Re: VNC Security

[Alexander Bolante <alexander.bolante () gmail com>]

IMHO

NOTE:
For obvious reasons that VNC provides remote access to your machine,
Security is key (period). I'm assuming this thread does NOT pertain to
your COMPANY LAN, because if it does, the answer to your question,
"Why should I secure VNC over SSH?" is clearly...SOX compliance...

OTHERWISE:
Bottom line is -- if you DO NOT have any sensitive data to secure,
it's your prerogative to determine what lengths you want to take to
protect that data. Why do I tunnel VNC over SSH? To deal with the
uncertainty of potential security flaws and risks...

(SB wrote) What are the real risks of not securing VNC traffic? It depends...
The only caveat I see in not securing VNC traffic is...network eavesdropping

We already know that all VNC traffic between client and server is
unencrypted after authentication. That's a problem if you're moving
sensitive data. I've used a sniffer on a VNC session before. The
traffic was compressed, so it was still difficult to understand and
breakdown the data from the sniffer, BUT data passed in clear text
e.g. usernames, birthdate, home address, etc. could be useful
***depending on the malicious user's intentions***.

And because we often do NOT know what a malicious user's intentions
are, we mitigate that uncertainty by adding another layer of
security/defense in depth...tunneling VNC over SSH in order to secure
communication and not leave ports open for scanning; using TCP
wrappers to provide access control on a per-IP address basis, etc.


On 4/19/05, Steve Bostedor <Steveb () tshore com> wrote:
> I'd like to know if anyone has any working examples of why an
> unencrypted VNC session over the Internet is seen as such a horrible
> security risk.  I understand that unencrypted ANYTHING over the Internet
> lends the chance for someone to decode the packets (assuming that they
> capture every one of them) but in reality, what are the real risks here
> and has anyone successfully captured a VNC session from more than 2
> router hops away and actually gotten any meaningful information from it?
>
> I've captured a big chunk of a LOCAL session using Ethereal and the only
> thing that I can see that is usable is the password exchange.  Agreed
> that this could be a problem if someone just happened to be sniffing
> your local LAN segment at that exact moment and happened to capture your
> encrypted VNC password, he could crack the password and log in himself.
> But how paranoid is it to go through all of the trouble of setting up
> SSH to avoid that when you could just change your VNC password often and
> make sure that your local LAN is reasonably secure from prying eyes?
>
> How about once it gets out on the Internet?  Packets bounce all over the
> place on the Internet.  What are the odds that someone out there will
> pick your VNC packets out of all of the millions of packets running
> through the back bone routers without being noticed, capture enough of
> them to possibly replay a session, and actually have the patience or the
> tools to do so.  I've scoured the web out of this curiosity, looking for
> a tool to put VNC packets together into something useful for a hacker.
> There's nothing.  Nada.
>
> So, I guess that what I'm asking is; what all of the fuss is about?
> Your POP3 password likely gets passed unencrypted but we're being asked
> to be paranoid about an encrypted VNC password?  This is all coming from
> a discussion that I had with someone over the merits of using SSH with
> VNC over the internet for a 10 minute VNC session.
>
> Does anyone have anything that's not hypothetical?  Is there a tool that
> I'm missing out there that does more than just crack a VNC password?
> Does anyone know of any reported security breaches where VNC was a
> weakness?


-- 
"I know nothing" -- Alexander.Bolante () gmail com