Re: vnc security flaw?

2006-06-08 Thread Jaroslaw Rafa
Alex Pelts wrote:
> I can tell you exactly how this is different, but first I want to thank

Because of top-quoting it is unclear WHAT is different... After scrolling
down the entire message I find out that it refers to my previous posting:

> > What is different in running a VNC server exposed to the Internet from
> > running a SSH (or even a telnet!) server exposed to the Internet, for
> > example? And there are many such servers out there...
> > It's like any remote access service - you run it, if you need it. Of course,


> The difference of running ssh vs running plain vnc is that you can
> secure ssh in various ways and you can't secure vnc alone. For instance
[...]
> I am sure if I try I can provide more examples for you but just these
> should be sufficient answer to your question.

I already know all the things you wrote. Did you notice that I mentioned
telnet in my original posting? I did it for a purpose, because I think plain
VNC is approximately as secure (or insecure) as telnet. And there still are
people who DO run telnet servers - moreover, they HAVE to run telnet servers
for "compatibility", because they must support some users who don't want to
use a ssh client. Same applies for VNC. There are circumstances where
running a VNC server open to the Internet makes sense. As I wrote - you have
to know what (and why) you are doing.
Regards,
   Jaroslaw Rafa
   [EMAIL PROTECTED]
-- 
Spam, viruses, spyware... had enough? There is an alternative!
http://www.firefox.pl/   ---   http://www.thunderbird.pl/
Faster. Easier. Safer. The Internet the way you like it.
___
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list


Re: vnc security flaw?

2006-06-08 Thread Alex Pelts
I can tell you exactly how this is different, but first I want to thank
Mike Miller who pointed out that you need to disable vnc connection from
 hosts other than local host. I skipped that part as being an obvious
one but it probably is not that obvious.

The difference of running ssh vs running plain vnc is that you can
secure ssh in various ways and you can't secure vnc alone. For instance
if you are a bit paranoid you can disable password authentication and
use public/private key to authenticate. This method while a bit
inconvenient is extremely hard to break. That is what should be used on
any half way important system.

VNC free edition is using simple challenge response with password length
up to 8 characters (according to security faq). ssh can support much
larger password.

ssh also prevents "man in the middle" attacks where session can be
intercepted. Free edition of vnc has no protection other than password
authentication. Given that most people's computers are not worth this kind
of attack, you are still susceptible.

ssh also supports tcp wrappers and I am not sure if vnc does. This
allows you to further limit systems that attack you. You can run
something like DenyHosts or a utility that I wrote for myself called
BanHosts. You can look up both of them on Google. Either utility will
limit number of unsuccessful connection attempts from any given host
blocking any further attempts.

I am sure if I try I can provide more examples for you but just these
should be sufficient answer to your question.

Regards,
Alex

Jaroslaw Rafa wrote:
> Alex Pelts wrote:
>> IMHO running VNC server exposed to the Internet is a bad idea in the
>> first place.
> 
> Why?
> What is different in running a VNC server exposed to the Internet from
> running a SSH (or even a telnet!) server exposed to the Internet, for
> example? And there are many such servers out there...
> It's like any remote access service - you run it, if you need it. Of course,
> if you run such a service, you should be fully aware what you're doing.
> Regards,
>Jaroslaw Rafa
>[EMAIL PROTECTED]
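
The attempt limiting that Alex describes for DenyHosts and BanHosts, sketched as an added example (not code from either utility or from the original post): it counts failed sshd password attempts per source address in a sliding window and produces TCP wrappers `hosts.deny` entries. The log lines are constructed; the threshold, window and `year` parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as written to a syslog auth log.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Jun  7 10:00:01 gw sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  7 10:00:03 gw sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Jun  7 10:00:04 gw sshd[4104]: Accepted publickey for alex from 198.51.100.20 port 51000 ssh2
Jun  7 10:00:06 gw sshd[4105]: Failed password for root from 203.0.113.7 port 40116 ssh2
Jun  7 10:05:00 gw sshd[4200]: Failed password for alex from 198.51.100.20 port 51002 ssh2
Jun  7 10:30:00 gw sshd[4300]: Failed password for alex from 198.51.100.20 port 51010 ssh2
Jun  7 11:00:00 gw sshd[4400]: Failed password for alex from 198.51.100.20 port 51020 ssh2
"""


def hosts_to_deny(log_lines, threshold=3, window=timedelta(minutes=10), year=2006):
    """Return source addresses with >= threshold failures inside the window.

    Syslog timestamps carry no year, so one is supplied (assumption).
    Addresses are returned in the order they crossed the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    denied = []
    for line in log_lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other noise
        ip = m.group("ip")
        if ip in denied:
            continue              # already blocked, nothing more to count
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        # Forget failures that fell out of the sliding window, so a user
        # who mistypes occasionally is never locked out.
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            denied.append(ip)
    return denied


def hosts_deny_entries(ips, daemon="sshd"):
    """Format addresses as TCP wrappers hosts.deny lines (daemon: client)."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_entries(hosts_to_deny(SAMPLE_AUTH_LOG.splitlines())):
        print(entry)
```

Rate limiting of this kind slows password guessing against a service that has an auth log to read; it does nothing for a VNC port that is reachable directly.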


Re: vnc security flaw?

2006-06-07 Thread Jaroslaw Rafa
[__  __] wrote:
> Dave Dyer wrote:
> > Why do you think it will never happen? I think it's inevitable.  
> > I pay for virus protection; there's real money to be made providing 
> > a better service.
> 
> I don't think you can, by any means, compare your proposition to an 
> antivirus solution. The complexities of protecting a person from 
> protecting their own ignorance, not in a demeaning sense, are so 
> multifaceted. It would literally be impossible to stay on top of every 
> single threat, and to cross-network all that information.

Hm... exploiting this vulnerability is a well-defined form of attack that
can (and probably will) be included in databases used by IDSes. I think
that is the key point of the "Norton, McAfee etc." proposition - to put this
attack into such a database.
The problem for the author of this proposition is that these Norton, McAfee
etc. products are not - and probably never will be - IDSes (Intrusion
Detection Systems). They are in fact very simple tools - they search for
known signatures of specific malware (virus/trojan/spyware) files and
connection attempts from/to known "blacklisted" Internet addresses. They can
also block specific ports and/or applications from Internet access,
providing you a firewall functionality (again, this is a very simple
firewall - I'm not sure if it's even stateful, or is it only a simple packet
filter). However, realtime analysis of incoming packets and detection of
possible attack patterns is far beyond their capabilities.
If you want a real IDS, think about spending ten or twenty times the amount
of money you are currently paying for anti-virus protection. Maybe such a
device (since it's almost always a separate piece of hardware, not simply
an application you can install on your computer) will protect you from
similar vulnerabilities instantly from the moment they become known (and -
of course - are included in the database, and "pushed" by the manufacturer
to all devices).
Regards,
   Jaroslaw Rafa
   [EMAIL PROTECTED]


Re: Re: vnc security flaw?

2006-06-07 Thread glendaharris
As a newbie to all of this, I just want to say that I really appreciate this
discussion and have learned quite a bit (It's been quite entertaining as well).
I downloaded the free version of RealVNC but I have decided to upgrade and
purchase it so that I can receive the proper support and learn as much as I can
to minimize any security threats.

Thanks everyone.
Glenda Harris
> 
> From: Hal Vaughan <[EMAIL PROTECTED]>
> Date: 2006/06/06 Tue PM 02:13:51 EDT
> To: vnc-list@realvnc.com
> Subject: Re: vnc security flaw?
> 
> On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> > It's really not realistic or reasonable to expect every PC user to be
> > their own ever-vigilant security expert.  
> 
> Yes and no.  It depends on how important security is to you.  As pointed 
> out, the flaw was posted on this list.  I find that just reading 
> Slashdot (http://slashdot.org) is enough to keep me informed of 
> security issues when I need to know about them.  I also use Debian 
> Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which 
> means a program has to be really stable to be finally classified as 
> eligible for the Stable branch.  That means most of the security 
> problems are gone by then.  In addition, a one line cron job (for the 
> uninformed, cron is easily configured to run programs at any time) 
> updates my system every night, getting only security fixes and needed 
> updates.
> 
> While you probably use different methods for safety, my point is that I 
> use a system that is known for secure updates and other issues are 
> easily flagged on Slashdot, which is one site.  There are better sites 
> for security issues, but I'm just giving one example.
> 
> > I try to keep up on these 
> > things, and I had barely noticed.   I doubt that 10% of VNC users
> > read either slashdot or vnc-list, much less never miss anything
> > important there.
> 
> I noticed it was blasted all over any news source that keeps track of 
> open source software.  Were you actually keeping up with any news?
> 
> Guess what?  Software has flaws.  I doubt there is a single piece of 
> published software without bugs and without security flaws that will be 
> discovered one day.  If you use it, it is up to you to keep up with 
> that.  For example, if you use Windows, there are frequent serious 
> issues.  Some users ignore the situation.  (They're the ones with so 
> much malware they can barely use their computers.)  Some users get 
> automatic updates, but this is risky because sometimes Windows updates 
> hose the system.  Then there are the aware users that know that for 
> safety, they need to keep up with all the security issues and that many 
> times there are 3rd party patches/fixes out before MS issues fixes.
> 
> > Two things that occur to me that "ought" to have happened, which
> > might have increased the visibility.
> >
> > 1) vnc should maintain its own list, reserved for security flash
> > alerts only, and strongly encourage anyone who installs vnc
> > to sign up.
> >
> > 2) word should have been passed to Norton, McAfee, etc. so they
> > could target vulnerable versions of vnc on behalf of their customers.
> > I don't know if this mechanism exists, but it ought to.
> 
> Symantec and the other companies keep up with this stuff.  Personally, I 
> don't use them, since I use other security measures (and wouldn't be 
> caught dead using Windows, other than testing my software for my 
> clients).  They know about it when exploits are published, and this one 
> was published through all or most (that I saw) appropriate channels.
> 
> As I said, I don't use Symantec or McAfee products, but I'm not sure
> that they can protect from issues like this.  They can watch for 
> malware and viruses, and will watch for whatever is in their 
> definitions, but I don't think they go out of their way to protect you 
> from flaws in other programs.  With that in consideration, any malware 
> known to attack RealVNC or other programs would end up in their 
> database as soon as possible and would be downloaded to your system 
> with your next regular update.  (You do update daily, don't you?)
> 
> I'm not trying to be a pain, but, in the long run, the security of your 
> computer is YOUR responsibility.  Maybe this will help, in the long 
> run, by alerting you to the fact that you do have to find ways to 
> ensure your systems' safety.
> 
> Hal


Re: vnc security flaw?

2006-06-07 Thread ·· ħþø ··

Jaroslaw Rafa wrote:
> Why?
> What is different in running a VNC server exposed to the Internet from
> running a SSH (or even a telnet!) server exposed to the Internet, for
> example? And there are many such servers out there...
> It's like any remote access service - you run it, if you need it. Of course,
> if you run such a service, you should be fully aware what you're doing.


Well, that's sort of what he's saying; I myself have three VNC'd 
computers constantly exposed to the Internet, BUT they're locked down 
inside the Hamachi network, with three medium-strength passwords between 
them and the world. And additionally, VNC was not initially designed for 
security -- I mean, you do now have the 1024-bit cipher or whatever it
is now -- but SSH, like the name implies, was created to be secure. It's 
like trying to use a bicycle pump on your car tires -- it'll work, but 
that's not what it was intended to do.



Re: vnc security flaw?

2006-06-07 Thread Hal Vaughan
On Tuesday 06 June 2006 16:40, Dave Dyer wrote:
> >> 2) word should have been passed to Norton, McAfee, etc. so they
> >> could target vulnerable versions of vnc on behalf of their
> >> customers. I don't know if this mechanism exists, but it ought to.
> >
> >This one is never going to happen for countless reasons. No company
> > will make your box secure if you won't.
>
> Why do you think it will never happen? I think it's inevitable.
> I pay for virus protection; there's real money to be made providing
> a better service.

I think that very statement shows a complete misunderstanding of the 
nature of fighting viruses and malware.

It's not going to happen because it's not possible.

Face it, if you want to keep your computer secure and you keep it hooked 
up to the Internet, the bottom line is that the security of your system 
is your responsibility.

THAT IS FACT.

You can either face that fact or face malware.  It's up to you.

Hal


Re: vnc security flaw?

2006-06-07 Thread Mike Miller

On Tue, 6 Jun 2006, Alex Pelts wrote:

> IMHO, VNC people did all they could to fix the problem and post the
> update. It is up to the users to make sure they are up to date. If you
> do not like RealVNC security record you are always free to run any other
> software. There are really many choices you can make:
> 1. Run VPN with strong authentication and use your VNC over VPN.
> 2. Run ssh and tunnel over ssh, which is really equivalent to #1
> 3. Keep your VNC up to date if you insist on exposing it to the net.
> 4. Run any other software that you deem more secure.


These are good ideas, but we should note that #1 and #2 above would not 
protect you from attack unless VNC was not accepting connections from 
outside SSH or VPN.  You must set the RealVNC server to "Only accept 
connections from the local machine":


http://www.realvnc.com/products/free/4.1/winvnc.html

Then use SSH port forwarding in combination with that so that an attacker 
would have to connect by SSH to get access to VNC.  Otherwise, your use of 
SSH would have protected you from snooping, but it did not protect you 
from the major vulnerability that was discovered last month.


Mike
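
The check Mike describes, as an added example that is not part of the original post: a Python helper that reads a listening-socket listing (`ss -ltn`, `netstat -ltn` or Windows `netstat -an`) and reports VNC ports bound to anything other than loopback. The sample listings are constructed, and the port ranges 5900-5909 and 5800-5809 are the conventional VNC defaults, assumed here.

```python
import ipaddress
import re

# Conventional VNC ports: 5900+N for display N, 5800+N for the HTTP/Java
# viewer. Covering ten displays is an assumption made for this example.
VNC_PORTS = set(range(5900, 5910)) | set(range(5800, 5810))

# "address:port" as printed in the Local Address column.
_ENDPOINT = re.compile(r"^(?P<addr>.*):(?P<port>\d+)$")

# Constructed samples. First: VNC reachable from any interface.
SAMPLE_EXPOSED = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900        0.0.0.0:*
LISTEN  0       5       [::]:5800           [::]:*
"""

# Second: server set to accept connections from the local machine only,
# so the only way in is an SSH forward such as
#   ssh -L 5901:localhost:5900 user@host   (placeholder user and host)
SAMPLE_LOCAL_ONLY = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:5900      0.0.0.0:*
LISTEN  0       5       [::1]:5900          [::]:*
"""

# Third: the same check against Windows `netstat -an` layout.
SAMPLE_WINDOWS = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      198.51.100.5:80        ESTABLISHED
"""


def _normalize(addr):
    """Drop IPv6 brackets and any %interface suffix."""
    return addr.strip("[]").split("%", 1)[0]


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # "*" and anything unparseable is treated as not loopback,
        # which errs on the side of reporting it.
        return False


def exposed_vnc_listeners(listing):
    """Return [(address, port)] for VNC ports listening beyond loopback."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        # Matches LISTEN (ss, Linux netstat) and LISTENING (Windows).
        if not any(f.startswith("LISTEN") for f in fields):
            continue
        # The local endpoint is the first address:port token on the line.
        match = next((m for m in map(_ENDPOINT.match, fields) if m), None)
        if match is None:
            continue
        addr = _normalize(match.group("addr"))
        port = int(match.group("port"))
        if port in VNC_PORTS and not _is_loopback(addr):
            findings.append((addr, port))
    return findings


if __name__ == "__main__":
    for name, sample in [("exposed", SAMPLE_EXPOSED),
                         ("local only", SAMPLE_LOCAL_ONLY),
                         ("windows", SAMPLE_WINDOWS)]:
        print(name, exposed_vnc_listeners(sample))
```

An empty result with sshd still listening is the state in which the tunnel, rather than the VNC password, is what stands between the network and the desktop.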


Re: vnc security flaw?

2006-06-07 Thread virus

John Aldrich wrote:
> [EMAIL PROTECTED] wrote on Tuesday, June 06, 2006 5:11 PM:
>
>> Probably the way to protect people from doing stupid
>> things is to electrocute them any time they are clicking
>> on attachment to develop a reflex.
>
> (BOFH Mode=ON)
> Hmm... I *like* that idea.
> (BOFH Mode=OFF)


see http://www.youtube.com/watch?v=ry7u6JF_B1c - hehehe :-)

GTi


RE: vnc security flaw?

2006-06-07 Thread John Aldrich
[EMAIL PROTECTED] wrote on Tuesday, June 06, 2006 5:11 PM:

>
> It is simply impossible to protect a person from himself.
>[snip]
> 
> Probably the way to protect people from doing stupid
> things is to electrocute them any time they are clicking
> on attachment to develop a reflex.
> 
(BOFH Mode=ON)
Hmm... I *like* that idea. 
(BOFH Mode=OFF)

Seriously, some people almost *deserve* what they get if they ignore
warnings not to do stuff like that. Or if they ignore the security updates,
etc. Unfortunately, taking that attitude leads to worse problems on the
corporate network. *sigh* Oh, well... Back to troubleshooting PCs. ;-)


Re: vnc security flaw?

2006-06-07 Thread ·· ħþø ··

Alex Pelts wrote:
> It is simply impossible to protect a person from himself. At this time
> pretty much anyone should know that clicking on attachments is bad yet
> everyone still does it. With amount of scams going on you would think
> that people would be suspicious of emails asking them to type in their
> user name and password AND credit card number AND expiration date in to
> some website that looks like their bank. And yet lots of money changed
> their owner based on various scams.
>
> Probably the way to protect people from doing stupid things is to
> electrocute them any time they are clicking on attachment to develop a
> reflex.


I work in computer troubleshooting, and honestly some of the stuff I've 
seen that people do to their machines, even /watched/ them do, is 
ridiculous. I guess common sense got lost somewhere between the dawn of 
time and now.


But hey, the electrocution thing sounds promising. Business opportunity, 
eh? :)



Chris


Re: vnc security flaw?

2006-06-07 Thread Alex Pelts
Well,
Let's say you pay money to Symantec; why don't you ask them to protect
your pc? What does RealVNC have to do with it?

I pay money to RealVNC people for EE and I got my email notifying me
about security update. So I have no beef with RealVNC as they provide
the service I pay for.

I think 2) will not happen because there is no money in it for RealVNC
only for Symantec and companies like them. RealVNC provides a free
version with community support and that means you have to do your
homework. If you want real support pay for it and you will get it.

Some people are running VNC v3.x and asking questions about it. That
means people don't bother to update for various reasons. Sometimes these
are good reasons, sometimes they are not.

In general out of two things you mentioned VNC people did at least one:
they notified this list about available update as well as sent emails to
their paying customers. There is also announce list which was notified
as well. That is a very low email volume list to which anyone running
RealVNC should subscribe.

So what I am trying to say RealVNC provided all needed information in a
timely manner to prevent most of the users running their software from
getting in trouble. If some of the users failed to use this information
it is not exactly RealVNC's fault.

Regards,
Alex

Dave Dyer wrote:
>>> 2) word should have been passed to Norton, McAfee, etc. so they
>>> could target vulnerable versions of vnc on behalf of their customers.
>>> I don't know if this mechanism exists, but it ought to.
>> This one is never going to happen for countless reasons. No company will
>> make your box secure if you won't.
> 
> Why do you think it will never happen? I think it's inevitable.  
> I pay for virus protection; there's real money to be made providing 
> a better service.


Re: vnc security flaw?

2006-06-07 Thread Alex Pelts
> I don't think you can, by any means, compare your proposition to an
> antivirus solution. The complexities of protecting a person from
> protecting their own ignorance, not in a demeaning sense, are so
> multifaceted. It would literally be impossible to stay on top of every
> single threat, and to cross-network all that information.
> 
> But hey, if you think it's possible, go for it.

It is simply impossible to protect a person from himself. At this time
pretty much anyone should know that clicking on attachments is bad yet
everyone still does it. With amount of scams going on you would think
that people would be suspicious of emails asking them to type in their
user name and password AND credit card number AND expiration date in to
some website that looks like their bank. And yet lots of money changed
their owner based on various scams.

Probably the way to protect people from doing stupid things is to
electrocute them any time they are clicking on attachment to develop a
reflex.

Regards,
Alex


Re: vnc security flaw?

2006-06-07 Thread ·· ħþø ··

Dave Dyer wrote:
> Why do you think it will never happen? I think it's inevitable.
> I pay for virus protection; there's real money to be made providing
> a better service.


I don't think you can, by any means, compare your proposition to an 
antivirus solution. The complexities of protecting a person from 
protecting their own ignorance, not in a demeaning sense, are so 
multifaceted. It would literally be impossible to stay on top of every 
single threat, and to cross-network all that information.


But hey, if you think it's possible, go for it.


Re: vnc security flaw?

2006-06-07 Thread Dave Dyer
>> 2) word should have been passed to Norton, McAfee, etc. so they
>> could target vulnerable versions of vnc on behalf of their customers.
>> I don't know if this mechanism exists, but it ought to.
>
>This one is never going to happen for countless reasons. No company will
>make your box secure if you won't.

Why do you think it will never happen? I think it's inevitable.  
I pay for virus protection; there's real money to be made providing 
a better service.


Re: vnc security flaw?

2006-06-07 Thread ·· ħþø ··

Dave Dyer wrote:
> It's really not realistic or reasonable to expect every PC user to be
> their own ever-vigilant security expert.  I try to keep up on these things,
> and I had barely noticed.   I doubt that 10% of VNC users read either
> slashdot or vnc-list, much less never miss anything important there.


I see it as their fault for being ignorant, on two points. A) They 
expect to be completely safe when exposed to the Internet, especially in 
consideration of how powerful VNC is. If you don't like the fact that 
you're always going to be, to some degree, vulnerable, unplug. B) They 
expect that a program is going to be one hundred percent perfect from 
the get-go. I'm not knocking on RealVNC's developers, but nothing is 
perfect. It's a good goal, but you could test something forever and 
forever and not find every possible bug. It's in the hands of the user 
to be vigilant in protecting themselves. The company should be held 
responsible if the users aren't willing to help themselves.



> 1) vnc should maintain its own list, reserved for security flash
> alerts only, and strongly encourage anyone who installs vnc
> to sign up.


If people actually care, how about they sign up on the list already 
provided and take, I don't know, 60 seconds out of their day to scan the 
list for anything important or interesting?



> 2) word should have been passed to Norton, McAfee, etc. so they
> could target vulnerable versions of vnc on behalf of their customers.
> I don't know if this mechanism exists, but it ought to.


You want unrealistic? Bingo. That sort of thing takes time, money, and
resources. Not something that a string of companies are going to throw 
out so that customers for a different product are protected. Ideally, 
yeah, something like this would be in place, but in the real world, it's 
but a pipe dream.



Re: vnc security flaw?

2006-06-07 Thread Jaroslaw Rafa
Alex Pelts wrote:
> 
> IMHO running VNC server exposed to the Internet is a bad idea in the
> first place.

Why?
What is different in running a VNC server exposed to the Internet from
running a SSH (or even a telnet!) server exposed to the Internet, for
example? And there are many such servers out there...
It's like any remote access service - you run it, if you need it. Of course,
if you run such a service, you should be fully aware what you're doing.
Regards,
   Jaroslaw Rafa
   [EMAIL PROTECTED]


Re: vnc security flaw?

2006-06-07 Thread Alex Pelts
Dave Dyer wrote:
> 1) vnc should maintain its own list, reserved for security flash
> alerts only, and strongly encourage anyone who installs vnc
> to sign up.

That is not such a bad idea but this security problem only happened once
since I started using VNC (as far as I recall), and I started using VNC
back when it was part of ATT.

When you are connected to the Internet you are by definition not secure. It
is funny how everyone is expecting nothing bad to happen.

> 
> 2) word should have been passed to Norton, McAfee, etc. so they
> could target vulnerable versions of vnc on behalf of their customers.
> I don't know if this mechanism exists, but it ought to.

This one is never going to happen for countless reasons. No company will
make your box secure if you won't.

IMHO, VNC people did all they could to fix the problem and post the
update. It is up to the users to make sure they are up to date. If you
do not like RealVNC security record you are always free to run any other
software. There are really many choices you can make:
1. Run VPN with strong authentication and use your VNC over VPN.
2. Run ssh and tunnel over ssh, which is really equivalent to #1
3. Keep your VNC up to date if you insist on exposing it to the net.
4. Run any other software that you deem more secure.

These are your choices.

Regards,
Alex


Re: vnc security flaw?

2006-06-07 Thread Hal Vaughan
On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> It's really not realistic or reasonable to expect every PC user to be
> their own ever-vigilant security expert.  

Yes and no.  It depends on how important security is to you.  As pointed 
out, the flaw was posted on this list.  I find that just reading 
Slashdot (http://slashdot.org) is enough to keep me informed of 
security issues when I need to know about them.  I also use Debian 
Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which 
means a program has to be really stable to be finally classified as 
eligible for the Stable branch.  That means most of the security 
problems are gone by then.  In addition, a one line cron job (for the 
uninformed, cron is easily configured to run programs at any time) 
updates my system every night, getting only security fixes and needed 
updates.

While you probably use different methods for safety, my point is that I 
use a system that is known for secure updates and other issues are 
easily flagged on Slashdot, which is one site.  There are better sites 
for security issues, but I'm just giving one example.

> I try to keep up on these 
> things, and I had barely noticed.   I doubt that 10% of VNC users
> read either slashdot or vnc-list, much less never miss anything
> important there.

I noticed it was blasted all over any news source that keeps track of 
open source software.  Were you actually keeping up with any news?

Guess what?  Software has flaws.  I doubt there is a single piece of 
published software without bugs and without security flaws that will be 
discovered one day.  If you use it, it is up to you to keep up with 
that.  For example, if you use Windows, there are frequent serious 
issues.  Some users ignore the situation.  (They're the ones with so 
much malware they can barely use their computers.)  Some users get 
automatic updates, but this is risky because sometimes Windows updates 
hose the system.  Then there are the aware users that know that for 
safety, they need to keep up with all the security issues and that many 
times there are 3rd party patches/fixes out before MS issues fixes.

> Two things that occur to me that "ought" to have happened, which
> might have increased the visibility.
>
> 1) vnc should maintain its own list, reserved for security flash
> alerts only, and strongly encourage anyone who installs vnc
> to sign up.
>
> 2) word should have been passed to Norton, McAfee, etc. so they
> could target vulnerable versions of vnc on behalf of their customers.
> I don't know if this mechanism exists, but it ought to.

Symantec and the other companies keep up with this stuff.  Personally, I 
don't use them, since I use other security measures (and wouldn't be 
caught dead using Windows, other than testing my software for my 
clients).  They know about it when exploits are published, and this one 
was published through all or most (that I saw) appropriate channels.

As I said, I don't use Symantec or McAfee products, but I'm not sure
that they can protect from issues like this.  They can watch for 
malware and viruses, and will watch for whatever is in their 
definitions, but I don't think they go out of their way to protect you 
from flaws in other programs.  With that in consideration, any malware 
known to attack RealVNC or other programs would end up in their 
database as soon as possible and would be downloaded to your system 
with your next regular update.  (You do update daily, don't you?)

I'm not trying to be a pain, but, in the long run, the security of your 
computer is YOUR responsibility.  Maybe this will help, in the long 
run, by alerting you to the fact that you do have to find ways to 
ensure your systems' safety.

Hal


Re: vnc security flaw?

2006-06-07 Thread cpz
Hi guys, I just had that experience. However, I have Zone Alarm
installed so when the intruder tried to download the trojan file, my
Zone Alarm blocked it. Still, the intruder caused certain programs not
to function correctly but I could just reinstall them. I signed up
for a mail list in VNC, the announcer mail list. I hope this is the
mail list for announcing new updates.
Peter Zheng
ENSC SFU
On Tue, 06 Jun 2006 10:15:42 -0700 [EMAIL PROTECTED] wrote:
> It's really not realistic or reasonable to expect every PC user to be
> their own ever-vigilant security expert. I try to keep up on these things,
> and I had barely noticed. I doubt that 10% of VNC users read either
> slashdot or vnc-list, much less never miss anything important there.
>
> Two things that occur to me that "ought" to have happened, which might
> have increased the visibility.
>
> 1) vnc should maintain its own list, reserved for security flash
> alerts only, and strongly encourage anyone who installs vnc
> to sign up.
>
> 2) word should have been passed to Norton, McAfee, etc. so they
> could target vulnerable versions of vnc on behalf of their customers.
> I don't know if this mechanism exists, but it ought to.


Re: vnc security flaw?

2006-06-06 Thread Dave Dyer
It's really not realistic or reasonable to expect every PC user to be 
their own ever-vigilant security expert.  I try to keep up on these things,
and I had barely noticed.   I doubt that 10% of VNC users read either
slashdot or vnc-list, much less never miss anything important there.

Two things that occur to me that "ought" to have happened, which might 
have increased the visibility.

1) vnc should maintain its own list, reserved for security flash
alerts only, and strongly encourage anyone who installs vnc
to sign up.

2) word should have been passed to norton, McAfee, etc so they
could target vulnerable versions of vnc on behalf of their customers.
I don't know if this mechanism exists, but it ought to.


Re: vnc security flaw?

2006-06-06 Thread Alex Pelts
Dave,
The fix was posted the next day after the flaw was discovered. At that time
there were no exploits or they were not prevalent. I am not so sure what
the VNC team could do to better inform people. Discovery of the flaw was
published on slashdot and this list.
I am not trying to say that this is your fault but am just wondering what
you want the VNC team to do.

IMHO running VNC server exposed to the Internet is a bad idea in the
first place.

Regards,
Alex


Dave Dyer wrote:
>> Both of you need to keep up on your software -- a new version was recently 
>> released to solve severe security flaw in the v4.x line. The trojans you got 
>> obviously exploited this flaw.
> 
> I can't argue with that, but this security flaw and the need for updating
> didn't get a lot of airplay.  I'm just trying to raise the level of
> awareness - that it's not just a theoretical vulnerability - it's being
> actively exploited.


Re: vnc security flaw?

2006-06-06 Thread Dave Dyer
>Both of you need to keep up on your software -- a new version was recently 
>released to solve severe security flaw in the v4.x line. The trojans you got 
>obviously exploited this flaw.

I can't argue with that, but this security flaw and the need for updating
didn't get a lot of airplay.  I'm just trying to raise the level of
awareness - that it's not just a theoretical vulnerability - it's being
actively exploited.


Re: vnc security flaw?

2006-06-06 Thread ·· ħþø ··

Darkman wrote:
I let my norton expire for a few days, and noticed in my event viewer 
a number of connections to VNC from various other countries. however I 
didn't notice the icon turning black as it would in a connection mode. 
so I was wondering if I am being connected to, via some trojan. I did a 
scan today after updating norton and found one trojan and one or two 
other website deposited remote access files

anyone ever see connection instances in their event logs?

- Original Message - From: "Dave Dyer" <[EMAIL PROTECTED]>
To: 
Sent: Monday, June 05, 2006 3:37 PM
Subject: Re: vnc security flaw?



Last night, while inactive and unattended, my machine picked
up a trojan of the "firefly" family of remote control trojans.
http://www.sophos.com/virusinfo/analyses/trojfireflyb.html

Since the trojan's init file contained my vnc server password, I suspect that
vnc was somehow related to the event.  I was running 4.1.1 free edition.


Both of you need to keep up on your software -- a new version was 
recently released to solve severe security flaw in the v4.x line. The 
trojans you got obviously exploited this flaw.



Re: vnc security flaw?

2006-06-06 Thread Darkman
I let my norton expire for a few days, and noticed in my event viewer a number 
of connections to VNC from various other countries. however I didn't notice 
the icon turning black as it would in a connection mode. so I was wondering 
if I am being connected to, via some trojan. I did a scan today after 
updating norton and found one trojan and one or two other website deposited 
remote access files

anyone ever see connection instances in their event logs?

- Original Message - 
From: "Dave Dyer" <[EMAIL PROTECTED]>

To: 
Sent: Monday, June 05, 2006 3:37 PM
Subject: Re: vnc security flaw?



Last night, while inactive and unattended, my machine picked
up a trojan of the "firefly" family of remote control trojans.
http://www.sophos.com/virusinfo/analyses/trojfireflyb.html

Since the trojan's init file contained my vnc server password, I suspect that
vnc was somehow related to the event.  I was running 4.1.1 free edition.


Re: vnc security flaw?

2006-06-06 Thread Dave Dyer
Last night, while inactive and unattended, my machine picked
up a trojan of the "firefly" family of remote control trojans.
http://www.sophos.com/virusinfo/analyses/trojfireflyb.html

Since the trojan's init file contained my vnc server password, I suspect that 
vnc was somehow related to the event.  I was running 4.1.1 free edition.


Re: VNC security patches

2006-05-15 Thread Rex Dieter

James Weatherall wrote:

Some important security patches have been made to VNC server software.

We strongly recommend that users of VNC 4 series servers upgrade as soon as
possible.

http://www.realvnc.com/upgrade.html


Where's the source?  Coming soon I hope?  (:

-- Rex


Re: vnc security

2006-05-11 Thread Alex Pelts
google is your friend (maybe if they don't cooperate with federal 
government too much.)


Regards,
Alex


Eric wrote:

Is there a good FAQ or HOWTO on ssh with vnc? what is the url
Thanks


- Original Message - 
From: "John Aldrich" <[EMAIL PROTECTED]>

To: "'-Paul'" <[EMAIL PROTECTED]>; 
Sent: Tuesday, May 09, 2006 1:00 PM
Subject: RE: vnc security



-Paul wrote on :


When I loaded the realvnc onto my WinME computer I got an
additional warning about security that I didn't get on
my WinXP computers. Something about the passwords not
being secure?

A potential intruder would still have to type my password
correctly to gain entry thru the 5902 port (the port I
used) wouldn't they? If its a bunch of random letters and
numbers wouldn't that still be kind of difficult?

I suppose I could check the box that says the local user
will be prompted to allow the connection. That would mean
I couldn't access that computer unless someone was there,
but if that improves security, that would be a reasonable
tradeoff.


Paul:
If you're really wanting to increase security, you should go with some sort
of encryption, either through tunnelling through SSH or using
Personal/Enterprise version of RealVNC which has encryption built-in.

That being said, what the warning is really saying is that, theoretically,
someone could decrypt the password if they had access to the local console.
On the other hand, if they've got access to the local console, you've got
more important security problems than someone being able to decrypt the
scrambled password. :-)


Re: vnc security

2006-05-11 Thread Eric
Is there a good FAQ or HOWTO on ssh with vnc? what is the url
Thanks


- Original Message - 
From: "John Aldrich" <[EMAIL PROTECTED]>
To: "'-Paul'" <[EMAIL PROTECTED]>; 
Sent: Tuesday, May 09, 2006 1:00 PM
Subject: RE: vnc security


> -Paul wrote on :
>
> > When I loaded the realvnc onto my WinME computer I got an
> > additional warning about security that I didn't get on
> > my WinXP computers. Something about the passwords not
> > being secure?
> >
> > A potential intruder would still have to type my password
> > correctly to gain entry thru the 5902 port (the port I
> > used) wouldn't they? If its a bunch of random letters and
> > numbers wouldn't that still be kind of difficult?
> >
> > I suppose I could check the box that says the local user
> > will be prompted to allow the connection. That would mean
> > I couldn't access that computer unless someone was there,
> > but if that improves security, that would be a reasonable
> > tradeoff.
> >
> Paul:
> If you're really wanting to increase security, you should go with some sort
> of encryption, either through tunnelling through SSH or using
> Personal/Enterprise version of RealVNC which has encryption built-in.
>
> That being said, what the warning is really saying is that, theoretically,
> someone could decrypt the password if they had access to the local console.
> On the other hand, if they've got access to the local console, you've got
> more important security problems than someone being able to decrypt the
> scrambled password. :-)


RE: vnc security

2006-05-10 Thread James Weatherall
Hi Paul,

The message indicates that the password cannot be stored securely under
Windows 95/98/Me systems.  If you're using VNC Password Authentication, then
the password is stored in an obfuscated format in the computer's registry,
and any program that has access to the registry could in principle just read
the password straight out of it - they wouldn't need to "crack" it.  On
Windows NT4/2K/XP, etc, the password is stored with appropriate permissions
set, to avoid this issue.

Cheers,

Wez @ RealVNC Ltd.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of -Paul
> Sent: 09 May 2006 20:09
> To: John Aldrich
> Cc: vnc-list@realvnc.com
> Subject: Re: vnc security
> 
> John Aldrich wrote:
> 
> > That being said, what the warning is really saying is that, theoretically,
> > someone could decrypt the password if they had access to the local console.
> > On the other hand, if they've got access to the local console, you've got
> > more important security problems than someone being able to decrypt the
> > scrambled password. :-)
> 
> Ok, thanks for clarifying that for me.
> I'm less worried about that. I think if someone broke into my house
> they would more likely just carry off all my computers rather than
> sit there and see if they can figure out how to crack the password
> to access my local network.
> 
> ~Paul


Re: vnc security

2006-05-09 Thread -Paul

John Aldrich wrote:


That being said, what the warning is really saying is that, theoretically,
someone could decrypt the password if they had access to the local console.
On the other hand, if they've got access to the local console, you've got
more important security problems than someone being able to decrypt the
scrambled password. :-)


Ok, thanks for clarifying that for me.
I'm less worried about that. I think if someone broke into my house
they would more likely just carry off all my computers rather than
sit there and see if they can figure out how to crack the password
to access my local network.

~Paul


RE: vnc security

2006-05-09 Thread John Aldrich
-Paul wrote on :

> When I loaded the realvnc onto my WinME computer I got an
> additional warning about security that I didn't get on
> my WinXP computers. Something about the passwords not
> being secure? 
> 
> A potential intruder would still have to type my password
> correctly to gain entry thru the 5902 port (the port I
> used) wouldn't they? If its a bunch of random letters and
> numbers wouldn't that still be kind of difficult?
> 
> I suppose I could check the box that says the local user
> will be prompted to allow the connection. That would mean
> I couldn't access that computer unless someone was there,
> but if that improves security, that would be a reasonable
> tradeoff. 
> 
Paul:
If you're really wanting to increase security, you should go with some sort
of encryption, either through tunnelling through SSH or using
Personal/Enterprise version of RealVNC which has encryption built-in.

That being said, what the warning is really saying is that, theoretically,
someone could decrypt the password if they had access to the local console.
On the other hand, if they've got access to the local console, you've got
more important security problems than someone being able to decrypt the
scrambled password. :-)


Re: VNC Security and Privacy

2005-08-30 Thread Angelo Sarto
You can have view only clients (e.g. a demo) or possibly someone is just
showing you something but you may have left your password stored in the
clipboard. (not that I store my passwords somewhere where I can cut and
paste them ;)

--Angelo

On 8/30/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
wrote:
>
> I hope this does not get mailed more than once, had a wee problem with my
> registered address.
>
> I am curious, the documentation from the VNC page has the following;
>
> Send clipboard updates to clients
> SendCutText=true/false This option, if unticked, prevents the VNC Server from
> informing clients of changes to its local clipboard contents. This can be
> useful when untrusted clients are to be allowed to connect to the VNC Server,
> since it prevents any private data being accidentally leaked via the clipboard.
>
> The above refers to untrusted clients connecting to the server, why would
> you allow an untrusted client to connect anyway.
>
> Geoff Lane
>
>
>
> Welwyn Hatfield Computer Club
> www.whcc.co.uk 


RE: VNC security

2005-08-17 Thread James Weatherall
Bernard,

> Alternatively it's possible to configure VNC to only accept connections
> from localhost. This requires a VPN to be set up between the remote and
> local machines. That can use any type of encryption your IT guys think
> is required. Even if the blackhats sniff the network traffic it won't
> get them in. As a former IT guy I prefer this approach.

You would configure VNC to accept connections only from localhost if you
were tunnelling via something like SSH, not when accessing systems via a
VPN.

A VPN will typically appear to the two computers as a distinct network
interface, through which the other computer is accessible.  This is
*precisely* the sort of configuration that Mike *doesn't* want, since it
means that the two computers are effectively then exposed to each other
directly, and viruses can easily propagate using security loop-holes such as
those often found in Windows File Sharing.

Regards,

Wez @ RealVNC Ltd.
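
A check for the localhost-only setup discussed in this message (VNC reachable only through an SSH tunnel), as an added example that is not part of the original post or RealVNC's code: it reads `ss -ltn` / `netstat -an` style output and reports VNC listeners bound to anything other than loopback. The 5900-5999 port range, the function names and the sample socket table are assumptions constructed for illustration.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Assumption: VNC displays listen on the conventional ports 5900+N
# (the thread mentions 5902); adjust if the server uses another port.
VNC_PORTS = range(5900, 6000)

# Matches "host:port" tokens such as 0.0.0.0:5900, [::1]:5901 or :::5900.
_ADDR = re.compile(r"^(?P<host>.*):(?P<port>\d+)$")


class Listener(NamedTuple):
    host: str
    port: int
    loopback_only: bool


def _is_loopback(host: str) -> bool:
    """True only when the bind address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets / scope id
    if host in ("", "*"):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than trust it


def vnc_listeners(socket_table: str) -> List[Listener]:
    """Return every listening socket on a VNC port found in the table."""
    found = []
    for line in socket_table.splitlines():
        fields = line.split()
        # Keep LISTEN (ss, Linux netstat) and LISTENING (Windows netstat) rows.
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        for field in fields:
            match = _ADDR.match(field)
            if match is None:
                continue
            # The first host:port token on the row is the local address.
            port = int(match.group("port"))
            if port in VNC_PORTS:
                host = match.group("host")
                found.append(Listener(host, port, _is_loopback(host)))
            break
    return found


def exposed_vnc_listeners(socket_table: str) -> List[Listener]:
    """VNC listeners that can be reached without going through a tunnel."""
    return [l for l in vnc_listeners(socket_table) if not l.loopback_only]


# Constructed sample (not from the thread): `ss -ltn` rows plus one
# Windows `netstat -an` row, mixed only to exercise both formats.
SAMPLE_SOCKET_TABLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5            0.0.0.0:5902      0.0.0.0:*
LISTEN 0      5               [::]:5902         [::]:*
  TCP    192.168.1.20:5900      0.0.0.0:0       LISTENING
"""

if __name__ == "__main__":
    for item in vnc_listeners(SAMPLE_SOCKET_TABLE):
        state = "loopback only" if item.loopback_only else "EXPOSED"
        print(f"{item.host}:{item.port} -> {state}")
```
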


RE: VNC security

2005-08-17 Thread James Weatherall
Bernard et al,

> >specific users is a secure activity, but our IT guys are now saying that
> >it doesn't necessarily protect our systems from worms or viruses that
> >may already inhabit the trusted user's computers.
> 
> That's correct, in that if there was a weakness in VNC it could be 
> exploited through the open port.

No, it isn't.  They are talking about viruses/worms propagating, which is
not possible via the RFB protocol.

> VNC server there. To find that out they would need to sniff all of the
> network traffic to see what addresses were in use. If they succeeded in
> doing that they would also harvest the password.

This is not true.  The authentication scheme used by VNC Free Edition uses a
challenge-response protocol to protect the password.  Session data is not
protected, however, unless you use VNC Personal or Enterprise Edition at
both ends.

Regards,

Wez @ RealVNC Ltd.


RE: VNC security

2005-08-17 Thread James Weatherall
Mike,

Neither worms nor viruses can propagate via a VNC connection, since the
protocol contains no scripting or executable elements.

The main issues with opening a firewall  to allow VNC access are to do with
session snooping, tampering and impersonation attacks, which are pretty
rare.  VNC Enterprise and Personal Editions (http://www.realvnc.com) have
in-built security to protect from such attacks, or you can tunnel your VNC
connections via a secondary protocol such as SSH.

Regards,

Wez @ RealVNC Ltd.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of mbrown
> Sent: 16 August 2005 20:04
> To: vnc-list@realvnc.com
> Subject: VNC security
> 
> We are behind a firewall, but want to get VNC to allow consultants we
> trust to have remote access to our computers (and vice versa).  Past
> posts to this list convinced me that opening a port in the firewall for
> specific users is a secure activity, but our IT guys are now saying that
> it doesn't necessarily protect our systems from worms or viruses that
> may already inhabit the trusted user's computers.
> 
> Does anyone have a response to this?  It seems logical.  Would we want
> to require that any remote user that traverses our firewall via VNC have
> an acceptable virus scan before doing so?  Are there particular VNC
> products that would be best for both us and our clients?  Can our
> clients use the free version?
> 
> 
> Mike Brown
> Salt Lake City


Re: VNC security

2005-08-17 Thread Bernard Peek
In message <[EMAIL PROTECTED]>, mbrown <[EMAIL PROTECTED]> writes

We are behind a firewall, but want to get VNC to allow consultants we
trust to have remote access to our computers (and vice versa).  Past
posts to this list convinced me that opening a port in the firewall for
specific users is a secure activity, but our IT guys are now saying that
it doesn't necessarily protect our systems from worms or viruses that
may already inhabit the trusted user's computers.


That's correct, in that if there was a weakness in VNC it could be 
exploited through the open port. There are ways of reducing the risk 
though. The firewall can be configured to only forward packets coming 
from a specific IP address. That limits the risk. Anyone probing the 
port from a different address wouldn't be able to tell that there was a 
VNC server there. To find that out they would need to sniff all of the 
network traffic to see what addresses were in use. If they succeeded in 
doing that they would also harvest the password.


Alternatively it's possible to configure VNC to only accept connections 
from localhost. This requires a VPN to be set up between the remote and 
local machines. That can use any type of encryption your IT guys think 
is required. Even if the blackhats sniff the network traffic it won't 
get them in. As a former IT guy I prefer this approach.


But you also have to decide whether your IT guy's objection is just a 
subtle way of saying "we're busy, and we have better things to do with 
our time." If that's so then you need to establish a compelling business 
case that justifies the extra effort required to configure and maintain 
a link. If you can't do that then expect the next objection from the IT 
guys to be less subtle. Bear in mind that every extra service across the 
firewall increases the risk to a greater or lesser degree, and they are 
the ones that get the pink slip if it goes wrong.



Does anyone have a response to this?  It seems logical.  Would we want
to require that any remote user that traverses our firewall via VNC have
an acceptable virus scan before doing so?  Are there particular VNC
products that would be best for both us and our clients?  Can our
clients use the free version?


The free version will work over a VPN. If you are going to set up a VPN 
then your IT guys should talk to their IT guys and make sure that both 
sides can trust each other's security precautions.






Re: VNC security

2005-08-16 Thread Scott C. Best

Mike:

Heya; fortunately, your IT guys are wrong about this. VNC
is simply a "remote desktop" application, not a "Virtual Private
Network" application. Unlike the latter (in which a remote PC
does "traverse your firewall" and effectively becomes part of the
LAN), a "remote desktop" connection cannot be used to transfer
viruses, worms or other malware from the Viewer to the Server PC.

Of course, once someone has remote control of your PC,
they can easily/mistakenly cause viruses or malware to become
installed -- just like any other other -- but that's the whole
point of having good anti-virus software on the PC to begin with.

Lastly, VNC does allow you to restrict connections, so that
they will only be accepted from specific Internet addresses. If
you always know where allowed connections come from, you can use
this capability to control access more securely. All versions of
VNC support this capability, even the free ones.

hope that helps,
Scott


We are behind a firewall, but want to get VNC to allow consultants we
trust to have remote access to our computers (and vice versa).  Past
posts to this list convinced me that opening a port in the firewall for
specific users is a secure activity, but our IT guys are now saying that
it doesn't necessarily protect our systems from worms or viruses that
may already inhabit the trusted user's computers.

Does anyone have a response to this?  It seems logical.  Would we want
to require that any remote user that traverses our firewall via VNC have
an acceptable virus scan before doing so?  Are there particular VNC
products that would be best for both us and our clients?  Can our
clients use the free version?



RE: VNC Security

2005-06-28 Thread Steve Bostedor
A while back, we had a pretty long running and informative thread on VNC
security.  The only VNC that had real encryption built in was the
Enterprise version of RealVNC.  UltraVNC had a DSM plug-in but it was
pretty nasty to get working and was suffering from compatibility
problems.  On top of that, it was very difficult to deploy the UltraVNC
encryption remotely.

I believe that the solution to this on the Windows side is in the new
version of VNCScan at http://www.vncscan.com.  While I believe that this
version of VNC Scan makes UltraVNC encryption very easy to deploy and
use, I'd like to fire up this debate again to see if the ease of
encryption changes anyone's view on the security of VNC.

I would also like to know if there are any security concerns with the
UltraVNC DSM plug-in.  Is the encryption with this method considered as
secure to you as, say, running VNC through an SSH tunnel?  

Just for the record, I don't want to take any credit for the UltraVNC
encryption.  The people working on the open source UltraVNC are awesome
and they deserve a huge pat on the back for this plug-in.  The
contribution that is made with VNC Scan is to make the plug-in very easy
to deploy and use.  :)  

The scenario that I'd like to see people test against would be a Windows
XP or Windows 2000 computer running UltraVNC 1.0.0 server using MS
Windows authentication for VNC and employing the UltraVNC encryption.
If you choose to use VNC Scan to deploy this, these are simply check
boxes in the deployment wizard.

I am very interested in hearing if any security concerns are still out
there despite this new encryption scheme.

Thank you!

Steve Bostedor
http://www.vncscan.com
The Leader in VNC and Terminal Server Management


RE: VNC security, and can free VNC connect to paid VNC?

2005-05-27 Thread Mike Miller

On Fri, 27 May 2005, Erik Soderquist wrote:

To be clear, the VNC viewer that uses encryption is free, but you 
cannot use the older viewer.


not according to realvnc's web page:
http://www.realvnc.com/products/features.html

according to that, the free one does not include encryption



I don't see any information about the viewer on that page.  The viewer for 
the Enterprise and Personal editions is freely available.  Just download 
the trial version of Enterprise and keep the viewer.  That's what I have 
done and I have not paid for it.  I use it with both old and new (free and 
paid) versions of the server and it works great.


Go here...

http://www.realvnc.com/cgi-bin/download.cgi

...click "Proceed to Downloads" (you don't have to enter Your Details 
every time).  Note that the first few entries on the next page require 
licenses (those are the servers) but the *viewers* do not require licenses. 
There are versions for Windows, Solaris 7, HP/UX, and Linux.


I'm not sure of how the Windows Enterprise Edition Viewer differs from the 
Windows Personal Edition Viewer.  I would guess that the Enterprise viewer 
works for both types of servers, but wouldn't mind hearing from the 
development team on that!


Mike


RE: VNC security, and can free VNC connect to paid VNC?

2005-05-27 Thread Erik Soderquist
 ---snip---

> To be clear, the VNC viewer that uses encryption is free,
> but you cannot use the older viewer.

not according to realvnc's web page:
http://www.realvnc.com/products/features.html

according to that, the free one does not include encryption

> To answer the other question, "yes," the secure versions of VNC
> use strong encryption and are secure.

definite agreement here

---snip---


RE: VNC security, and can free VNC connect to paid VNC?

2005-05-27 Thread James Weatherall
Mike,

> Question:  If we buy the VNC version that is advertised as more secure,
> will it really be more secure?

Yes.

Wez @ RealVNC Ltd.


RE: VNC security, and can free VNC connect to paid VNC?

2005-05-26 Thread Mike Miller
We've used the free VNC for awhile to view machines outside our office, 
but our IT guys are too nervous about punching through our firewall to 
allow others to view our machines.  I think they're too cautious.


Question:  If we buy the VNC version that is advertised as more secure, 
will it really be more secure?  Also, can others who have the free VNC 
use it to connect to our paid VNC server?


On Thu, 26 May 2005, Erik Soderquist wrote:

that will depend entirely on your security settings on the vnc server 
side. if you set the server side to require encryption, clients that 
don't support encryption (free edition) will fail to connect.



To be clear, the VNC viewer that uses encryption is free, but you 
cannot use the older viewer.


To answer the other question, "yes," the secure versions of VNC use strong 
encryption and are secure.


Mike


RE: VNC security, and can free VNC connect to paid VNC?

2005-05-26 Thread Erik Soderquist
that will depend entirely on your security settings on the vnc server
side. if you set the server side to require encryption, clients that
don't support encryption (free edition) will fail to connect. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of mbrown
Sent: Thursday, May 26, 2005 12:21
To: vnc-list@realvnc.com
Subject: VNC security, and can free VNC connect to paid VNC?

We've used the free VNC for awhile to view machines outside our office,
but our IT guys are too nervous about punching through our firewall to
allow others to view our machines.  I think they're too cautious.

Question:  If we buy the VNC version that is advertised as more secure,
will it really be more secure?  Also, can others who have the free VNC
use it to connect to our paid VNC server?

Thanks,

Mike Brown
Salt Lake


RE: VNC Security

2005-05-02 Thread Erik Soderquist
alternative method: you have listening viewer available to the internet
when helping someone, someone installs VNC (in 3.3.7 if you don't put a
password in, it refuses incoming connections) and adds you as a client.
no VNC password is even needed at that point, and the server is never
exposed to the internet if it is behind a NAT router. (also saves the
port forwarding troubles) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Andy Bruce - softwareAB
Sent: Monday, April 25, 2005 19:47
To: Mike Miller
Cc: Steve Bostedor; security-basics@securityfocus.com; VNC List
Subject: Re: VNC Security

First--I believe we're talking apples and oranges. VNC is not an 
appropriate solution for a true corporate network unless a firewall and 
a secure link is available (and even then is dodgy). My scenario is
this:

  a. Random user in cyberspace has a problem.

  b. User installs VNC under direction of tech support:
  i. strong password
  ii. not installed as service
  iii. temporary port forwarding only

  c. User allows remote person to login, generally for 20-30 mins.

  d. User stops VNC server process and disables port forwarding

My point was that, for all practical purposes, this scenario has zero 
risk. Let's talk about what happens if an attacker does happen to be 
watching data packets and does manage to break the password during that 
session:

1. The attacker is still subject to limitations of the VNC data 
protocol. For the attacker to gain real hidden control, he would have to
have the VNC server software accept his own third-party program via 
remote copy and execute.

2. Unless the attacker had that type of attack, he would have access 
only to mucking with the primary (zero) desktop in Windows, so no danger
of a hidden desktop there. (VNC simply doesn't support anything other 
than primary desktop, as my remote users with Fast User Switching have 
found to their chagrin.) To take control of the situation, the hijacker 
would have to send keyboard/mouse commands to that desktop to activate 
some process during the hijack process. Therefore, I most certainly 
would notice it. The only exception is if the attacker simply mucked 
with the Windows registry, perhaps to navigate to a tainted Web site 
upon next login. That's a larger issue than whether VNC is secure.

3. As stated above, I explicitly instruct my users not to install VNC as
a service, and then to stop the server process when we're done (and then
turn off port forwarding). So, even if the attacker did get into the 
machine and cause a password reset--it won't help. The VNC service won't
be running when the user next boots the machine. And if it was running, 
the port forwarding and Windows firewall would prevent the attacker from
getting access to it again.

Only Wez and the user community can let me know if there are any 
security flaws in VNC that allow the remote system to execute physical 
programs simply based on passed data packets commands. I was under the 
impression that the only way that the VNC client executes programs is by
sending keystrokes/mouse clicks to the remote system. (In other words, 
no type of "exec" function built into the protocol.) Therefore, the VNC 
server itself isn't ever executing any software via API calls--instead, 
VNC simply passes keyboard/mouse input to the OS and it's the OS that 
does the execution. And the user is watching the desktop on at least one
side of the connection.

So--while the effort to trap/break in to a VNC server may be well worth 
the effort for a corporate network with access to a rich mine of data, 
in my example it doesn't apply.

Andy

Mike Miller wrote:

> On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:
>
>> I have to agree with Steve that this is, for all practical purposes, 
>> a non-existent security risk. The only things that could go wrong:
>>
>> a. "Somebody" is sniffing the packet stream while the VNC passwords 
>> are being exchanged, and, during that 20 minute interchange, cracks 
>> the password and logs onto the VNC server. Of course, we would notice
>> this problem on both ends!
>
>
>
> I don't know if it is possible to crack the VNC password, but I don't 
> agree that you would necessarily notice this on both ends.  If the 
> attacker were to log into the session when you weren't using it, he 
> could then make some changes to your system (for Windows) that would 
> allow him more access to your machine later.  If you were using 
> Windows he could start up another VNC desktop that you might not 
> notice, and he could use a different password if he wanted to (by 
> copying the vnc password file, changing the password, and copying it 
> back).
>
> I hope that it is hard to crack the passwords.  I think it is hard to 

RE: VNC Security

2005-05-02 Thread Erik Soderquist
if the VNC data is unencrypted, *any* password you type during the
session (domain admin to update drivers for example) is also sent
unencrypted. and the attacker would not likely be some random hacker,
but rather someone who is targeting the company already. it isn't that
difficult to connect sniffing hardware to say the T1 line to look for
weak points. after a few days surveillance, everything unencrypted is
then captured and analyzed for login/password information. it isn't so
much "low hanging fruit" as it is simply a chink in the armor that can
be exploited. the fewer chinks the better.

as to odds, here is a more common example of overblown paranoia
surrounding a real possibility (the last time I checked this was a while
ago, it may have shifted some):

due to the technological differences, it is far more likely that someone
will steal your credit card number by eavesdropping on an order placed
by phone than by someone sniffing it from an unencrypted internet
transaction.

please note this only examines an actual sniffing attack. phishing and
spyware are not examined in this.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Steve Bostedor
Sent: Tuesday, April 19, 2005 20:57
To: [EMAIL PROTECTED]
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: RE: VNC Security

Thank you for the reply, Alexander.  I understand exactly what you're
trying to say.  I'm not sure if you fully understand what I was saying
and it's probably my fault for not making it clear enough.  

You seemed to concentrate on how easy it is to do things with the VNC
packets once you've sniffed the packets.  You say that you've sniffed
the packets before but have you ever sniffed packets from a network
outside of your own LAN?  How about on your LAN but on another switch
port?

What I was trying to discuss is how real the threat is that someone
outside of your network will actually get to sniff enough of and the
correct sequence of your packets to do the things that you were able to
do by sniffing the packets on your local segment.

You're basically breaking into your own house by using your own keys in
the scenario that you provided.  How realistic is it for someone in
India to sniff my packets going from a server in Detroit, MI to a server
in Jackson, MI?  How realistic is it for him to actually get usable
data?

It's easy to say that if there's a way into your network, you're
insecure but there's a way into your house .. is your house insecure?
Is VNC really the low hanging fruit in my scenario?

I know that you all are very specific and technical, so I'll spell out
an exact scenario which happens to be the most common usage of VNC in
companies.

* John Doe is getting an error message on his computer and calls the
help desk a city away for help.

* Helpdesk tells John to double-click on the VNC icon on his desktop
that starts the server

* Helpdesk connects to John's computer and takes about 10 minutes to
resolve the problem

* Helpdesk person kills the VNC server on the remote computer and the
connection is terminated

--- 

I understand that Security is very important but it's also very
important to not go Barney Fife and start drawing the gun on everything
that moves if you get what I mean.  What are the odds that some guy in
Florida is going to sniff that 10 minute session and get into the
network?  My answer is 1 in at least 10 million.  

The guy in Florida would have to have already compromised a computer on
either of the networks that happened to be plugged into a HUB (Not a
switch) that either of the computers are plugged into ~OR~ he would have
had to hack one of the routers close to either one of them to send
packets to him as a man in the middle attack of sorts.

Both of these are a bit extreme for VNC data theft, don't you think?  If
you do all of that, isn't there a bunch of much bigger prizes at your
fingertips than VNC data?!  

Now are you starting to see what I'm saying?  The successful exploits
that must be done to get someone's VNC packet stream would land you
access to things far greater than just the VNC data and who would waste
the time with VNC data at that point?  Go for the gold, you're already
in someplace pretty good at that point.

The only EASY way that I know of to sniff someone's packets is to
either be on a hub with the remote computers or to have a Trojan on one
of the computers.  Does someone know of an easy way other than that?
Easier than just hacking into the company other ways that do not involve
VNC?

- Steve
-Original Message-
From: Alexander Bolante [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 6:25 PM
To: Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: Re: VNC Security


IMHO

NOTE:
For obvious reasons that VNC provides remote access to your machine,
Securit

Re: VNC Security

2005-04-26 Thread Andy Bruce - softwareAB
---BEGIN CUT---
In all of these scenarios, you do the setup before hand.  All of these
scenarios are easily installed, and configured as a tech, and are as
simple as 1-3 clicks for a user, no config, because everything (ssh
keys, vpn preshared keys, etc) are all saved and stored in advance.
A moment of setup in advance saves you hours of support later.
---END CUT---
I couldn't agree more. However, in my case I don't have access to these remote
users' PCs. They don't work for me or any particular company. In the usual case,
they call in with a problem out of the blue. Sometimes I can help them without
logging in. Sometimes I can't.

For our internal boxes, I happen to use either the full Cygwin package or at
least openssh for the users I work with. Then they just open port 22 (I normally
don't want them to keep even that open) and I login and get work done. While I
wouldn't call getting an SSH daemon setup on windows *correctly* a "moment"
(google "sshd problems windows" for why...) it's well worth the effort.
Public/private keys are even better. It's just that in many situations it's not
possible to do the setup beforehand.
Regards,
Andy


Re: VNC Security

2005-04-26 Thread Andy Bruce - softwareAB
Beat that horse...
---CUT---
Scenario C is assuming the following points.
1.  A single remote user with a software firewall, who doesn't belong to
a larger corporation, a one person organization.  You're supporting them
as a contractor.
At your location, setup a SSH server available on the internet with
password logins disabled and keys for various users who need your
support.  On their machine a PuTTY configuration (or similar client)
with all the port forwards setup and the connection details configured.
Have the client connect initiate the putty connection (as simple as a
double click) which forwards the port for VNC to the SSH server on a
predestined port.  Connect to this port and take over their machine.
Total user work required, double clicking on a PuTTY connection.
---CUT---
A. the user doesn't have putty installed. Someone (meaning me) has to talk them thru it. 
("now type -L 5900:localhost:5900, oh wait, not the number one, but the letter L ah 
heck...")
B. much of the time, the user can't spell "port forwarding", much less do it. 
Hence in many situations they are connected to internet directly and we just tell them to 
have windows firewall allow VNC server port access.
C. If the user can get this setup without too much assistance, they can setup 
their own SSH daemon and let me come in under RDO or VNC or whatever. So the 
conversation is moot.
Andy


Re: VNC Security

2005-04-25 Thread Mike Miller
On Mon, 25 Apr 2005, Mike Miller wrote:

> If you were using Windows he could start up another VNC desktop that you 
> might not notice...

Sorry -- I meant to say "if you were using UNIX".  I assume this would not 
be possible in Windows.

Mike


Re: VNC Security

2005-04-25 Thread Andy Bruce - softwareAB
First--I believe we're talking apples and oranges. VNC is not an 
appropriate solution for a true corporate network unless a firewall and 
a secure link is available (and even then is dodgy). My scenario is this:

 a. Random user in cyberspace has a problem.
 b. User installs VNC under direction of tech support:
 i. strong password
 ii. not installed as service
 iii. temporary port forwarding only
 c. User allows remote person to login, generally for 20-30 mins.
 d. User stops VNC server process and disables port forwarding
My point was that, for all practical purposes, this scenario has zero 
risk. Let's talk about what happens if an attacker does happen to be 
watching data packets and does manage to break the password during that 
session:

1. The attacker is still subject to limitations of the VNC data 
protocol. For the attacker to gain real hidden control, he would have to 
have the VNC server software accept his own third-party program via 
remote copy and execute.

2. Unless the attacker had that type of attack, he would have access 
only to mucking with the primary (zero) desktop in Windows, so no danger 
of a hidden desktop there. (VNC simply doesn't support anything other 
than primary desktop, as my remote users with Fast User Switching have 
found to their chagrin.) To take control of the situation, the hijacker 
would have to send keyboard/mouse commands to that desktop to activate 
some process during the hijack process. Therefore, I most certainly 
would notice it. The only exception is if the attacker simply mucked 
with the Windows registry, perhaps to navigate to a tainted Web site 
upon next login. That's a larger issue than whether VNC is secure.

3. As stated above, I explicitly instruct my users not to install VNC as 
a service, and then to stop the server process when we're done (and then 
turn off port forwarding). So, even if the attacker did get into the 
machine and cause a password reset--it won't help. The VNC service won't 
be running when the user next boots the machine. And if it was running, 
the port forwarding and Windows firewall would prevent the attacker from 
getting access to it again.

Only Wez and the user community can let me know if there are any 
security flaws in VNC that allow the remote system to execute physical 
programs simply based on passed data packets commands. I was under the 
impression that the only way that the VNC client executes programs is by 
sending keystrokes/mouse clicks to the remote system. (In other words, 
no type of "exec" function built into the protocol.) Therefore, the VNC 
server itself isn't ever executing any software via API calls--instead, 
VNC simply passes keyboard/mouse input to the OS and it's the OS that 
does the execution. And the user is watching the desktop on at least one 
side of the connection.

So--while the effort to trap/break in to a VNC server may be well worth 
the effort for a corporate network with access to a rich mine of data, 
in my example it doesn't apply.

Andy

Mike Miller wrote:

> On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:
>
>> I have to agree with Steve that this is, for all practical purposes, 
>> a non-existent security risk. The only things that could go wrong:
>>
>> a. "Somebody" is sniffing the packet stream while the VNC passwords 
>> are being exchanged, and, during that 20 minute interchange, cracks 
>> the password and logs onto the VNC server. Of course, we would notice 
>> this problem on both ends!
>
> I don't know if it is possible to crack the VNC password, but I don't 
> agree that you would necessarily notice this on both ends.  If the 
> attacker were to log into the session when you weren't using it, he 
> could then make some changes to your system (for Windows) that would 
> allow him more access to your machine later.  If you were using 
> Windows he could start up another VNC desktop that you might not 
> notice, and he could use a different password if he wanted to (by 
> copying the vnc password file, changing the password, and copying it 
> back).
>
> I hope that it is hard to crack the passwords.  I think it is hard to 
> do it but I'd like to hear more about that.
>
> Mike


Re: VNC Security

2005-04-25 Thread Mike Miller
On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:

> I have to agree with Steve that this is, for all practical purposes, a 
> non-existent security risk. The only things that could go wrong:
>
> a. "Somebody" is sniffing the packet stream while the VNC passwords are 
> being exchanged, and, during that 20 minute interchange, cracks the 
> password and logs onto the VNC server. Of course, we would notice this 
> problem on both ends!

I don't know if it is possible to crack the VNC password, but I don't 
agree that you would necessarily notice this on both ends.  If the 
attacker were to log into the session when you weren't using it, he could 
then make some changes to your system (for Windows) that would allow him 
more access to your machine later.  If you were using Windows he could 
start up another VNC desktop that you might not notice, and he could use a 
different password if he wanted to (by copying the vnc password file, 
changing the password, and copying it back).

I hope that it is hard to crack the passwords.  I think it is hard to do 
it but I'd like to hear more about that.

Mike


Re: VNC Security

2005-04-20 Thread Sean Kamath
[In a message on Tue, 19 Apr 2005 21:14:50 EDT,
  "Steve Bostedor" wrote:]
>I am wondering why expose VNC over the internet in the first place, really.

Exactly what I said.  VNC should *NOT* be exposed to the internet.

>It's my opinion that VNC is really only good for LAN's.  Why not use VPN to
>secure your connection to the remote network before starting VNC sessions?
>It's much easier to set up on a LAN where you need VNC access to 200 computers
>than setting up SSH over the Internet!

Uh. . . OK, the REALLY nice thing about VNC is that it beats LBX (Low
Bandwidth X) as a means of displaying applications remotely.  In fact,
having tried raw X, LBX, Serial Xpress, Timbuktu and VNC, I can safely
say it is the BEST to use over 28K dialup lines. ;-)

When you tunnel with SSH, you in effect are creating a VPN to your
remote network, only without all the hassle of setting up VPNs.  At
OsCon this year, they apparently (accidentally?) blocked GRE traffic off
the wireless network -- of the three people from my (ex) company, I
was the only one who could still connect back to the office and fix
things. :-)

If you REALLY think it's easier to set up VNC to access 200 computers
(insane, if you ask me.  By the time you get to the high 10s of
computers, you had really better have set up alternative
administration mechanisms -- which is not to say that using VNC as a
diagnostic tool on those same 200 machines isn't a good idea) than
setting up an SSH tunnel, well, then, either you just have no
experience with SSH or you didn't read the docs well enough. This too
can be automated. :-)

Of course, if you're implying I set up a VNC connection over SSH for
each of 200 computers, yeah, you're right, that's insane.  But VNC is
MOSTLY good for spot-maintenance.  If you want to graphically control
200 machines simultaneously, no, SSH isn't a good fit.

>I can concede that VNC data should be encrypted in some way when traveling the
>Internet but why do people set up VNC over SSH on local networks?  That really
>makes very little sense to me.  If your network is so insecure that you're
>worried about your VNC traffic being hacked, you've got some pretty big
>problems!

OK, let's look at this statement.  You work for a large multinational
organization, with REAL privacy concerns (HIPAA anyone?  Banking?
Sarbanes-Oxley?).  You have people VNC'ing all over the place.  And
you have PC's indiscriminately running services on PC's acting as
servers that really shouldn't be.  Now you have PC's on server
networks that can be hacked.  You have people running sniffers on
their desktops.  You have basically *who knows what* between you and
the VNC desktop you're controlling.

Now, do you NEED encryption?  No.  Do you REALLY trust the routers and
switches to not have their buffers fill up and start broadcasting all
packets to every interface?  If so, you drank Cisco's Kool-Aid(tm).

Just like we completely phased out telnet and rsh (in favor of SSH),
why not phase out non-encrypted VNC connections?  Frankly, I have to
admit, I REALLY don't understand why RealVNC hasn't added either a
STARTTLS option to VNC, or otherwise added TLS as an option (OK, yeah,
it's a certificate problem, but still, you could incorporate your own
CA in your viewer).

Basically, if 80% of intrusions come from inside your network (and
they do, from your so-called "trusted" employees) why not do what you
can to prevent over-the-wire attacks?  It's cheap and easy.

>I connect to a network via VPN and others I connect using encrypted RDP
>sessions.  Once I've made those connections, I can safely use VNC on the remote
>networks.  Why waste all of this time with SSH on Windows computers all over
>the network when VPN and RDP is so easy to set up?

Because some of us avoid Windows with a fervor you can only imagine.
I don't (I have a mild aversion to Microsoft, though I abhor all
forms of Windows).  But I *DO* have to support Suns and Macs and a
bunch of other things.  And screwing around with a VPN connection from
my friend's Mac when I'm playing with my band on Tuesday night just
doesn't cut it ("Hey, dude, can I load this stupid Cisco VNC client on
your Mac?  Don't worry, it will only take 5 minutes to download, about
10 to set up, about 2 to do what I need, and another 10 or so to
remove it").  Typing "ssh remotehost" in the terminal cuts it.

And, keep in mind, you can SSH to one host and forward to another.
So, you don't need to set up SSH on a Windows computer (Putty on the
client is all you need, if you're running Windows -- or, if you don't
want that, try MindTerm -- works great from internet cafes ;-)).  One
unix box on the remote end, and you can connect to anything on the
other side. :-)

Note, I'm not trying to be snippy here.  I know I might sound like
it. It's just that I fought (and lost, which is why it's my *ex*
company) for allowing SSH in remotely to my company.  They idiotically
expected every person to have a PC running Windows to connect
r

RE: VNC Security

2005-04-20 Thread Steve Bostedor
No, there is no built in encryption for the free VNC builds.  UltraVNC
attempts to use a DSM plug-in but it doesn't always work right. 

Lazy?  Like not reading the response to Alexander? ;)  You seem to be
still operating under the same assumptions.


> -Original Message-
> From: Joshua Berry [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 20, 2005 9:41 AM
> To: Steve Bostedor; Andy Bruce - softwareAB
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: RE: VNC Security
> 
> 
> Just because some people and applications perform things 
> insecurely does not mean that you should or have to do so.  
> VNC allows full GUI access to a box, FTP, POP3, IMAP, etc do 
> not.  And yes, I do not use FTP, I use SSH SFTP because it is 
> secure.  I would hope that people on a security mailing list 
> attempt to do things more securely.
> 
> This sounds like an issue of laziness, someone that doesn't 
> want to take the extra step to ensure their (or customers) 
> security.  Where I work this would be a huge problem because 
> of different regulations requiring data encryption.  Besides, 
> I believe that VNC has support for encryption now and if so 
> there is definitely no reason to not utilize that support.
> 
> -Original Message-
> From: Steve Bostedor [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 8:03 PM
> To: Joshua Berry; Andy Bruce - softwareAB
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: RE: VNC Security
> 
> Joshua, Please see my reply to Alexander.  It addresses some 
> of what you said here.  I disagree that VNC should be avoided 
> completely, though. It's not THAT insecure!  I will go out on 
> a limb and say that about 90% of the pop3 users in the world 
> use plain text passwords.  Encrypted passwords aren't really 
> that common and most ISP's don't require that home users 
> encrypt their passwords.  
> 
> Do you use FTP?  Maybe you triple encrypt your FTP data or 
> just avoid FTP completely just like VNC, but I'll go out on a 
> limb again and guess that at least 95% of FTP users in the 
> world send the username and password in plain text and 
> unencrypted.  I'll also guess that at least 30% of them use 
> the same username and password for their FTP account as they 
> do for numerous other functions.  Maybe even their encrypted 
> Pop3 account. ;)
> 
> The reply to Alexander explains my question further.  
> 
> 
> -Original Message-
> From: Joshua Berry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 19, 2005 6:43 PM
> To: Andy Bruce - softwareAB; Steve Bostedor
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: RE: VNC Security
> 
> 
> To the original poster:
> 
> It is my *opinion* that using VNC should be avoided 
> completely.  The last time that I used VNC it only supported a 
> password, and no user name. This leaves only the password to 
> brute-force, considerably lessening the time needed to break 
> in.  Also, you are making the assumption that everyone uses 
> plain text POP, I only use POP over SSL, IMAP over SSL or 
> HTTPS to access my email.  Also, this is not a good example 
> because POP user accounts/passwords only give you someone's 
> email, a VNC password will give you full access to the 
> server/desktop it is running on.
> 
> The passwords can be sniffed on your local network or they 
> can be sniffed on the network that the server/desktop you are 
> connecting to resides on.  If this is a critical box, then 
> now anyone that can sniff the network can also gain a login 
> to this box to do whatever they want.
> 
> I believe that VNC includes SSL or some other decent means of 
> encryption now.
> 
> To the first follow up poster:
> a. Somebody just needs to get the password in that 20 minute 
> interchange, which is not too hard if they are only sniffing 
> for X sessions.  They can just dump that to a file and leave 
> it running until it picks something up.  Also, you can setup 
> something to probe the box on that port, so the next time VNC 
> is enabled they can login.  I am curious how you would notice 
> someone sniffing the network?  I only see this as being 
> possible if the host was running linux/unix and forwarding 
> their syslogs to you, so that you could see when a NIC 
> entered promiscuous mode.
> 
> Lastly:
> I have seen several VNC exploits available over the years, so 
> this is just a whole new service that you are exposing to 
> risk that you often don't need to (because if it is Linux you 
> have SSH, and if it is a windows box you have Terminal Services)
> 
> 
> -Original Message-
> From: A

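Several posts above turn on whether a given VNC server encrypts the session at all. The following is an added example, not code from any poster or from a VNC project: it parses the server side of an RFB handshake and reports which security types were offered. The type numbers are taken from the RFB specification (RFC 6143); the sample captures, function names and the choice to flag only types 1 and 2 are assumptions of this example.

```python
import struct

# Security-type numbers as registered for RFB (RFC 6143).
SECURITY_NAMES = {
    1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt",
}
# Types 1 and 2 never encrypt the session: screen updates and keystrokes
# travel in the clear. Other types are reported but not judged here, because
# whether they encrypt can depend on a later sub-negotiation.
CLEARTEXT_SESSION = {1, 2}


class HandshakeError(ValueError):
    """Raised when the captured bytes are not a complete RFB handshake."""


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.003\\n'."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:12] != b"\n"
            or not banner[4:7].isdigit() or not banner[8:11].isdigit()):
        raise HandshakeError(f"not an RFB version banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def _failure_reason(data: bytes) -> str:
    """Decode the U32-length-prefixed reason string sent with a refusal."""
    if len(data) < 4:
        raise HandshakeError("truncated failure reason")
    (length,) = struct.unpack(">I", data[:4])
    if len(data) < 4 + length:
        raise HandshakeError("truncated failure reason")
    return data[4:4 + length].decode("latin-1")


def offered_security(server_stream: bytes, client_banner: bytes) -> dict:
    """Report the security types a server offered in a captured handshake.

    server_stream: server-to-client bytes from the start of the connection.
    client_banner: the client's 12-byte ProtocolVersion reply.
    """
    version = min(parse_version(server_stream[:12]), parse_version(client_banner))
    body = server_stream[12:]
    if version < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a U32 (0 = refused).
        if len(body) < 4:
            raise HandshakeError("truncated security type")
        (chosen,) = struct.unpack(">I", body[:4])
        types, rest = ([chosen] if chosen else []), body[4:]
    else:
        # RFB 3.7/3.8: a U8 count, then that many U8 type numbers (0 = refused).
        if not body or len(body) < 1 + body[0]:
            raise HandshakeError("truncated security type list")
        types, rest = list(body[1:1 + body[0]]), body[1 + body[0]:]
    return {
        "version": version,
        "offered": [(t, SECURITY_NAMES.get(t, "unknown")) for t in types],
        "cleartext": sorted(t for t in types if t in CLEARTEXT_SESSION),
        "refused": None if types else _failure_reason(rest),
    }


# Constructed sample captures: (server-to-client bytes, client banner).
SAMPLES = {
    "rfb33_vncauth": (b"RFB 003.003\n" + struct.pack(">I", 2), b"RFB 003.003\n"),
    "rfb38_mixed": (b"RFB 003.008\n" + bytes([2, 19, 2]), b"RFB 003.008\n"),
    "rfb38_vencrypt": (b"RFB 003.008\n" + bytes([1, 19]), b"RFB 003.008\n"),
    "rfb38_refused": (b"RFB 003.008\n\x00" + struct.pack(">I", 9) + b"Too many!",
                      b"RFB 003.008\n"),
}

if __name__ == "__main__":
    for name, (server, client) in SAMPLES.items():
        print(name, offered_security(server, client))
```

A non-empty `cleartext` list means a viewer can end up in a session with no transport encryption, which is the case where a tunnel (SSH or VPN, as discussed in the thread) has to supply it.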
RE: VNC Security

2005-04-19 Thread Steve Bostedor
I am wondering why expose VNC over the internet in the first place, really.  
It's my opinion that VNC is really only good for LAN's.  Why not use VPN to 
secure your connection to the remote network before starting VNC sessions?  
It's much easier to set up on a LAN where you need VNC access to 200 computers 
than setting up SSH over the Internet!

I can concede that VNC data should be encrypted in some way when traveling the 
Internet but why do people set up VNC over SSH on local networks?  That really 
makes very little sense to me.  If your network is so insecure that you're 
worried about your VNC traffic being hacked, you've got some pretty big 
problems!  

I connect to a network via VPN and others I connect using encrypted RDP 
sessions.  Once I've made those connections, I can safely use VNC on the remote 
networks.  Why waste all of this time with SSH on Windows computers all over 
the network when VPN and RDP is so easy to set up?

Yea, William did have a better search phrase than I did.  That utility does 
have limitations and flaws, though.  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Sean Kamath
Sent: Tuesday, April 19, 2005 4:45 PM
To: William Hooper
Cc: vnc-list@realvnc.com
Subject: Re: VNC Security 


[In a message on Tue, 19 Apr 2005 10:53:09 EDT,
  "William Hooper" wrote:]
>Steve Bostedor wrote:
>[snip]
>> I've scoured the web out of this curiosity, looking for a tool to
>> put VNC packets together into something useful for a hacker. There's
>> nothing.  Nada.
>
>Fifth hit on Google for: vnc capture playback
>
>http://users.tpg.com.au/bdgcvb/chaosreader.html

Google is your friend.  Of course, knowing the right phrase or
keywords makes it nice. ;-)  That's a very interesting tool, which
should put the fear of the Internet in everyone. . .

Another reason for tunneling VNC over SSH is this: My firewall only
exposes a select few protocols to the outside world.  If it weren't
for the fact I have to support other people, I'd likely ONLY have SSH
exposed to the world.  Instead I have to have POP/IMAP, SMTP,
etc. . .

The fewer things you expose to the outside Big Bad World, the better.

Sean

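"The fewer things you expose" and the stop-the-server step in the support procedure discussed in this thread can both be checked on the host itself. This is an added example, not code from any poster: it reads the text of a socket listing (`ss -ltn` or `netstat -an` style) and reports VNC-related listeners that are bound to something other than loopback. Port 5900 is from the thread; the other default ranges, the function names and the sample listings are assumptions of this example.

```python
import ipaddress

# Conventional VNC defaults (a server can be configured to use other ports).
VNC_PORTS = {
    "rfb": range(5900, 6000),               # 5900 + display number
    "http-viewer": range(5800, 5900),       # Java viewer served by the server
    "listening-viewer": range(5500, 5600),  # viewer awaiting reverse connections
}


def _split_local(token: str):
    """Return (host, port) for an 'addr:port' token, else None."""
    host, sep, port = token.rpartition(":")
    if not sep or not port.isdigit():
        return None
    # Drop IPv6 brackets and any interface scope such as '%lo'.
    return host.strip("[]").split("%", 1)[0], int(port)


def _is_loopback(host: str) -> bool:
    if host in ("*", ""):
        return False  # wildcard bind: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable: report it so that somebody looks


def audit_listeners(socket_table: str) -> list:
    """Find VNC-related listening sockets in ss/netstat text output."""
    findings = []
    for line in socket_table.splitlines():
        tokens = line.split()
        if not any(t in ("LISTEN", "LISTENING") for t in tokens):
            continue
        # The local address is the first addr:port token on the line.
        local = next((p for p in map(_split_local, tokens) if p), None)
        if local is None:
            continue
        host, port = local
        role = next((n for n, ports in VNC_PORTS.items() if port in ports), None)
        if role is None:
            continue
        findings.append({"address": host, "port": port, "role": role,
                         # "exposed" = reachable from other hosts unless a
                         # firewall or NAT in front of this machine blocks it.
                         "exposed": not _is_loopback(host)})
    return findings


def exposed_only(findings: list) -> list:
    return [f for f in findings if f["exposed"]]


# Constructed samples, not taken from a real host.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       5       0.0.0.0:5900        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5901      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5800      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.9:5900       ESTABLISHED
"""

if __name__ == "__main__":
    for sample in (SS_SAMPLE, NETSTAT_SAMPLE):
        for finding in audit_listeners(sample):
            print(finding)
```

A server meant to be reached only through an SSH tunnel should show up here bound to 127.0.0.1 or ::1, and after a support session has ended there should be no findings at all.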

RE: VNC Security

2005-04-19 Thread Steve Bostedor
Your plan is pretty typical and is pretty much what I advise to my clients.  
Keep it off when it's not being used and change the password often.  On secured 
local LANs, it's ok to leave it running 24/7 as long as the remote server has 
the desktop locked or logged off.  This is the RealVNC, though.  I'm not sure 
the UltraVNC file transfer function is still functional if the workstation is 
locked.  I'll have to try that and see.  If it is still functional, I'd suggest 
not using that on any server that you want to leave VNC running 24/7 on at all.

-Original Message-
From: Bart Crijns [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 5:15 PM
To: Andy Bruce - softwareAB
Cc: Steve Bostedor; security-basics@securityfocus.com;
vnc-list@realvnc.com
Subject: Re: VNC Security


Andy Bruce - softwareAB wrote:

> 5. Tell them to turn off port forwarding from the router (if they 
> could grok it), or just have them connect their PC back to the router 
> and their router back to the cable/dsl modem. In either case, 5900 
> isn't available to the outside world so there's no risk even if they 
> were running VNC in service-mode.

Another (very easy) way to make these connections more secure with those 
users is the following:
I'm using UltraVNC, so I'm not certain that everything is possible in 
other VNC variants.
- set a very long and very difficult password for the server (it will 
never be used anyway in this approach)
- disable the 'accept socket connections' checkbox in the server 
properties (may be UltraVNC only)
- when the users need assistance let them start the server, and instead 
of connecting to their PC, you start the viewer in listen mode
- tell them your IP, and have them add a client through the system tray 
icon's menu, and have them enter your IP when requested.
You'll need to have your router setup for port forwarding to the ports 
for the listening viewer...

That way no one needs to know their password, and with UltraVNC the 
server isn't even accepting connections in the unlikely event that the 
password is known by someone. No password is transmitted, and the only 
thing that could be captured is the data sent during the VNC session, 
which isn't too much of a problem in most cases when helping someone out.
Furthermore, no incoming ports need to be opened on their router, 
because most users aren't really capable of changing that themselves.

Of course, when connecting to my own PC via VNC, I use a SSH tunnel.


> Am I missing something here?

Other than the fact that in the unlikely event of someone malignant 
actually taking over their PC, you'll be the one who's blamed... no :-)
I think the method I described is a bit safer, and also very easy to 
explain to the person at the other end of the line. If I may have missed 
something in my plan, please correct me.


Kind Regards,
Bart Crijns


RE: VNC Security

2005-04-19 Thread Steve Bostedor
Joshua, Please see my reply to Alexander.  It addresses some of what you said 
here.  I disagree that VNC should be avoided completely, though.  It's not THAT 
insecure!  I will go out on a limb and say that about 90% of the pop3 users in 
the world use plain text passwords.  Encrypted passwords aren't really that 
common and most ISPs don't require that home users encrypt their passwords.

Do you use FTP?  Maybe you triple encrypt your FTP data or just avoid FTP
completely just like VNC, but I'll go out on a limb again and guess that at 
least 95% of FTP users in the world send the username and password in plain 
text and unencrypted.  I'll also guess that at least 30% of them use the same 
username and password for their FTP account as they do for numerous other 
functions.  Maybe even their encrypted Pop3 account. ;)

The reply to Alexander explains my question further.  


-Original Message-
From: Joshua Berry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 6:43 PM
To: Andy Bruce - softwareAB; Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: RE: VNC Security


To the original poster:

It is my *opinion* that using VNC should be avoided completely.  The
last time that I used VNC it only supported a password, and no user name.
This leaves only the password to brute-force, considerably lessening the
time needed to break in.  Also, you are making the assumption that
everyone uses plain text POP, I only use POP over SSL, IMAP over SSL or
HTTPS to access my email.  Also, this is not a good example because POP
user accounts/passwords only give you someone's email, a VNC password
will give you full access to the server/desktop it is running on.

The passwords can be sniffed on your local network or they can be
sniffed on the network that the server/desktop you are connecting to
resides on.  If this is a critical box, then now anyone that can sniff
the network can also gain a login to this box to do whatever they want.

I believe that VNC includes SSL or some other decent means of encryption
now.

To the first follow up poster:
a. Somebody just needs to get the password in that 20 minute
interchange, which is not too hard if they are only sniffing for X
sessions.  They can just dump that to a file and leave it running until
it picks something up.  Also, you can set up something to probe the box
on that port, so the next time VNC is enabled they can login.  I am
curious how you would notice someone sniffing the network?  I only see
this as being possible if the host was running linux/unix and forwarding
their syslogs to you, so that you could see when a NIC entered
promiscuous mode.

Lastly:
I have seen several VNC exploits available over the years, so this is
just a whole new service that you are exposing to risk that you often
don't need to (because if it is Linux you have SSH, and if it is a
windows box you have Terminal Services)


-Original Message-
From: Andy Bruce - softwareAB [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 19, 2005 7:55 AM
To: Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: Re: VNC Security

This is a very interesting question to me. In my own case, I do have SSH
set up thru Cygwin (http://www.cygwin.com/) for my local network and I
use VNC thru that connection when I need to manage my own stuff 
remotely. However, I have to admit that when I use VNC to aid remote 
clients (which happens quite frequently) I don't worry about encryption 
whatsoever.

FWIW, here's my approach:

1. I don't even try to explain setting up an SSH daemon to them. I 
simply have them install the VNC server in user-mode and start it.

2. If I can't explain to them in 5 min or less how to do port 
forwarding, I just have them connect directly to their cable/dsl modem.

3. Get the debugging and/or support done.

4. Have them stop the VNC server. Since it isn't running as a service, 
it won't start up next time and so won't be a security risk.

5. Tell them to turn off port forwarding from the router (if they could 
grok it), or just have them connect their PC back to the router and 
their router back to the cable/dsl modem. In either case, 5900 isn't 
available to the outside world so there's no risk even if they were 
running VNC in service-mode.

I have to agree with Steve that this is, for all practical purposes, a 
non-existent security risk. The only things that could go wrong:

a. "Somebody" is sniffing the packet stream while the VNC passwords are 
being exchanged, and, during that 20 minute interchange, cracks the 
password and logs onto the VNC server. Of course, we would notice this 
problem on both ends!

b. I have never captured the data shared between client and server 
(screen/UI deltas) and so have no idea if these pose a security risk or not.

c. While the VNC server is running and they are connected to the 

RE: VNC Security

2005-04-19 Thread Steve Bostedor
Thank you for the reply, Alexander.  I understand exactly what you're trying to 
say.  I'm not sure if you fully understand what I was saying and it's probably
my fault for not making it clear enough.  

You seemed to concentrate on how easy it is to do things with the VNC packets 
once you've sniffed the packets.  You say that you've sniffed the packets 
before but have you ever sniffed packets from a network outside of your own 
LAN?  How about on your LAN but on another switch port?

What I was trying to discuss is how real the threat is that someone outside of 
your network will actually get to sniff enough of and the correct sequence of 
your packets to do the things that you were able to do by sniffing the packets
on your local segment.

You're basically breaking into your own house by using your own keys in the 
scenario that you provided.  How realistic is it for someone in India to sniff 
my packets going from a server in Detroit, MI to a server in Jackson, MI?  How 
realistic is it for him to actually get usable data?

It's easy to say that if there's a way into your network, you're insecure but
there's a way into your house .. is your house insecure?  Is VNC really the low
hanging fruit in my scenario?

I know that you all are very specific and technical, so I'll spell out an exact 
scenario which happens to be the most common usage of VNC in companies.

* John Doe is getting an error message on his computer and calls the help desk 
a city away for help.

* Helpdesk tells John to double-click on the VNC icon on his desktop that 
starts the server

* Helpdesk connects to John's computer and takes about 10 minutes to resolve the
problem

* Helpdesk person kills the VNC server on the remote computer and the 
connection is terminated

--- 

I understand that Security is very important but it's also very important to 
not go Barney Fife and start drawing the gun on everything that moves if you 
get what I mean.  What are the odds that some guy in Florida is going to sniff 
that 10 minute session and get into the network?  My answer is 1 in at least 10 
million.  

The guy in Florida would have to have already compromised a computer on either 
of the networks that happened to be plugged into a HUB (Not a switch) that 
either of the computers are plugged into ~OR~ he would have had to hack one of 
the routers close to either one of them to send packets to him as a man in the 
middle attack of sorts.

Both of these are a bit extreme for VNC data theft, don't you think?  If you do 
all of that, isn't there a bunch of much bigger prizes at your fingertips than 
VNC data?!  

Now are you starting to see what I'm saying?  The successful exploits that must 
be done to get someone's VNC packet stream would land you access to things far 
greater than just the VNC data and who would waste the time with VNC data at 
that point?  Go for the gold, you're already in someplace pretty good at that 
point.

The only EASY way that I know of to sniff someone's packets is to either be on
a hub with the remote computers or to have a Trojan on one of the computers.  
Does someone know of an easy way other than that?  Easier than just hacking 
into the company other ways that do not involve VNC?

- Steve
-Original Message-
From: Alexander Bolante [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 6:25 PM
To: Steve Bostedor
Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
Subject: Re: VNC Security


IMHO

NOTE:
For obvious reasons that VNC provides remote access to your machine,
Security is key (period). I'm assuming this thread does NOT pertain to
your COMPANY LAN, because if it does, the answer to your question,
"Why should I secure VNC over SSH?" is clearly...SOX compliance...

OTHERWISE:
Bottom line is -- if you DO NOT have any sensitive data to secure,
it's your prerogative to determine what lengths you want to take to
protect that data. Why do I tunnel VNC over SSH? To deal with the
uncertainty of potential security flaws and risks...

(SB wrote) What are the real risks of not securing VNC traffic? It depends...
The only caveat I see in not securing VNC traffic is...network eavesdropping

We already know that all VNC traffic between client and server is
unencrypted after authentication. That's a problem if you're moving
sensitive data. I've used a sniffer on a VNC session before. The
traffic was compressed, so it was still difficult to understand and
breakdown the data from the sniffer, BUT data passed in clear text
e.g. usernames, birthdate, home address, etc. could be useful
***depending on the malicious user's intentions***.

And because we often do NOT know what a malicious user's intentions
are, we mitigate that uncertainty by adding another layer of
security/defense in depth...tunneling VNC over SSH in order to secure
communication and n

Re: VNC Security

2005-04-19 Thread Sean Kamath
[In a message on Tue, 19 Apr 2005 10:53:09 EDT,
  "William Hooper" wrote:]
>Steve Bostedor wrote:
>[snip]
>> I've scoured the web out of this curiosity, looking for a tool to
>> put VNC packets together into something useful for a hacker. There's
>> nothing.  Nada.
>
>Fifth hit on Google for: vnc capture playback
>
>http://users.tpg.com.au/bdgcvb/chaosreader.html

Google is your friend.  Of course, knowing the right phrase or
keywords makes it nice. ;-)  That's a very interesting tool, which
should put the fear of the Internet in everyone. . .

Another reason for tunneling VNC over SSH is this: My firewall only
exposes a select few protocols to the outside world.  If it weren't
for the fact I have to support other people, I'd likely ONLY have SSH
exposed to the world.  Instead I have to have POP/IMAP, SMTP,
etc. . .

The fewer things you expose to the outside Big Bad World, the better.

Sean


Re: VNC Security

2005-04-19 Thread William Hooper
Steve Bostedor wrote:
[snip]
> I've scoured the web out of this curiosity, looking for a tool to
> put VNC packets together into something useful for a hacker. There's
> nothing.  Nada.

Fifth hit on Google for: vnc capture playback

http://users.tpg.com.au/bdgcvb/chaosreader.html

-- 
William Hooper


Re: VNC Security

2005-04-19 Thread Andy Bruce - softwareAB
This is a very interesting question to me. In my own case, I do have SSH 
set up thru Cygwin (http://www.cygwin.com/) for my local network and I
use VNC thru that connection when I need to manage my own stuff 
remotely. However, I have to admit that when I use VNC to aid remote 
clients (which happens quite frequently) I don't worry about encryption 
whatsoever.

FWIW, here's my approach:
1. I don't even try to explain setting up an SSH daemon to them. I 
simply have them install the VNC server in user-mode and start it.

2. If I can't explain to them in 5 min or less how to do port 
forwarding, I just have them connect directly to their cable/dsl modem.

3. Get the debugging and/or support done.
4. Have them stop the VNC server. Since it isn't running as a service, 
it won't start up next time and so won't be a security risk.

5. Tell them to turn off port forwarding from the router (if they could 
grok it), or just have them connect their PC back to the router and 
their router back to the cable/dsl modem. In either case, 5900 isn't 
available to the outside world so there's no risk even if they were 
running VNC in service-mode.

I have to agree with Steve that this is, for all practical purposes, a 
non-existent security risk. The only things that could go wrong:

a. "Somebody" is sniffing the packet stream while the VNC passwords are 
being exchanged, and, during that 20 minute interchange, cracks the 
password and logs onto the VNC server. Of course, we would notice this 
problem on both ends!

b. I have never captured the data shared between client and server 
(screen/UI deltas) and so have no idea if these pose a security risk or not.

c. While the VNC server is running and they are connected to the 
internet (port forwarding has the same problem as direct connect) a port 
sniffer detects that 5900 is available and immediately zooms in thru 
some VNC security hole. Wez would know a lot more about this possibility 
than me, though!

Am I missing something here?

Steve Bostedor wrote:
I'd like to know if anyone has any working examples of why an
unencrypted VNC session over the Internet is seen as such a horrible
security risk.  I understand that unencrypted ANYTHING over the Internet
lends the chance for someone to decode the packets (assuming that they
capture every one of them) but in reality, what are the real risks here
and has anyone successfully captured a VNC session from more than 2
router hops away and actually gotten any meaningful information from it?
I've captured a big chunk of a LOCAL session using Ethereal and the only
thing that I can see that is usable is the password exchange.  Agreed
that this could be a problem if someone just happened to be sniffing
your local LAN segment at that exact moment and happened to capture your
encrypted VNC password, he could crack the password and log in himself.
But how paranoid is it to go through all of the trouble of setting up
SSH to avoid that when you could just change your VNC password often and
make sure that your local LAN is reasonably secure from prying eyes?
How about once it gets out on the Internet?  Packets bounce all over the
place on the Internet.  What are the odds that someone out there will
pick your VNC packets out of all of the millions of packets running
through the back bone routers without being noticed, capture enough of
them to possibly replay a session, and actually have the patience or the
tools to do so.  I've scoured the web out of this curiosity, looking for
a tool to put VNC packets together into something useful for a hacker.
There's nothing.  Nada.  

So, I guess that what I'm asking is; what all of the fuss is about?
Your POP3 password likely gets passed unencrypted but we're being asked
to be paranoid about an encrypted VNC password?  This is all coming from
a discussion that I had with someone over the merits of using SSH with
VNC over the internet for a 10 minute VNC session.
Does anyone have anything that's not hypothetical?  Is there a tool that
I'm missing out there that does more than just crack a VNC password?
Does anyone know of any reported security breaches where VNC was a
weakness?  
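
Steps 4 and 5 of the approach above rest on ports 5900 (and 5800, also named in this thread) no longer answering from outside once the session is over. The following check is an added example, not part of the original post: it assumes it is run from a machine outside the client's router, and the function names `probe_rfb` and `still_exposed` are made up for this illustration.

```python
"""Added illustration: confirm a VNC port no longer answers after a session."""
import re
import socket

# An RFB (VNC) server speaks first and sends 12 bytes such as b"RFB 003.008\n".
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def probe_rfb(host, port=5900, timeout=3.0):
    """Return ("unreachable", None), ("open", None) or ("rfb", "<major.minor>").

    A closed port and a filtered port both count as "unreachable": in either
    case nothing outside can start an RFB handshake.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            banner = b""
            try:
                while len(banner) < 12:
                    chunk = conn.recv(12 - len(banner))
                    if not chunk:
                        break
                    banner += chunk
            except OSError:
                pass  # connected, but the peer sent nothing within the timeout
    except OSError:
        return ("unreachable", None)
    match = RFB_BANNER.fullmatch(banner)
    if match:
        return ("rfb", "%d.%d" % (int(match.group(1)), int(match.group(2))))
    return ("open", None)  # something listens here, but it is not RFB


def still_exposed(host, ports=(5900, 5800), timeout=3.0):
    """Return {port: (status, version)} for every port that still answers."""
    results = {}
    for port in ports:
        status, version = probe_rfb(host, port, timeout)
        if status != "unreachable":
            results[port] = (status, version)
    return results


if __name__ == "__main__":
    import threading

    # Constructed stand-in for a VNC server that was left running: a loopback
    # listener that sends an RFB 3.8 banner to the first connection.
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"RFB 003.008\n")
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    print("server running:", still_exposed("127.0.0.1", ports=(port,)))
    srv.close()
    print("server stopped:", still_exposed("127.0.0.1", ports=(port,)))
```

An empty result after the client has stopped the server and removed the port forward is the state steps 4 and 5 aim for; an `"rfb"` entry means the server is still reachable from where the check was run.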


RE: VNC Security - another question

2004-07-25 Thread Richard Pickett
> 1) Other network vulnerabilities assuming the only
> protocol I am allowing in is for VNC- are there any?
 
OK, so you're stopping all the traffic coming across the vpn to you
except vnc.  That way they can't do anything else on your network except
vnc.  Then by using vnc they have full control of a box that sits inside
their network from which they can do anything they want on/to your
network.

> 2) What vulnerabilities do I create with the box
> itself that the external company is vnc-ing to?

They have full access to your network via the vnc box.  You're letting
them do anything they want.  The next thing you could do is put this box
behind its own firewall (making a dmz) and allow out only the protocols
and destinations necessary for them to meet the purposes of you letting
them vnc the box in the first place.  If they aren't supposed to have
any network access at all, then the firewall would only let in the vnc
and let nothing out.

It all boils down to either you trust them or you don't.  And when it's
your network and your security you shouldn't trust anyone, not even your
own users.  So why should you trust them?


RE: VNC security implications

2004-07-21 Thread James Weatherall
This has nothing to do with the situation as described by Dave, who is
simply connecting from one machine on his LAN to another.  The fact that he
has an Internet connection is a red herring, provided his firewall is
working correctly.

Wez @ RealVNC Ltd.
  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan Watchorn
> Sent: 20 July 2004 18:49
> To: [EMAIL PROTECTED]
> Cc: VNC List
> Subject: RE: VNC security implications
> 
> In a case like this I assume you are using static addresses
> for both computers (otherwise I am not sure it will work
> consistently - with dynamic IPs you CAN get a different IP
> each time (but the address may happen to be the same) and
> that is like changing your telephone number without having
> any forwarding message). What the barman says is certainly
> true for static addresses since hackers can be assured your
> address will not change.
> 
> What I use to do the same thing (I manage a server with a 
> bunch of users calling in remotely) is a VPN circuit through 
> the Internet.  Basically that is an encrypted channel and 
> everyone accesses the server via VPN and then MS Terminal 
> Services or VNC.
> 
> Just because it is encrypted it is not hacker proof but 
> generally encrypted streams are more hacker resistant - 
> hackers prefer to work on streams of clear data rather than 
> go through the trouble of trying to decrypt it first.
> 
> Alan Watchorn
> [EMAIL PROTECTED]
> (760) 692-4300
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Dave Ho
> Sent: Tuesday, July 20, 2004 12:40 AM
> To: [EMAIL PROTECTED]
> Subject: VNC security implications
> 
> 
> Hi Folks, I am a bit green when it comes to setting up remote 
> connections to distant PCs.  What I was about to try to do 
> was to connect from a PC running WinXP to one running Win98 
> (both are connected to the internet). I then had a word with 
> the barman in my local pub (who is an ex PCguru) who said "do 
> not do that, you will blow holes in your network security,
> hackers will be able to logon to your server with ease"!
> 
> 
> 
> Help, does anyone have any comments to refute this statement.
> 
> 
> 
> Cheers Dave H


RE: VNC security implications

2004-07-20 Thread Alan Watchorn
In a case like this I assume you are using static addresses for both
computers (otherwise I am not sure it will work consistently - with dynamic
IPs you CAN get a different IP each time (but the address may happen to be
the same) and that is like changing your telephone number without having any
forwarding message). What the barman says is certainly true for static
addresses since hackers can be assured your address will not change.

What I use to do the same thing (I manage a server with a bunch of users
calling in remotely) is a VPN circuit through the Internet.  Basically that
is an encrypted channel and everyone accesses the server via VPN and then MS
Terminal Services or VNC.

Just because it is encrypted it is not hacker proof but generally encrypted
streams are more hacker resistant - hackers prefer to work on streams of
clear data rather than go through the trouble of trying to decrypt it first.

Alan Watchorn
[EMAIL PROTECTED]
(760) 692-4300

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Dave Ho
Sent: Tuesday, July 20, 2004 12:40 AM
To: [EMAIL PROTECTED]
Subject: VNC security implications


Hi Folks, I am a bit green when it comes to setting up remote
connections to distant PCs.  What I was about to try to do was to
connect from a PC running WinXP to one running Win98 (both are
connected to the internet). I then had a word with the barman in my
local pub (who is an ex PCguru) who said "do not do that, you will
blow holes in your network security, hackers will be able to logon to
your server with ease"!



Help, does anyone have any comments to refute this statement.



Cheers Dave H


RE: VNC security implications

2004-07-20 Thread James Weatherall
Dave,

If both PCs are behind an ADSL router that has a firewall, and if you don't
open up the VNC ports in that firewall, then using VNC between the machines
is not an issue, because no outside traffic can get to your server.

If you are careful never to open up the firewall to let VNC traffic in from
the Internet then you don't even need a password to be enabled at the VNC
Server, either...  Of course, if you might change the firewall settings and
accidentally open things up then a password is a good precaution!

Wez @ RealVNC Ltd.


> -Original Message-
> From: Dave Homan [mailto:[EMAIL PROTECTED] 
> Sent: 20 July 2004 10:48
> To: 'James Weatherall'
> Subject: RE: VNC security implications
> 
> Hi James, Thanks for the quick reply.  I have the two PCs 
> interconnected via an ADSL Router which has a firewall.  So 
> they are directly connected by internal intranet.  What I 
> would like to do is to control the Win98 PC from the XP PC 
> and I was looking for way to achieve this and VNC seemed to 
> be a possibility. I am sorry if this is a bit vague but I am new
> to this game.
> 
> Many thanks Dave
> 
>  
>  
> "The Homans"
> 36 Greenholm Road, Eltham, SE9 1UH
> Tel: 00 44 (0)2088590046
> MoTel: 00 44 (0)7876543489
> e-Mail [EMAIL PROTECTED]
> 
> -Original Message-
> From: James Weatherall [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 20, 2004 10:34 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: VNC security implications
> 
> Dave,
> 
> If the XP and 98 boxes are connected directly to the Internet 
> already then VNC is the least of your worries.
> 
> Are you intending to access one of them from the other 
> *across* the Internet?
> 
> Wez @ RealVNC Ltd.
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dave Ho
> > Sent: 20 July 2004 08:40
> > To: [EMAIL PROTECTED]
> > Subject: VNC security implications
> > 
> > Hi Folks, I am a bit green when it comes to setting up remote 
> > connections to distant PCs.  What I was about to try to do was to 
> > connect from a PC running WinXP to one running Win98 (both are 
> > connected to the internet). I then had a word with the barman in my 
> > local pub (who is an ex PCguru) who said "do not do that, you will 
> > blow holes in your network security, hackers will be able to logon to
> > your server with ease"!
> > 
> >  
> > 
> > Help, does anyone have any comments to refute this statement.
> > 
> >  
> > 
> > Cheers Dave H


RE: VNC security implications

2004-07-20 Thread James Weatherall
Dave,

If the XP and 98 boxes are connected directly to the Internet already then
VNC is the least of your worries.

Are you intending to access one of them from the other *across* the
Internet?

Wez @ RealVNC Ltd.
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Ho
> Sent: 20 July 2004 08:40
> To: [EMAIL PROTECTED]
> Subject: VNC security implications
> 
> Hi Folks, I am a bit green when it comes to setting up remote 
> connections to distant PCs.  What I was about to try to do 
> was to connect from a PC running WinXP to one running Win98 
> (both are connected to the internet). I then had a word with 
> the barman in my local pub (who is an ex PCguru) who said "do 
> not do that, you will blow holes in your network security,
> hackers will be able to logon to your server with ease"! 
> 
>  
> 
> Help, does anyone have any comments to refute this statement.
> 
>  
> 
> Cheers Dave H


Re: VNC security implications

2004-07-20 Thread Jerome R. Westrick
On Tue, 2004-07-20 at 09:39, Dave Ho wrote:
> Hi Folks, I am a bit green when it comes to setting up remote
> connections to distant PCs.  What I was about to try to do was to
> connect from a PC running WinXP to one running Win98 (both are
> connected to the internet). I then had a word with the barman in my
> local pub (who is an ex PCguru) who said "do not do that, you will
> blow holes in your network security, hackers will be able to logon to
> your server with ease"! 
> 

The comment here is too generalized...
Giving your barman the benefit of the doubt, you obviously told him more
than you told us

So as a generalization:
1) You can make yourself wide open.
2) You can do it in a secure fashion.

So he is right and/or wrong depending what you said to him...

Jerry
P.S.  Did this help?
>  
> 
> Help, does anyone have any comments to refute this statement.
> 
>  
> 
> Cheers Dave H


Re: VNC Security - Windows registry

2004-06-29 Thread Richard Harris
> I would like to see a better encryption process for VNC, as I have had a
> hacker figure out my password schema

Besides encrypting the data stream between host and client there is still
(IMO) an issue with WinVNC and storing the encrypted password in the
registry. RealVNC 4 stores its settings in HKLM\Software\Real4 and by
default users have the ability to read that section of the registry.

At first glance it seems possible to remove the user permissions to the
key and this stops users from viewing the encrypted password but does not
break VNC4. What side effects would this have on other functions of VNC?

Regards,
Richard




RE: VNC Security

2004-06-28 Thread James Weatherall
VNC 4.0 already uses a better scheme than the one you describe.  It provides
exponential lock out of bad hosts, and only zeroes their failed login count
if they successfully login.  This is what is referred to in the
release-notes summary as "Improved and more configurable brute-force
protection".

You can find the VNC documentation at
http://www.realvnc.com/documentation.html

Wez @ RealVNC Ltd.


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: 28 June 2004 01:39
> To: [EMAIL PROTECTED]
> Subject: Re: VNC Security
> 
> Would be better if the lock-out policy was implemented like 
> Windows server does.
> 
> You have so many attempts then the account gets locked out
> for the nominated duration, but there is also a counter of 
> attempts that only gets zeroed after another set duration.
> 
> 
> 
> At 00:30 28/06/2004, William Hooper wrote:
> >[EMAIL PROTECTED] said:
> >[snip]
> >> 
> >> Should be configurable.  For instance, two bad password attempts and
> >> VNC server will then give a bad password response even if the
> >> password is correct, but then you have to leave VNC server alone for,
> >> say 3 minutes, before the lock out is released and another two
> >> attempts are allowed.
> >
> >There is already a limit on the speed of password attempts.
> >
> >http://www.realvnc.com/pipermail/vnc-list/2000-May/014378.html
> >
> >--
> >William Hooper
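
The two lock-out schemes discussed in this thread, side by side, as an added example that is not RealVNC's code and not part of any post: the Windows-style counter that is zeroed after a set duration, and the exponential lock-out whose failure count only a successful login clears. The thresholds, delays, class names and the documentation-range address are assumptions chosen for the illustration.

```python
"""Added illustration of two lock-out policies; not RealVNC source code."""


class WindowedLockout:
    """Windows-style policy proposed in the thread: `threshold` bad passwords
    lock the host out for `lock` seconds, and the failure counter is zeroed
    once `reset` seconds pass without a new failure."""

    def __init__(self, threshold=3, lock=180, reset=180):  # assumed values
        self.threshold, self.lock, self.reset = threshold, lock, reset
        self.failures = {}       # host -> (count, time of last failure)
        self.blocked_until = {}  # host -> time the lock-out ends

    def allowed(self, host, now):
        return now >= self.blocked_until.get(host, 0)

    def failure(self, host, now):
        count, last = self.failures.get(host, (0, now))
        if now - last >= self.reset:
            count = 0            # the passage of time alone forgives the host
        count += 1
        if count >= self.threshold:
            self.blocked_until[host] = now + self.lock
            count = 0
        self.failures[host] = (count, now)

    def success(self, host):
        self.failures.pop(host, None)
        self.blocked_until.pop(host, None)


class ExponentialLockout:
    """Policy as described for VNC 4.0 in the thread: the lock-out doubles
    with every further failure and the count is zeroed only by a good login."""

    def __init__(self, threshold=3, base=10, cap=3600):  # assumed values
        self.threshold, self.base, self.cap = threshold, base, cap
        self.failures = {}       # host -> failures since the last good login
        self.blocked_until = {}  # host -> time the lock-out ends

    def allowed(self, host, now):
        return now >= self.blocked_until.get(host, 0)

    def failure(self, host, now):
        count = self.failures.get(host, 0) + 1
        self.failures[host] = count
        if count >= self.threshold:
            delay = min(self.base * 2 ** (count - self.threshold), self.cap)
            self.blocked_until[host] = now + delay

    def success(self, host):
        self.failures.pop(host, None)
        self.blocked_until.pop(host, None)


def attempt(policy, host, now, password_ok):
    """Return True only if the host is not locked out and the password is right."""
    if not policy.allowed(host, now):
        return False             # rejected without looking at the password
    if password_ok:
        policy.success(host)
        return True
    policy.failure(host, now)
    return False


def guesses_in(policy, horizon, interval=1, host="203.0.113.7"):
    """Count the wrong passwords one host gets evaluated within `horizon`
    seconds when it retries every `interval` seconds."""
    tried = 0
    for now in range(0, horizon, interval):
        if policy.allowed(host, now):
            attempt(policy, host, now, password_ok=False)
            tried += 1
    return tried


if __name__ == "__main__":
    day = 24 * 60 * 60
    for name, make in (("windowed", WindowedLockout),
                       ("exponential", ExponentialLockout)):
        print(name, "as fast as allowed:", guesses_in(make(), day),
              "| one try every 181 s:", guesses_in(make(), day, interval=181))
```

With these assumed settings a host that paces itself just past the reset window is never locked out by the windowed policy, while the exponential policy keeps counting until the host logs in correctly.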


RE: VNC Security

2004-06-27 Thread John Ellingsworth
Here is an article based on 3.? for securing VNC with openssl:

http://www.securityfocus.com/infocus/1677

If you are using the latest version of VNC, some of these features are built
in (such as local connections only).

Thanks,

John Ellingsworth
Virtual Curriculum
AIM: vc2000support
http://mail.med.upenn.edu/~jellings/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jon Lucas
Sent: Sunday, June 27, 2004 3:00 PM
To: [EMAIL PROTECTED]
Subject: VNC Security


Dear Sirs:

I would like to see a better encryption process for VNC, as I have had a
hacker figure out my password schema, and actually caught him in a session
of hijacking our server.  Since then, I have tightened the firewall to only
accept specific IP addresses on 5800 and 5900, but that also constrains
access points.

Just a thought.

Thank you for a great product that makes it a lot easier to live with
computers. (barring the bad guys, of course).

Jon Lucas
[EMAIL PROTECTED]


Re: VNC Security

2004-06-27 Thread myron_in_da_house
Would be better if the lock-out policy was implemented like Windows server does.

You have so many attempts then the account gets locked out for the nominated 
duration, but there is also a counter of attempts that only gets zeroed after another 
set duration.



At 00:30 28/06/2004, William Hooper wrote:
>[EMAIL PROTECTED] said:
>[snip]
>> 
>> Should be configurable.  For instance, two bad password attempts and VNC
>> server will then give a bad password response even if the password is
>> correct, but then you have to leave VNC server alone for, say 3 minutes,
>> before the lock out is released and another two attempts are allowed.
>
>There is already a limit on the speed of password attempts.
>
>http://www.realvnc.com/pipermail/vnc-list/2000-May/014378.html
>
>-- 
>William Hooper


Re: VNC Security

2004-06-27 Thread William Hooper
[EMAIL PROTECTED] said:
[snip]
> 
> Should be configurable.  For instance, two bad password attempts and VNC
> server will then give a bad password response even if the password is
> correct, but then you have to leave VNC server alone for, say 3 minutes,
> before the lock out is released and another two attempts are allowed.

There is already a limit on the speed of password attempts.

http://www.realvnc.com/pipermail/vnc-list/2000-May/014378.html

-- 
William Hooper


Re: VNC Security

2004-06-27 Thread myron_in_da_house
If you're using Windows, let alone any server, consider using a Virtual Private 
network and a VPN appliance.  Actually, you have to be crazy to let VNC server be 
visible on the Internet.

For the company I work for, and manage their I.T. systems, I firstly establish a 
connection by VPN using a guess account to login to grant me access to the network.  I 
then have to supply a different password to the VNC server I wish to access and every 
VNC server has a different password, not vulnerable to a dictionary attack.  If I need 
to authenticate to the servers as an administrator then that is yet another user name 
and password.

Intrusion detection is also enforced.  Try too many times to connect to the VPN by 
brute force and there is an account lock out that triggers.  You then have to leave 
the account being attacked alone for a period of time to have the lockout 
automatically released.

Back to VNC, there needs to be a login lockout implemented on the VNC server.  Simple 
to do (I don't have the time to code it in) and a puzzle why it's never been put in.

Should be configurable.  For instance, two bad password attempts and VNC server will 
then give a bad password response even if the password is correct, but then you have 
to leave VNC server alone for, say 3 minutes, before the lock out is released and 
another two attempts are allowed.

A simple login lockout like this would give a hacker an interesting challenge as it 
would then take a VERY long time to guess a password, so would it be worth it?  The 
owner of the computer operating VNC server would know very long before anything got 
cracked that there was a hack attack in progress.

Sorry, for to be said, but this is a lack of common sense in leaving such a simple 
security feature out of VNC.  I would rather be locked out from signing on VNC by a 
hacker than have a hacker gain access and run riot.


At 21:52 27/06/2004, "Jerome R. Westrick" <[EMAIL PROTECTED]> wrote:
>Use SSH...
>
>
>On Sun, 2004-06-27 at 21:33, William Hooper wrote:
>> Jon Lucas said:
>> > Dear Sirs:
>> > 
>> > 
>> > I would like to see a better encryption process for VNC, as I have had a
>> > hacker figure out my password schema, and actually caught him in a
>> > session of hijacking our server.
>> 
>> If someone has your password, what would better encryption get you?
___
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
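
The lockout proposed in this message, combined with the Windows-style attempt counter suggested in the follow-up, as an added example (not code from VNC or from anyone on the list). The class name, the `key` argument, the 15-minute counter reset and the choice to restart the timer when an attempt arrives during a lockout are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class _State:
    failures: int = 0                     # bad attempts counted so far
    last_failure: float = 0.0             # clock value of the latest bad attempt
    locked_until: Optional[float] = None  # None while not locked out


class LoginLockout:
    """Lockout after N bad passwords, plus a counter that ages out when idle."""

    def __init__(self, max_failures=2, lockout_seconds=180.0,
                 reset_seconds=900.0, clock=time.monotonic):
        self.max_failures = max_failures        # "two bad password attempts"
        self.lockout_seconds = lockout_seconds  # "say 3 minutes"
        self.reset_seconds = reset_seconds      # assumed; the thread names no value
        self.clock = clock
        self._states = {}

    def attempt(self, key, password_ok):
        """Record one login attempt for `key`; return True only if accepted."""
        now = self.clock()
        st = self._states.setdefault(key, _State())

        if st.locked_until is not None:
            if now < st.locked_until:
                # Locked: report failure even for the correct password and
                # restart the timer, so the server has to be left alone.
                st.locked_until = now + self.lockout_seconds
                return False
            # Lockout served: another batch of attempts is allowed.
            st.locked_until = None
            st.failures = 0

        # Windows-style rule: the counter is zeroed only after a quiet period.
        if st.failures and now - st.last_failure >= self.reset_seconds:
            st.failures = 0

        if password_ok:
            st.failures = 0
            return True

        st.failures += 1
        st.last_failure = now
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
        return False


def simulate(events, **policy):
    """Replay (timestamp, key, password_ok) events against a fake clock."""
    now = [0.0]
    guard = LoginLockout(clock=lambda: now[0], **policy)
    results = []
    for timestamp, key, ok in events:
        now[0] = timestamp
        results.append(guard.attempt(key, ok))
    return results


# Constructed events: (seconds, source address, was the password correct?)
SAMPLE_EVENTS = [
    (0,   "203.0.113.7",  False),  # first bad attempt
    (5,   "203.0.113.7",  False),  # second bad attempt, locked until t=185
    (10,  "203.0.113.7",  True),   # correct but locked, timer restarts (t=190)
    (100, "198.51.100.4", True),   # a different source is unaffected
    (189, "203.0.113.7",  True),   # still locked, timer restarts (t=369)
    (369, "203.0.113.7",  True),   # left alone for 3 minutes, accepted
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

Keying on the source address keeps one guesser from locking out everyone else; passing a single constant key instead gives the server-wide lockout the message describes, where the owner is locked out along with the guesser.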


Re: VNC Security

2004-06-27 Thread Jerome R. Westrick
Use SSH...


On Sun, 2004-06-27 at 21:33, William Hooper wrote:
> Jon Lucas said:
> > Dear Sirs:
> > 
> > 
> > I would like to see a better encryption process for VNC, as I have had a
> > hacker figure out my password schema, and actually caught him in a
> > session of hijacking our server.
> 
> If someone has your password, what would better encryption get you?


Re: VNC Security

2004-06-27 Thread William Hooper
Jon Lucas said:
> Dear Sirs:
> 
> 
> I would like to see a better encryption process for VNC, as I have had a
> hacker figure out my password schema, and actually caught him in a
> session of hijacking our server.

If someone has your password, what would better encryption get you?

-- 
William Hooper


Re: VNC security

2003-09-18 Thread Michael Herman
On Wed, Sep 17, 2003 at 01:09:02AM +0200, Björn Persson wrote:
> Mike Miller wrote:
> > But it might not be a matter of time because it's so much work for so
> > little gain?
>
> How little gain exactly? Your company's trade secrets? The administrator
> passwords to all your servers? All the money in your bank account?
>
> And let me point out that the work only needs to be done *once*. Not once for
> every session. I could write the program and then use it daily for years.

Thank you, Bjorn.  I agree with you, which is why I posted the original.  The
risk is unlikely but it is there and needs to be understood.  As VNC becomes
increasingly more popular, hackers will try to exploit it.


Re: VNC security

2003-09-17 Thread Scott C. Best
Bjorn:

Heya. Some comments to your comments:

> If I wanted to sniff other people's VNC traffic I'd first try to find
> an existing program to do this. If I couldn't find one I would:
>
> 1: use one of the existing programs that can intercept TCP sessions.
> Maybe I'd have to teach it how to recognize the RFB protocol. That's no
> big problem.

A company I used to work at was founded by this guy who
was world-class in coming up with setups such as "if you could do
this one impossible thing, you could make a *ton* of money". :)
Perhaps it's both a great way for entrepreneurs to think of their
next company *and* for security-paranoid people to consider their
networks.
Which is to say...hijacking an arbitrary TCP connection
off of the Internet is galactically difficult. As I said in my post,
though, stealing packets off of a local network (or capturing a
local keyboard) is trivial, even if the data was encrypted across
the Internet with 256-bit AES.

> On the Internet, either you have encryption, or you have *no* security.

See, I'm worried that this is misleading. Because even with
encryption, you can still be left with no security. I mean, what's
the point of 256-bit AES securing my VNC connection if my VNC server
has no AuthHosts setting, its password is just "password", and the
RPC vulnerability CERT announced last month hasn't been patched on my
server yet? Or as Cheswick and Bellovin put it in _Firewalls and
Internet Security_:

"But encryption is useless if you cannot trust one of the
endpoints. Indeed, it can be worse than useless: the untrusted
endpoint must be provided with your key, thus compromising it."

> > But it might not be a matter of time because it's so much work for
> > so little gain?
>
> How little gain exactly? Your company's trade secrets? The administrator
> passwords to all your servers? All the money in your bank account?

A good rule of thumb here is that you should spend at least
as much time protecting your network assets as the Black Hats would
spend trying to steal them, and at least as much money as the assets
are worth. Part of that solution *of course* involves good encryption.
But IMO, encryption is a little like recycling: on its own, it's pretty
useless and pretty easy to delude yourself with. Nevertheless, it's
also a necessary part of a much larger, much more effective, overall
policy.

cheers,
Scott


Re: VNC security

2003-09-16 Thread Björn Persson
Mike Miller wrote:
> But it might not be a matter of time because it's so much work for so
> little gain?

How little gain exactly? Your company's trade secrets? The administrator 
passwords to all your servers? All the money in your bank account?

And let me point out that the work only needs to be done *once*. Not once for 
every session. I could write the program and then use it daily for years.

Björn Persson


Re: VNC security

2003-09-16 Thread Mike Miller
On Tue, 16 Sep 2003, Björn Persson wrote:

> If I wanted to sniff other people's VNC traffic I'd first try to find an
> existing program to do this. If I couldn't find one I would:
>
> 1: use one of the existing programs that can intercept TCP sessions.
> Maybe I'd have to teach it how to recognize the RFB protocol. That's no
> big problem.
>
> 2: feed the keystrokes to a small program that would write them to a log
> file. If I'd need a translation table I could get one from any VNC
> server.
>
> 3: feed the screen updates to one of those VNC viewers that can record
> them as a video file.
>
> 4: feed the image data to one of the existing programs that perform
> character recognition on screenshots, and log the character data.


In other words, it's not worth the effort and it will probably never
happen.

Does anyone know if this kind of thing has actually been done?  Not as a
demonstration -- has anyone actually been attacked in this way?


> I'd be surprised if no one has done this already, and maybe even put the
> pieces together to a convenient program, but if not, it's probably just
> a matter of time.

But it might not be a matter of time because it's so much work for so
little gain?


> On the Internet, either you have encryption, or you have *no* security.

There are degrees.  Some things get attacked constantly and some don't.

Mike

-- 
Michael B. Miller, Ph.D.
Assistant Professor
Division of Epidemiology
and Institute of Human Genetics
University of Minnesota
http://taxa.epi.umn.edu/~mbmiller/


Re: VNC security

2003-09-16 Thread Björn Persson
Scott C. Best wrote:
> First, when you press "Send"
> on a web-browser form, all of the data in that form is sent at
> once, in well-delineated form, making the data relatively easy to
> identify. In a VNC session, by comparison, every *character* is
> sent as soon as you type it, along with other RFB info to update
> the visuals. That will make intercepting the data fundamentally
> more difficult as it is "spread" across so many more packets, and
> mixed in with so much other data.

Yes, it's encoded, it's compressed, it's scattered and it's mixed with lots 
of other data, but _that_does_not_matter_. Reassembling the scattered packets 
of a TCP session isn't difficult. Every operating system has the code to do 
that, and lots of monitoring programs too, and TCP is documented in case you 
really want to write it yourself. Decompressing and decoding the data stream 
isn't difficult either. VNC knows how to do it. The source code is free, and 
so is the RFB documentation.

If I wanted to sniff other people's VNC traffic I'd first try to find an 
existing program to do this. If I couldn't find one I would:

1: use one of the existing programs that can intercept TCP sessions. Maybe 
I'd have to teach it how to recognize the RFB protocol. That's no big problem.

2: feed the keystrokes to a small program that would write them to a log 
file. If I'd need a translation table I could get one from any VNC server.

3: feed the screen updates to one of those VNC viewers that can record them 
as a video file.

4: feed the image data to one of the existing programs that perform character 
recognition on screenshots, and log the character data.

Once this was done I could automatically record all VNC sessions on every 
network link I could get access to, and then I could scan the text logs for 
interesting tokens such as "Password" or whatever I'd be looking for.

I'd be surprised if no one has done this already, and maybe even put the 
pieces together to a convenient program, but if not, it's probably just a 
matter of time.

On the Internet, either you have encryption, or you have *no* security.

Björn Persson


Re: VNC security

2003-09-16 Thread Scott C. Best
Michael:

Heya. I think I'm willing to split this hair over VNC
security.
First off, I agree with you that VNC users should try to
use a secure-tunnel whenever they VNC across the Internet. That's
just an inarguable Good Idea. For those using VNC to remotely
administer their content-sensitive servers, I'm sure it's one of
the first things done.

However, I think you oversell this point by comparing
"giving a credit card over an insecure web browser" to using VNC
over a non-tunneled connection. First, when you press "Send"
on a web-browser form, all of the data in that form is sent at
once, in well-delineated form, making the data relatively easy to
identify. In a VNC session, by comparison, every *character* is
sent as soon as you type it, along with other RFB info to update
the visuals. That will make intercepting the data fundamentally
more difficult as it is "spread" across so many more packets, and
mixed in with so much other data.

Second, even with a secure-tunnel encrypting your data
across the wilds of the Internet, your packets can still be
sniff'd/recorded/played-back by a *local* user with malicious
intent. Sniffing wild packets off of the Internet is *very*
difficult and a federal offense in most countries. Sniffing
packets off of an ethernet hub is routine and, possibly, the
official *policy* of your network's administrator.

Put another way, good network security (and a good network
attack strategy) is to go after the biggest holes first. For VNC
users, the biggest weakness is usually choosing weak passwords. For
*all* Windows, the even-bigger weakness is reading email with
Outlook and not keeping up with MSoft's near-weekly release of
security patches. Maybe 5th or 6th on my list would be "running
VNC without a secure-tunnel". Your mileage may vary. :)

In closing, as I used to tell my IT clients and I'm sure
you know, the Black Hats don't want to break into your PC to steal
your credit card numbers. Not their intent. If it were, then the
rationalization I heard 90-percent of the time ("Oh, I don't keep
anything on that computer anyone would want to steal") would make
good sense. Instead, though, the Black Hats want to break into your
computer so that when they next try to crash EBay's servers, or
set up an illegal content reflector, they do it from *your* computer.

cheers,
Scott


> On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
> >On Sat, 13 Sep 2003, Michael Herman wrote:
> >
> >> I would like to point out that VNC is not secure.
> >>
> >> From the realVNC FAQ:
> >>
> >> > Is VNC secure?
> >>
> >> >The only really secure computer is one without a network. VNC
> >> >requires a password when a viewer tries to connect to a server. This password
> >> >is encrypted to deter snooping, but the following graphical data, the VNC
> >> >protocol, is not.
> >>
> >> In other words, if you are using VNC across the Internet without some
> >> sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
> >> information to the world.
> >>
> >> Please, please, please be careful.
> >
> >
> >Thank you for your concern.  I hear that it is possible for someone
> >snooping network traffic to set up a program that will decode the VNC
> >stream and allow them to see what I'm doing.  Is that true?  I think that
> >most packet sniffing is limited to searching plain text for
> >username/password.  Am I wrong?
> >
>
> 'Decoding' the packet stream isn't all that difficult.  The information
> entered into fields is transmitted as text inside the packet.  Usernames,
> passwords, credit card information, etc. will all be visible to a hacker who
> is looking for it.
>
> Please don't think I am down on VNC.  I think it is a great tool and I use it
> all the time, both securely and insecurely.  I think it is important to
> remember that VNC does not provide a security mechanism other than the
> encrypted password.  It's also important to remember that most of the Internet
> (web, email, chat, news, etc) are insecure.  You wouldn't give your credit
> card on the web without HTTPS (encrypted, secure web page) would you?



RE: Re: VNC security

2003-09-16 Thread Christopher Mc Carthy
Hello,

I'm a bit confused.

I currently use VNC (the Tight flavour) through an SSH tunnel, so I'm
not really concerned, but I thought (from other discussions found in the
archives) that VNC was *quite* secure as info/updates was/were sent over
the network as images (increasingly compressed, using either Tight or
the new VNC 4 encoding).  

So this assumption is *wrong*, and any text typed in a VNC window is in
fact sent as plain text, and so *easily* tapped??? [[ this is what
"information entered into fields is transmitted as text inside the
packet" leads me to conclude ]].

Thanks for any definitive light on the subject.

Chris

>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of 
>[EMAIL PROTECTED]
>Sent: 16 September 2003 13:00
>To: [EMAIL PROTECTED]
On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
>On Sat, 13 Sep 2003, Michael Herman wrote:
>
>> I would like to point out that VNC is not secure.
>>
>> From the realVNC FAQ:
>>
>> > Is VNC secure?
>>
>> >The only really secure computer is one without a network. VNC
>> >requires a password when a viewer tries to connect to a server. This password
>> >is encrypted to deter snooping, but the following graphical data, the VNC
>> >protocol, is not.
>>
>> In other words, if you are using VNC across the Internet without some
>> sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
>> information to the world.
>>
>> Please, please, please be careful.
>
>
>Thank you for your concern. I hear that it is possible for someone
>snooping network traffic to set up a program that will decode the VNC
>stream and allow them to see what I'm doing. Is that true? I think that
>most packet sniffing is limited to searching plain text for
>username/password. Am I wrong?
>

'Decoding' the packet stream isn't all that difficult. The information
entered into fields is transmitted as text inside the packet. Usernames,
passwords, credit card information, etc. will all be visible to a hacker who
is looking for it.

Please don't think I am down on VNC. I think it is a great tool and I use it
all the time, both securely and insecurely. I think it is important to
remember that VNC does not provide a security mechanism other than the
encrypted password. It's also important to remember that most of the Internet
(web, email, chat, news, etc) are insecure. You wouldn't give your credit
card on the web without HTTPS (encrypted, secure web page) would you?

I posted my original e-mail after an off-list discussion with someone who,
using Windows 98 on both the client and server, wanted to connect to work.
This person appeared to be, from their e-mail signature, a human resources
director for a company. HR people generally deal in confidential
information and I certainly would want the HR people at the company I work for
to not expose any information about me to the web without some security
mechanism.

--
Michael


Re: VNC security

2003-09-15 Thread Bernard Peek
In message <[EMAIL PROTECTED]>, Michael 
Herman <[EMAIL PROTECTED]> writes


> I posted my original e-mail after an off-list discussion with someone who,
> using Windows 98 on both the client and server, wanted to connect to work.
> This person appeared to be, from their e-mail signature, a human resources
> director for a company.  HR people generally deal in confidential
> information and I certainly would want the HR people at the company I work for
> to not expose any information about me to the web without some security
> mechanism.

Let me emphasise this. In Europe there are stringent privacy laws 
governing personal data. Sysadmins and developers are required to take 
reasonable steps to protect personal data. If they fail then they (and 
their employers) could do jail time.

--


Re: VNC security

2003-09-15 Thread Michael Herman
On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
> On Sat, 13 Sep 2003, Michael Herman wrote:
>
> > I would like to point out that VNC is not secure.
> >
> > From the realVNC FAQ:
> >
> > > Is VNC secure?
> >
> > >The only really secure computer is one without a network. VNC
> > >requires a password when a viewer tries to connect to a server. This password
> > >is encrypted to deter snooping, but the following graphical data, the VNC
> > >protocol, is not.
> >
> > In other words, if you are using VNC across the Internet without some
> > sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
> > information to the world.
> >
> > Please, please, please be careful.
>
>
> Thank you for your concern.  I hear that it is possible for someone
> snooping network traffic to set up a program that will decode the VNC
> stream and allow them to see what I'm doing.  Is that true?  I think that
> most packet sniffing is limited to searching plain text for
> username/password.  Am I wrong?

'Decoding' the packet stream isn't all that difficult.  The information
entered into fields is transmitted as text inside the packet.  Usernames,
passwords, credit card information, etc. will all be visible to a hacker who
is looking for it.

Please don't think I am down on VNC.  I think it is a great tool and I use it
all the time, both securely and insecurely.  I think it is important to
remember that VNC does not provide a security mechanism other than the
encrypted password.  It's also important to remember that most of the Internet
(web, email, chat, news, etc) are insecure.  You wouldn't give your credit
card on the web without HTTPS (encrypted, secure web page) would you?

I posted my original e-mail after an off-list discussion with someone who,
using Windows 98 on both the client and server, wanted to connect to work.
This person appeared to be, from their e-mail signature, a human resources
director for a company.  HR people generally deal in confidential
information and I certainly would want the HR people at the company I work for
to not expose any information about me to the web without some security
mechanism.

--
Michael
___
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
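
The FAQ passage quoted in this message says only the password exchange is protected. As an added example (not part of the thread and not RealVNC code), this audit helper reads the first bytes a server sends in the RFB handshake, as laid out in RFC 6143, and reports whether any offered security type can encrypt the session; the function names and the sample byte strings are assumptions constructed for illustration.

```python
import re
import struct

# Types 1 and 2 are defined in RFC 6143; neither encrypts the session that
# follows (type 2 protects only the password, by challenge-response).
PLAINTEXT_SESSION = {1: "None", 2: "VNC Authentication"}
# TLS-capable types from the IANA RFB registry. VeNCrypt negotiates a sub-type
# afterwards and not every sub-type uses TLS, so "capable" is all we can say.
TLS_CAPABLE = {18: "TLS", 19: "VeNCrypt"}

_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def _reason(buf):
    """Decode the U32-length-prefixed reason a server sends when it refuses."""
    if len(buf) < 4:
        raise ValueError("truncated failure reason")
    (length,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + length].decode("latin-1")


def parse_server_hello(data):
    """Return (version, offered_types, refusal_reason) from the server bytes."""
    match = _BANNER.fullmatch(data[:12])
    if match is None:
        raise ValueError("not an RFB ProtocolVersion banner")
    version = (int(match.group(1)), int(match.group(2)))
    rest = data[12:]
    if version >= (3, 7):
        # 3.7 and later: a U8 count followed by that many U8 security types.
        if not rest:
            raise ValueError("truncated: no security-type count")
        count = rest[0]
        if count == 0:
            return version, [], _reason(rest[1:])
        types = list(rest[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
        return version, types, None
    # 3.3: the server dictates a single security type as a U32.
    if len(rest) < 4:
        raise ValueError("truncated: no security type")
    (chosen,) = struct.unpack(">I", rest[:4])
    if chosen == 0:
        return version, [], _reason(rest[4:])
    return version, [chosen], None


def audit(data):
    """Summarise what the server offers, assuming the client accepts its version."""
    version, types, reason = parse_server_hello(data)
    names = [PLAINTEXT_SESSION.get(t) or TLS_CAPABLE.get(t) or f"type {t}"
             for t in types]
    return {
        "version": "%d.%d" % version,
        "offered": names,
        "tls_capable": any(t in TLS_CAPABLE for t in types),
        "plaintext_only": bool(types) and all(t in PLAINTEXT_SESSION for t in types),
        "refused": reason,
    }


# Constructed server bytes (not captured traffic).
SAMPLES = {
    "password only": b"RFB 003.008\n" + bytes([1, 2]),
    "vencrypt or password": b"RFB 003.008\n" + bytes([2, 19, 2]),
    "legacy 3.3": b"RFB 003.003\n" + struct.pack(">I", 2),
    "refusing": b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 9) + b"too many!",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit(raw))
```

A server reported as `plaintext_only` is one that should be reachable only through a tunnel (SSH, IPSEC, PPTP), as the message says.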


Re: VNC security

2003-09-14 Thread Mike Miller
On Sat, 13 Sep 2003, Michael Herman wrote:

> I would like to point out that VNC is not secure.
>
> From the realVNC FAQ:
>
> > Is VNC secure?
>
> >The only really secure computer is one without a network. VNC
> >requires a password when a viewer tries to connect to a server. This password
> >is encrypted to deter snooping, but the following graphical data, the VNC
> >protocol, is not.
>
> In other words, if you are using VNC across the Internet without some
> sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
> information to the world.
>
> Please, please, please be careful.


Thank you for your concern.  I hear that it is possible for someone
snooping network traffic to set up a program that will decode the VNC
stream and allow them to see what I'm doing.  Is that true?  I think that
most packet sniffing is limited to searching plain text for
username/password.  Am I wrong?

Mike