Revelation

Duke Senter duke "at" co.kittitas.wa.us
Fri, 23 Oct 1998 01:01:07 +0000


Ah, yes!  All of our installations have the feature/bug of no icons, so
I'd completely forgotten about being able to get the settings in that
way.

My concern is the same as yours, in that we have approx 200 pc's that
may or may not be running vnc server at any given point with OUR chosen
password (the same one).  The janitor getting control of the County
Commissioner's pc (or HR's) is quite a serious situation.  Now with
Revelation one only needs to know the port and ip address!!  The port is
given, and ip address is easily found!

Consider me enlightened and equally concerned!

Duke Senter
Network Administrator
Kittitas County, WA

-----Original Message-----
From:	David Bussenschutt [SMTP:D.Bussenschutt "at" mailbox.gu.edu.au]
Sent:	Thursday, October 22, 1998 4:36 PM
To:	VNC Email List (E-mail)
Subject:	RE: Revelation

At 15:32 22/10/98 -0700, Duke Senter wrote:
>I guess I'm missing how this applies to any security concerns for VNC.  I
>don't see where the password is cached in the form of asterisks to be
>viewed/hacked by revelation.
>
>After you type it in the password box revelation will indeed find it, but
>only after someone who knows the password types it in, but before you hit
>'ok' to start the session.  If I'm not mistaken, that leaves about a
>microsecond between me typing in the password and my hitting OK to start
>the session for vulnerability.
>
>Am I missing something?

Yes you are.

If you have the WinVNC Icon in the system tray you double click that to get
the settings. If you don't (or even if you do) then
start-run- "c:\program files\orl\vnc" -settings

This has the password:******* which in conjunction with Revelation VOILA!
Shows you your password.

This is particularly an issue for areas such as technical support that have
large numbers of machines with the same password.  One user determines
their own password, and they instantly have access to "snoop" on any other
machine/s in their network.

It is a concern to me, and as such I will be considering removing WinVNC
from my 250 machines until it is fixed.

Oh, for those of you that are interested - Revelation is quite a good
product for what it is intended to do. - I just trialed it, and it works
great. Now I know what the dial-in password is that I'd forgotten about 6
months ago.

David.


>
>Duke Senter
>Network Administrator
>Kittitas County, WA
>
>-----Original Message-----
>From:	tech "at" structurex.net [SMTP:tech "at" structurex.net]
>Sent:	Thursday, October 22, 1998 3:01 PM
>To:	VNC Email List (E-mail)
>Subject:	Revelation
>
>I have no problem with the Revelation tool. I don't allow anyone, including
>me, to use the viewer tool anywhere. Just another app to clutter up a
>system. Most don't even know it even exists. Everyone uses their browser b/c
>most of our network admin tools are all Web based anyway.
>
>Charles Burton
>Systems Technician A+ MCSE
>Structure (X)
>charles.burton "at" structurex.net
>
>
>
>
>
>
>---------------------------------------------------------------------
>The VNC mailing list     -   see http://www.orl.co.uk/vnc/intouch.html
>---------------------------------------------------------------------

----------------------------------------------------------------
 David Bussenschutt            D.Bussenschutt "at" mailbox.gu.edu.au
 Health Computing Support. (AIS -2.03)    Phone: (07) 3875 5407
 Information Services. Griffith University, Brisbane, Qld., Aust.
----------------------------------------------------------------

---------------------------------------------------------------------
The VNC mailing list     -   see http://www.orl.co.uk/vnc/intouch.html
---------------------------------------------------------------------