Depending on the context of the lecture, I would question any security conference that labels VNC as a "hacking tool". It is a remote access tool. Sure, being free and, even more so, very lightweight lends itself to nefarious use (as opposed to, say, pcAnywhere). But it is certainly no less valid than pcAnywhere or any other remote access tool. Though I couldn't be too harsh. Adam Cohen of TIME called VNC "spyware":

http://www.time.com/time/covers/1101010702/

Alright. So VNC has a valid reason for being on your network. Is it secure? Kinda. Not really.

http://www.uk.research.att.com/vnc/faq.html#q55

VNC does a pretty good job at protecting its password. So it won't be trivial to capture it "on the wire" like telnet or ftp. But you're going to want a strong password - there is a patch that can turn a VNC client into a brute-force VNC cracker:

http://www.securiteam.com/tools/Brute_forcing_VNC_passwords.html

But... the rest of VNC traffic is unencrypted. So your session is prone to snooping (although the traffic has to be uncompressed first). You'll note several methods to protect this traffic in the above-mentioned FAQ link. My often-used favorite is an SSH tunnel. SSH will provide better authentication, encryption of the traffic, and even some compression if you need.

Finally, if you need a bit more efficient VNC, TightVNC is an excellent off-shoot of the original VNC project:

http://www.tightvnc.org/

I tend to prefer TightVNC as I am never quite sure what kind of network link my laptop will be hanging off of when I need it (which only reinforces the use of an SSH gateway / tunnel).

On Wed, 2002-03-27 at 11:13, Orlando J. Cano wrote:
> Hello all,
>
> I was wondering if most security policies allowed Virtual Network Computing or VNC to be used in live networks. I remembered attending a security conference once that identified this tool as a hacking tool. I have a request to do an environmental risk analysis to allow an installation of this tool in a couple of servers, one in the DMZ and one inside our firewall.
>
> I am looking for some feedback on this issue.
>
> Thank you in advance to you all security warriors.
>
> OC
>

--
.: Paul Hosking . [EMAIL PROTECTED]
.: InfoSec
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9
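Editor's added example, not part of the original message: a check for a risk analysis like the one asked about, confirming that a host meant to be reached only through an SSH tunnel has no VNC listener on a non-loopback address. It assumes sshd runs on the same host as the VNC server, the conventional 5900+display and 5800+display ports, and `ss -ltn` style input; the sample output and all function names are constructed for illustration.

```python
import ipaddress

# Assumption: conventional VNC ports, 5900+display (RFB) and 5800+display
# (built-in HTTP viewer), for displays 0-99.
VNC_PORTS = set(range(5800, 6000))

# Constructed sample of `ss -ltn` output, not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      5          127.0.0.1:5901       0.0.0.0:*
LISTEN 0      5            0.0.0.0:5902       0.0.0.0:*
LISTEN 0      5              [::1]:5903          [::]:*
LISTEN 0      5               [::]:5804          [::]:*
LISTEN 0      5         192.0.2.10:5900       0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port or None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None


def is_loopback(addr):
    """True only for addresses that parse as loopback (127.0.0.0/8, ::1)."""
    addr = addr.split("%", 1)[0]  # drop an interface scope such as %lo
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # wildcard '*' or unparseable: treat as exposed


def exposed_vnc_listeners(ss_output):
    """Return (addr, port) for VNC-range listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, port = split_endpoint(fields[3])
        if port in VNC_PORTS and not is_loopback(addr):
            findings.append((addr, port))
    return findings


if __name__ == "__main__":
    for addr, port in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"VNC port {port} is listening on {addr}; bind it to loopback")
```
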