Security Basics mailing list archives
Re: VNC Security
From: Mike Miller <mbmiller () taxa epi umn edu>
Date: Mon, 25 Apr 2005 16:09:11 -0500 (CDT)
On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:
> I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong:
> a. "Somebody" is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends!
I don't know if it is possible to crack the VNC password, but I don't agree that you would necessarily notice this on both ends. If the attacker were to log into the session when you weren't using it, he could then make some changes to your system (for Windows) that would allow him more access to your machine later. If you were using Windows he could start up another VNC desktop that you might not notice, and he could use a different password if he wanted to (by copying the vnc password file, changing the password, and copying it back).
I hope that it is hard to crack the passwords. I think it is hard to do it but I'd like to hear more about that.
Mike