Risk of VNC

[pol098]

This is really more of a general VNC question than UltraVNC, but I ask it here as I am using UltraVNC and there could possibly be specific issues.

It is said to be risky to expose a machine running VNC to the Internet at large in case of hacking, being safer to use a Virtual Private Network or other secure connection.

There would appear to be two risks:

1 Somebody finding an open VNC port and making a connection. As I see it, a sensible password should be very good protection against this; nobody is likely to connect if the password is erj4r85#ekr74j or 4hezajollygoodfella9.

2. Interception of unencrypted data. I don't know how real a problem this is in a non-critcal network. I can envisage a user checking a confidential client list over a VNC connectioin. An unauthoried interceptor could work out that this is a VNC connection, but would then have to find out what encodig was used; and would have to identify the user's competitiitors to sell them the client list. Frankly, if I wanted to know Acme Industries' secrets it would be easier to seduce or bribe the CEO's PA. But maybe I underestimate the problem?

The reason for this question: I have quickly compared performance of VNC over an open and a VPN connection. over 512/256kbps ADSL. A zipped file transfers at about 29/26 kB/sec (10% performance hit, which is acceptable to me). But viewing a Windows screen is MUCH more responsive over an open than a VPN connection.

How do we weight the increased performance against the increased risk?

[Mr Faber]

Just use the 128 Bit RC4 encryption plugin. http://home.comcast.net/%7Emsrc4plugin/
This plugin encrypt the whole transfered data so nobody can analyze it.
If you change your 128 Bit Key from time to time it should be very secure if the algorith is implemented correctly.
Don't forget to secure your RC4 key. Don't send it unencrypted per Mail or over Internet. The best way is to create it on the server and copy it on a usb stick or floppy disk. If you want to connect to your remote desktop put the medium in your client pc load the key with the viewer and connect.
Needless to say, if you use your client pc on your own and have no trojans or other telephoning programs installed you can store it on your disk.

CU
Mr Faber

[howard]

Hi All, I am not a user of this programmes. But my boss installed it on my desktop. I wonder if he can retrieve my files or some private files secretly. Anyone can tell how to observe and get aware if my pc is "hacked".
Thanks a lot!

[DodgeV83]

Well if he installed the server on your desktop, then you can set/change the password required to join. Right click on the icon on the bottom right of the screen and change the password. This way he won't be able to connect without asking you for permission and having you give him the password.

[howard]

Dear DodgeV83, thank for your suggestion. As he is my boss, I cannot set any own password but I will try. On the other hand, I just want to get known if he really copied / opened / retrieved any of my desktop. Anyway can be checked and got these details?

[Marscha]

In the UltraVNC properties window, you find an option "Display query window", which requires you to accept or deny any incoming connection.

[Guest]

The reason for this question: I have quickly compared performance of VNC over an open and a VPN connection. over 512/256kbps ADSL. A zipped file transfers at about 29/26 kB/sec (10% performance hit, which is acceptable to me). But viewing a Windows screen is MUCH more responsive over an open than a VPN connection.

How do we weight the increased performance against the increased risk?

Defense in depth. Simply use VNC over the VPN connection. it's encryped and quicker than a file copy.

[pol098]

Somebody commented:

> Defense in depth. Simply use VNC over the VPN connection. it's encryped and quicker than a file copy.

We have come full circle from my original post. Remote control over UltraVNC 18 is much less responsive over a VPN than it is over a straight connection to the remote IP, although file transfer is only 10% slower. In fact, I have people who insist on using an open (not VPN) connection for this reason. Having a VNC server waiting for someone, anyone, to login makes me nervous; but, in practice, is a VNC server visible on the internet but with a good password seriously at risk?

[lenisham]

Having a VNC server waiting for someone, anyone, to login makes me nervous; but, in practice, is a VNC server visible on the internet but with a good password seriously at risk?

Wide open. VNC has been used by crackers and script kiddies once they have taken over the system. All that needs to happen is for a packet caspture to chatch your login and they can crack the password.

So if your comfortable with telnet over the Internet, and have not considered ssh...

Well cross your fingers. BTW there is an OpenSSH for windows and Cygwin also includes OpenSSH. Both support OpenSSH services that allow you to ssh into your windows systems.

Leonard Isham, CISSP
Ostendo non ostento.

[bradstar]

so if you are using the rc4 key to enrypt the traffic you are saying that the traffic can be captured and analyzed to determine what the login password is easier than if ssh or a vpn is used?

[pol098]

As the original poster, many thanks:

> Wide open. VNC has been used by crackers ...

A useful reminder.

>... ssh...OpenSSH ...

I have been using Draytek Vigor routers which have Virtual Private Networking (VPN) support built in (as distinct from passed through, so no machine need to run VPN server software).

[lenisham]

so if you are using the rc4 key to enrypt the traffic...

Well you are more secure if you change the key periodically. It takes time to break the encryption, but once you do you have the key, you have everything until the key is changed.

P.S. if you use a broken key to send a new key the person that broke the first key would have the new key.