How times change .. not
I remember finding similar issues on clients' machines years ago. Though this was unsecured PCAnywhere sessions on dial-up connections.
A scan of the public internet by security researchers has seemingly revealed thousands upon thousands of computers fully accessible via VNC – with no password required. Worryingly, the unsecured systems – from PCs and shopping tills to terminals controlling factories and heating systems – are at the mercy of any passing …
They may all do similar scans... but then exploiting any found vulnerabilities to take screenshots is most definitely of questionable legality in more than one country around the world. Given that any laws would have been broken in the country where the computer is hosted - not in whatever country the scanning was done from - it is glib and crass to state with any authority that no laws have been broken unless the legal position has been checked for each country in which the vulnerable systems live. As he can't even recognise some of the languages on his screenshots, I think I can authoritatively state he didn't do that...
Which is arguably why it shouldn't have that option during install, people switch off or go for the easiest options. By all means leave it in the software but have it as something you have to do after installation.
I agree though, idiots have nobody to blame but their probably part time/outsourced IT person they had do it for them, or who installed it so they could remote in later to fix printer drivers..
For anyone wondering about the legality of the research, Tentler insisted: "It isn’t [illegal]. Yahoo, Google, Microsoft, Websense, every antivirus vendor in the world, and Shodan – they all do similar scans."
Never heard that one in court before. He might, just might, want to pay for legal advice right now. He could save an awful lot later...
>When there is no password set, VNC simply connects and shows the desktop. It is therefore available to the general public in exactly the same way that a public website is.
An unlocked car, whilst foolish, is not an invitation to hop in. An open front door is not an invitation to wander in and take a photo.
I suspect that the researchers are probably (in the IANAL sort of way) OK to establish a connection to these computers, but taking a screenshot is both unnecessary from their research point of view and moves well into privacy violation territory.
And people wonder why the Architecture team screams when some techie suggests "Let's just install VNC".
Don't get me wrong - there's nothing fundamentally wrong with VNC, or most of the other remote control tools - AS LONG AS THEY ARE CONFIGURED AND SECURED PROPERLY.
To quote the great Robin Williams - "it's like partial circumcision - you either do it properly or you fucking forget it"
...when some techie suggests enabling VNC on an Internet-accessible (direct or through a firewall) interface of a PC/server running some industrial control software. That guy should be escorted to the nearest exit door, and it should be made sure he never gets close to a computer again for the rest of his life, except maybe his own home PC.
This is the real failure here: allowing direct access from the Internet to these systems. We're in 2014 by now and there is no excuse or justification for this kind of setup.
Question to CxOs, IT managers and any PHBs in the concerned organizations: why are you paying these imbeciles?
Question to IT security managers: are you not feeling a little incompetent for not spotting/acting on this chain of failures?
... My workplace does passwordless VNC too...
If there was a password, it would be on a post-it on the terminal where the session is displayed anyway, and the password popups would be somewhat of a disruption to normal use.
VNC is popular because it's easy to set up, mostly works, and has no uberhumanly complex licensing that takes 6 man-months to figure out and purchase, by which time the needs have changed.
The first version was done with HDMI and USB repeaters, and tons of cable...
Oh well, at least it's all behind NAT.
"... My workplace does passwordless VNC too...
If there was a password, it would be on a post-it on the terminal where the session is displayed anyway."
Well, unless the "hacker" in eastern Europe has a bloody amazing pair of binoculars, don't think that would be an issue, certainly better than no password.
"password popups would be somewhat of a disruption to normal use."
What password pop ups? The one you use to connect with, but if you have to connect then it's no big deal, surely?
"Oh well, at least it's all behind NAT"
Would that be the one that VNC is punching a bloody great hole in? I'm just guessing as your security seems so piss poor, I guess your firewall rules are just Any/Any...just to make it a bit easier.
"... My workplace does passwordless VNC too..."
Might want to look at UltraVNC (also free) then and enable the built-in domain authentication. That way your users can get in provided they can remember their own passwords to their PCs.
Back in 2003, there was a virus out that used passwordless VNCs to spread. Once it's inside your firewall, it was also kinda hard to stop at that point. This caused me to have to build a specific patch for a commercial product (that will go unnamed) to disable VNC if the install detected no password set. I'm flabbergasted that this is still occurring 11 years later...
Here is a forum posting from REALVNC:
(Paris, because she probably has passwordless VNC as well)
VNC is a widely used system for accessing desktops over a network, very much like Microsoft's RDP
Ha! They wish!!! VNC is a horse and cart compared to MS Remote Desktop's Ford Focus.
I cringe whenever someone suggests using VNC to me - gimme RDP, or failing that DameWare MRC any day!
Many security audits use a long list of best practices as a starting point. VNC is one of those checkboxes (protocol flaws, lack of brute force protection, default blank passwords - all from early days and long since resolved in major distros), so you will get something back like
Issue: VNC running on system XYZZY
Best Practice: Remove VNC
If you need the utility, you'll need to provide the analysis showing how those early issues with VNC no longer apply or are mitigated. In a previous company, I did this a few times by requesting the reason for VNC being on the list and then showing, point by point, how these didn't apply or were mitigated in the version/environment/configuration we had it in. Much of the information needed to do this you can pull straight from the documentation of your distribution.
Have fun doing this over again at subsequent audits also :-p
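The audit evidence discussed above (and the "disable VNC if no password is set" patch mentioned earlier in the thread) both boil down to one check: does the server offer the RFB security type "None"? Below is an added example, not code from this thread or from any VNC project, that parses the server side of a captured RFB handshake offline and flags exactly that. The byte strings are constructed samples; the security type numbers come from the RFB specification.

```python
"""Audit helper: parse the server half of an RFB (VNC) handshake and flag
servers offering the 'None' security type, i.e. no password at all.
Added example with constructed input; runs offline on captured bytes."""
import re
import struct

# Security type numbers as defined by the RFB specification (RFC 6143).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge)",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

def parse_server_handshake(data: bytes) -> dict:
    """Return the protocol version and the security types a server offers.
    `data` is what the server sent: the 12-byte ProtocolVersion, then the
    security-type message that follows the client's version reply."""
    m = re.match(rb"RFB (\d{3})\.(\d{3})\n", data[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(m.group(1)), int(m.group(2))
    body = data[12:]
    if (major, minor) == (3, 3):
        # RFB 3.3: the server dictates a single U32 security type, no negotiation.
        (sec_type,) = struct.unpack(">I", body[:4])
        types = [sec_type]
    else:
        # RFB 3.7/3.8: U8 count, then that many U8 types; count 0 means failure
        # and is followed by a U32 length plus a reason string.
        count = body[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", body[1:5])
            reason = body[5:5 + rlen].decode("latin-1", "replace")
            return {"version": f"{major}.{minor}", "types": [], "names": [], "error": reason}
        types = list(body[1:1 + count])
    return {"version": f"{major}.{minor}", "types": types,
            "names": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]}

def allows_unauthenticated(data: bytes) -> bool:
    """True when the server will hand over the desktop without any credential."""
    return 1 in parse_server_handshake(data)["types"]

# Constructed samples: an open 3.8 server, a password-protected 3.8 server, an open 3.3 server.
OPEN_38 = b"RFB 003.008\n" + bytes([1, 1])
AUTH_38 = b"RFB 003.008\n" + bytes([2, 2, 19])
OPEN_33 = b"RFB 003.003\n" + struct.pack(">I", 1)

if __name__ == "__main__":
    for label, blob in (("open 3.8", OPEN_38), ("auth 3.8", AUTH_38), ("open 3.3", OPEN_33)):
        info = parse_server_handshake(blob)
        print(label, info["names"], "-> FLAG" if allows_unauthenticated(blob) else "-> ok")
```

A host that only offers type 1 is the checkbox failure the auditor is looking for; a host offering 2, 18 or 19 is the evidence that the mitigation is in place.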
A previous employer had one, and they got very upset that developers were allowed in the server room to access development servers, since the production ones were kept there. This was despite the fact that a developer needed an IT bod to walk them in through the cardlock.
So a KVM (called Kaveman) solution was installed. Great. We went from audited, controlled access to development machines to unaudited, uncontrolled access via KVM. Yes, there was a password. One between 10 in the team, and hardly a secret.
But this was more secure than before. Apparently. Oh, until 3 years on, when a different outfit was hired. They insisted KVM access was a security risk, and suggested the servers only be accessed physically.
Rinse and repeat.
"But this was more secure than before. Apparently. Oh, until 3 years on, when a different outfit was hired. They insisted KVM access was a security risk, and suggested the servers only be accessed physically."
I wonder what would've happened when the firm was told the servers were in a room with clashing clearances (devs have to enter a room with IT clearance, meaning a dev could tamper with IT stuff), meaning accessing the servers physically was ALSO a security risk?
"They may all do similar scans... but then exploiting any found vulnerabilities to take screenshots is most definitely of questionable legality"
They are not exploiting a vulnerability. These numpties have their systems open to everyone on the planet with no password.
Anyway, djack beat me to it -- back in "the good old days" (early 1990s), the local hacking group wardialed our area (i.e. all numbers that were not long distance). The number of unpassworded systems was fairly ridiculous. PCAnywhere alone? A hair cutter was wide open; a few unidentifiable desktops were wide open; a climate control/elevator control for a store was wide open. The *police department*? Wide open. Boy that could have been fun 8-) , lucky for them none of the local group were truly blackhats. There were 6 or 8 other systems that were wide open but text-based (besides the couple BBSes and so on that were common knowledge.)
????? This is, of course, quite silly ... the software in question is not the problem, it's people in charge like YOU that are the problem. I write YOU because you apparently lack the intellect to understand what the actual problem is. Go, re-read that article, but only once you have finished with the windows in the boss' office, make them shiny, please.