you to the fact that you do have to find ways to ensure your systems' safety.

Hal
Re: vnc security flaw?
Dave Dyer wrote:
> 1) vnc should maintain its own list, reserved for security flash alerts only, and strongly encourage anyone who installs vnc to sign up.

That is not such a bad idea but this security problem only happened once since I started using VNC (as far as I recall), and I started using VNC back when it was part of ATT. When you are connected to the internet you are by definition not secure. It is funny how everyone is expecting nothing bad to happen.

> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.

This one is never going to happen for countless reasons. No company will make your box secure if you won't.

IMHO, VNC people did all they could to fix the problem and post the update. It is up to the users to make sure they are up to date. If you do not like RealVNC's security record you are always free to run any other software. There are really many choices you can make:

1. Run VPN with strong authentication and use your VNC over VPN.
2. Run ssh and tunnel over ssh, which is really equivalent to #1
3. Keep your VNC up to date if you insist on exposing it to the net.
4. Run any other software that you deem more secure.

These are your choices.

Regards,
Alex
Re: vnc security flaw?
Alex Pelts wrote:
> IMHO running VNC server exposed to the Internet is a bad idea in the first place.

Why? What is different in running a VNC server exposed to the Internet from running a SSH (or even a telnet!) server exposed to the Internet, for example? And there are many such servers out there... It's like any remote access service - you run it, if you need it. Of course, if you run such a service, you should be fully aware what you're doing.

Regards,
Jaroslaw Rafa [EMAIL PROTECTED]
Re: vnc security flaw?
Dave Dyer wrote:
> It's really not realistic or reasonable to expect every PC user to be their own ever-vigilant security expert.
>
> I try to keep up on these things, and I had barely noticed. I doubt that 10% of VNC users read either slashdot or vnc-list, much less never miss anything important there.

I see it as their fault for being ignorant, on two points.

A) They expect to be completely safe when exposed to the Internet, especially in consideration of how powerful VNC is. If you don't like the fact that you're always going to be, to some degree, vulnerable, unplug.

B) They expect that a program is going to be one hundred percent perfect from the get-go. I'm not knocking on RealVNC's developers, but nothing is perfect. It's a good goal, but you could test something forever and forever and not find every possible bug.

It's in the hands of the user to be vigilant in protecting themselves. The company should be held responsible if the users aren't willing to help themselves.

> 1) vnc should maintain its own list, reserved for security flash alerts only, and strongly encourage anyone who installs vnc to sign up.

If people actually care, how about they sign up on the list already provided and take, I don't know, 60 seconds out of their day to scan the list for anything important or interesting?

> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.

You want unrealistic? Bingo. That sort of thing takes time, money, and resources. Not something that a string of companies are going to throw out so that customers for a different product are protected. Ideally, yeah, something like this would be in place, but in the real world, it's but a pipe dream.
Re: vnc security flaw?
>> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.
>
> This one is never going to happen for countless reasons. No company will make your box secure if you won't.

Why do you think it will never happen? I think it's inevitable. I pay for virus protection; there's real money to be made providing a better service.
Re: vnc security flaw?
Dave Dyer wrote:
> Why do you think it will never happen? I think it's inevitable. I pay for virus protection; there's real money to be made providing a better service.

I don't think you can, by any means, compare your proposition to an antivirus solution. The complexities of protecting a person from protecting their own ignorance, not in a demeaning sense, are so multifaceted. It would literally be impossible to stay on top of every single threat, and to cross-network all that information.

But hey, if you think it's possible, go for it.
Re: vnc security flaw?
> I don't think you can, by any means, compare your proposition to an antivirus solution. The complexities of protecting a person from protecting their own ignorance, not in a demeaning sense, are so multifaceted. It would literally be impossible to stay on top of every single threat, and to cross-network all that information.
>
> But hey, if you think it's possible, go for it.

It is simply impossible to protect a person from himself. At this time pretty much anyone should know that clicking on attachments is bad yet everyone still does it. With the amount of scams going on you would think that people would be suspicious of emails asking them to type in their user name and password AND credit card number AND expiration date into some website that looks like their bank. And yet lots of money changed their owner based on various scams.

Probably the way to protect people from doing stupid things is to electrocute them any time they are clicking on attachment to develop a reflex.

Regards,
Alex
Re: vnc security flaw?
Well,

Let's say if you pay money to Symantec why don't you ask them to protect your pc? What does RealVNC have to do with it? I pay money to RealVNC people for EE and I got my email notifying me about security update. So I have no beef with RealVNC as they provide the service I pay for.

I think 2) will not happen because there is no money in it for RealVNC only for Symantec and companies like them. RealVNC provides a free version with community support and that means you have to do your homework. If you want real support pay for it and you will get it.

Some people are running VNC v3.x and asking questions about it. That means people don't bother to update for various reasons. Sometimes these are good reasons, sometimes they are not.

In general out of two things you mentioned VNC people did at least one: they notified this list about available update as well as sent emails to their paying customers. There is also announce list which was notified as well. That is a very low email volume list to which anyone running RealVNC should subscribe.

So what I am trying to say RealVNC provided all needed information in a timely manner to prevent most of the users running their software from getting in trouble. If some of the users failed to use this information it is not exactly RealVNC's fault.

Regards,
Alex

Dave Dyer wrote:
>>> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.
>>
>> This one is never going to happen for countless reasons. No company will make your box secure if you won't.
>
> Why do you think it will never happen? I think it's inevitable. I pay for virus protection; there's real money to be made providing a better service.
Re: vnc security flaw?
Alex Pelts wrote:
> It is simply impossible to protect a person from himself. At this time pretty much anyone should know that clicking on attachments is bad yet everyone still does it. With the amount of scams going on you would think that people would be suspicious of emails asking them to type in their user name and password AND credit card number AND expiration date into some website that looks like their bank. And yet lots of money changed their owner based on various scams.
>
> Probably the way to protect people from doing stupid things is to electrocute them any time they are clicking on attachment to develop a reflex.

I work in computer troubleshooting, and honestly some of the stuff I've seen that people do to their machines, even /watched/ them do, is ridiculous. I guess common sense got lost somewhere between the dawn of time and now.

But hey, the electrocution thing sounds promising. Business opportunity, eh? :)

Chris
RE: vnc security flaw?
[EMAIL PROTECTED] wrote on Tuesday, June 06, 2006 5:11 PM:
> It is simply impossible to protect a person from himself.
> [snip]
> Probably the way to protect people from doing stupid things is to electrocute them any time they are clicking on attachment to develop a reflex.

(BOFH Mode=ON)
Hmm... I *like* that idea. Evil Grin
(BOFH Mode=OFF)

Seriously, some people almost *deserve* what they get if they ignore warnings not to do stuff like that. Or if they ignore the security updates, etc. Unfortunately, taking that attitude leads to worse problems on the corporate network. *sigh* Oh, well... Back to troubleshooting PCs. ;-)
Re: vnc security flaw?
John Aldrich wrote:
> [EMAIL PROTECTED] wrote on Tuesday, June 06, 2006 5:11 PM:
>> Probably the way to protect people from doing stupid things is to electrocute them any time they are clicking on attachment to develop a reflex.
>
> (BOFH Mode=ON)
> Hmm... I *like* that idea. Evil Grin
> (BOFH Mode=OFF)

see http://www.youtube.com/watch?v=ry7u6JF_B1c - hehehe :-)

GTi
Re: vnc security flaw?
On Tue, 6 Jun 2006, Alex Pelts wrote:
> IMHO, VNC people did all they could to fix the problem and post the update. It is up to the users to make sure they are up to date. If you do not like RealVNC security record you are always free to run any other software. There are really many choices you can make:
>
> 1. Run VPN with strong authentication and use your VNC over VPN.
> 2. Run ssh and tunnel over ssh, which is really equivalent to #1
> 3. Keep your VNC up to date if you insist on exposing it to the net.
> 4. Run any other software that you deem more secure.

These are good ideas, but we should note that #1 and #2 above would not protect you from attack unless VNC was not accepting connections from outside SSH or VPN.

You must set the RealVNC server to "Only accept connections from the local machine":

http://www.realvnc.com/products/free/4.1/winvnc.html

Then use SSH port forwarding in combination with that so that an attacker would have to connect by SSH to get access to VNC.

Otherwise, your use of SSH would have protected you from snooping, but it did not protect you from the major vulnerability that was discovered last month.

Mike
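One way to verify the setting described in the message above, as an added example that is not part of the original post or RealVNC's own tooling: parse the machine's listener table and flag any VNC port bound to something other than loopback. The netstat captures are constructed, and the 5900-5999 port range (display N on 5900 + N) and function names are assumptions.

```python
import ipaddress

# Constructed listener tables (not from the thread). Windows `netstat -an`
# and Linux `netstat -ltn` put the local address in different columns.
WINDOWS_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:5900        198.51.100.9:51312     ESTABLISHED
"""
LINUX_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::5902                 :::*                    LISTEN
tcp6       0      0 ::1:5903                :::*                    LISTEN
"""

VNC_PORTS = range(5900, 6000)  # assumption: display N listens on 5900 + N


def is_loopback(host):
    """True only when host is a literal loopback address."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # "*" or a hostname: not provably local, so report it


def vnc_listeners(netstat_text):
    """Return (local_address, port, loopback_only) for listening VNC ports."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue  # header lines and established connections
        # The first field containing ':' is the local address in both formats.
        local = next((f for f in fields if ":" in f), None)
        if local is None:
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in VNC_PORTS:
            found.append((local, int(port), is_loopback(host)))
    return found


def exposed_vnc(netstat_text):
    """Listeners reachable without going through the SSH or VPN tunnel."""
    return [local for local, _, lo in vnc_listeners(netstat_text) if not lo]


if __name__ == "__main__":
    # With loopback-only listeners, access goes through a forward such as:
    #   ssh -L 5900:localhost:5900 user@host
    for name, text in (("windows", WINDOWS_NETSTAT), ("linux", LINUX_NETSTAT)):
        print(name, exposed_vnc(text) or "loopback only")
```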
Re: vnc security flaw?
On Tuesday 06 June 2006 16:40, Dave Dyer wrote:
>>> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.
>>
>> This one is never going to happen for countless reasons. No company will make your box secure if you won't.
>
> Why do you think it will never happen? I think it's inevitable. I pay for virus protection; there's real money to be made providing a better service.

I think that very statement shows a complete misunderstanding of the nature of fighting viruses and malware. It's not going to happen because it's not possible.

Face it, if you want to keep your computer secure and you keep it hooked up to the Internet, the bottom line is that the security of your system is your responsibility. THAT IS FACT. You can either face that fact or face malware. It's up to you.

Hal
Re: vnc security flaw?
Jaroslaw Rafa wrote:
> Why? What is different in running a VNC server exposed to the Internet from running a SSH (or even a telnet!) server exposed to the Internet, for example? And there are many such servers out there... It's like any remote access service - you run it, if you need it. Of course, if you run such a service, you should be fully aware what you're doing.

Well, that's sort of what he's saying; I myself have three VNC'd computers constantly exposed to the Internet, BUT they're locked down inside the Hamachi network, with three medium-strength passwords between them and the world.

And additionally, VNC was not initially designed for security -- I mean, you do now have the 1024-bit cipher or whatever it is now -- but SSH, like the name implies, was created to be secure. It's like trying to use a bicycle pump on your car tires -- it'll work, but that's not what it was intended to do.
Re: Re: vnc security flaw?
As a newbie to all of this, I just want to say that I really appreciate this discussion and have learned quite a bit (It's been quite entertaining as well). I downloaded the free version of RealVNC but I have decided to upgrade and purchase it so that I can receive the proper support and learn as much as I can to minimize any security threats.

Thanks everyone.

Glenda Harris

From: Hal Vaughan [EMAIL PROTECTED]
Date: 2006/06/06 Tue PM 02:13:51 EDT
To: vnc-list@realvnc.com
Subject: Re: vnc security flaw?

> On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
>> It's really not realistic or reasonable to expect every PC user to be their own ever-vigilant security expert.
>
> Yes and no. It depends on how important security is to you. As pointed out, the flaw was posted on this list. I find that just reading Slashdot (http://slashdot.org) is enough to keep me informed of security issues when I need to know about them. I also use Debian Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which means a program has to be really stable to be finally classified as eligible for the Stable branch. That means most of the security problems are gone by then. In addition, a one line cron job (for the uninformed, cron is easily configured to run programs at any time) updates my system every night, getting only security fixes and needed updates.
>
> While you probably use different methods for safety, my point is that I use a system that is known for secure updates and other issues are easily flagged on Slashdot, which is one site. There are better sites for security issues, but I'm just giving one example.
>
>> I try to keep up on these things, and I had barely noticed. I doubt that 10% of VNC users read either slashdot or vnc-list, much less never miss anything important there.
>
> I noticed it was blasted all over any news source that keeps track of open source software. Were you actually keeping up with any news?
>
> Guess what? Software has flaws. I doubt there is a single piece of published software without bugs and without security flaws that will be discovered one day. If you use it, it is up to you to keep up with that. For example, if you use Windows, there are frequent serious issues. Some users ignore the situation. (They're the ones with so much malware they can barely use their computers.) Some users get automatic updates, but this is risky because sometimes Windows updates hose the system. Then there are the aware users that know that for safety, they need to keep up with all the security issues and that many times there are 3rd party patches/fixes out before MS issues fixes.
>
>> Two things that occur to me that ought to have happened, which might have increased the visibility.
>>
>> 1) vnc should maintain its own list, reserved for security flash alerts only, and strongly encourage anyone who installs vnc to sign up.
>>
>> 2) word should have been passed to Norton, McAfee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.
>
> Symantec and the other companies keep up with this stuff. Personally, I don't use them, since I use other security measures (and wouldn't be caught dead using Windows, other than testing my software for my clients). They know about it when exploits are published, and this one was published through all or most (that I saw) appropriate channels.
>
> As I said, I don't use Symantec or McAfee products, but I'm not sure that they can protect from issues like this. They can watch for malware and viruses, and will watch for whatever is in their definitions, but I don't think they go out of their way to protect you from flaws in other programs. With that in consideration, any malware known to attack RealVNC or other programs would end up in their database as soon as possible and would be downloaded to your system with your next regular update. (You do update daily, don't you?)
>
> I'm not trying to be a pain, but, in the long run, the security of your computer is YOUR responsibility. Maybe this will help, in the long run, by alerting you to the fact that you do have to find ways to ensure your systems' safety.
>
> Hal
Re: vnc security flaw?
[__ __] wrote:
> Dave Dyer wrote:
>> Why do you think it will never happen? I think it's inevitable. I pay for virus protection; there's real money to be made providing a better service.
>
> I don't think you can, by any means, compare your proposition to an antivirus solution. The complexities of protecting a person from protecting their own ignorance, not in a demeaning sense, are so multifaceted. It would literally be impossible to stay on top of every single threat, and to cross-network all that information.

Hm... exploiting this vulnerability is a well-defined form of attack that can (and probably will) be included in databases used by IDS'es. I think that is the key point of the Norton, McAfee etc. proposition - to put this attack into such a database.

The problem for the author of this proposition is that these Norton, McAfee etc. products are not - and probably never will be - IDS'es (Intrusion Detection Systems). They are in fact very simple tools - they search for known signatures of specific malware (virus/trojan/spyware) files and connection attempts from/to known blacklisted Internet addresses. They can also block specific ports and/or applications from Internet access, providing you a firewall functionality (again, this is a very simple firewall - I'm not sure if it's even stateful, or is it only a simple packet filter). However, realtime analysis of incoming packets and detection of possible attack patterns is far beyond their capabilities.

If you want a real IDS, think about spending ten or twenty times the amount of money you are currently paying for anti-virus protection. Maybe such a device (since it's almost always a separate piece of hardware, not simply an application you can install on your computer) will protect you from similar vulnerabilities instantly from the moment they become known (and - of course - are included in the database, and pushed by the manufacturer to all devices).

Regards,
Jaroslaw Rafa [EMAIL PROTECTED]
Re: vnc security flaw?
Last night, while inactive and unattended, my machine picked up a trojan of the firefly family of remote control trojans.

http://www.sophos.com/virusinfo/analyses/trojfireflyb.html

Since the trojan's init file contained my vnc server password, I suspect that vnc was somehow related to the event. I was running 4.1.1 free edition.
Re: vnc security flaw?
I let my Norton expire for a few days, and noticed in my event viewer a number of connections to VNC from various other countries. However, I didn't notice the icon turning black as it would in a connection mode. So I was wondering if I am being connected to, via some trojan. I did a scan today after updating Norton and found one trojan and one or two other website deposited remote access files.

Anyone ever see connection instances in their event logs?

----- Original Message -----
From: Dave Dyer [EMAIL PROTECTED]
To: vnc-list@realvnc.com
Sent: Monday, June 05, 2006 3:37 PM
Subject: Re: vnc security flaw?

Last night, while inactive and unattended, my machine picked up a trojan of the firefly family of remote control trojans.

http://www.sophos.com/virusinfo/analyses/trojfireflyb.html

Since the trojan's init file contained my vnc server password, I suspect that vnc was somehow related to the event. I was running 4.1.1 free edition.
Re: vnc security flaw?
Darkman wrote:
> I let my norton expire for a few days, and noticed in my event viewer a number of connections to VNC from various other countries. However, I didn't notice the icon turning black as it would in a connection mode, so I was wondering if I am being connected to, via some trojan. I did a scan today after updating norton and found one trojan and one or two other website deposited remote access files.
>
> Anyone ever see connection instances in their event logs?
>
> - Original Message -
> From: Dave Dyer [EMAIL PROTECTED]
> To: vnc-list@realvnc.com
> Sent: Monday, June 05, 2006 3:37 PM
> Subject: Re: vnc security flaw?
>
> Last night, while inactive and unattended, my machine picked up a trojan of the firefly family of remote control trojans.
>
> http://www.sophos.com/virusinfo/analyses/trojfireflyb.html
>
> Since the trojan's init file contained my vnc server password, I suspect that vnc was somehow related to the event. I was running 4.1.1 free edition.

Both of you need to keep up on your software -- a new version was recently released to solve severe security flaw in the v4.x line. The trojans you got obviously exploited this flaw.
Re: vnc security flaw?
> Both of you need to keep up on your software -- a new version was recently released to solve severe security flaw in the v4.x line. The trojans you got obviously exploited this flaw.

I can't argue with that, but this security flaw and the need for updating didn't get a lot of airplay. I'm just trying to raise the level of awareness - that it's not just a theoretical vulnerability - it's being actively exploited.
Re: vnc security flaw?
Dave,

The fix was posted next day after the flaw was discovered. At that time there were no exploits or they were not prevalent. I am not so sure what VNC team could do to better inform people. Discovery of flaw was published on slashdot and this list. I am not trying to tell that this is your fault but just wondering what do you want VNC team to do.

IMHO running VNC server exposed to the Internet is a bad idea in the first place.

Regards,
Alex

Dave Dyer wrote:
> > Both of you need to keep up on your software -- a new version was recently released to solve severe security flaw in the v4.x line. The trojans you got obviously exploited this flaw.
>
> I can't argue with that, but this security flaw and the need for updating didn't get a lot of airplay. I'm just trying to raise the level of awareness - that it's not just a theoretical vulnerability - it's being actively exploited.
Re: vnc security flaw?
It's really not realistic or reasonable to expect every PC user to be their own ever-vigilant security expert. I try to keep up on these things, and I had barely noticed. I doubt that 10% of VNC users read either slashdot or vnc-list, much less never miss anything important there.

Two things that occur to me that ought to have happened, which might have increased the visibility.

1) vnc should maintain its own list, reserved for security flash alerts only, and strongly encourage anyone who installs vnc to sign up.

2) word should have been passed to norton, mcafee, etc so they could target vulnerable versions of vnc on behalf of their customers. I don't know if this mechanism exists, but it ought to.
Re: VNC security patches
James Weatherall wrote:
> Some important security patches have been made to VNC server software. We strongly recommend that users of VNC 4 series servers upgrade as soon as possible.
>
> http://www.realvnc.com/upgrade.html

Where's the source? Coming soon I hope? (:

--
Rex
Re: vnc security
Is there a good FAQ or HOWTO on ssh with vnc? What is the url?

Thanks

- Original Message -
From: John Aldrich [EMAIL PROTECTED]
To: '-Paul' [EMAIL PROTECTED]; vnc-list@realvnc.com
Sent: Tuesday, May 09, 2006 1:00 PM
Subject: RE: vnc security

-Paul wrote on :
> When I loaded the realvnc onto my WinME computer I got an additional warning about security that I didn't get on my WinXP computers. Something about the passwords not being secure? A potential intruder would still have to type my password correctly to gain entry thru the 5902 port (the port I used) wouldn't they? If it's a bunch of random letters and numbers wouldn't that still be kind of difficult?
>
> I suppose I could check the box that says the local user will be prompted to allow the connection. That would mean I couldn't access that computer unless someone was there, but if that improves security, that would be a reasonable tradeoff.

Paul: If you're really wanting to increase security, you should go with some sort of encryption, either through tunnelling through SSH or using Personal/Enterprise version of RealVNC which has encryption built-in.

That being said, what the warning is really saying is that, theoretically, someone could decrypt the password if they had access to the local console. On the other hand, if they've got access to the local console, you've got more important security problems than someone being able to decrypt the scrambled password. :-)
Re: vnc security
google is your friend (maybe if they don't cooperate with federal government too much.)

Regards,
Alex

Eric wrote:
> Is there a good FAQ or HOWTO on ssh with vnc? What is the url?
>
> Thanks
>
> - Original Message -
> From: John Aldrich [EMAIL PROTECTED]
> To: '-Paul' [EMAIL PROTECTED]; vnc-list@realvnc.com
> Sent: Tuesday, May 09, 2006 1:00 PM
> Subject: RE: vnc security
>
> -Paul wrote on :
> > When I loaded the realvnc onto my WinME computer I got an additional warning about security that I didn't get on my WinXP computers. Something about the passwords not being secure? A potential intruder would still have to type my password correctly to gain entry thru the 5902 port (the port I used) wouldn't they? If it's a bunch of random letters and numbers wouldn't that still be kind of difficult?
> >
> > I suppose I could check the box that says the local user will be prompted to allow the connection. That would mean I couldn't access that computer unless someone was there, but if that improves security, that would be a reasonable tradeoff.
>
> Paul: If you're really wanting to increase security, you should go with some sort of encryption, either through tunnelling through SSH or using Personal/Enterprise version of RealVNC which has encryption built-in.
>
> That being said, what the warning is really saying is that, theoretically, someone could decrypt the password if they had access to the local console. On the other hand, if they've got access to the local console, you've got more important security problems than someone being able to decrypt the scrambled password. :-)
RE: vnc security
Hi Paul,

The message indicates that the password cannot be stored securely under Windows 95/98/Me systems. If you're using VNC Password Authentication, then the password is stored in an obfuscated format in the computer's registry, and any program that has access to the registry could in principle just read the password straight out of it - they wouldn't need to crack it.

On Windows NT4/2K/XP, etc, the password is stored with appropriate permissions set, to avoid this issue.

Cheers,

Wez @ RealVNC Ltd.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of -Paul
Sent: 09 May 2006 20:09
To: John Aldrich
Cc: vnc-list@realvnc.com
Subject: Re: vnc security

John Aldrich wrote:
> That being said, what the warning is really saying is that, theoretically, someone could decrypt the password if they had access to the local console. On the other hand, if they've got access to the local console, you've got more important security problems than someone being able to decrypt the scrambled password. :-)

Ok, thanks for clarifying that for me. I'm less worried about that. I think if someone broke into my house they would more likely just carry off all my computers rather than sit there and see if they can figure out how to crack the password to access my local network.

~Paul
RE: vnc security
-Paul wrote on :
> When I loaded the realvnc onto my WinME computer I got an additional warning about security that I didn't get on my WinXP computers. Something about the passwords not being secure? A potential intruder would still have to type my password correctly to gain entry thru the 5902 port (the port I used) wouldn't they? If it's a bunch of random letters and numbers wouldn't that still be kind of difficult?
>
> I suppose I could check the box that says the local user will be prompted to allow the connection. That would mean I couldn't access that computer unless someone was there, but if that improves security, that would be a reasonable tradeoff.

Paul: If you're really wanting to increase security, you should go with some sort of encryption, either through tunnelling through SSH or using Personal/Enterprise version of RealVNC which has encryption built-in.

That being said, what the warning is really saying is that, theoretically, someone could decrypt the password if they had access to the local console. On the other hand, if they've got access to the local console, you've got more important security problems than someone being able to decrypt the scrambled password. :-)
Re: vnc security
John Aldrich wrote:
> That being said, what the warning is really saying is that, theoretically, someone could decrypt the password if they had access to the local console. On the other hand, if they've got access to the local console, you've got more important security problems than someone being able to decrypt the scrambled password. :-)

Ok, thanks for clarifying that for me. I'm less worried about that. I think if someone broke into my house they would more likely just carry off all my computers rather than sit there and see if they can figure out how to crack the password to access my local network.

~Paul
Re: VNC Security and Privacy
You can have view only clients (e.g. a demo) or possibly someone is just showing you something but you may have left your password stored in the clipboard. (not that I store my passwords somewhere where I can cut and paste them ;)

--Angelo

On 8/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I hope this does not get mailed more than once, had a wee problem with my registered address.
>
> I am curious, the documentation from the VNC page has the following;
>
> Send clipboard updates to clients
> SendCutText=true/false
> This option, if unticked, prevents the VNC Server from informing clients of changes to its local clipboard contents. This can be useful when untrusted clients are to be allowed to connect to the VNC Server, since it prevents any private data being accidentally leaked via the clipboard.
>
> The above refers to untrusted clients connecting to the server, why would you allow an untrusted client to connect anyway.
>
> Geoff Lane
> Welwyn Hatfield Computer Club
> www.whcc.co.uk http://www.whcc.co.uk
Re: VNC security
In message [EMAIL PROTECTED], mbrown [EMAIL PROTECTED] writes
> We are behind a firewall, but want to get VNC to allow consultants we trust to have remote access to our computers (and vice versa). Past posts to this list convinced me that opening a port in the firewall for specific users is a secure activity, but our IT guys are now saying that it doesn't necessarily protect our systems from worms or viruses that may already inhabit the trusted user's computers.

That's correct, in that if there was a weakness in VNC it could be exploited through the open port. There are ways of reducing the risk though.

The firewall can be configured to only forward packets coming from a specific IP address. That limits the risk. Anyone probing the port from a different address wouldn't be able to tell that there was a VNC server there. To find that out they would need to sniff all of the network traffic to see what addresses were in use. If they succeeded in doing that they would also harvest the password.

Alternatively it's possible to configure VNC to only accept connections from localhost. This requires a VPN to be set up between the remote and local machines. That can use any type of encryption your IT guys think is required. Even if the blackhats sniff the network traffic it won't get them in. As a former IT guy I prefer this approach.

But you also have to decide whether your IT guy's objection is just a subtle way of saying we're busy, and we have better things to do with our time. If that's so then you need to establish a compelling business case that justifies the extra effort required to configure and maintain a link. If you can't do that then expect the next objection from the IT guys to be less subtle. Bear in mind that every extra service across the firewall increases the risk to a greater or lesser degree, and they are the ones that get the pink slip if it goes wrong.

> Does anyone have a response to this? It seems logical.
> Would we want to require that any remote user that traverses our firewall via VNC have an acceptable virus scan before doing so? Are there particular VNC products that would be best for both us and our clients? Can our clients use the free version?

The free version will work over a VPN. If you are going to set up a VPN then your IT guys should talk to their IT guys and make sure that both sides can trust each other's security precautions.
RE: VNC security
Mike,

Neither worms nor viruses can propagate via a VNC connection, since the protocol contains no scripting or executable elements.

The main issues with opening a firewall to allow VNC access are to do with session snooping, tampering and impersonation attacks, which are pretty rare. VNC Enterprise and Personal Editions (http://www.realvnc.com) have in-built security to protect from such attacks, or you can tunnel your VNC connections via a secondary protocol such as SSH.

Regards,

Wez @ RealVNC Ltd.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mbrown
Sent: 16 August 2005 20:04
To: vnc-list@realvnc.com
Subject: VNC security

We are behind a firewall, but want to get VNC to allow consultants we trust to have remote access to our computers (and vice versa). Past posts to this list convinced me that opening a port in the firewall for specific users is a secure activity, but our IT guys are now saying that it doesn't necessarily protect our systems from worms or viruses that may already inhabit the trusted user's computers.

Does anyone have a response to this? It seems logical. Would we want to require that any remote user that traverses our firewall via VNC have an acceptable virus scan before doing so? Are there particular VNC products that would be best for both us and our clients? Can our clients use the free version?

Mike Brown
Salt Lake City
RE: VNC security
Bernard et al,

> > specific users is a secure activity, but our IT guys are now saying that it doesn't necessarily protect our systems from worms or viruses that may already inhabit the trusted user's computers.
>
> That's correct, in that if there was a weakness in VNC it could be exploited through the open port.

No, it isn't. They are talking about viruses/worms propagating, which is not possible via the RFB protocol.

> VNC server there. To find that out they would need to sniff all of the network traffic to see what addresses were in use. If they succeeded in doing that they would also harvest the password.

This is not true. The authentication scheme used by VNC Free Edition uses a challenge-response protocol to protect the password. Session data is not protected, however, unless you use VNC Personal or Enterprise Edition at both ends.

Regards,

Wez @ RealVNC Ltd.
RE: VNC security
Bernard,

> Alternatively it's possible to configure VNC to only accept connections from localhost. This requires a VPN to be set up between the remote and local machines. That can use any type of encryption your IT guys think is required. Even if the blackhats sniff the network traffic it won't get them in. As a former IT guy I prefer this approach.

You would configure VNC to accept connections only from localhost if you were tunnelling via something like SSH, not when accessing systems via a VPN.

A VPN will typically appear to the two computers as a distinct network interface, through which the other computer is accessible. This is *precisely* the sort of configuration that Mike *doesn't* want, since it means that the two computers are effectively then exposed to each other directly, and viruses can easily propagate using security loop-holes such as those often found in Windows File Sharing.

Regards,

Wez @ RealVNC Ltd.
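One way to check the localhost-only setup described in the message above before relying on an SSH tunnel, as an added example that is not part of the original thread: it parses `ss -ltn` output from a Linux host and reports VNC listeners bound to anything other than loopback. The 5900-5999 port range and the sample output are assumptions constructed for illustration.

```python
"""Flag VNC listeners that are reachable from outside the host."""
import ipaddress

# Assumption: VNC displays :0-:99 listen on TCP 5900-5999
# (the thread mentions a server on port 5902).
VNC_PORTS = range(5900, 6000)

# Constructed sample of `ss -ltn` output; not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port
LISTEN  0       128     0.0.0.0:22            0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901        0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902          0.0.0.0:*
LISTEN  0       5       [::1]:5900            [::]:*
LISTEN  0       5       *:5903                *:*
LISTEN  0       5       192.0.2.10%eth0:5904  0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' as printed by ss, handling [v6] and %iface forms."""
    host, _, port = endpoint.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")
    return host, port


def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host in ("", "*"):
        return False  # wildcard bind: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed


def exposed_vnc_listeners(ss_output):
    """Return (host, port) for each VNC-range listener not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, port = split_endpoint(fields[3])
        if not port.isdigit() or int(port) not in VNC_PORTS:
            continue
        if not is_loopback(host):
            findings.append((host, int(port)))
    return findings


if __name__ == "__main__":
    for host, port in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"VNC port {port} is bound to {host}, not loopback only")
```

An empty result means every VNC-range listener is loopback-only, which is the state the server should be in when all access goes through an SSH tunnel.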
Re: VNC security
Mike:

Heya; fortunately, your IT guys are wrong about this. VNC is simply a remote desktop application, not a Virtual Private Network application. Unlike the latter (in which a remote PC does traverse your firewall and effectively becomes part of the LAN), a remote desktop connection cannot be used to transfer viruses, worms or other malware from the Viewer to the Server PC.

Of course, once someone has remote control of your PC, they can easily/mistakenly cause viruses or malware to become installed -- just like any other other -- but that's the whole point of having good anti-virus software on the PC to begin with.

Lastly, VNC does allow you to restrict connections, so that they will only be accepted from specific Internet addresses. If you always know where allowed connections come from, you can use this capability to control access more securely. All versions of VNC support this capability, even the free ones.

hope that helps,
Scott

> We are behind a firewall, but want to get VNC to allow consultants we trust to have remote access to our computers (and vice versa). Past posts to this list convinced me that opening a port in the firewall for specific users is a secure activity, but our IT guys are now saying that it doesn't necessarily protect our systems from worms or viruses that may already inhabit the trusted user's computers.
>
> Does anyone have a response to this? It seems logical. Would we want to require that any remote user that traverses our firewall via VNC have an acceptable virus scan before doing so? Are there particular VNC products that would be best for both us and our clients? Can our clients use the free version?
RE: VNC Security
A while back, we had a pretty long running and informative thread on VNC security. The only VNC that had real encryption built in was the Enterprise version of RealVNC. UltraVNC had a DSM plug-in but it was pretty nasty to get working and was suffering from compatibility problems. On top of that, it was very difficult to deploy the UltraVNC encryption remotely.

I believe that the solution to this on the Windows side is in the new version of VNCScan at http://www.vncscan.com. While I believe that this version of VNC Scan makes UltraVNC encryption very easy to deploy and use, I'd like to fire up this debate again to see if the ease of encryption changes anyone's view on the security of VNC.

I would also like to know if there are any security concerns with the UltraVNC DSM plug-in. Is the encryption with this method considered as secure to you as, say, running VNC through an SSH tunnel?

Just for the record, I don't want to take any credit for the UltraVNC encryption. The people working on the open source UltraVNC are awesome and they deserve a huge pat on the back for this plug-in. The contribution that is made with VNC Scan is to make the plug-in very easy to deploy and use. :)

The scenario that I'd like to see people test against would be a Windows XP or Windows 2000 computer running UltraVNC 1.0.0 server using MS Windows authentication for VNC and employing the UltraVNC encryption. If you choose to use VNC Scan to deploy this, these are simply check boxes in the deployment wizard.

I am very interested in hearing if any security concerns are still out there despite this new encryption scheme.

Thank you!

Steve Bostedor
http://www.vncscan.com
The Leader in VNC and Terminal Server Management
RE: VNC security, and can free VNC connect to paid VNC?
Mike,

> Question: If we buy the VNC version that is advertised as more secure, will it really be more secure?

Yes.

Wez @ RealVNC Ltd.
RE: VNC security, and can free VNC connect to paid VNC?
On Fri, 27 May 2005, Erik Soderquist wrote:
> > To be clear, the VNC viewer that uses encryption is free, but you cannot use the older viewer.
>
> not according to realvnc's web page:
> http://www.realvnc.com/products/features.html
> according to that, the free one does not include encryption

I don't see any information about the viewer on that page. The viewer for the Enterprise and Personal editions is freely available. Just download the trial version of Enterprise and keep the viewer. That's what I have done and I have not paid for it. I use it with both old and new (free and paid) versions of the server and it works great.

Go here...

http://www.realvnc.com/cgi-bin/download.cgi

...click Proceed to Downloads (you don't have to enter Your Details every time). Note that the first few entries on the next page require licenses (those are the servers) but the *viewers* do not require licenses. There are versions for Windows, Solaris 7, HP/UX, and Linux.

I'm not sure of how the Windows Enterprise Edition Viewer differs from the Windows Personal Edition Viewer. I would guess that the Enterprise viewer works for both types of servers, but wouldn't mind hearing from the development team on that!

Mike
RE: VNC security, and can free VNC connect to paid VNC?
that will depend entirely on your security settings on the vnc server side. if you set the server side to require encryption, clients that don't support encryption (free edition) will fail to connect.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mbrown
Sent: Thursday, May 26, 2005 12:21
To: vnc-list@realvnc.com
Subject: VNC security, and can free VNC connect to paid VNC?

We've used the free VNC for awhile to view machines outside our office, but our IT guys are too nervous about punching through our firewall to allow others to view our machines. I think they're too cautious.

Question: If we buy the VNC version that is advertised as more secure, will it really be more secure?

Also, can others who have the free VNC use it to connect to our paid VNC server?

Thanks,

Mike Brown
Salt Lake
RE: VNC security, and can free VNC connect to paid VNC?
> We've used the free VNC for awhile to view machines outside our office, but our IT guys are too nervous about punching through our firewall to allow others to view our machines. I think they're too cautious.
>
> Question: If we buy the VNC version that is advertised as more secure, will it really be more secure?
>
> Also, can others who have the free VNC use it to connect to our paid VNC server?

On Thu, 26 May 2005, Erik Soderquist wrote:
> that will depend entirely on your security settings on the vnc server side. if you set the server side to require encryption, clients that don't support encryption (free edition) will fail to connect.

To be clear, the VNC viewer that uses encryption is free, but you cannot use the older viewer.

To answer the other question, yes, the secure versions of VNC use strong encryption and are secure.

Mike
RE: VNC Security
if the VNC data is unencrypted, *any* password you type during the session (domain admin to update drivers for example) is also sent unencrypted. and the attacker would not likely be some random hacker, but rather someone who is targeting the company already. it isn't that difficult to connect sniffing hardware to say the T1 line to look for weak points. after a few days surveillance, everything unencrypted is then captured and analyzed for login/password information. it isn't so much low hanging fruit as it is simply a chink in the armor that can be exploited. the fewer chinks the better.

as to odds, here is a more common example of overblown paranoia surrounding a real possibility (the last time I checked this was a while ago, it may have shifted some): due to the technological differences, it is far more likely that someone will steal your credit card number by eavesdropping on an order placed by phone than by someone sniffing it from an unencrypted internet transaction. please note this only examines an actual sniffing attack. phishing and spyware are not examined in this.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Bostedor
Sent: Tuesday, April 19, 2005 20:57
To: [EMAIL PROTECTED]
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: RE: VNC Security

Thank you for the reply, Alexander. I understand exactly what you're trying to say. I'm not sure if you fully understand what I was saying and it's probably my fault for not making it clear enough.

You seemed to concentrate on how easy it is to do things with the VNC packets once you've sniffed the packets. You say that you've sniffed the packets before but have you ever sniffed packets from a network outside of your own LAN? How about on your LAN but on another switch port?

What I was trying to discuss is how real the threat is that someone outside of your network will actually get to sniff enough of and the correct sequence of your packets to do the things that you were able to do by sniffing the packets on your local segment. You're basically breaking into your own house by using your own keys in the scenario that you provided.

How realistic is it for someone in India to sniff my packets going from a server in Detroit, MI to a server in Jackson, MI? How realistic is it for him to actually get usable data? It's easy to say that if there's a way into your network, you're insecure but there's a way into your house .. is your house insecure? Is VNC really the low hanging fruit in my scenario.

I know that you all are very specific and technical, so I'll spell out an exact scenario which happens to be the most common usage of VNC in companies.

* John Doe is getting an error message on his computer and calls the help desk a city away for help.
* Helpdesk tells John to double-click on the VNC icon on his desktop that starts the server
* Helpdesk connects to Johns computer and takes about 10 minutes to resolve the problem
* Helpdesk person kills the VNC server on the remote computer and the connection is terminated

---

I understand that Security is very important but it's also very important to not go Barney Fife and start drawing the gun on everything that moves if you get what I mean. What are the odds that some guy in Florida is going to sniff that 10 minute session and get into the network? My answer is 1 in at least 10 million.

The guy in Florida would have to have already compromised a computer on either of the networks that happened to be plugged into a HUB (Not a switch) that either of the computers are plugged into ~OR~ he would have had to hack one of the routers close to either one of them to send packets to him as a man in the middle attack of sorts. Both of these are a bit extreme for VNC data theft, don't you think?

If you do all of that, isn't there a bunch of much bigger prizes at your fingertips than VNC data?! Now are you starting to see what I'm saying? The successful exploits that must be done to get someone's VNC packet stream would land you access to things far greater than just the VNC data and who would waste the time with VNC data at that point? Go for the gold, you're already in someplace pretty good at that point.

The only EASY way that I know of to sniff someone's packets are to either be on a hub with the remote computers or to have a Trojan on one of the computers. Does someone know of an easy way other than that? Easier than just hacking into the company other ways that do not involve VNC?

- Steve

-Original Message-
From: Alexander Bolante [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 6:25 PM
To: Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: Re: VNC Security

IMHO NOTE: For obvious reasons that VNC provides remote access to your machine, Security is key (period). I'm assuming this thread does NOT pertain to your COMPANY LAN, because if it does, the answer
RE: VNC Security
alternative method: you have listening viewer available to the internet when helping someone, someone installs VNC (in 3.3.7 if you don't put a password in, it refuses incoming connections) and adds you as a client. no VNC password is even needed at that point, and the server is never exposed to the internet if it is behind a NAT router. (also saves the port forwarding troubles) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Bruce - softwareAB Sent: Monday, April 25, 2005 19:47 To: Mike Miller Cc: Steve Bostedor; security-basics@securityfocus.com; VNC List Subject: Re: VNC Security First--I believe we're talking apples and oranges. VNC is not an appropriate solution for a true corporate network unless a firewall and a secure link is available (and even then is dodgy). My scenario is this: a. Random user in cyberspace has a problem. b. User installs VNC under direction of tech support: i. strong password ii. not installed as service iii. temporary port forwarding only c. User allows remote person to login, generally for 20-30 mins. d. User stops VNC server process and disables port forwarding My point was that, for all practical purposes, this scenario has zero risk. Let's talk about what happens if an attacker does happen to be watching data packets and does manage to break the password during that session: 1. The attacker is still subject to limitations of the VNC data protocol. For the attacker to gain real hidden control, he would have to have the VNC server software accept his own third-party program via remote copy and execute. 2. Unless the attacker had that type of attack, he would have access only to mucking with the primary (zero) desktop in Windows, so no danger of a hidden desktop there. (VNC simply doesn't support anything other than primary desktop, as my remote users with Fast User Switching have found to their chagrin.) 
To take control of the situation, the hijacker would have to send keyboard/mouse commands to that desktop to activate some process during the hijack process. Therefore, I most certainly would notice it. The only exception is if the attacker simply mucked with the Windows registry, perhaps to navigate to a tainted Web site upon next login. That's a larger issue than whether VNC is secure. 3. As stated above, I explicitly instruct my users not to install VNC as a service, and then to stop the server process when we're done (and then turn off port forwarding). So, even if the attacker did get into the machine and cause a password reset--it won't help. The VNC service won't be running when the user next boots the machine. And if it was running, the port forwarding and Windows firewall would prevent the attacker from getting access to it again. Only Wez and the user community can let me know if there are any security flaws in VNC that allow the remote system to execute physical programs simply based on passed data packets commands. I was under the impression that the only way that the VNC client executes programs is by sending keystrokes/mouse clicks to the remote system. (In other words, no type of exec function built into the protocol.) Therefore, the VNC server itself isn't ever executing any software via API calls--instead, VNC simply passes keyboard/mouse input to the OS and it's the OS that does the execution. And the user is watching the desktop on at least one side of the connection. So--while the effort to trap/break in to a VNC server may be well worth the effort for a corporate network with access to a rich mine of data, in my example it doesn't apply. Andy Mike Miller wrote: On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote: I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a.
Somebody is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! I don't know if it is possible to crack the VNC password, but I don't agree that you would necessarily notice this on both ends. If the attacker were to log into the session when you weren't using it, he could then make some changes to your system (for Windows) that would allow him more access to your machine later. If you were using Windows he could start up another VNC desktop that you might not notice, and he could use a different password if he wanted to (by copying the vnc password file, changing the password, and copying it back). I hope that it is hard to crack the passwords. I think it is hard to do it but I'd like to hear more about that. Mike ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman
Re: VNC Security
---BEGIN CUT--- In all of these scenarios, you do the setup beforehand. All of these scenarios are easily installed, and configured as a tech, and are as simple as 1-3 clicks for a user, no config, because everything (ssh keys, vpn preshared keys, etc) are all saved and stored in advance. A moment of setup in advance saves you hours of support later. ---END CUT--- I couldn't agree more. However, in my case I don't have access to these remote users' PCs. They don't work for me or any particular company. In the usual case, they call in with a problem out of the blue. Sometimes I can help them without logging in. Sometimes I can't. For our internal boxes, I happen to use either the full Cygwin package or at least openssh for the users I work with. Then they just open port 22 (I normally don't want them to keep even that open) and I login and get work done. While I wouldn't call getting an SSH daemon setup on windows *correctly* a moment (google sshd problems windows for why...) it's well worth the effort. Public/private keys are even better. It's just that in many situations it's not possible to do the setup beforehand. Regards, Andy
Re: VNC Security
On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote: I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a. Somebody is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! I don't know if it is possible to crack the VNC password, but I don't agree that you would necessarily notice this on both ends. If the attacker were to log into the session when you weren't using it, he could then make some changes to your system (for Windows) that would allow him more access to your machine later. If you were using Windows he could start up another VNC desktop that you might not notice, and he could use a different password if he wanted to (by copying the vnc password file, changing the password, and copying it back). I hope that it is hard to crack the passwords. I think it is hard to do it but I'd like to hear more about that. Mike
Re: VNC Security
First--I believe we're talking apples and oranges. VNC is not an appropriate solution for a true corporate network unless a firewall and a secure link is available (and even then is dodgy). My scenario is this: a. Random user in cyberspace has a problem. b. User installs VNC under direction of tech support: i. strong password ii. not installed as service iii. temporary port forwarding only c. User allows remote person to login, generally for 20-30 mins. d. User stops VNC server process and disables port forwarding My point was that, for all practical purposes, this scenario has zero risk. Let's talk about what happens if an attacker does happen to be watching data packets and does manage to break the password during that session: 1. The attacker is still subject to limitations of the VNC data protocol. For the attacker to gain real hidden control, he would have to have the VNC server software accept his own third-party program via remote copy and execute. 2. Unless the attacker had that type of attack, he would have access only to mucking with the primary (zero) desktop in Windows, so no danger of a hidden desktop there. (VNC simply doesn't support anything other than primary desktop, as my remote users with Fast User Switching have found to their chagrin.) To take control of the situation, the hijacker would have to send keyboard/mouse commands to that desktop to activate some process during the hijack process. Therefore, I most certainly would notice it. The only exception is if the attacker simply mucked with the Windows registry, perhaps to navigate to a tainted Web site upon next login. That's a larger issue than whether VNC is secure. 3. As stated above, I explicitly instruct my users not to install VNC as a service, and then to stop the server process when we're done (and then turn off port forwarding). So, even if the attacker did get into the machine and cause a password reset--it won't help. 
The VNC service won't be running when the user next boots the machine. And if it was running, the port forwarding and Windows firewall would prevent the attacker from getting access to it again. Only Wez and the user community can let me know if there are any security flaws in VNC that allow the remote system to execute physical programs simply based on passed data packets commands. I was under the impression that the only way that the VNC client executes programs is by sending keystrokes/mouse clicks to the remote system. (In other words, no type of exec function built into the protocol.) Therefore, the VNC server itself isn't ever executing any software via API calls--instead, VNC simply passes keyboard/mouse input to the OS and it's the OS that does the execution. And the user is watching the desktop on at least one side of the connection. So--while the effort to trap/break in to a VNC server may be well worth the effort for a corporate network with access to a rich mine of data, in my example it doesn't apply. Andy Mike Miller wrote: On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote: I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a. Somebody is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! I don't know if it is possible to crack the VNC password, but I don't agree that you would necessarily notice this on both ends. If the attacker were to log into the session when you weren't using it, he could then make some changes to your system (for Windows) that would allow him more access to your machine later.
If you were using Windows he could start up another VNC desktop that you might not notice, and he could use a different password if he wanted to (by copying the vnc password file, changing the password, and copying it back). I hope that it is hard to crack the passwords. I think it is hard to do it but I'd like to hear more about that. Mike
Re: VNC Security
On Mon, 25 Apr 2005, Mike Miller wrote: If you were using Windows he could start up another VNC desktop that you might not notice... Sorry -- I meant to say if you were using UNIX. I assume this would not be possible in Windows. Mike
RE: VNC Security
No, there is no built in encryption for the free VNC builds. UltraVNC attempts to use a DSM plug-in but it doesn't always work right. Lazy? Like not reading the response to Alexander? ;) You seem to be still operating under the same assumptions. -Original Message- From: Joshua Berry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 20, 2005 9:41 AM To: Steve Bostedor; Andy Bruce - softwareAB Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: RE: VNC Security Just because some people and applications perform things insecurely does not mean that you should or have to do so. VNC allows full GUI access to a box, FTP, POP3, IMAP, etc do not. And yes, I do not use FTP, I use SSH SFTP because it is secure. I would hope that people on a security mailing list attempt to do things more securely. This sounds like an issue of laziness, someone that doesn't want to take the extra step to ensure their (or customers) security. Where I work this would be a huge problem because of different regulations requiring data encryption. Besides, I believe that VNC has support for encryption now and if so there is definitely no reason to not utilize that support. -Original Message- From: Steve Bostedor [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 8:03 PM To: Joshua Berry; Andy Bruce - softwareAB Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: RE: VNC Security Joshua, Please see my reply to Alexander. It addresses some of what you said here. I disagree that VNC should be avoided completely, though. It's not THAT insecure! I will go out on a limb and say that about 90% of the pop3 users in the world use plain text passwords. Encrypted passwords aren't really that common and most ISP's don't require that home users encrypt their passwords. Do you use FTP? 
Maybe you triple encrypt your FTP data or just avoid FTP completely just like VNC, but I'll go out on a limb again and guess that at least 95% of FTP users in the world send the username and password in plain text and unencrypted. I'll also guess that at least 30% of them use the same username and password for their FTP account as they do for numerous other functions. Maybe even their encrypted Pop3 account. ;) The reply to Alexander explains my question further. -Original Message- From: Joshua Berry [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 6:43 PM To: Andy Bruce - softwareAB; Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: RE: VNC Security To the original poster: It is my *opinion* that using VNC should be avoided completely. The last time that I used VNC it only supported a password, and no user name. This leaves only the password to brute-force, considerably lessening the time needed to break in. Also, you are making the assumption that everyone uses plain text POP, I only use POP over SSL, IMAP over SSL or HTTPS to access my email. Also, this is not a good example because POP user accounts/passwords only give you someone's email, a VNC password will give you full access to the server/desktop it is running on. The passwords can be sniffed on your local network or they can be sniffed on the network that the server/desktop you are connecting to resides on. If this is a critical box, then now anyone that can sniff the network can also gain a login to this box to do whatever they want. I believe that VNC includes SSL or some other decent means of encryption now. To the first follow up poster: a. Somebody just needs to get the password in that 20 minute interchange, which is not too hard if they are only sniffing for X sessions. They can just dump that to a file and leave it running until it picks something up. Also, you can setup something to probe the box on that port, so the next time VNC is enabled they can login.
I am curious how you would notice someone sniffing the network? I only see this as being possible if the host was running linux/unix and forwarding their syslogs to you, so that you could see when a NIC entered promiscuous mode. Lastly: I have seen several VNC exploits available over the years, so this is just a whole new service that you are exposing to risk that you often don't need to (because if it is Linux you have SSH, and if it is a windows box you have Terminal Services) -Original Message- From: Andy Bruce - softwareAB [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 7:55 AM To: Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security This is a very interesting question to me. In my own case, I do have SSH setup thru Cygwin (http://www.cygwin.com/) for my local network and I use VNC thru that connection when I need to manage my own stuff remotely. However, I have to admit
Re: VNC Security
[In a message on Tue, 19 Apr 2005 21:14:50 EDT, Steve Bostedor wrote:] I am wondering why expose VNC over the internet in the first place, really. Exactly what I said. VNC should *NOT* be exposed to the internet. It's my opinion that VNC is really only good for LAN's. Why not use VPN to secure your connection to the remote network before starting VNC sessions? It's much easier to set up on a LAN where you need VNC access to 200 computers than setting up SSH over the Internet! Uh. . . OK, the REALLY nice thing about VNC is that it beats LBX (Low Bandwidth X) as a means of displaying applications remotely. In fact, having tried raw X, LBX, Serial Xpress, Timbuktu and VNC, I can safely say it is the BEST to use over 28K dialup lines. ;-) When you tunnel with SSH, you in effect are creating a VPN to your remote network, only without all the hassle of setting up VPNs. At OsCon this year, they apparently (accidentally?) blocked GRE traffic off the wireless network -- of the three people from my (ex) company, I was the only one who could still connect back to the office and fix things. :-) If you REALLY think it's easier to set up VNC to access 200 computers (insane, if you ask me. By the time you get to the high 10s of computers, you had really better have set up alternative administration mechanisms -- which is not to say that using VNC as a diagnostic tool on those same 200 machines isn't a good idea) than setting up an SSH tunnel, well, then, either you just have no experience with SSH or you didn't read the docs well enough. This too can be automated. :-) Of course, if you're implying I set up a VNC connection over SSH for each of 200 computers, yeah, you're right, that's insane. But VNC is MOSTLY good for spot-maintenance. If you want to graphically control 200 machines simultaneously, no, SSH isn't a good fit. I can concede that VNC data should be encrypted in some way when traveling the Internet but why do people set up VNC over SSH on local networks?
That really makes very little sense to me. If your network is so insecure that you're worried about your VNC traffic being hacked, you've got some pretty big problems! OK, let's look at this statement. You work for a large multinational organization, with REAL privacy concerns (HIPAA anyone? Banking? Sarbanes-Oxley?). You have people VNC'ing all over the place. And you have PC's indiscriminately running services on PC's acting as servers that really shouldn't be. Now you have PC's on server networks that can be hacked. You have people running sniffers on their desktops. You have basically *who knows what* between you and the VNC desktop you're controlling. Now, do you NEED encryption? No. Do you REALLY trust the routers and switches to not have their buffers fill up and start broadcasting all packets to every interface? If so, you drank Cisco's Kool-Aid(tm). Just like we completely phased out telnet and rsh (in favor of SSH), why not phase out non-encrypted VNC connections? Frankly, I have to admit, I REALLY don't understand why RealVNC hasn't added either a STARTTLS option to VNC, or otherwise added TLS as an option (OK, yeah, it's a certificate problem, but still, you could incorporate your own CA in your viewer). Basically, if 80% of intrusions come from inside your network (and they do, from your so-called trusted employees) why not do what you can to prevent over-the-wire attacks? It's cheap and easy. I connect to a network via VPN and others I connect using encrypted RDP sessions. Once I've made those connections, I can safely use VNC on the remote networks. Why waste all of this time with SSH on Windows computers all over the network when VPN and RDP is so easy to set up? Because some of us avoid Windows with a fervor you can only imagine. I don't (I have a mild aversion to Microsoft, though I abhor all forms of Windows). But I *DO* have to support Suns and Macs and a bunch of other things.
And screwing around with a VPN connection from my friend's Mac when I'm playing with my band on Tuesday night just doesn't cut it (Hey, dude, can I load this stupid Cisco VNC client on your Mac? Don't worry, it will only take 5 minutes to download, about 10 to set up, about 2 to do what I need, and another 10 or so to remove it). Typing ssh remotehost in the terminal cuts it. And, keep in mind, you can SSH to one host and forward to another. So, you don't need to set up SSH on a Windows computer (Putty on the client is all you need, if you're running Windows -- or, if you don't want that, try MindTerm -- works great from internet cafes ;-)). One unix box on the remote end, and you can connect to anything on the other side. :-) Note, I'm not trying to be snippy here. I know I might sound like it. It's just that I fought (and lost, which is why it's my *ex* company) for allowing SSH in remotely to my company. They idiotically expected every person to have a PC running Windows to connect remotely. I explained
Re: VNC Security
This is a very interesting question to me. In my own case, I do have SSH setup thru Cygwin (http://www.cygwin.com/) for my local network and I use VNC thru that connection when I need to manage my own stuff remotely. However, I have to admit that when I use VNC to aid remote clients (which happens quite frequently) I don't worry about encryption whatsoever. FWIW, here's my approach: 1. I don't even try to explain setting up an SSH daemon to them. I simply have them install the VNC server in user-mode and start it. 2. If I can't explain to them in 5 min or less how to do port forwarding, I just have them connect directly to their cable/dsl modem. 3. Get the debugging and/or support done. 4. Have them stop the VNC server. Since it isn't running as a service, it won't start up next time and so won't be a security risk. 5. Tell them to turn off port forwarding from the router (if they could grok it), or just have them connect their PC back to the router and their router back to the cable/dsl modem. In either case, 5900 isn't available to the outside world so there's no risk even if they were running VNC in service-mode. I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a. Somebody is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! b. I have never captured the data shared between client and server (screen/UI deltas) and so have no idea if these pose a security risk or not. c. While the VNC server is running and they are connected to the internet (port forwarding has the same problem as direct connect) a port sniffer detects that 5900 is available and immediately zooms in thru some VNC security hole. Wez would know a lot more about this possibility than me, though! Am I missing something here? 
Steve Bostedor wrote: I'd like to know if anyone has any working examples of why an unencrypted VNC session over the Internet is seen as such a horrible security risk. I understand that unencrypted ANYTHING over the Internet lends the chance for someone to decode the packets (assuming that they capture every one of them) but in reality, what are the real risks here and has anyone successfully captured a VNC session from more than 2 router hops away and actually gotten any meaningful information from it? I've captured a big chunk of a LOCAL session using Ethereal and the only thing that I can see that is usable is the password exchange. Agreed that this could be a problem if someone just happened to be sniffing your local LAN segment at that exact moment and happened to capture your encrypted VNC password, he could crack the password and log in himself. But how paranoid is it to go through all of the trouble of setting up SSH to avoid that when you could just change your VNC password often and make sure that your local LAN is reasonably secure from prying eyes? How about once it gets out on the Internet? Packets bounce all over the place on the Internet. What are the odds that someone out there will pick your VNC packets out of all of the millions of packets running through the back bone routers without being noticed, capture enough of them to possibly replay a session, and actually have the patience or the tools to do so. I've scoured the web out of this curiosity, looking for a tool to put VNC packets together into something useful for a hacker. There's nothing. Nada. So, I guess that what I'm asking is; what all of the fuss is about? Your POP3 password likely gets passed unencrypted but we're being asked to be paranoid about an encrypted VNC password? This is all coming from a discussion that I had with someone over the merits of using SSH with VNC over the internet for a 10 minute VNC session. Does anyone have anything that's not hypothetical? 
Is there a tool that I'm missing out there that does more than just crack a VNC password? Does anyone know of any reported security breaches where VNC was a weakness?
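The thread keeps returning to what a VNC server actually offers on the wire: a bare password exchange, no built-in encryption, or an outright refusal when no password is set. The following is an added example, not part of the thread or of any VNC project's code: it parses the server side of an RFB handshake from captured bytes and classifies the security offer. The sample captures, the refusal text and the verdict labels are constructed for illustration.

```python
import struct

# Security-type numbers as assigned in the RFB protocol. Treating 18 and 19 as
# "TLS-capable" is this example's simplification: VeNCrypt also has sub-types
# without TLS, so a real audit must look at the negotiated sub-type too.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
TLS_CAPABLE = {18, 19}


class HandshakeError(ValueError):
    """The bytes are not a complete RFB handshake prefix."""


def _version(banner):
    # ProtocolVersion is exactly 12 bytes: b"RFB xxx.yyy\n"
    ok = (len(banner) == 12 and banner[:4] == b"RFB " and banner[7:8] == b"."
          and banner[11:] == b"\n" and banner[4:7].isdigit() and banner[8:11].isdigit())
    if not ok:
        raise HandshakeError("not an RFB ProtocolVersion message")
    return int(banner[4:7]), int(banner[8:11])


def _reason(buf):
    # A refusal carries a U32 length followed by a human-readable reason.
    if len(buf) < 4:
        raise HandshakeError("truncated refusal reason")
    (length,) = struct.unpack(">I", buf[:4])
    if len(buf) < 4 + length:
        raise HandshakeError("truncated refusal reason")
    return buf[4:4 + length].decode("latin-1")


def parse_handshake(server, client_banner=None):
    """Parse the server-to-client bytes of an RFB handshake up to the security offer."""
    server_ver = _version(server[:12])
    # The client answers with the version it will speak; without the client
    # side of the capture, assume it accepted the server's version.
    version = min(_version(client_banner[:12]), server_ver) if client_banner else server_ver
    rest = server[12:]
    info = {"version": version, "offered": [], "refused": False, "reason": None}
    if version < (3, 7):
        # RFB 3.3: the server dictates one security type as a U32 (0 = refused).
        if len(rest) < 4:
            raise HandshakeError("truncated security type")
        (sec,) = struct.unpack(">I", rest[:4])
        if sec == 0:
            info["refused"], info["reason"] = True, _reason(rest[4:])
        else:
            info["offered"] = [sec]
    else:
        # RFB 3.7 and later: U8 count, then that many U8 types (count 0 = refused).
        if not rest:
            raise HandshakeError("truncated security type list")
        count = rest[0]
        if count == 0:
            info["refused"], info["reason"] = True, _reason(rest[1:])
        elif len(rest) < 1 + count:
            raise HandshakeError("truncated security type list")
        else:
            info["offered"] = list(rest[1:1 + count])
    return info


def assess(info):
    """Classify the exposure implied by the offer, worst case first."""
    if info["refused"]:
        return "refused"
    offered = set(info["offered"])
    if 1 in offered:
        return "open"        # a client may connect with no authentication
    if 2 in offered:
        return "cleartext"   # password challenge-response, then an unencrypted session
    if offered <= TLS_CAPABLE:
        return "tls-only"
    return "unknown"         # types outside this example's table


# Constructed sample captures (server-to-client bytes only), not real traffic.
CHALLENGE = bytes(range(16))          # stands in for the 16-byte auth challenge
REASON = b"no password set"           # constructed refusal text
SAMPLE_33_VNCAUTH = b"RFB 003.003\n" + struct.pack(">I", 2) + CHALLENGE
SAMPLE_33_REFUSED = b"RFB 003.003\n" + struct.pack(">II", 0, len(REASON)) + REASON
SAMPLE_38_VENCRYPT = b"RFB 003.008\n" + bytes([1, 19])
SAMPLE_38_MIXED = b"RFB 003.008\n" + bytes([2, 19, 2])

if __name__ == "__main__":
    samples = {"3.3 vncauth": SAMPLE_33_VNCAUTH, "3.3 refused": SAMPLE_33_REFUSED,
               "3.8 vencrypt": SAMPLE_38_VENCRYPT, "3.8 mixed": SAMPLE_38_MIXED}
    for name, capture in samples.items():
        parsed = parse_handshake(capture)
        names = [SECURITY_TYPES.get(t, "type %d" % t) for t in parsed["offered"]]
        print(name, parsed["version"], names, parsed["reason"], assess(parsed))
```
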
Re: VNC Security
Steve Bostedor wrote: [snip] I've scoured the web out of this curiosity, looking for a tool to put VNC packets together into something useful for a hacker. There's nothing. Nada. Fifth hit on Google for: vnc capture playback http://users.tpg.com.au/bdgcvb/chaosreader.html -- William Hooper
Re: VNC Security
[In a message on Tue, 19 Apr 2005 10:53:09 EDT, William Hooper wrote:] Steve Bostedor wrote: [snip] I've scoured the web out of this curiosity, looking for a tool to put VNC packets together into something useful for a hacker. There's nothing. Nada. Fifth hit on Google for: vnc capture playback http://users.tpg.com.au/bdgcvb/chaosreader.html Google is your friend. Of course, knowing the right phrase or keywords makes it nice. ;-) That's a very interesting tool, which should put the fear of the Internet in everyone. . . Another reason for tunneling VNC over SSH is this: My firewall only exposes a select few protocols to the outside world. If it weren't for the fact I have to support other people, I'd likely ONLY have SSH exposed to the world. Instead I have to have POP/IMAP, SMTP, etc. . . The fewer things you expose to the outside Big Bad World, the better. Sean
RE: VNC Security
Thank you for the reply, Alexander. I understand exactly what you're trying to say. I'm not sure if you fully understand what I was saying and it's probably my fault for not making it clear enough. You seemed to concentrate on how easy it is to do things with the VNC packets once you've sniffed the packets. You say that you've sniffed the packets before but have you ever sniffed packets from a network outside of your own LAN? How about on your LAN but on another switch port? What I was trying to discuss is how real the threat is that someone outside of your network will actually get to sniff enough of and the correct sequence of your packets to do the things that you were able to do by sniffing the packets on your local segment. You're basically breaking into your own house by using your own keys in the scenario that you provided. How realistic is it for someone in India to sniff my packets going from a server in Detroit, MI to a server in Jackson, MI? How realistic is it for him to actually get usable data? It's easy to say that if there's a way into your network, you're insecure but there's a way into your house .. is your house insecure? Is VNC really the low hanging fruit in my scenario? I know that you all are very specific and technical, so I'll spell out an exact scenario which happens to be the most common usage of VNC in companies. * John Doe is getting an error message on his computer and calls the help desk a city away for help. * Helpdesk tells John to double-click on the VNC icon on his desktop that starts the server * Helpdesk connects to John's computer and takes about 10 minutes to resolve the problem * Helpdesk person kills the VNC server on the remote computer and the connection is terminated --- I understand that Security is very important but it's also very important to not go Barney Fife and start drawing the gun on everything that moves if you get what I mean.
What are the odds that some guy in Florida is going to sniff that 10 minute session and get into the network? My answer is 1 in at least 10 million. The guy in Florida would have to have already compromised a computer on either of the networks that happened to be plugged into a HUB (Not a switch) that either of the computers are plugged into ~OR~ he would have had to hack one of the routers close to either one of them to send packets to him as a man in the middle attack of sorts. Both of these are a bit extreme for VNC data theft, don't you think? If you do all of that, isn't there a bunch of much bigger prizes at your fingertips than VNC data?! Now are you starting to see what I'm saying? The successful exploits that must be done to get someone's VNC packet stream would land you access to things far greater than just the VNC data and who would waste the time with VNC data at that point? Go for the gold, you're already in someplace pretty good at that point. The only EASY way that I know of to sniff someone's packets is to either be on a hub with the remote computers or to have a Trojan on one of the computers. Does someone know of an easy way other than that? Easier than just hacking into the company other ways that do not involve VNC? - Steve -Original Message- From: Alexander Bolante [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 6:25 PM To: Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security IMHO NOTE: For obvious reasons that VNC provides remote access to your machine, Security is key (period). I'm assuming this thread does NOT pertain to your COMPANY LAN, because if it does, the answer to your question, Why should I secure VNC over SSH? is clearly...SOX compliance... OTHERWISE: Bottom line is -- if you DO NOT have any sensitive data to secure, it's your prerogative to determine what lengths you want to take to protect that data. Why do I tunnel VNC over SSH?
To deal with the uncertainty of potential security flaws and risks... (SB wrote) What are the real risks of not securing VNC traffic? It depends... The only caveat I see in not securing VNC traffic is...network eavesdropping We already know that all VNC traffic between client and server is unencrypted after authentication. That's a problem if you're moving sensitive data. I've used a sniffer on a VNC session before. The traffic was compressed, so it was still difficult to understand and breakdown the data from the sniffer, BUT data passed in clear text e.g. usernames, birthdate, home address, etc. could be useful ***depending on the malicious user's intentions***. And because we often do NOT know what a malicious user's intentions are, we mitigate that uncertainty by adding another layer of security/defense in depth...tunneling VNC over SSH in order to secure communication and not leave ports open for scanning; using TCP wrappers to provide access control on a per-IP address basis, etc. On 4/19/05, Steve
RE: VNC Security
Joshua, Please see my reply to Alexander. It addresses some of what you said here. I disagree that VNC should be avoided completely, though. It's not THAT insecure! I will go out on a limb and say that about 90% of the pop3 users in the world use plain text passwords. Encrypted passwords aren't really that common and most ISP's don't require that home users encrypt their passwords. Do you use FTP? Maybe you triple encrypt your FTP data or just avoid FTP completely just like VNC, but I'll go out on a limb again and guess that at least 95% of FTP users in the world send the username and password in plain text and unencrypted. I'll also guess that at least 30% of them use the same username and password for their FTP account as they do for numerous other functions. Maybe even their encrypted Pop3 account. ;) The reply to Alexander explains my question further. -Original Message- From: Joshua Berry [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 6:43 PM To: Andy Bruce - softwareAB; Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: RE: VNC Security To the original poster: It is my *opinion* that using VNC should be avoided completely. The last time that I used VNC it only supported a password, and no user name. This leaves only the password to brute-force, considerably lessening the time needed to break in. Also, you are making the assumption that everyone uses plain text POP, I only use POP over SSL, IMAP over SSL or HTTPS to access my email. Also, this is not a good example because POP user accounts/passwords only give you someone's email, a VNC password will give you full access to the server/desktop it is running on. The passwords can be sniffed on your local network or they can be sniffed on the network that the server/desktop you are connecting to resides on. If this is a critical box, then now anyone that can sniff the network can also gain a login to this box to do whatever they want.
I believe that VNC includes SSL or some other decent means of encryption now. To the first follow up poster: a. Somebody just needs to get the password in that 20 minute interchange, which is not too hard if they are only sniffing for X sessions. They can just dump that to a file and leave it running until it picks something up. Also, you can setup something to probe the box on that port, so the next time VNC is enabled they can login. I am curious how you would notice someone sniffing the network? I only see this as being possible if the host was running linux/unix and forwarding their syslogs to you, so that you could see when a NIC entered promiscuous mode. Lastly: I have seen several VNC exploits available over the years, so this is just a whole new service that you are exposing to risk that you often don't need to (because if it is Linux you have SSH, and if it is a windows box you have Terminal Services) -Original Message- From: Andy Bruce - softwareAB [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 7:55 AM To: Steve Bostedor Cc: security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security This is a very interesting question to me. In my own case, I do have SSH setup thru Cygwin (http://www.cygwin.com/) for my local network and I use VNC thru that connection when I need to manage my own stuff remotely. However, I have to admit that when I use VNC to aid remote clients (which happens quite frequently) I don't worry about encryption whatsoever. FWIW, here's my approach: 1. I don't even try to explain setting up an SSH daemon to them. I simply have them install the VNC server in user-mode and start it. 2. If I can't explain to them in 5 min or less how to do port forwarding, I just have them connect directly to their cable/dsl modem. 3. Get the debugging and/or support done. 4. Have them stop the VNC server. Since it isn't running as a service, it won't start up next time and so won't be a security risk. 5. 
Tell them to turn off port forwarding from the router (if they could grok it), or just have them connect their PC back to the router and their router back to the cable/dsl modem. In either case, 5900 isn't available to the outside world so there's no risk even if they were running VNC in service-mode. I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong: a. Somebody is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends! b. I have never captured the data shared between client and server (screen/UI deltas) and so have no idea if these pose a security risk or not. c. While the VNC server is running and they are connected to the internet (port forwarding has the same problem as direct connect) a port sniffer detects
RE: VNC Security
Your plan is pretty typical and is pretty much what I advise to my clients. Keep it off when it's not being used and change the password often. On secured local LANs, it's ok to leave it running 24/7 as long as the remote server has the desktop locked or logged off. This is the RealVNC, though. I'm not sure the UltraVNC file transfer function is still functional if the workstation is locked. I'll have to try that and see. If it is still functional, I'd suggest not using that on any server that you want to leave VNC running 24/7 on at all.
-----Original Message----- From: Bart Crijns [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 19, 2005 5:15 PM To: Andy Bruce - softwareAB Cc: Steve Bostedor; security-basics@securityfocus.com; vnc-list@realvnc.com Subject: Re: VNC Security
Andy Bruce - softwareAB wrote: 5. Tell them to turn off port forwarding from the router (if they could grok it), or just have them connect their PC back to the router and their router back to the cable/dsl modem. In either case, 5900 isn't available to the outside world so there's no risk even if they were running VNC in service-mode.
Another (very easy) way to make these connections more secure with those users is the following: I'm using UltraVNC, so I'm not certain that everything is possible in other VNC variants.
- set a very long and very difficult password for the server (it will never be used anyway in this approach)
- disable the 'accept socket connections' checkbox in the server properties (may be UltraVNC only)
- when the users need assistance let them start the server, and instead of connecting to their PC, you start the viewer in listen mode
- tell them your IP, and have them add a client through the system tray icon's menu, and have them enter your IP when requested. You'll need to have your router set up for port forwarding to the ports for the listening viewer...
That way no one needs to know their password, and with UltraVNC the server isn't even accepting connections in the unlikely event that the password is known by someone. No password is transmitted, and the only thing that could be captured is the data sent during the VNC session, which isn't too much of a problem in most cases when helping someone out. Furthermore, no incoming ports need to be opened on their router, because most users aren't really capable of changing that themselves. Of course, when connecting to my own PC via VNC, I use an SSH tunnel. Am I missing something here? Other than the fact that in the unlikely event of someone malignant actually taking over their PC, you'll be the one who's blamed... no :-) I think the method I described is a bit safer, and also very easy to explain to the person at the other end of the line. If I may have missed something in my plan, please correct me. Kind Regards, Bart Crijns ___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
RE: VNC Security
I am wondering why expose VNC over the internet in the first place, really. It's my opinion that VNC is really only good for LAN's. Why not use VPN to secure your connection to the remote network before starting VNC sessions? It's much easier to set up on a LAN where you need VNC access to 200 computers than setting up SSH over the Internet! I can concede that VNC data should be encrypted in some way when traveling the Internet but why do people set up VNC over SSH on local networks? That really makes very little sense to me. If your network is so insecure that you're worried about your VNC traffic being hacked, you've got some pretty big problems! I connect to a network via VPN and others I connect using encrypted RDP sessions. Once I've made those connections, I can safely use VNC on the remote networks. Why waste all of this time with SSH on Windows computers all over the network when VPN and RDP is so easy to set up? Yea, William did have a better search phrase than I did. That utility does have limitations and flaws, though. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sean Kamath Sent: Tuesday, April 19, 2005 4:45 PM To: William Hooper Cc: vnc-list@realvnc.com Subject: Re: VNC Security [In a message on Tue, 19 Apr 2005 10:53:09 EDT, William Hooper wrote:] Steve Bostedor wrote: [snip] I've scoured the web out of this curiosity, looking for a tool to put VNC packets together into something useful for a hacker. There's nothing. Nada. Fifth hit on Google for: vnc capture playback http://users.tpg.com.au/bdgcvb/chaosreader.html Google is your friend. Of course, knowing the right phrase or keywords makes it nice. ;-) That's a very interesting tool, which should put the fear of the Internet in everyone. . . Another reason for tunneling VNC over SSH is this: My firewall only exposes a select few protocols to the outside world. If it weren't for the fact I have to support other people, I'd likely ONLY have SSH exposed to the world. 
Instead I have to have POP/IMAP, SMTP, etc. . . The fewer things you expose to the outside Big Bad World, the better. Sean
RE: VNC Security - another question
1) Other network vulnerabilities assuming the only protocol I am allowing in is for VNC- are there any?
OK, so you're stopping all the traffic coming across the vpn to you except vnc. That way they can't do anything else on your network except vnc. Then by using vnc they have full control of a box that sits inside their network from which they can do anything they want on/to your network.
2) What vulnerabilities do I create with the box itself that the external company is vnc-ing to?
They have full access to your network via the vnc box. You're letting them do anything they want. The next thing you could do is put this box behind its own firewall (making a dmz) and allow out only the protocols and destinations necessary for them to meet the purposes of you letting them vnc the box in the first place. If they aren't supposed to have any network access at all, then the firewall would only let in the vnc and let nothing out. It all boils down to either you trust them or you don't. And when it's your network and your security you shouldn't trust anyone, not even your own users. So why should you trust them?
RE: VNC security implications
This has nothing to do with the situation as described by Dave, who is simply connecting from one machine on his LAN to another. The fact that he has an Internet connection is a red herring, provided his firewall is working correctly. Wez @ RealVNC Ltd.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Watchorn Sent: 20 July 2004 18:49 To: [EMAIL PROTECTED] Cc: VNC List Subject: RE: VNC security implications
In a case like this I assume you are using static addresses for both computers (otherwise I am not sure it will work consistently - with dynamic IPs you CAN get a different IP each time (but the address may happen to be the same) and that is like changing your telephone number without having any forwarding message). What the barman says is certainly true for static addresses since hackers can be assured your address will not change. What I use to do the same thing (I manage a server with a bunch of users calling in remotely) is a VPN circuit through the Internet. Basically that is an encrypted channel and everyone accesses the server via VPN and then MS Terminal Services or VNC. Just because it is encrypted it is not hacker proof but generally encrypted streams are more hacker resistant - hackers prefer to work on streams of clear data rather than go through the trouble of trying to decrypt it first. Alan Watchorn [EMAIL PROTECTED] (760) 692-4300
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Ho Sent: Tuesday, July 20, 2004 12:40 AM To: [EMAIL PROTECTED] Subject: VNC security implications
Hi Folks, I am a bit green when it comes to setting up remote connections to distant PCs. What I was about to try to do was to connect from a PC running WinXP to one running Win98 (both are connected to the internet).
I then had a word with the barman in my local pub (who is an ex PCguru) who said do not do that, you will blow holes in your network security, hackers will be able to logon to your server with ease! Help, does anyone have any comments to refute this statement. Cheers Dave H
Re: VNC security implications
On Tue, 2004-07-20 at 09:39, Dave Ho wrote:
Hi Folks, I am a bit green when it comes to setting up remote connections to distant PCs. What I was about to try to do was to connect from a PC running WinXP to one running Win98 (both are connected to the internet). I then had a word with the barman in my local pub (who is an ex PCguru) who said do not do that, you will blow holes in your network security, hackers will be able to logon to your server with ease!
The comment here is too generalized... Giving your barman the benefit of the doubt, you obviously told him more than you told us. So as a generalization: 1) You can make yourself wide open. 2) You can do it in a secure fashion. So he is right and/or wrong depending what you said to him... Jerry P.S. Did this help?
Help, does anyone have any comments to refute this statement. Cheers Dave H
RE: VNC security implications
Dave, If the XP and 98 boxes are connected directly to the Internet already then VNC is the least of your worries. Are you intending to access one of them from the other *across* the Internet? Wez @ RealVNC Ltd.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Ho Sent: 20 July 2004 08:40 To: [EMAIL PROTECTED] Subject: VNC security implications
Hi Folks, I am a bit green when it comes to setting up remote connections to distant PCs. What I was about to try to do was to connect from a PC running WinXP to one running Win98 (both are connected to the internet). I then had a word with the barman in my local pub (who is an ex PCguru) who said do not do that, you will blow holes in your network security, hackers will be able to logon to your server with ease! Help, does anyone have any comments to refute this statement. Cheers Dave H
RE: VNC security implications
Dave, If both PCs are behind an ADSL router that has a firewall, and if you don't open up the VNC ports in that firewall, then using VNC between the machines is not an issue, because no outside traffic can get to your server. If you are careful never to open up the firewall to let VNC traffic in from the Internet then you don't even need a password to be enabled at the VNC Server, either... Of course, if you might change the firewall settings and accidentally open things up then a password is a good precaution! Wez @ RealVNC Ltd.
-----Original Message----- From: Dave Homan [mailto:[EMAIL PROTECTED] Sent: 20 July 2004 10:48 To: 'James Weatherall' Subject: RE: VNC security implications
Hi James, Thanks for the quick reply. I have the two PCs interconnected via an ADSL Router which has a firewall. So they are directly connected by internal intranet. What I would like to do is to control the Win98 PC from the XP PC and I was looking for way to achieve this and VNC seemed to be a possibility. I am sorry if this is a bit vague but I am new to this game. Many thanks Dave The Homans 36 Greenholm Road, Eltham, SE9 1UH Tel: 00 44 (0)2088590046 MoTel: 00 44 (0)7876543489 e-Mail [EMAIL PROTECTED]
-----Original Message----- From: James Weatherall [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 20, 2004 10:34 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: VNC security implications
Dave, If the XP and 98 boxes are connected directly to the Internet already then VNC is the least of your worries. Are you intending to access one of them from the other *across* the Internet? Wez @ RealVNC Ltd.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Ho Sent: 20 July 2004 08:40 To: [EMAIL PROTECTED] Subject: VNC security implications
Hi Folks, I am a bit green when it comes to setting up remote connections to distant PCs. What I was about to try to do was to connect from a PC running WinXP to one running Win98 (both are connected to the internet).
I then had a word with the barman in my local pub (who is an ex PCguru) who said do not do that, you will blow holes in your network security, hackers will be able to logon to your server with ease! Help, does anyone have any comments to refute this statement. Cheers Dave H
RE: VNC security implications
In a case like this I assume you are using static addresses for both computers (otherwise I am not sure it will work consistently - with dynamic IPs you CAN get a different IP each time (but the address may happen to be the same) and that is like changing your telephone number without having any forwarding message). What the barman says is certainly true for static addresses since hackers can be assured your address will not change. What I use to do the same thing (I manage a server with a bunch of users calling in remotely) is a VPN circuit through the Internet. Basically that is an encrypted channel and everyone accesses the server via VPN and then MS Terminal Services or VNC. Just because it is encrypted it is not hacker proof but generally encrypted streams are more hacker resistant - hackers prefer to work on streams of clear data rather than go through the trouble of trying to decrypt it first. Alan Watchorn [EMAIL PROTECTED] (760) 692-4300
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Ho Sent: Tuesday, July 20, 2004 12:40 AM To: [EMAIL PROTECTED] Subject: VNC security implications
Hi Folks, I am a bit green when it comes to setting up remote connections to distant PCs. What I was about to try to do was to connect from a PC running WinXP to one running Win98 (both are connected to the internet). I then had a word with the barman in my local pub (who is an ex PCguru) who said do not do that, you will blow holes in your network security, hackers will be able to logon to your server with ease! Help, does anyone have any comments to refute this statement. Cheers Dave H
Re: VNC Security - Windows registry
I would like to see a better encryption process for VNC, as I have had a hacker figure out my password schema
Besides encrypting the data stream between host and client there is still (IMO) an issue with WinVNC and storing the encrypted password in the registry. RealVNC 4 stores its settings in HKLM\Software\Real4 and by default users have the ability to read that section of the registry. At first glance it seems possible to remove the user permissions to the key and this stops users from viewing the encrypted password but does not break VNC4. What side effects would this have on other functions of VNC?
Regards, Richard
Re: VNC Security
Jon Lucas said: Dear Sirs: I would like to see a better encryption process for VNC, as I have had a hacker figure out my password schema, and actually caught him in a session of hijacking our server. If someone has your password, what would better encryption get you? -- William Hooper
Re: VNC Security
Use SSH... On Sun, 2004-06-27 at 21:33, William Hooper wrote: Jon Lucas said: Dear Sirs: I would like to see a better encryption process for VNC, as I have had a hacker figure out my password schema, and actually caught him in a session of hijacking our server. If someone has your password, what would better encryption get you?
Re: VNC Security
If you're using Windows, let alone any server, consider using a Virtual Private network and a VPN appliance. Actually, you have to be crazy to let VNC server be visible on the Internet. For the company I work for, and manage their I.T. systems, I firstly establish a connection by VPN using a guess account to login to grant me access to the network. I then have to supply a different password to the VNC server I wish to access and every VNC server has a different password, not vulnerable to a dictionary attack. If I need to authenticate to the servers as an administrator then that is yet another user name and password. Intrusion detection is also enforced. Try too many times to connect to the VPN by brute force and there is an account lock out that triggers. You then have to leave the account being attacked alone for a period of time to have the lockout automatically released.
Back to VNC, there needs to be a login lockout implemented on the VNC server. Simple to do (I don't have the time to code it in) and a puzzle why it's never been put in. Should be configurable. For instance, two bad password attempts and VNC server will then give a bad password response even if the password is correct, but then you have to leave VNC server alone for, say 3 minutes, before the lock out is released and another two attempts are allowed. A simple login lockout like this would give a hacker an interesting challenge as it would then take a VERY long time to guess a password, so would it be worth it? The owner of the computer operating VNC server would know very long before anything got cracked that there was a hack attack in progress. Sorry, for to be said, but this is a lack of common sense in leaving such a simple security feature out of VNC. I would rather be locked out from signing on VNC by a hacker than have a hacker gain access and run riot.
At 21:52 27/06/2004, Jerome R. Westrick [EMAIL PROTECTED] wrote: Use SSH...
On Sun, 2004-06-27 at 21:33, William Hooper wrote: Jon Lucas said: Dear Sirs: I would like to see a better encryption process for VNC, as I have had a hacker figure out my password schema, and actually caught him in a session of hijacking our server. If someone has your password, what would better encryption get you?
Re: VNC Security
[EMAIL PROTECTED] said: [snip] Should be configurable. For instance, two bad password attempts and VNC server will then give a bad password response even if the password is correct, but then you have to leave VNC server alone for, say 3 minutes, before the lock out is release and another two attempts are allowed. There is already a limit on the speed of password attempts. http://www.realvnc.com/pipermail/vnc-list/2000-May/014378.html -- William Hooper
Re: VNC Security
Would be better if the lock-out policy was implemented like Windows server does. You have so many attempts then the account gets locked out for the nominated duration, but there is also a counter of attempts that only gets zeroed after another set duration.
At 00:30 28/06/2004, William Hooper wrote: [EMAIL PROTECTED] said: [snip] Should be configurable. For instance, two bad password attempts and VNC server will then give a bad password response even if the password is correct, but then you have to leave VNC server alone for, say 3 minutes, before the lock out is release and another two attempts are allowed. There is already a limit on the speed of password attempts. http://www.realvnc.com/pipermail/vnc-list/2000-May/014378.html -- William Hooper
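The lockout proposed in the messages above (two bad attempts, then about 3 minutes in which even the correct password gets a "bad password" answer, plus a Windows-style failure counter that is only zeroed after a quiet period), sketched as an added example. It is not code from RealVNC or from any poster; the class and function names, the per-client key and the 15-minute reset value are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class _ClientState:
    failures: int = 0          # bad attempts counted so far
    last_failure: float = 0.0  # time of the most recent bad attempt
    locked_until: float = 0.0  # every attempt before this time is refused


@dataclass
class LoginLockout:
    """Lockout policy placed in front of the server's own password check."""
    max_failures: int = 2           # "two bad password attempts"
    lockout_seconds: float = 180.0  # "say 3 minutes"
    reset_seconds: float = 900.0    # assumed value: counter zeroed after 15 quiet minutes
    _clients: dict = field(default_factory=dict)

    def is_locked(self, client: str, now: float) -> bool:
        st = self._clients.get(client)
        return st is not None and now < st.locked_until

    def decide(self, client: str, auth_ok: bool, now: float) -> bool:
        """Return True only if the connection should be accepted.

        client  -- key the counter is kept under (peer address here; use one
                   constant key for a server-wide lockout)
        auth_ok -- result of the server's normal password check
        now     -- timestamp in seconds, passed in so the policy is testable
        """
        st = self._clients.setdefault(client, _ClientState())

        # Locked out: answer "bad password" even if the password was right,
        # so a correct guess made during the lockout teaches the guesser nothing.
        if now < st.locked_until:
            return False

        # Windows-style counter: earlier failures are forgotten only after a
        # quiet period, so slow guessing still adds up to a lockout.
        if st.failures and now - st.last_failure >= self.reset_seconds:
            st.failures = 0

        if auth_ok:
            st.failures = 0
            return True

        st.failures += 1
        st.last_failure = now
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # fresh allowance once the lockout is released
        return False


def replay(policy: LoginLockout, attempts) -> list:
    """Feed (time, client, auth_ok) tuples to the policy; return its decisions."""
    return [policy.decide(client, ok, t) for (t, client, ok) in attempts]


# Constructed sample input (documentation address, not real traffic).
SAMPLE_ATTEMPTS = [
    (0.0,   "203.0.113.7", False),  # first bad password
    (10.0,  "203.0.113.7", False),  # second bad password: lockout starts
    (20.0,  "203.0.113.7", True),   # correct password, refused while locked
    (190.0, "203.0.113.7", True),   # lockout released, accepted
]

if __name__ == "__main__":
    for attempt, accepted in zip(SAMPLE_ATTEMPTS, replay(LoginLockout(), SAMPLE_ATTEMPTS)):
        print(attempt, "->", "accepted" if accepted else "bad password")
```

Keyed per client address, the policy locks out only the guessing host; keyed on a single constant it becomes the server-wide lockout the first message describes, where the legitimate user is locked out as well.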
RE: VNC Security
Here is an article based on 3.? for securing VNC with openssl: http://www.securityfocus.com/infocus/1677 If you are using the latest version of VNC, some of these features are built in (such as local connections only). Thanks, John Ellingsworth Virtual Curriculum AIM: vc2000support http://mail.med.upenn.edu/~jellings/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jon Lucas Sent: Sunday, June 27, 2004 3:00 PM To: [EMAIL PROTECTED] Subject: VNC Security Dear Sirs: I would like to see a better encryption process for VNC, as I have had a hacker figure out my password schema, and actually caught him in a session of hijacking our server. Since then, I have tightened the firewall to only accept specific IPAddresses on 5800 and 5900, but that also constrains access points. Just a thought. Thank you for a great product that makes it a lot easier to live with computers. (barring the bad guys, of course). Jon Lucas [EMAIL PROTECTED]
Re: VNC security
On Wed, Sep 17, 2003 at 01:09:02AM +0200, Björn Persson wrote: Mike Miller wrote: But it might not be a matter of time because it's so much work for so little gain? How little gain exactly? Your company's trade secrets? The administrator passwords to all your servers? All the money in your bank account? And let me point out that the work only needs to be done *once*. Not once for every session. I could write the program and then use it daily for years.
Thank you, Bjorn. I agree with you which is why I posted the original. The risk is unlikely but it is there and needs to be understood. As VNC becomes increasingly more popular, hackers will try to exploit it.
Re: VNC security
Bjorn: Heya. Some comments to your comments:
If I wanted to sniff other people's VNC traffic I'd first try to find an existing program to do this. If I couldn't find one I would: 1: use one of the existing programs that can intercept TCP sessions. Maybe I'd have to teach it how to recognize the RFB protocol. That's no big problem.
A company I used to work at was founded by this guy who was world-class in coming up with setups such as if you could do this one impossible thing, you could make a *ton* of money. :) Perhaps it's both a great way for entrepreneurs to think of their next company *and* for security-paranoid people to consider their networks. Which is to say...hijacking an arbitrary TCP connection off of the Internet is galactically difficult. As I said in my post, though, stealing packets off of a local network (or capturing a local keyboard) is trivial, even if the data was encrypted across the Internet with 256-bit AES.
On the Internet, either you have encryption, or you have *no* security.
See, I'm worried that this is misleading. Because even with encryption, you can still be left with no security. I mean, what's the point of 256-bit AES securing my VNC connection if my VNC server has no AuthHosts setting, its password is just password, and the RPC vulnerability CERT announced last month hasn't been patched on my server yet? Or as Cheswick and Bellovin put it in _Firewalls and Internet Security_: But encryption is useless if you cannot trust one of the endpoints. Indeed, it can be worse than useless: the untrusted endpoint must be provided with your key, thus compromising it.
But it might not be a matter of time because it's so much work for so little gain? How little gain exactly? Your company's trade secrets? The administrator passwords to all your servers? All the money in your bank account?
A good rule of thumb here is that you should spend at least as much time protecting your network assets as the Black Hats would spend trying to steal them, and at least as much money as the assets are worth. Part of that solution *of course* involves good encryption. But IMO, encryption is a little like recycling: on its own, it's pretty useless and pretty easy to delude yourself with. Nevertheless, it's also a necessary part of a much larger, much more effective, overall policy. cheers, Scott
RE: Re: VNC security
Hello, I'm a bit confused. I currently use VNC (the Tight flavour) through an SSH tunnel, so I'm not really concerned, but I thought (from other discussions found in the archives) that VNC was *quite* secure as info/updates was/were sent over the network as images (increasingly compressed, using either Tight or the new VNC 4 encoding). So this assumption is *wrong*, and any text typed in a VNC window is in fact sent as plain text, and so *easily* tapped??? [[ this is what information entered into fields is transmitted as text inside the packet leads me to conclude ]]. Thanks for any definitive light on the subject. Chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 16 September 2003 13:00 To: [EMAIL PROTECTED] On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote: On Sat, 13 Sep 2003, Michael Herman wrote: I would like to point out that VNC is not secure. From the realVNC FAQ: Is VNC secure? The only really secure computer is one without a network. VNC requires a password when a viewer tries to connect to a server. This password is encrypted to deter snooping, but the following graphical data, the VNC protocol, is not. In other words, if you are using VNC across the Internet without some sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and information to the world. Please, please, please be careful. Thank you for your concern. I hear that it is possible for someone snooping network traffic to set up a program that will decode the VNC stream and allow them to see what I'm doing. Is that true? I think that most packet sniffing is limited to searching plain text for username/password. Am I wrong? 'Decoding' the packet stream isn't all that difficult. The information entered into fields is transmitted as text inside the packet. Usernames, passwords, credit card information, etc. will all be visible to a hacker who is looking for it. Please don't think I am down on VNC. 
I think it is a great tool and I use it all the time, both securely and insecurely. I think it is important to remember that VNC does not provide a security mechanism other than the encrypted password. It's also important to remember that most of the Internet (web, email, chat, news, etc) is insecure. You wouldn't give your credit card on the web without HTTPS (encrypted, secure web page) would you? I posted my original e-mail after an off-list discussion with someone who, using Windows 98 on both the client and server, wanted to connect to work. This person appeared to be, from their e-mail signature, a human resources director for a company. HR people generally deal in confidential information and I certainly would want the HR people at the company I work for to not expose any information about me to the web without some security mechanism. -- Michael
Re: VNC security
Michael:

Heya. I think I'm willing to split this hair over VNC security. First off, I agree with you that VNC users should try to use a secure-tunnel whenever they VNC across the Internet. That's just an inarguable Good Idea. For those using VNC to remotely administer their content-sensitive servers, I'm sure it's one of the first things done.

However, I think you oversell this point by comparing giving a credit card over an insecure web browser to using VNC over a non-tunneled connection.

First, when you press Send on a web-browser form, all of the data in that form is sent at once, in well-delineated form, making the data relatively easy to identify. In a VNC session, by comparison, every *character* is sent as soon as you type it, along with other RFB info to update the visuals. That will make intercepting the data fundamentally more difficult as it is spread across so many more packets, and mixed in with so much other data.

Second, even with a secure-tunnel encrypting your data across the wilds of the Internet, your packets can still be sniff'd/recorded/played-back by a *local* user with malicious intent. Sniffing wild packets off of the Internet is *very* difficult and a federal offense in most countries. Sniffing packets off of an ethernet hub is routine and, possibly, the official *policy* of your network's administrator.

Put another way, good network security (and a good network attack strategy) is to go after the biggest holes first. For VNC users, the biggest weakness is usually choosing weak passwords. For *all* Windows, the even-bigger weakness is reading email with Outlook and not keeping up with MSoft's near-weekly release of security patches. Maybe 5th or 6th on my list would be running VNC without a secure-tunnel. Your mileage may vary. :)

In closing, as I used to tell my IT clients and I'm sure you know, the Black Hats don't want to break into your PC to steal your credit card numbers. Not their intent. If it were, then the rationalization I heard 90-percent of the time (Oh, I don't keep anything on that computer anyone would want to steal) would make good sense. Instead, though, the Black Hats want to break into your computer so that when they next try to crash EBay's servers, or set up an illegal content reflector, they do it from *your* computer.

cheers,
Scott

> On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
> > On Sat, 13 Sep 2003, Michael Herman wrote:
> > > I would like to point out that VNC is not secure. From the realVNC FAQ:
> > >
> > > Is VNC secure? The only really secure computer is one without a network. VNC requires a password when a viewer tries to connect to a server. This password is encrypted to deter snooping, but the following graphical data, the VNC protocol, is not.
> > >
> > > In other words, if you are using VNC across the Internet without some sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and information to the world. Please, please, please be careful.
> >
> > Thank you for your concern. I hear that it is possible for someone snooping network traffic to set up a program that will decode the VNC stream and allow them to see what I'm doing. Is that true? I think that most packet sniffing is limited to searching plain text for username/password. Am I wrong?
>
> 'Decoding' the packet stream isn't all that difficult. The information entered into fields is transmitted as text inside the packet. Usernames, passwords, credit card information, etc. will all be visible to a hacker who is looking for it.
>
> Please don't think I am down on VNC. I think it is a great tool and I use it all the time, both securely and insecurely. I think it is important to remember that VNC does not provide a security mechanism other than the encrypted password. It's also important to remember that most of the Internet (web, email, chat, news, etc) is insecure. You wouldn't give your credit card on the web without HTTPS (encrypted, secure web page) would you?

snip
Re: VNC security
Scott C. Best wrote:
> First, when you press Send on a web-browser form, all of the data in that form is sent at once, in well-delineated form, making the data relatively easy to identify. In a VNC session, by comparison, every *character* is sent as soon as you type it, along with other RFB info to update the visuals. That will make intercepting the data fundamentally more difficult as it is spread across so many more packets, and mixed in with so much other data.

Yes, it's encoded, it's compressed, it's scattered and it's mixed with lots of other data, but _that_does_not_matter_.

Reassembling the scattered packets of a TCP session isn't difficult. Every operating system has the code to do that, and lots of monitoring programs too, and TCP is documented in case you really want to write it yourself.

Decompressing and decoding the data stream isn't difficult either. VNC knows how to do it. The source code is free, and so is the RFB documentation.

If I wanted to sniff other people's VNC traffic I'd first try to find an existing program to do this. If I couldn't find one I would:

1: use one of the existing programs that can intercept TCP sessions. Maybe I'd have to teach it how to recognize the RFB protocol. That's no big problem.
2: feed the keystrokes to a small program that would write them to a log file. If I'd need a translation table I could get one from any VNC server.
3: feed the screen updates to one of those VNC viewers that can record them as a video file.
4: feed the image data to one of the existing programs that perform character recognition on screenshots, and log the character data.

Once this was done I could automatically record all VNC sessions on every network link I could get access to, and then I could scan the text logs for interesting tokens such as Password or whatever I'd be looking for.

I'd be surprised if no one has done this already, and maybe even put the pieces together to a convenient program, but if not, it's probably just a matter of time.

On the Internet, either you have encryption, or you have *no* security.

Björn Persson
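Added example, not part of the original thread: because the RFB handshake is sent in the clear, a defender can find VNC sessions that cross a network without a tunnel by checking the first server-to-client bytes of each reassembled TCP stream, and then move those hosts behind SSH or IPsec. The function names, the `no_password` field and the sample streams are constructed for illustration.

```python
import re
import struct

# Every RFB session opens with a 12-byte cleartext banner, e.g. b"RFB 003.008\n".
BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
# Basic RFB security types; None and VNC Authentication leave the session unencrypted.
SEC_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def classify_server_hello(data: bytes):
    """Classify the first server-to-client bytes of a reassembled TCP stream.

    Returns None when the stream is not RFB, otherwise a dict describing
    the protocol version and the security types the server offered.
    """
    m = BANNER.match(data)
    if m is None:
        return None  # a tunnelled session starts with e.g. b"SSH-2.0-..."
    major, minor = int(m.group(1)), int(m.group(2))
    rest = data[12:]
    if (major, minor) >= (3, 7):
        # RFB 3.7+: one count byte, then that many one-byte security types.
        types = list(rest[1:1 + rest[0]]) if rest else []
    else:
        # RFB 3.3: the server dictates one type as a big-endian 32-bit value.
        types = [struct.unpack(">I", rest[:4])[0]] if len(rest) >= 4 else []
    return {
        "version": f"{major}.{minor}",
        "offered": [SEC_NAMES.get(t, f"type {t}") for t in types],
        "no_password": 1 in types,
    }


def audit(streams):
    """Return (endpoint, finding) for every stream that is cleartext RFB."""
    findings = []
    for endpoint, first_bytes in streams.items():
        hello = classify_server_hello(first_bytes)
        if hello is not None:
            findings.append((endpoint, hello))
    return findings


# Constructed sample data: first server-side bytes per endpoint.
SAMPLE_STREAMS = {
    "192.0.2.10:5900": b"RFB 003.003\n" + struct.pack(">I", 2),
    "192.0.2.11:5901": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "192.0.2.12:22": b"SSH-2.0-OpenSSH_3.7\r\n",
}

if __name__ == "__main__":
    for endpoint, hello in audit(SAMPLE_STREAMS):
        print(endpoint, hello)
```

Any endpoint the audit reports is a session whose screen updates and key events follow in the clear after the password exchange; a tunnelled session shows only the tunnel's own banner.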
Re: VNC security
On Tue, 16 Sep 2003, Björn Persson wrote:
> If I wanted to sniff other people's VNC traffic I'd first try to find an existing program to do this. If I couldn't find one I would:
>
> 1: use one of the existing programs that can intercept TCP sessions. Maybe I'd have to teach it how to recognize the RFB protocol. That's no big problem.
> 2: feed the keystrokes to a small program that would write them to a log file. If I'd need a translation table I could get one from any VNC server.
> 3: feed the screen updates to one of those VNC viewers that can record them as a video file.
> 4: feed the image data to one of the existing programs that perform character recognition on screenshots, and log the character data.

In other words, it's not worth the effort and it will probably never happen. Does anyone know if this kind of thing has actually been done? Not as a demonstration -- has anyone actually been attacked in this way?

> I'd be surprised if no one has done this already, and maybe even put the pieces together to a convenient program, but if not, it's probably just a matter of time.

But it might not be a matter of time because it's so much work for so little gain?

> On the Internet, either you have encryption, or you have *no* security.

There are degrees. Some things get attacked constantly and some don't.

Mike

--
Michael B. Miller, Ph.D.
Assistant Professor
Division of Epidemiology and Institute of Human Genetics
University of Minnesota
http://taxa.epi.umn.edu/~mbmiller/
Re: VNC security
Mike Miller wrote:
> But it might not be a matter of time because it's so much work for so little gain?

How little gain exactly? Your company's trade secrets? The administrator passwords to all your servers? All the money in your bank account?

And let me point out that the work only needs to be done *once*. Not once for every session. I could write the program and then use it daily for years.

Björn Persson
Re: VNC security
On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
> On Sat, 13 Sep 2003, Michael Herman wrote:
> > I would like to point out that VNC is not secure. From the realVNC FAQ:
> >
> > Is VNC secure? The only really secure computer is one without a network. VNC requires a password when a viewer tries to connect to a server. This password is encrypted to deter snooping, but the following graphical data, the VNC protocol, is not.
> >
> > In other words, if you are using VNC across the Internet without some sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and information to the world. Please, please, please be careful.
>
> Thank you for your concern. I hear that it is possible for someone snooping network traffic to set up a program that will decode the VNC stream and allow them to see what I'm doing. Is that true? I think that most packet sniffing is limited to searching plain text for username/password. Am I wrong?

'Decoding' the packet stream isn't all that difficult. The information entered into fields is transmitted as text inside the packet. Usernames, passwords, credit card information, etc. will all be visible to a hacker who is looking for it.

Please don't think I am down on VNC. I think it is a great tool and I use it all the time, both securely and insecurely. I think it is important to remember that VNC does not provide a security mechanism other than the encrypted password. It's also important to remember that most of the Internet (web, email, chat, news, etc) is insecure. You wouldn't give your credit card on the web without HTTPS (encrypted, secure web page) would you?

I posted my original e-mail after an off-list discussion with someone who, using Windows 98 on both the client and server, wanted to connect to work. This person appeared to be, from their e-mail signature, a human resources director for a company. HR people generally deal in confidential information and I certainly would want the HR people at the company I work for to not expose any information about me to the web without some security mechanism.

--
Michael
Re: VNC security
In message [EMAIL PROTECTED], Michael Herman [EMAIL PROTECTED] writes
> I posted my original e-mail after an off-list discussion with someone who, using Windows 98 on both the client and server, wanted to connect to work. This person appeared to be, from their e-mail signature, a human resources director for a company. HR people generally deal in confidential information and I certainly would want the HR people at the company I work for to not expose any information about me to the web without some security mechanism.

Let me emphasise this. In Europe there are stringent privacy laws governing personal data. Sysadmins and developers are required to take reasonable steps to protect personal data. If they fail then they (and their employers) could do jail time.
Re: VNC security
On Sat, 13 Sep 2003, Michael Herman wrote:
> I would like to point out that VNC is not secure. From the realVNC FAQ:
>
> Is VNC secure? The only really secure computer is one without a network. VNC requires a password when a viewer tries to connect to a server. This password is encrypted to deter snooping, but the following graphical data, the VNC protocol, is not.
>
> In other words, if you are using VNC across the Internet without some sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and information to the world. Please, please, please be careful.

Thank you for your concern. I hear that it is possible for someone snooping network traffic to set up a program that will decode the VNC stream and allow them to see what I'm doing. Is that true? I think that most packet sniffing is limited to searching plain text for username/password. Am I wrong?

Mike