I was hacked by a VNC user!
Stephen Fromm
stephen.fromm "at" gmail.com
Fri Feb 10 13:38:06 2006
> There's more to session security than simply visibility of key-presses to
> nosey network neighbours. Without proper tamper-proofing, for example, it's
> possible for an attacker to gain access to a system by listening in on an
> established session & hi-jacking it.
Right, but is it true that the extra security features can prevent this?
On an earlier thread I started, "Session encryption", one respondent said:
"Encryption will not help prevent 'session hijacking'. It's used just to
insure the privacy of your communication. Anything you do over an
un-encrypted VNC connection can be captured, saved and replayed in the
future. That kinda gives me the creeps. :)" Which I perhaps incorrectly
took to mean that (a) the extra security features in the better VNC editions
won't prevent session hijacking, (b) they will prevent decrypting of the
data flowing in the session, (c) if the data aren't confidential and I don't
type e.g. passwords, then (b) doesn't buy me much.
Of course, at that time you replied "The session security provided by VNC
Enterprise & Personal Editions encrypts the data to prevent anyone able to
'snoop' the network from being able to read the session stream, as well as
tamper-proofing to prevent harmful session-rewrite attacks, protection from
brute force attacks, server identity verification, etc."
From your response, again, the prevention of snooping on the content of the
session stream doesn't buy me much, but the tamper-proofing, protection from
brute force, server ID verification, etc, _does_.
Don't get me wrong; VNC is a great protocol and realVNC is a great product,
and I have nothing against buying licenses. Just wanna know what things do
and don't do.
Related question: I wasn't quite sure from the thread I started on password
security how hard it is for someone to steal the password if the
free/insecure version of realVNC is used. One respondent pointed out that
it uses a challenge-response method, so it's not like the password is being
sent in cleartext. (I'm asking because my users are using VNC to connect to
a solaris system, and they're not fond of having a VNC password and a
solaris login password. I've been loath to let them make the passwords
identical because I wasn't sure about how secure the VNC password itself is
when it's sent from client to server.)
Regards,
S
> Wez @ RealVNC Ltd.
>
>
>> -----Original Message-----
>> From: Stephen Fromm [mailto:stephen.fromm "at" gmail.com]
>> Sent: 10 February 2006 11:32
>> To: James Weatherall; vnc-list "at" realvnc.com
>> Subject: Re: I was hacked by a VNC user!
>>
>> > We don't advise use of VNC Free Edition across the Internet except via
>> > some sort of secure tunnelling protocol. VNC Enterprise & Personal Editions
>> > have in-built session security for this purpose. All current VNC Server
>> > releases also support querying the local user to accept connections, which
>> > is advisable if you are concerned that the password you are using is weak
>> > or widely known.
>>
>> But if I don't type any passwords, etc, once my connection is established,
>> what does the additional protection actually afford me? (Meaning, again, if
>> the datastream itself doesn't need to be protected, but only the password
>> and ability to connect to the server.)
>>
>> Thanks in advance,
>>
>> SJF
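The point the thread keeps circling, that encryption hides the stream while tamper-proofing is what stops it being rewritten, as an added illustration that is not code from this thread or from RealVNC: a toy SHA-256 keystream stands in for a real stream cipher, and the key, nonce and keystroke message are constructed sample values. Without a MAC a rewritten session decrypts cleanly to a different command; with encrypt-then-MAC the same rewrite is rejected.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: data XOR keystream (XOR is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any rewrite is detectable."""
    ct = xor_crypt(key, nonce, plaintext)
    return ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None if the ciphertext was modified in transit."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(key, nonce, ct)

def rewrite_in_transit(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Simulated session rewrite: flipping ciphertext bits makes a known plaintext
    substring decrypt to a chosen one. No key is needed, only a guess at the
    plaintext layout (the malleability of any unauthenticated stream cipher)."""
    buf = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)

def demo() -> tuple:
    key, nonce = b"constructed-key", b"constructed-nonce"  # sample values, not real ones
    msg = b"keys: ls /tmp/old"                             # constructed keystroke data
    # 1. encryption only: the rewritten stream decrypts cleanly to a different command
    tampered = rewrite_in_transit(xor_crypt(key, nonce, msg), 6, b"ls", b"rm")
    unchecked = xor_crypt(key, nonce, tampered)
    # 2. encrypt-then-MAC: the same rewrite fails verification and is never acted on
    ct, tag = seal(key, nonce, msg)
    checked = open_sealed(key, nonce, rewrite_in_transit(ct, 6, b"ls", b"rm"), tag)
    return unchecked, checked
```

`demo()` returns `(b"keys: rm /tmp/old", None)`: the first value is what an encryption-only receiver would act on, the second shows the MAC-protected receiver rejecting the stream.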