Erik Soderquist | 2 May 2005 21:38

RE: VNC Security

if the VNC data is unencrypted, *any* password you type during the
session (domain admin to update drivers for example) is also sent
unencrypted. and the attacker would not likely be some random hacker,
but rather someone who is targeting the company already. it isn't that
difficult to connect sniffing hardware to, say, the T1 line to look for
weak points. after a few days' surveillance, everything unencrypted is
then captured and analyzed for login/password information. it isn't so
much "low hanging fruit" as it is simply a chink in the armor that can
be exploited. the fewer chinks the better.

as to odds, here is a more common example of overblown paranoia
surrounding a real possibility (the last time I checked this was a while
ago, it may have shifted some):

due to the technological differences, it is far more likely that someone
will steal your credit card number by eavesdropping on an order placed
by phone than by someone sniffing it from an unencrypted internet
transaction.

please note this only examines an actual sniffing attack. phishing and
spyware are not examined in this.

-----Original Message-----
From: vnc-list-admin <at> realvnc.com [mailto:vnc-list-admin <at> realvnc.com] On
Behalf Of Steve Bostedor
Sent: Tuesday, April 19, 2005 20:57
To: Alexander.Bolante <at> gmail.com
Cc: security-basics <at> securityfocus.com; vnc-list <at> realvnc.com
Subject: RE: VNC Security
