OSEC

Subject: Re: Any issues with WinVNC
From: C-Naptik Phire (c-naptikMINDSPRING.COM)
Date: Mon Jun 26 2000 - 16:36:23 CDT


Chris;

The WinVNC product looks good, but have you considered other free software? Everyone always mouths off about hacker tools, but your simple, one-workstation needs seem to fit BO2K. Small, free, able to encrypt, able to edit listening port to non-standard, able to password protect.
  Or, if those products are lacking somehow, I would say trying out WinVNC could not hurt too much. It is free, and seems to have good documentation.

If you check out WinVNC's FAQ, they indicate they are not encrypted, and instruct you on how to do so using whatever SSH you want to implement.

See
  "Q53 How secure is VNC?" on http://www.cam-orl.co.uk/vnc/faq.html#q53
  <<After that the data is unencrypted and could, in theory, be watched by other malicious users, though it's a bit harder to snoop a VNC session than, say, a telnet, rlogin, or X session. Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you, or to tunnel it through something like SSH or Zebedee.>>

and compare
  "Making VNC more secure using SSH" on http://www.cam-orl.co.uk/vnc/sshvnc.html
  <<We therefore recommend that if security is important to you, you 'tunnel' the VNC protocol through some more secure channel such as SSH.>>

On the flip side, I hate when companies lie, and this sounds like hyperbole to me:
  <<There may well be bugs in WinVNC, but we know of people running it on thousands of machines without problems, so please ...>>
                     (http://www.cam-orl.co.uk/vnc/faq.html#q53)
when compared with
  <<please remember that VNC has hundreds of thousands of users, and we cannot, in general, respond to individual queries. >>
                     (http://www.cam-orl.co.uk/vnc/winvnc.html)
  Which is it, mmmm? ;-}

Overall, thanks for pointing it out. I'll keep it in mind for my own sack-o-tools.

chriscameronaa.com wrote:
> All,

> This afternoon, I was introduced to a product called WinVNC. It allows you
> to take remote control of a Windows Workstation (I only know that it works
> on NT Server, because that's all I have tested).
>
> Are there any security risks with this program?
>
> It can be found at:
> http://www.cam-orl.co.uk/vnc/winvnc.html
>
> Any information would be great.
>
> Regards,
> Chris
>
> --------------------------------------------
> Chris Thornberry, MCP
> Systems Engineer
> Cameron & Associates, Inc.
> E-mail: chriscameronaa.com
> --------------------------------------------