Re[2]: Who Is Connected
Catelyn Hearne
chearne "at" aemx.com
Wed, 13 Feb 2002 05:30:21 +0000
Yes, I wholeheartedly agree.
However, I have worked with numerous "silly" people who later question
why their respective machines were broken into and tampered with, and
eventually turned over to "the dark side". If VNC is to be used, suitable
passwording is an absolute, alongside the securing of a desktop
environment. Without these basic security requirements in place, the
ability for an innocent user's workstation to be used for "dark" purposes
is made even easier. As we all know, Win95, 98, 98SE, ME etc do not have
fully securable environments as a standard function within.
Those who do not understand security principles of a desktop environment
need to be even more vigilant when it comes to what is made available
through a VNC connectable workstation. Windows 95, 98 & ME etc. are
extremely vulnerable, as is NT4 and WIN2K, without the necessary security
patches.
The point of my E-Mail was to make people aware of how easy it is to open
yourself to problems, and in many cases without knowing that they have
done so. Cable Internet is the prime issue here in Australia. It is
basically a large Thinnet / Thicknet LAN environment, and DSL fits in
here as well. Unless people introduce a firewall of their own, or various
other means of protection, how many people in this world understand how
open they are making themselves?? A very small percentage from what I
have witnessed to date.
I have been in the IT business since 1979 and have seen people creating
their own security risks. I have also seen people attempt to blame
whatever tools and Server Services for their specific incidents. The
point is don't blame a tool for what people may not have known about in
the first place. VNC is not designed to be a high security remote control
tool. If it was, there would be encryption at various levels, at the very
minimum.
I like VNC, and have used it for some time. I do not want to see people
opening themselves to problems of their own making, without being aware
of what the risks are in the process. An audit trail is OK when you are
in a semi-controlled environment or better. It would be nice to be able
to establish user lists within VNC so that an audit trail would become
more meaningful. However, as long as there is only a single user account
that people authenticate to within VNC, where the connectivity came from
is academic and meaningless. It is not who logged in or where. It is how
and why, and a requirement to assist a VNC Manager in closing the
potential loophole that may have presented itself.
Don't stop using VNC!! Use it more because it is an excellent product.
Just beware of the risks that are produced when the utilization of such a
product is upheld. Secure your platforms (HPUX, SCO, Linux, Win32 etc).
VNC is a portal to a particular desktop. Make it difficult for a cracker
to penetrate a workstation, not easy.
Rather than closing the barn door after a horse has bolted, close and
lock it before. This is an excellent policy that all companies should
uphold. An Audit trail is sometimes good after the fact, when the
environment permits. The internet does not allow for this, even if you
are the CIA. We are human and we regularly screw up. But it is so easy to
protect yourself as well, when you know how.
Sincere regards......
-----Original Message-----
From: Paul Gleave <paul.gleave "at" octonet.co.uk>
To: Catelyn Hearne <vnc-list "at" uk.research.att.com>
Date: Sat, 9 Feb 2002 09:47:02 +0000
Subject: Re[2]: Who Is Connected
> Surely this negates the whole point of running VNC?
>
> On 09 February 2002 you wrote:
>
> > My recommendation is that you do not leave such a machine freely connectable
> > on the Internet, as this IS going to happen again. With a Win98 workstation,
> ---------------------------------------------------------------------
> To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
> 'unsubscribe vnc-list' in the message BODY
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------