No, there is no built-in encryption for the free VNC builds.  UltraVNC
attempts to use a DSM plug-in but it doesn't always work right.

Lazy?  Like not reading the response to Alexander? ;)  You seem to be
still operating under the same assumptions.


> -----Original Message-----
> From: Joshua Berry [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 20, 2005 9:41 AM
> To: Steve Bostedor; Andy Bruce - softwareAB
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: RE: VNC Security
> 
> 
> Just because some people and applications perform things 
> insecurely does not mean that you should or have to do so.  
> VNC allows full GUI access to a box, FTP, POP3, IMAP, etc. do 
> not.  And yes, I do not use FTP, I use SSH SFTP because it is 
> secure.  I would hope that people on a security mailing list 
> attempt to do things more securely.
> 
> This sounds like an issue of laziness, someone that doesn't 
> want to take the extra step to ensure their (or customers') 
> security.  Where I work this would be a huge problem because 
> of different regulations requiring data encryption.  Besides, 
> I believe that VNC has support for encryption now and if so 
> there is definitely no reason to not utilize that support.
> 
> -----Original Message-----
> From: Steve Bostedor [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 8:03 PM
> To: Joshua Berry; Andy Bruce - softwareAB
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: RE: VNC Security
> 
> Joshua, Please see my reply to Alexander.  It addresses some 
> of what you said here.  I disagree that VNC should be avoided 
> completely, though. It's not THAT insecure!  I will go out on 
> a limb and say that about 90% of the POP3 users in the world 
> use plain text passwords.  Encrypted passwords aren't really 
> that common and most ISPs don't require that home users 
> encrypt their passwords.  
> 
> Do you use FTP?  Maybe you triple encrypt your FTP data or 
> just avoid FTP completely just like VNC, but I'll go out on a 
> limb again and guess that at least 95% of FTP users in the 
> world send the username and password in plain text and 
> unencrypted.  I'll also guess that at least 30% of them use 
> the same username and password for their FTP account as they 
> do for numerous other functions.  Maybe even their encrypted 
> POP3 account. ;)
> 
> The reply to Alexander explains my question further.  
> 
> 
> -----Original Message-----
> From: Joshua Berry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 19, 2005 6:43 PM
> To: Andy Bruce - softwareAB; Steve Bostedor
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: RE: VNC Security
> 
> 
> To the original poster:
> 
> It is my *opinion* that using VNC should be avoided 
> completely.  The last time that I used VNC it only supported a 
> password, and no user name. This leaves only the password to 
> brute-force, considerably lessening the time needed to break 
> in.  Also, you are making the assumption that everyone uses 
> plain text POP, I only use POP over SSL, IMAP over SSL or 
> HTTPS to access my email.  Also, this is not a good example 
> because POP user accounts/passwords only give you someone's 
> email, a VNC password will give you full access to the 
> server/desktop it is running on.
> 
> The passwords can be sniffed on your local network or they 
> can be sniffed on the network that the server/desktop you are 
> connecting to resides on.  If this is a critical box, then 
> now anyone that can sniff the network can also gain a login 
> to this box to do whatever they want.
> 
> I believe that VNC includes SSL or some other decent means of 
> encryption now.
> 
> To the first follow up poster:
> a. Somebody just needs to get the password in that 20 minute 
> interchange, which is not too hard if they are only sniffing 
> for X sessions.  They can just dump that to a file and leave 
> it running until it picks something up.  Also, you can set up 
> something to probe the box on that port, so the next time VNC 
> is enabled they can log in.  I am curious how you would notice 
> someone sniffing the network?  I only see this as being 
> possible if the host was running Linux/Unix and forwarding 
> their syslogs to you, so that you could see when a NIC 
> entered promiscuous mode.
> 
> Lastly:
> I have seen several VNC exploits available over the years, so 
> this is just a whole new service that you are exposing to 
> risk that you often don't need to (because if it is Linux you 
> have SSH, and if it is a Windows box you have Terminal Services).
> 
> 
> -----Original Message-----
> From: Andy Bruce - softwareAB [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 7:55 AM
> To: Steve Bostedor
> Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
> Subject: Re: VNC Security
> 
> This is a very interesting question to me. In my own case, I do have
> SSH set up thru Cygwin (http://www.cygwin.com/) for my local network
> and I use VNC thru that connection when I need to manage my own stuff
> remotely. However, I have to admit that when I use VNC to aid remote
> clients (which happens quite frequently) I don't worry about
> encryption whatsoever.
> 
> FWIW, here's my approach:
> 
> 1. I don't even try to explain setting up an SSH daemon to them. I
> simply have them install the VNC server in user-mode and start it.
> 
> 2. If I can't explain to them in 5 min or less how to do port
> forwarding, I just have them connect directly to their cable/dsl
> modem.
> 
> 3. Get the debugging and/or support done.
> 
> 4. Have them stop the VNC server. Since it isn't running as a service,
> it won't start up next time and so won't be a security risk.
> 
> 5. Tell them to turn off port forwarding from the router (if they
> could grok it), or just have them connect their PC back to the router
> and their router back to the cable/dsl modem. In either case, 5900
> isn't available to the outside world so there's no risk even if they
> were running VNC in service-mode.
> 
> I have to agree with Steve that this is, for all practical purposes, a
> non-existent security risk. The only things that could go wrong:
> 
> a. "Somebody" is sniffing the packet stream while the VNC passwords
> are being exchanged, and, during that 20 minute interchange, cracks
> the password and logs onto the VNC server. Of course, we would notice
> this problem on both ends!
> 
> b. I have never captured the data shared between client and server
> (screen/UI deltas) and so have no idea if these pose a security risk
> or not.
> 
> c. While the VNC server is running and they are connected to the
> internet (port forwarding has the same problem as direct connect) a
> port sniffer detects that 5900 is available and immediately zooms in
> thru some VNC security hole. Wez would know a lot more about this
> possibility than me, though!
> 
> Am I missing something here?
> 
> Steve Bostedor wrote:
> 
> >I'd like to know if anyone has any working examples of why an
> >unencrypted VNC session over the Internet is seen as such a horrible
> >security risk.  I understand that unencrypted ANYTHING over the
> >Internet lends the chance for someone to decode the packets (assuming
> >that they capture every one of them) but in reality, what are the
> >real risks here and has anyone successfully captured a VNC session
> >from more than 2 router hops away and actually gotten any meaningful
> >information from it?
> >
> >I've captured a big chunk of a LOCAL session using Ethereal and the
> >only thing that I can see that is usable is the password exchange.
> >Agreed that this could be a problem if someone just happened to be
> >sniffing your local LAN segment at that exact moment and happened to
> >capture your encrypted VNC password, he could crack the password and
> >log in himself.  But how paranoid is it to go through all of the
> >trouble of setting up SSH to avoid that when you could just change
> >your VNC password often and make sure that your local LAN is
> >reasonably secure from prying eyes?
> >
> >How about once it gets out on the Internet?  Packets bounce all over
> >the place on the Internet.  What are the odds that someone out there
> >will pick your VNC packets out of all of the millions of packets
> >running through the backbone routers without being noticed, capture
> >enough of them to possibly replay a session, and actually have the
> >patience or the tools to do so.  I've scoured the web out of this
> >curiosity, looking for a tool to put VNC packets together into
> >something useful for a hacker.  There's nothing.  Nada.
> >
> >So, I guess that what I'm asking is; what all of the fuss is about?
> >Your POP3 password likely gets passed unencrypted but we're being
> >asked to be paranoid about an encrypted VNC password?  This is all
> >coming from a discussion that I had with someone over the merits of
> >using SSH with VNC over the internet for a 10 minute VNC session.
> >
> >Does anyone have anything that's not hypothetical?  Is there a tool
> >that I'm missing out there that does more than just crack a VNC
> >password?  Does anyone know of any reported security breaches where
> >VNC was a weakness?
> >_______________________________________________
> >VNC-List mailing list
> >VNC-List@realvnc.com
> >To remove yourself from the list visit:
> >http://www.realvnc.com/mailman/listinfo/vnc-list
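
Added example, not part of the original thread: the messages above turn on the free VNC builds having no built-in encryption. This Python sketch reads the first two messages an RFB (VNC) server sends and reports whether it offers only the unencrypted security types, which is the case the thread says calls for an SSH tunnel. The security-type numbers follow RFC 6143; the function names and the sample bytes are constructed for illustration, not captured traffic.

```python
import struct

# Security types defined by the RFB protocol (RFC 6143, section 7.1.2).
NAMES = {1: "None", 2: "VNC Authentication"}
CLEARTEXT = {1, 2}  # neither type encrypts the session that follows

# Constructed sample server messages: (ProtocolVersion, security handshake).
SAMPLES = {
    "legacy-3.3": (b"RFB 003.003\n", struct.pack(">I", 2)),
    "password-only": (b"RFB 003.008\n", bytes([1, 2])),
    # 19 here stands for any type beyond the two baseline ones.
    "mixed": (b"RFB 003.008\n", bytes([2, 2, 19])),
}


def parse_handshake(version_msg: bytes, security_msg: bytes):
    """Return ((major, minor), [security types]) from a server's first messages.

    Assumes the auditing client echoed the server's version back unchanged.
    """
    if (len(version_msg) != 12 or version_msg[:4] != b"RFB "
            or version_msg[7:8] != b"." or version_msg[11:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(version_msg[4:7].decode("ascii")),
               int(version_msg[8:11].decode("ascii")))
    if version in ((3, 7), (3, 8)):
        # 3.7 and 3.8: a count byte, then that many one-byte security types.
        count = security_msg[0] if security_msg else 0
        types = list(security_msg[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
    else:
        # 3.3, and any other version per RFC 6143: the server picks one
        # type and sends it as a big-endian uint32.
        if len(security_msg) < 4:
            raise ValueError("truncated security type")
        types = [struct.unpack(">I", security_msg[:4])[0]]
    return version, types


def audit(version_msg: bytes, security_msg: bytes) -> dict:
    """Summarise whether the offered security types leave the session in cleartext."""
    version, types = parse_handshake(version_msg, security_msg)
    offered = [t for t in types if t != 0]  # 0 or an empty list means refusal
    return {
        "version": "%d.%d" % version,
        "offered": [NAMES.get(t, "type %d" % t) for t in offered],
        "cleartext_only": bool(offered) and set(offered) <= CLEARTEXT,
        "cleartext_possible": bool(set(offered) & CLEARTEXT),
    }
```

A result with `cleartext_only` set means every session to that server needs an outer encrypted channel; `cleartext_possible` without it means a client can still negotiate an unencrypted session.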