I have a need to set up a remote connect methodology to allow support folks
here at our headquarters to shadow and potentially guide remote users
through our applications from time to time. I would be connecting to a
SuSE8 device across a WAN (over 600 probable remote locations) and am
I can tell you exactly how this is different, but first I want to thank
Mike Miller who pointed out that you need to disable vnc connection from
hosts other than local host. I skipped that part as being an obvious
one but it probably is not that obvious.
The difference of running ssh vs running
Alex Pelts wrote:
I can tell you exactly how this is different, but first I want to thank
Because of top-quoting it is unclear WHAT is different... After scrolling
down the entire message I find out that it refers to my previous posting:
What is different in running a VNC server exposed
Hi guys, I just had that experience. However, I have Zone Alarm
installed so when the intruder tried to download the trojan file, my
Zone Alarm blocked it. Still, the intruder caused certain programs not
to function correctly but I could just reinstall them. I signed up
On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
It's really not realistic or reasonable to expect every PC user to be
their own ever-vigilant security expert.
Yes and no. It depends on how important security is to you. As pointed
out, the flaw was posted on this list. I find that just
Dave Dyer wrote:
1) vnc should maintain its own list, reserved for security flash
alerts only, and strongly encourage anyone who installs vnc
to sign up.
That is not such a bad idea but this security problem only happened once
since I started using VNC (as far as I recall), and I started using
Alex Pelts wrote:
IMHO running VNC server exposed to the Internet is a bad idea in the
first place.
Why?
What is different in running a VNC server exposed to the Internet from
running a SSH (or even a telnet!) server exposed to the
Dave Dyer wrote:
It's really not realistic or reasonable to expect every PC user to be
their own ever-vigilant security expert. I try to keep up on these things,
and I had barely noticed. I doubt that 10% of VNC users read either
slashdot or vnc-list, much less never miss anything important
2) word should have been passed to Norton, McAfee, etc so they
could target vulnerable versions of vnc on behalf of their customers.
I don't know if this mechanism exists, but it ought to.
This one is never going to happen for countless reasons. No company will
make your box secure if you
Dave Dyer wrote:
Why do you think it will never happen? I think it's inevitable.
I pay for virus protection; there's real money to be made providing
a better service.
I don't think you can, by any means, compare your proposition to an
antivirus solution. The complexities of protecting a
I don't think you can, by any means, compare your proposition to an
antivirus solution. The complexities of protecting a person from
protecting their own ignorance, not in a demeaning sense, are so
multifaceted. It would literally be impossible to stay on top of every
single threat, and to
Well,
Let's say you pay money to Symantec: why don't you ask them to protect
your PC? What does RealVNC have to do with it?
I pay money to RealVNC people for EE and I got my email notifying me
about security update. So I have no beef with RealVNC as they provide
the service I pay for.
I think 2)
Alex Pelts wrote:
It is simply impossible to protect a person from himself. At this time
pretty much anyone should know that clicking on attachments is bad yet
everyone still does it. With the amount of scams going on you would think
that people would be suspicious of emails asking them to type in
[EMAIL PROTECTED] wrote on Tuesday, June 06, 2006 5:11 PM:
It is simply impossible to protect a person from himself.
[snip]
Probably the way to protect people from doing stupid
things is to electrocute them any time they are clicking
on attachment to develop a reflex.
(BOFH Mode=ON)
John Aldrich wrote:
[EMAIL PROTECTED] wrote on Tuesday, June 06, 2006 5:11 PM:
Probably the way to protect people from doing stupid
things is to electrocute them any time they are clicking
on attachment to develop a reflex.
(BOFH Mode=ON)
Hmm... I *like* that idea. Evil Grin
(BOFH Mode=OFF)
On Tue, 6 Jun 2006, Alex Pelts wrote:
IMHO, VNC people did all they could to fix the problem and post the
update. It is up to the users to make sure they are up to date. If you
do not like RealVNC security record you are always free to run any other
software. There are really many choices you
On Tuesday 06 June 2006 16:40, Dave Dyer wrote:
2) word should have been passed to Norton, McAfee, etc so they
could target vulnerable versions of vnc on behalf of their
customers. I don't know if this mechanism exists, but it ought to.
This one is never going to happen for countless
Jaroslaw Rafa wrote:
Why?
What is different in running a VNC server exposed to the Internet from
running a SSH (or even a telnet!) server exposed to the Internet, for
example? And there are many such servers out there...
It's like any remote access service - you run it, if you need it. Of
and learn as much as I can
to minimize any security threats.
Thanks everyone.
Glenda Harris
From: Hal Vaughan [EMAIL PROTECTED]
Date: 2006/06/06 Tue PM 02:13:51 EDT
To: vnc-list@realvnc.com
Subject: Re: vnc security flaw?
On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
It's really
[__ __] wrote:
Dave Dyer wrote:
Why do you think it will never happen? I think it's inevitable.
I pay for virus protection; there's real money to be made providing
a better service.
I don't think you can, by any means,
Last night, while inactive and unattended, my machine picked
up a trojan of the firefly family of remote control trojans.
http://www.sophos.com/virusinfo/analyses/trojfireflyb.html
Since the trojan's init file contained my vnc server password, I suspect that
vnc was somehow related to the event.
: Re: vnc security flaw?
Last night, while inactive and unattended, my machine picked
up a trojan of the firefly family of remote control trojans.
http://www.sophos.com/virusinfo/analyses/trojfireflyb.html
Since the trojan's init file contained my vnc server password, I suspect
that
vnc
:37 PM
Subject: Re: vnc security flaw?
Last night, while inactive and unattended, my machine picked
up a trojan of the firefly family of remote control trojans.
http://www.sophos.com/virusinfo/analyses/trojfireflyb.html
Since the trojan's init file contained my vnc server password, I
suspect
Both of you need to keep up on your software -- a new version was recently
released to solve a severe security flaw in the v4.x line. The trojans you got
obviously exploited this flaw.
I can't argue with that, but this security flaw and the need for updating
didn't get a lot of airplay. I'm just
Dave,
The fix was posted next day after the flaw was discovered. At that time
there were no exploits or they were not prevalent. I am not so sure what
VNC team could do to better inform people. Discovery of flaw was
published on slashdot and this list.
I am not trying to tell that this is your
It's really not realistic or reasonable to expect every PC user to be
their own ever-vigilant security expert. I try to keep up on these things,
and I had barely noticed. I doubt that 10% of VNC users read either
slashdot or vnc-list, much less never miss anything important there.
Two things
Some important security patches have been made to VNC server software.
We strongly recommend that users of VNC 4 series servers upgrade as soon as
possible.
http://www.realvnc.com/upgrade.html
--
The VNC team
___
VNC-List mailing list
James Weatherall wrote:
Some important security patches have been made to VNC server software.
We strongly recommend that users of VNC 4 series servers upgrade as soon as
possible.
http://www.realvnc.com/upgrade.html
Where's the source? Coming soon I hope? (:
-- Rex
Is there a good FAQ or HOWTO on ssh with vnc? what is the url
Thanks
- Original Message -
From: John Aldrich [EMAIL PROTECTED]
To: '-Paul' [EMAIL PROTECTED]; vnc-list@realvnc.com
Sent: Tuesday, May 09, 2006 1:00 PM
Subject: RE: vnc security
-Paul wrote on :
When I loaded
@realvnc.com
Sent: Tuesday, May 09, 2006 1:00 PM
Subject: RE: vnc security
-Paul wrote on :
When I loaded the realvnc onto my WinME computer I got an
additional warning about security that I didn't get on
my WinXP computers. Something about the passwords not
being secure?
A potential intruder
] On Behalf Of -Paul
Sent: 09 May 2006 20:09
To: John Aldrich
Cc: vnc-list@realvnc.com
Subject: Re: vnc security
John Aldrich wrote:
That being said, what the warning is really saying is that,
theoretically,
someone could decrypt the password if they had access to
the local console
When I loaded the realvnc onto my WinME computer I got an
additional warning about security that I didn't get on
my WinXP computers. Something about the passwords not being
secure?
A potential intruder would still have to type my password
correctly to gain entry thru the 5902 port (the port I
-Paul wrote on :
When I loaded the realvnc onto my WinME computer I got an
additional warning about security that I didn't get on
my WinXP computers. Something about the passwords not
being secure?
A potential intruder would still have to type my password
correctly to gain entry thru the
John Aldrich wrote:
That being said, what the warning is really saying is that, theoretically,
someone could decrypt the password if they had access to the local console.
On the other hand, if they've got access to the local console, you've got
more important security problems than someone
I hope this does not get mailed more than once, had a wee problem with my
registered address.
I am curious, the documentation from the VNC page has the following;
Send clipboard updates to clients
SendCutText=true/false This option, if unticked, prevents the VNC Server from
informing clients
You can have view only clients (e.g. a demo) or possibly someone is just
showing you something but you may have left your password stored in the
clipboard. (not that I store my passwords somewhere where I can cut and
paste them ;)
--Angelo
On 8/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:
In message
[EMAIL PROTECTED], mbrown
[EMAIL PROTECTED] writes
We are behind a firewall, but want to get VNC to allow consultants we
trust to have remote access to our computers (and vice versa). Past
posts to this list convinced me that opening a port in the firewall for
specific users is a
] On Behalf Of mbrown
Sent: 16 August 2005 20:04
To: vnc-list@realvnc.com
Subject: VNC security
We are behind a firewall, but want to get VNC to allow consultants we
trust to have remote access to our computers (and vice versa). Past
posts to this list convinced me that opening a port
Bernard et al,
specific users is a secure activity, but our IT guys are now
saying that
it doesn't necessarily protect our systems from worms or viruses that
may already inhabit the trusted user's computers.
That's correct, in that if there was a weakness in VNC it could be
exploited
Bernard,
Alternatively it's possible to configure VNC to only accept
connections
from localhost. This requires a VPN to be set up between the
remote and
local machines. That can use any type of encryption your IT
guys think
is required. Even if the blackhats sniff the network traffic
We are behind a firewall, but want to get VNC to allow consultants we
trust to have remote access to our computers (and vice versa). Past
posts to this list convinced me that opening a port in the firewall for
specific users is a secure activity, but our IT guys are now saying that
it doesn't
Mike:
Heya; fortunately, your IT guys are wrong about this. VNC
is simply a remote desktop application, not a Virtual Private
Network application. Unlike the latter (in which a remote PC
does traverse your firewall and effectively becomes part of the
LAN), a remote desktop connection
A while back, we had a pretty long running and informative thread on VNC
security. The only VNC that had real encryption built in was the
Enterprise version of RealVNC. UltraVNC had a DSM plug-in but it was
pretty nasty to get working and was suffering from compatibility
problems. On top
Mike,
Question: If we buy the VNC version that is advertised as
more secure,
will it really be more secure?
Yes.
Wez @ RealVNC Ltd.
On Fri, 27 May 2005, Erik Soderquist wrote:
To be clear, the VNC viewer that uses encryption is free, but you
cannot use the older viewer.
not according to realvnc's web page:
http://www.realvnc.com/products/features.html
according to that, the free one does not include encryption
I
We've used the free VNC for awhile to view machines outside our office,
but our IT guys are too nervous about punching through our firewall to
allow others to view our machines. I think they're too cautious.
Question: If we buy the VNC version that is advertised as more secure,
will it really
Of mbrown
Sent: Thursday, May 26, 2005 12:21
To: vnc-list@realvnc.com
Subject: VNC security, and can free VNC connect to paid VNC?
We've used the free VNC for awhile to view machines outside our office,
but our IT guys are too nervous about punching through our firewall to
allow others to view our machines
We've used the free VNC for awhile to view machines outside our office,
but our IT guys are too nervous about punching through our firewall to
allow others to view our machines. I think they're too cautious.
Question: If we buy the VNC version that is advertised as more secure,
will it
Bostedor
Sent: Tuesday, April 19, 2005 20:57
To: [EMAIL PROTECTED]
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: RE: VNC Security
Thank you for the reply, Alexander. I understand exactly what you're
trying to say. I'm not sure if you fully understand what I was saying
and its
@securityfocus.com; VNC List
Subject: Re: VNC Security
First--I believe we're talking apples and oranges. VNC is not an
appropriate solution for a true corporate network unless a firewall and
a secure link is available (and even then is dodgy). My scenario is
this:
a. Random user in cyberspace has a problem
---BEGIN CUT---
In all of these scenarios, you do the setup before hand. All of these
scenarios are easily installed, and configured as a tech, and are as
simple as 1-3 clicks for a user, no config, because everything (ssh
keys, vpn preshared keys, etc) are all saved and stored in advance.
A
On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:
I have to agree with Steve that this is, for all practical purposes, a
non-existent security risk. The only things that could go wrong:
a. Somebody is sniffing the packet stream while the VNC passwords are
being exchanged, and, during that 20
First--I believe we're talking apples and oranges. VNC is not an
appropriate solution for a true corporate network unless a firewall and
a secure link is available (and even then is dodgy). My scenario is this:
a. Random user in cyberspace has a problem.
b. User installs VNC under direction
On Mon, 25 Apr 2005, Mike Miller wrote:
If you were using Windows he could start up another VNC desktop that you
might not notice...
Sorry -- I meant to say if you were using UNIX. I assume this would not
be possible in Windows.
Mike
Berry [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 9:41 AM
To: Steve Bostedor; Andy Bruce - softwareAB
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: RE: VNC Security
Just because some people and applications perform things
insecurely does not mean
[In a message on Tue, 19 Apr 2005 21:14:50 EDT,
Steve Bostedor wrote:]
I am wondering why expose VNC over the internet in the first place, really.
Exactly what I said. VNC should *NOT* be exposed to the internet.
It's my opinion that VNC is really only good for LANs. Why not use VPN to sec
I'd like to know if anyone has any working examples of why an
unencrypted VNC session over the Internet is seen as such a horrible
security risk. I understand that unencrypted ANYTHING over the Internet
lends the chance for someone to decode the packets (assuming that they
capture every one of
connect) a port
sniffer detects that 5900 is available and immediately zooms in thru
some VNC security hole. Wez would know a lot more about this possibility
than me, though!
Am I missing something here?
Steve Bostedor wrote:
I'd like to know if anyone has any working examples of why an
unencrypted
Steve Bostedor wrote:
[snip]
I've scoured the web out of this curiosity, looking for a tool to
put VNC packets together into something useful for a hacker. There's
nothing. Nada.
Fifth hit on Google for: vnc capture playback
http://users.tpg.com.au/bdgcvb/chaosreader.html
--
William Hooper
[In a message on Tue, 19 Apr 2005 10:53:09 EDT,
William Hooper wrote:]
Steve Bostedor wrote:
[snip]
I've scoured the web out of this curiosity, looking for a tool to
put VNC packets together into something useful for a hacker. There's
nothing. Nada.
Fifth hit on Google for: vnc capture
: Alexander Bolante [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 6:25 PM
To: Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: Re: VNC Security
IMHO
NOTE:
For obvious reasons that VNC provides remote access to your machine,
Security is key (period). I'm
.
-Original Message-
From: Joshua Berry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 6:43 PM
To: Andy Bruce - softwareAB; Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: RE: VNC Security
To the original poster:
It is my *opinion* that using VNC
Crijns [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 5:15 PM
To: Andy Bruce - softwareAB
Cc: Steve Bostedor; security-basics@securityfocus.com;
vnc-list@realvnc.com
Subject: Re: VNC Security
Andy Bruce - softwareAB wrote:
5. Tell them to turn off port forwarding from the router
, 2005 4:45 PM
To: William Hooper
Cc: vnc-list@realvnc.com
Subject: Re: VNC Security
[In a message on Tue, 19 Apr 2005 10:53:09 EDT,
William Hooper wrote:]
Steve Bostedor wrote:
[snip]
I've scoured the web out of this curiosity, looking for a tool to
put VNC packets together into something
1) Other network vulnerabilities assuming the only
protocol I am allowing in is for VNC- are there any?
OK, so you're stopping all the traffic coming across the vpn to you
except vnc. That way they can't do anything else on your network except
vnc. Then by using vnc they have full control of
Hello - There is a request to allow an external
company to vnc to a box on our network behind a
firewall. In order to do this, I will setup a VPN to
protect all traffic traversing the Internet.
My question is this. Now that all of the traffic is
encrypted, are there other vulnerabilities that I
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan Watchorn
Sent: 20 July 2004 18:49
To: [EMAIL PROTECTED]
Cc: VNC List
Subject: RE: VNC security implications
In a case like this I assume you are using static addresses
for both computers (otherwise I am not sure it will work
Hi Folks, I am a bit green when it comes to setting up remote
connections to distant PCs. What I was about to try to do was to
connect from a PC running WinXP to one running Win98 (both are
connected to the internet). I then had a word with the barman in my
local pub (who is an ex PCguru) who
On Tue, 2004-07-20 at 09:39, Dave Ho wrote:
Hi Folks, I am a bit green when it comes to setting up remote
connections to distant PCs. What I was about to try to do was to
connect from a PC running WinXP to one running Win98 (both are
connected to the internet). I then had a word with the
] On Behalf Of Dave Ho
Sent: 20 July 2004 08:40
To: [EMAIL PROTECTED]
Subject: VNC security implications
Hi Folks, I am a bit green when it comes to setting up remote
connections to distant PCs. What I was about to try to do
was to connect from a PC running WinXP to one running Win98
:[EMAIL PROTECTED]
Sent: 20 July 2004 10:48
To: 'James Weatherall'
Subject: RE: VNC security implications
Hi James, Thanks for the quick reply. I have the two PCs
interconnected via an ADSL Router which has a firewall. So
they are directly connected by internal intranet. What I
would
to decrypt it first.
Alan Watchorn
[EMAIL PROTECTED]
(760) 692-4300
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Dave Ho
Sent: Tuesday, July 20, 2004 12:40 AM
To: [EMAIL PROTECTED]
Subject: VNC security implications
Hi Folks, I am a bit green when it comes
I would like to see a better encryption process for VNC, as I have had a
hacker figure out my password schema
Besides encrypting the data stream between host and client there is still
(IMO) an issue with WinVNC and storing the encrypted password in the
registry. RealVNC 4 stores its settings in
Dear Sirs:
I would like to see a better encryption process for VNC, as I have had a hacker figure
out my password schema, and actually caught him in a session of hijacking our server.
Since then, I have tightened the firewall to only accept specific IPAddresses on 5800
and 5900, but that also
Jon Lucas said:
Dear Sirs:
I would like to see a better encryption process for VNC, as I have had a
hacker figure out my password schema, and actually caught him in a
session of hijacking our server.
If someone has your password, what would better encryption get you?
--
William Hooper
Use SSH...
On Sun, 2004-06-27 at 21:33, William Hooper wrote:
Jon Lucas said:
Dear Sirs:
I would like to see a better encryption process for VNC, as I have had a
hacker figure out my password schema, and actually caught him in a
session of hijacking our server.
If someone has
If you're using Windows, let alone any server. Consider using a Virtual Private
network and a VPN appliance. Actually, you have to be crazy to let VNC server be
visible on the Internet.
For the company I work for, and manage their I.T. systems, I firstly establish a
connection by VPN using a
[EMAIL PROTECTED] said:
[snip]
Should be configurable. For instance, two bad password attempts and VNC
server will then give a bad password response even if the password is
correct, but then you have to leave VNC server alone for, say 3 minutes,
before the lock out is released and another
Would be better if the lock-out policy was implemented like Windows server does.
You have so many attempts then the account gets locked out for the nominated
duration, but there is also a counter of attempts that only gets zeroed after another
set duration.
At 00:30 28/06/2004, William
://mail.med.upenn.edu/~jellings/
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jon Lucas
Sent: Sunday, June 27, 2004 3:00 PM
To: [EMAIL PROTECTED]
Subject: VNC Security
Dear Sirs:
I would like to see a better encryption process for VNC, as I have had a
hacker
On Wed, Sep 17, 2003 at 01:09:02AM +0200, Björn Persson wrote:
Mike Miller wrote:
But it might not be a matter of time because it's so much work for so
little gain?
How little gain exactly? Your company's trade secrets? The administrator
passwords to all your servers? All the money in your bank
Bjorn:
Heya. Some comments to your comments:
If I wanted to sniff other people's VNC traffic i'd first try to find
an existing program to do this. If I couldn't find one I would:
1: use one of the existing programs that can intercept TCP sessions.
Maybe I'd have to teach it how to
Hello,
I'm a bit confused.
I currently use VNC (the Tight flavour) through an SSH tunnel, so I'm
not really concerned, but I thought (from other discussions found in the
archives) that VNC was *quite* secure as info/updates was/were sent over
the network as images (increasingly compressed, using
Michael:
Heya. I think I'm willing to split this hair over VNC
security.
First off, I agree with you that VNC users should try to
use a secure-tunnel whenever they VNC across the Internet. That
just a inarguable Good Idea. For those using VNC to remotely
administer their content
Scott C. Best wrote:
First, when you press Send
on a web-browser form, all of the data in that form is sent at
once, in well-delineated form, making the data relatively easy to
identify. In a VNC session, by comparison, every *character* is
sent as soon as you type it, along with other RFB
On Tue, 16 Sep 2003, Björn Persson wrote:
If I wanted to sniff other people's VNC traffic i'd first try to find an
existing program to do this. If I couldn't find one I would:
1: use one of the existing programs that can intercept TCP sessions.
Maybe I'd have to teach it how to recognize the
Mike Miller wrote:
But it might not be a matter of time because it's so much work for so
little gain?
How little gain exactly? Your company's trade secrets? The administrator
passwords to all your servers? All the money in your bank account?
And let me point out that the work only needs to be
On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
On Sat, 13 Sep 2003, Michael Herman wrote:
I would like to point out that VNC is not secure.
From the realVNC FAQ:
Is VNC secure?
The only really secure computer is one without a network. VNC
requires a password when a viewer tries
In message [EMAIL PROTECTED], Michael
Herman [EMAIL PROTECTED] writes
I posted my original e-mail after an off-list discussion with someone who,
using Windows 98 on both the client and server, wanted to connect to work.
This person appeared to be, from their e-mail signature, a human resources
On Sat, 13 Sep 2003, Michael Herman wrote:
I would like to point out that VNC is not secure.
From the realVNC FAQ:
Is VNC secure?
The only really secure computer is one without a network. VNC
requires a password when a viewer tries to connect to a server. This password
is encrypted to
sorry for the wrong subject on the last one...
hey...
couple of quick questions... as i was going through past msgs.. and the VNC
docs... couldn't find a suitable answer...
a vnc client app doesn't log the user into the machine. you apparently have
to have a copy of the vncserver running on