Re: VNC Security

From: Alexander Bolante (alexander.bolante_at_gmail.com)
Date: 04/20/05

  • Next message: Alexander Bolante: "International Computer/Security Policies"
    Date: Tue, 19 Apr 2005 19:24:08 -0700
    To: Steve Bostedor <Steveb@tshore.com>
    
    

    I stand corrected. I misread/misunderstood your original posting. To
    clarify, I have never used/had to use a sniffer outside of my own
    subnet for that matter.

    Now I agree with you. It's not very realistic nor likely that UserX in
    India will be sniffing, eavesdropping, hijacking, MITM, etc. a session
    between a client in Detroit, MI to a server in Jackson, MI. And even
    if UserX was, you're right, UserX would have already acquired access
    to a machine(s) on that shared LAN. Should UserX even care about open
    VNC sessions if UserX has already compromised a machine on the LAN?
    Who knows; what are UserX's intentions? The answer could be...MAYBE.

    I mean, I completely understand why you question having to secure VNC
    if an outsider/unwanted intruder cannot (or probably would not) sniff
    a VNC session. That's fine and I hear you loud and clear. I'm not
    arguing with you.

    BUT from a Security standpoint, what about your internal Employees?
    Sure, it's convenient for me to single out Employees as a threat to
    security, but it's still REALITY these days.

    Now I do not have any solid proof that actual-usable-life-threatening
    data can be obtained from sniffing a VNC session. It's all
    "hypothetical" -- maybe EmployeeZ can obtain corporate pwds or entry
    keys from sniffing a VNC session...MAYBE.

    Or think about this -- the default VNC authentication mechanism uses a
    challenge-response method. Based on a one-way hash algorithm, it's
    practically impossible (or way too complicated) to reverse engineer by
    sniffing packets.

    BUT this is the 21st century. If EmployeeZ can sniff your
    authentication packets, maybe EmployeeZ can also sniff the VNC data
    stream and "theoretically" see what you're seeing...MAYBE.

    The point I'm driving here is -- I personally prefer to tunnel VNC
    over SSH to handle these "uncertainties" and (I'd rather not use this
    term, but for lack of better terms) to build defense in depth for
    remote access.

    Clearly, my justification is completely subjective. And that probably
    won't satisfy your original request since you're looking for tangible
    evidence and solid proof/facts. When you find what you need, I'm
    interested in hearing what you discovered.

    Really, we all have different security requirements. You may only want
    a fence, a deadbolt and lock on your door. I, on the other hand, want
    what you want PLUS an outstanding Doberman Pinscher roaming my yard.

    Good luck...

    On 4/19/05, Steve Bostedor <Steveb@tshore.com> wrote:
    > Thank you for the reply, Alexander. I understand exactly what you're trying to say. I'm not sure if you fully understand what I was saying and it's probably my fault for not making it clear enough.
    >
    > You seemed to concentrate on how easy it is to do things with the VNC packets once you've sniffed the packets. You say that you've sniffed the packets before but have you ever sniffed packets from a network outside of your own LAN? How about on your LAN but on another switch port?
    >
    > What I was trying to discuss is how real the threat is that someone outside of your network will actually get to sniff enough of and the correct sequence of your packets to do the things that you were able to do by sniffing the packets on your local segment.
    >
    > You're basically breaking into your own house by using your own keys in the scenario that you provided. How realistic is it for someone in India to sniff my packets going from a server in Detroit, MI to a server in Jackson, MI? How realistic is it for him to actually get usable data?
    >
    > It's easy to say that if there's a way into your network, you're insecure, but there's a way into your house... is your house insecure? Is VNC really the low-hanging fruit in my scenario?
    >
    > I know that you all are very specific and technical, so I'll spell out an exact scenario which happens to be the most common usage of VNC in companies.
    > --------
    > * John Doe is getting an error message on his computer and calls the help desk a city away for help.
    >
    > * Helpdesk tells John to double-click on the VNC icon on his desktop that starts the server
    >
    > * Helpdesk connects to John's computer and takes about 10 minutes to resolve the problem
    >
    > * Helpdesk person kills the VNC server on the remote computer and the connection is terminated
    >
    > -------
    >
    > I understand that Security is very important but it's also very important to not go Barney Fife and start drawing the gun on everything that moves if you get what I mean. What are the odds that some guy in Florida is going to sniff that 10 minute session and get into the network? My answer is 1 in at least 10 million.
    >
    > The guy in Florida would have to have already compromised a computer on either of the networks that happened to be plugged into a HUB (Not a switch) that either of the computers are plugged into ~OR~ he would have had to hack one of the routers close to either one of them to send packets to him as a man in the middle attack of sorts.
    >
    > Both of these are a bit extreme for VNC data theft, don't you think? If you do all of that, aren't there a bunch of much bigger prizes at your fingertips than VNC data?!
    >
    > Now are you starting to see what I'm saying? The successful exploits that must be done to get someone's VNC packet stream would land you access to things far greater than just the VNC data and who would waste the time with VNC data at that point? Go for the gold, you're already in someplace pretty good at that point.
    >
    > The only EASY way that I know of to sniff someone's packets is to either be on a hub with the remote computers or to have a Trojan on one of the computers. Does someone know of an easy way other than that? Easier than just hacking into the company other ways that do not involve VNC?
    >
    > - Steve
    > -----Original Message-----
    > From: Alexander Bolante [mailto:alexander.bolante@gmail.com]
    > Sent: Tuesday, April 19, 2005 6:25 PM
    > To: Steve Bostedor
    > Cc: security-basics@securityfocus.com; vnc-list@realvnc.com
    > Subject: Re: VNC Security
    >
    > IMHO
    >
    > NOTE:
    > For obvious reasons that VNC provides remote access to your machine,
    > Security is key (period). I'm assuming this thread does NOT pertain to
    > your COMPANY LAN, because if it does, the answer to your question,
    > "Why should I secure VNC over SSH?" is clearly...SOX compliance...
    >
    > OTHERWISE:
    > Bottom line is -- if you DO NOT have any sensitive data to secure,
    > it's your prerogative to determine what lengths you want to take to
    > protect that data. Why do I tunnel VNC over SSH? To deal with the
    > uncertainty of potential security flaws and risks...
    >
    > (SB wrote) What are the real risks of not securing VNC traffic? It depends...
    > The only caveat I see in not securing VNC traffic is...network eavesdropping
    >
    > We already know that all VNC traffic between client and server is
    > unencrypted after authentication. That's a problem if you're moving
    > sensitive data. I've used a sniffer on a VNC session before. The
    > traffic was compressed, so it was still difficult to understand and
    > break down the data from the sniffer, BUT data passed in clear text
    > e.g. usernames, birthdate, home address, etc. could be useful
    > ***depending on the malicious user's intentions***.
    >
    > And because we often do NOT know what a malicious user's intentions
    > are, we mitigate that uncertainty by adding another layer of
    > security/defense in depth...tunneling VNC over SSH in order to secure
    > communication and not leave ports open for scanning; using TCP
    > wrappers to provide access control on a per-IP address basis, etc.
    >
    > On 4/19/05, Steve Bostedor <Steveb@tshore.com> wrote:
    > > I'd like to know if anyone has any working examples of why an
    > > unencrypted VNC session over the Internet is seen as such a horrible
    > > security risk. I understand that unencrypted ANYTHING over the Internet
    > > lends the chance for someone to decode the packets (assuming that they
    > > capture every one of them) but in reality, what are the real risks here
    > > and has anyone successfully captured a VNC session from more than 2
    > > router hops away and actually gotten any meaningful information from it?
    > >
    > > I've captured a big chunk of a LOCAL session using Ethereal and the only
    > > thing that I can see that is usable is the password exchange. Agreed
    > > that this could be a problem if someone just happened to be sniffing
    > > your local LAN segment at that exact moment and happened to capture your
    > > encrypted VNC password, he could crack the password and log in himself.
    > > But how paranoid is it to go through all of the trouble of setting up
    > > SSH to avoid that when you could just change your VNC password often and
    > > make sure that your local LAN is reasonably secure from prying eyes?
    > >
    > > How about once it gets out on the Internet? Packets bounce all over the
    > > place on the Internet. What are the odds that someone out there will
    > > pick your VNC packets out of all of the millions of packets running
    > > through the backbone routers without being noticed, capture enough of
    > > them to possibly replay a session, and actually have the patience or the
    > > tools to do so. I've scoured the web out of this curiosity, looking for
    > > a tool to put VNC packets together into something useful for a hacker.
    > > There's nothing. Nada.
    > >
    > > So, I guess that what I'm asking is: what is all of the fuss about?
    > > Your POP3 password likely gets passed unencrypted but we're being asked
    > > to be paranoid about an encrypted VNC password? This is all coming from
    > > a discussion that I had with someone over the merits of using SSH with
    > > VNC over the internet for a 10 minute VNC session.
    > >
    > > Does anyone have anything that's not hypothetical? Is there a tool that
    > > I'm missing out there that does more than just crack a VNC password?
    > > Does anyone know of any reported security breaches where VNC was a
    > > weakness?
    > >
    >
    > --
    > "I know nothing" -- Alexander.Bolante@gmail.com
    >

    -- 
    "I know nothing" -- Alexander.Bolante@gmail.com
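The setup Alexander prefers, VNC tunnelled over SSH with the VNC port never left open for scanning, as an added example that is not part of the original thread. The host name "jackson-srv", the user "helpdesk", the ss(8) output format and the port numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run VNC inside an SSH tunnel so the
# VNC port is never exposed on the network, and check that the VNC server
# only listens on loopback. Host, user and display ports are assumptions.

# Build the client-side ssh command. Local port 5901 is forwarded through
# the SSH host to 127.0.0.1:5900 on that host, so the VNC viewer connects
# to localhost:5901 and every VNC byte rides inside the SSH session.
# On the server, start VNC bound to loopback only (many Xvnc builds
# accept a -localhost option for this) so nothing listens on the LAN.
vnc_tunnel_cmd() {
    host="$1"
    user="$2"
    local_port="${3:-5901}"
    remote_port="${4:-5900}"
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "$local_port" "$remote_port" "$user" "$host"
}

# Given `ss -ltn` output, flag any VNC listener (ports 5900-5999) bound
# to an address other than loopback, i.e. one a port scan could reach.
# Prints "ok" or "exposed <addr>" and returns 1 when something is exposed.
check_vnc_listeners() {
    exposed=$(printf '%s\n' "$1" | awk '
        NR > 1 {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n] + 0
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (port >= 5900 && port <= 5999 &&
                host != "127.0.0.1" && host != "[::1]")
                print addr
        }')
    if [ -n "$exposed" ]; then
        printf 'exposed %s\n' "$exposed"
        return 1
    fi
    printf 'ok\n'
    return 0
}

# Constructed sample output: one VNC server on loopback (tunnel-ready),
# one bound to all interfaces (reachable by any port scan).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    0.0.0.0:5901       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
```

With the ssh command running, point the VNC viewer at localhost:5901; on the server, `check_vnc_listeners "$(ss -ltn)"` reports any VNC listener a scanner could reach.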
    
