I was hacked by a VNC user!
stephen.fromm "at" gmail.com
Fri Feb 10 13:38:06 2006
> There's more to session security than simply visibility of key-presses to
> nosey network neighbours. Without proper tanper-proofing, for example,
> possible for an attacker to gain access to a system by listening in on an
> established session & hi-jacking it.
Right, but is it true that the extra security features can prevent this?
On an earlier thread I started, "Session encryption", one respondent said:
"Encryption will not help prevent 'session hijacking'. It's used just to
insure the privacy of your communication. Anything you do over an
un-encrypted VNC connection can be captured, saved and replayed in the
future. That kinda gives me the creeps. :)" Which I perhaps incorrectly
took to mean that (a) the extra security features in the better VNC editions
won't prevent session hijacking, (b) they will prevent decrypting of the
data flowing in the session, (c) if the data aren't confidential and I don't
type e.g. passwords, then (b) doesn't buy me much.
Of course, at that time you replied "The session security provided by VNC
Enterprise & Personal Editions encrypts the data to prevent anyone able to
'snoop' the network from being able to read the session stream, as well as
tamper-proofing to prevent harmful session-rewrite attacks, protection from
brute force attacks, server identity verification, etc."
>From your response, again, the prevention of snooping on the content of the
session stream doesn't buy me much, but the tamper-proofing, protection from
brute force, server ID verification, etc, _does_.
Don't get me wrong; VNC is a great protocol and realVNC is a great product,
and I have nothing against buying licenses. Just wanna know what things do
and don't do.
Related question: I wasn't quite sure from the thread I started on password
security how hard it is for someone to steal the password if the
free/insecure version of realVNC is used. One respondent pointed out that
it uses a challenge-response method, so it's not like the password is being
sent in cleartext. (I'm asking because my users are using VNC to connect to
a solaris system, and they're not fond of having a VNC password and a
solaris login password. I've been loathe to let them make the passwords
identical because I wasn't sure about how secure the VNC password itself is
when it's sent from client to server.)
> Wez @ RealVNC Ltd.
>> -----Original Message-----
>> From: Stephen Fromm [mailto:stephen.fromm "at" gmail.com]
>> Sent: 10 February 2006 11:32
>> To: James Weatherall; vnc-list "at" realvnc.com
>> Subject: Re: I was hacked by a VNC user!
>> > We don't advise use of VNC Free Edition across the Internet
>> except via
>> > some
>> > sort of secure tunnelling protocol. VNC Enterprise &
>> Personal Editions
>> > have
>> > in-built session security for this purpose. All current VNC Server
>> > releases
>> > also support querying the local user to accept connections, which is
>> > advisable if you are concerned that the password you are
>> using is weak or
>> > widely known.
>> But if I don't type any passwords, etc, once my connection is
>> what does the additional protection actually afford me?
>> (Meaning, again, if
>> the datastream itself doesn't need to be protected, but only
>> the password
>> and ability to connect to the server.)
>> Thanks in advance,