Re: VNC Security

[Times Enemy <times () krr org>]

Greetings.

In regards to computer network security, it is not a good practice to
offer more than what is necessary, to the public.

The current design of the internet lends itself to a certain level of
trust.  Who is to say that an ISP, or some upstream provider, has not
been compromised?  It only takes a single device along a route to be
compromised, for the communication along that route to be vulnerable. 
Tunnels and other layered security measures attempt to address this, by
lowering the amount of trust given to the internet as a whole, and
hopefully by increasing the resources necessary to successfully attack
the transmissions.

Session replays, and grep'ing passwords are not the only threats.  It
would not be difficult to script something to scan for VNC servers, then
to brute-force them.  There are already applications that brute-force
VNC as it is, though the newer releases of VNC do make this
exponentially more time consuming.  Such activities are not so bound by
the amount of hops, but simply by availability, which would be provided
to them if a VNC server were offered to the wild.

The concept of VNC through an encrypted tunnel is perhaps best founded
on the concept of layering security.  A single security layer, such as
the password on a VNC server may suffice, but to improve security, which
should be the goal of every responsible computer network professional,
additional layers of security should be utilized.  Perhaps a firewall
rule that only allows access to 5900 from a specific IP would work
(RealVNC offers this as a built-in feature).  Perhaps the concept of
port knocking seems interesting.  Maybe some sort of tunneling would be
better.  Perhaps all of these should be used.  Whatever is most feasible
for a particular application/environment, the overall concept of layered
security should be embraced, throughout.

.times enemy


Steve Bostedor wrote:

> I'd like to know if anyone has any working examples of why an
> unencrypted VNC session over the Internet is seen as such a horrible
> security risk.  I understand that unencrypted ANYTHING over the Internet
> lends the chance for someone to decode the packets (assuming that they
> capture every one of them) but in reality, what are the real risks here
> and has anyone successfully captured a VNC session from more than 2
> router hops away and actually gotten any meaningful information from it?
>
> I've captured a big chunk of a LOCAL session using Ethereal and the only
> thing that I can see that is usable is the password exchange.  Agreed
> that this could be a problem if someone just happened to be sniffing
> your local LAN segment at that exact moment and happened to capture your
> encrypted VNC password, he could crack the password and log in himself.
> But how paranoid is it to go through all of the trouble of setting up
> SSH to avoid that when you could just change your VNC password often and
> make sure that your local LAN is reasonably secure from prying eyes?
>
> How about once it gets out on the Internet?  Packets bounce all over the
> place on the Internet.  What are the odds that someone out there will
> pick your VNC packets out of all of the millions of packets running
> through the back bone routers without being noticed, capture enough of
> them to possibly replay a session, and actually have the patience or the
> tools to do so.  I've scoured the web out of this curiosity, looking for
> a tool to put VNC packets together into something useful for a hacker.
> There's nothing.  Nada.  
>
> So, I guess that what I'm asking is; what all of the fuss is about?
> Your POP3 password likely gets passed unencrypted but we're being asked
> to be paranoid about an encrypted VNC password?  This is all coming from
> a discussion that I had with someone over the merits of using SSH with
> VNC over the internet for a 10 minute VNC session.
>
> Does anyone have anything that's not hypothetical?  Is there a tool that
> I'm missing out there that does more than just crack a VNC password?
> Does anyone know of any reported security breaches where VNC was a
> weakness?
>