back to article X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

X-ray equipment, farm machinery, electricity generators. Security cameras, desktops with browsers logged into Facebook, stock inventory software. Sales registers, home alarm equipment ... the list goes on. All this and more on VNC Roulette: a website that popped up this week to remind us of the kinds of sensitive systems …

Silver badge

Fun to scan through

From the looks of it, there are quite a few copier systems in hotels (at various prices) that are exposed.

My fun would be to setup something that would be like the WOPR and have "Global Thermonuclear War" on it just to see who takes the bait.

Then again it could be quite subtle: "White House Access Control", but that would be redundant (*SIGH*).

6
0

Thanks Chris.

"VNC lets people share their desktops over networks so they can access software and files from other computers. This is handy if you want to check into your home PC or some equipment on the other side of a site while away"

I always wondered what VNC was.

May as well buy the Daily Mail for my tech news.

6
45
(Written by Reg staff) Silver badge

Re: Thanks Chris.

I'm writing a few pieces about parallel programming, Intel CPUs, and OpenCompute servers. Maybe they'll be more up your street.

C.

27
0

Re: Thanks Chris.

Maybe, yes.

I come here to learn and get informed opinion,

Cut the dumbed down stuff out and I'll be much more on message :-)

5
37
Silver badge

Re: Thanks Chris.

I didn't know what VNC was for a long time, because I'm a unix sort, and VNC is a mostly Windows thing.

I'd much rather have "random TLA" be quickly explained, even if I know it, than have to stop and Google it if I don't.

51
7
Bronze badge

Re: Thanks Chris.

It would be useful to have acronyms and abbreviations expanded--even at some length--via balloons/tooltips/flyovers, etc.. I've mentioned it before, and even tried it (unsuccessfully) in the comments. A little pre-processing, perhaps. A little grep joy-riding across the site. Who knows? Probably could be done. And, being relatively unobtrusive, this approach would leave the information accessible (practically on-screen), but won't slow down anyone already in-the-know, but unknowingly hurrying to their appointment with the underside of a bus.

As for VNC Roulette: a UI Horrors Roll if every I saw one.

10
1

Re: Thanks Chris.

Funny that... VNC is way more popular on linux because it is the only thing available to share your desktop (and is easy to setup). Windows users use remote desktop that is part of windows and is vastly superior.

(NX is getting there but only recently)

8
2
Anonymous Coward

Re: Thanks Chris.

"because I'm a unix sort, and VNC is a mostly Windows thing."

What !

13
0
Silver badge

Re: Thanks Chris.

"VNC is way more popular on linux because it is the only thing available to share your desktop (and is easy to setup)."

Interesting. So the rdp session I've got running at the moment from my OpenSUSE laptop to a raspberry pi is just a figment of my imagination. Admittedly I've just installed the pi end and not exercised it much yet but it is working.

Thank you for the incentive to try.

10
3

This post has been deleted by its author

Silver badge

Re: Thanks Chris.

MS RDP is the "Windows Thing", VNC is cross platform and often on Linux by default, you have to add it to Windows.

It's usually a connection to an existing running local desktop*, unlike running X over a network, nothing is "lost" if connection is dropped, you just reconnect. So unlike X the desktop resolution is what ever it is on your target machine, the client opens a window to it, so having higher "resolution" client than remote helps.

https://en.wikipedia.org/wiki/Virtual_Network_Computing

Using a VPN to the VNC server is another idea.

[*No, I don't know how to set up a VNC server on a computer with no graphics card, though the target's keyboard, screen and mouse could be disconnected (or off), I suppose.]

2
0
Silver badge

Re: Thanks Chris.

Even nerds get rusty. I first though it was some random acronym that resembled that connection software, before realising that VNC was indeed VNC.

3
0
Silver badge

Re: NX is getting there but only recently

What, you mean to say administering a *NIX system over an SSH command terminal is new?

Or maybe using ssh -X to allow running an X-windows program’s GUI on your local machine tunnelled over a secured link is also "recent"?

3
1

Re: NX is getting there but only recently

No, I mean taking over an existing desktop (ie shadowing in NX terms). Been available as payware fro a while but I just recently saw it got working in X2go

As for RDP mentioned above: and when did that take off? Granted, I don't check every month how some tech advances, I sometimes have work to do ;)

2
0
Anonymous Coward

Re: Thanks Chris.

Any key.

0
0
Bronze badge

Re: NX is getting there but only recently

VNC is promoted as 'easy'. The problem is that the only easy thing about it is the 'getting hacked' part. In my experience SSH is easier and better, so it is hard to fathom why people keep messing with VNC.

0
3
Silver badge

Re: NX is getting there but only recently

"As for RDP mentioned above: and when did that take off? Granted, I don't check every month how some tech advances, I sometimes have work to do ;)"

Version I'm using seems to be ~Nov 2013, but there are several later versions

0
0
Bronze badge

how to set up a VNC server on a computer with no graphics card

Last millennium, IIRC, there was an "Embedded VNC server" (Open Source, vanilla C) that one could use with whatever your widget already used to paint into a bitmap style display. Details vague, but you just had to add a socket library and a few hooks for it into your draw/expose code.

2
0
Silver badge
Happy

Re: Thanks Chris.

It seems to me that the problem is that this field of ours is now so vast that most of us only spend our lives grazing in a small part of it. We spend so much time trying to avoid the cowpats in our own little bit that we have little or no time to explore the whole field.

However much we want to broaden and expand our horizons.

That's why I find sites like this so useful. It doesn't treat us all as idiots - it'd very swiftly loose most of its readership if it did - but it is prepared to give the less knowledgeable amongst us a bit of help. It's a fine line to draw, but generally I think it succeeds well.

It's not just articles which give me the opportunity to learn something new or different, this site has attracted an "interesting" commentardery.

Some people here are obviously very experienced (not just in IT) and that knowledge shared is invaluable - especially when it can be debated in a mature and open forum.

And it's nice to have a bit of fun.

9
1
Silver badge

Re: NX is getting there but only recently

>n my experience SSH is easier and better, so it is hard to fathom why people keep messing with VNC.

SSH with a text terminal is great over a WAN, ssh -X ... not so much. The display compression VNC adds makes it more usable. Also, I see a Mac VNC session in the example. Mac XWin is truly awful in speed terms.

Just a thought... is the problem VNC, some sort of network PnP port forwarding (they didn't meant to share outside the local lan) on the routers or people who genuinely didn't realise that port forwarding wasn't a good idea without hardened services? I didn't think we had too many hosts connected to the internet directly with modems any more, so this indicates firewalling issues. Running insecure services on a small local lan often isn't a problem - it isn't a good idea, but most people wouldn't expect it to be a large problem.

Or maybe its people who have already been hacked and VNC is being used a backdoor?

1
0
Silver badge

Re: NX is getting there but only recently

VNC is promoted as 'easy'. The problem is that the only easy thing about it is the 'getting hacked' part. In my experience SSH is easier and better, so it is hard to fathom why people keep messing with VNC.

It has its uses. Mostly I use ssh because all I need is a terminal window and that will do pretty much what I want. Where VNC comes in handy is where you need to set up a GUI application for a remote user, such as my father, who can be a tech support nightmare. I can set up a VNC session as him and either see what error he's getting on a GUI program or configure it properly for him. While it's theoretically possible to set up Thunderbird (as an example) entirely with text files, it's a lot faster with a GUI.

That doesn't mean I dispense with ssh - I need that to get in to the machine and start the VNC session, which then gets taken down when I've finished with it.

1
0

Re: Thanks Chris.

"VNC is way more popular on linux because it is the only thing available to share your desktop "

Nope. There's an RDP server for linux and its been around four some time. Which is useful because it allows you to control your linux machine from somebody else's Windows machine without installing a client.

However just don't see the need in this day and age to remote control your desktop, whatever the OS.

0
2
Silver badge

Re: Thanks Chris.

"However just don't see the need in this day and age to remote control your desktop, whatever the OS."

Well apart from a collection of raspberry pies, I also access my fileserver, mostly by ssh or fish but often by ssh/VNC

1
0

College lecture room?

That software looks interesting. Anyone know what it is?

2
0
Silver badge

Re: College lecture room?

Sniffs bespoke to me.

0
0

Re: College lecture room?

The major players in audio visual control systems are AMX, Crestron and Extron. Often the system integrator prefers one brand of control system over the others and with some systems the integrator is the only one with access to the source materials or ability to update the controls (usually through badly written contracts that don't mandate access to those materials).

Most of them have a way of controlling or monitoring the system remotely and it's all too easy to make the system publicly accessible and/or with default credentials available to connect to them.

0
0
Silver badge

Or a simpler (than SSH) solution

Don't use default ports on private services. There was an experiment done a while back putting up two honeypots running completely unpatched (MS) web servers. One was on port 80 and would be pwned within minutes. The other was on port 81 and sat there quite happily for weeks on end.

This solution isn't recommended for really sensitive stuff, but should be good enough to protect your torrents.

8
1
Silver badge

Re: Or a simpler (than SSH) solution

"This solution isn't recommended for really sensitive stuff, but should be good enough to protect your torrents."

It certainly cuts down the amount of attempted accesses : I've had a ssh port open to the internet for years but on a non-standard port ( and with tight authentication etc ) and I've only ever had 1 attempt on the non-standard port.

7
0
Silver badge

Re: Or a simpler (than SSH) solution

I use port 80 for VPN on my system, on the basis that some random place that has Internet access doesn't block port 80 outgoing and I don't run a public facing web server at home (I have hosting for those).

2
0
Thumb Up

Re: Or a simpler (than SSH) solution

I used the trick on one of my servers. It was constantly being hit with login attempts over ssh. None ever succeed, but I didn't like it. I changed ssh port away from 22 and problem solved.

I tried denyhosts, but occasionally locked myself out trying to remember the right password. Not an insurmountable problem, but it's not (or wasn't, maybe) trivial to unblock an ip address.

0
0

This post has been deleted by its author

Silver badge

Re: Or a simpler (than SSH) solution

You are basically arguing the merits of security through obscurity there...

3
0

Re: Or a simpler (than SSH) solution

@Adam1

>You are basically arguing the merits of security through obscurity there...

The rationale is not so much for security as considerably reducing log-file sizes (and increasing readability), plus taking some load off system resources by sidestepping continuous brute-force onslaughts.

9
0
Silver badge

Re: Or a simpler (than SSH) solution @Adam 1

The actual connections is likely using the same SSH standards everyone else is using. Perhaps using non-standard port is security through obscurity, but since it works his argument is valid.

3
0
Silver badge

Re: Or a simpler (than SSH) solution

"You are basically arguing the merits of security through obscurity there..."

No (if you mean me ) I'm arguing for using every means possible to increase security. Using a non-standard port doesn't stop anyone specifically targetting you but it does reduce the noise. I still use password on ssh but they're 20 chars hard passwords and only one user with a very unusual name is allowed access and that to a very limited account and that to limited times of the day if I'm feeling paranoid !

4
0
Anonymous Coward

Re: Or a simpler (than SSH) solution

Better on 8443. You sometimes get networks that try to transparently proxy port 80, but they usually leave 8443 alone and unmolested.

0
0
Anonymous Coward

Re: Or a simpler (than SSH) solution

"You are basically arguing the merits of security through obscurity there..."

Only in the same way a password is just security through obscurity. Diff. is that you can make passwords long and difficult ( how many are !) but there's only so many ports that can be used.

1
0
Silver badge

Re: Or a simpler (than SSH) solution

It may be what you meant but it isn't what was written and what I responded to

> Or a simpler (than SSH) solution

This implies that the proposed solution is a replacement.

I simply suggested that for me to accept such advice, I would have to then accept security through obscurity on equal argument.

Note that I am not arguing that obscurity doesn't have a part to play. When I was younger and actually went bush walking, we would often park the 4wd off the fire trail behind some shrubs or an embankment where it wouldn't be easily visible from the said fire trail. It didn't substitute for locking your doors, but it did reduce risk from the opportunist smash and grab. By all means, run on non-default ports or use port knocking; but call it a suplementary measure not a solution in its own right.

0
0
Silver badge

Re: Or a simpler (than SSH) solution

> but there's only so many ports that can be used.

65536 to be precise.

So as a password it is comparable to a 3 to 4 digit numerical PIN; or comparable to a password made up of a single English word that is in common use. It just isn't enough as a substitute method.

0
0
Silver badge

Re: Or a simpler (than SSH) solution @Adam 1

"65536 to be precise."

65535 to be precise. Port 0 is really unusable.

1
0
Silver badge

Re: Or a simpler (than SSH) solution

"65536 to be precise.

So as a password it is comparable to a 3 to 4 digit numerical PIN"

Not quite sure the point you are making. I've already said that moving ports doesn't stop a determined attacker. After all in ~12 years of having sshd open on a unusual port I have had 1 attempt that found that port. Any number of attacks go for port 22. I take that as reasonable evidence that shifting ports has a noticeable effect.

I was merely pointing out that much of what we call security is in fact by obscurity. and passwords are no exception - that's why they need to be long and non-obvious.

Almost everything helps confuse or slow an attacker - hence I use a very unusual username and very hard password* , just one account is available and then for a couple of hours a day

*Example would be QspSbitjfphxtfjt1eUu which is never written down or remembered but generated from a memorized passphrase by a little c program and pasted. Of course I only use that sort of thing for important passwords like banking or ssh.

1
0
Silver badge

Re: Or a simpler (than SSH) solution

@chemist

Wasn't quoting your post so not quite sure why you would take my comment to be about you and your process.

I was quoting AC whose argument seemed to be that because people (not you obviously) choose crap passwords then running on a non default port gave the same security. I worked out the equivalent entropy it gave to point out that you really need a bad password for that to be equivalent.

I thought my post was pretty clear that this does not preclude taking additional steps such as non default ports or port knocking or timed activation for ports. That will improve your security or at worse make no difference and doesn't really make your life harder so go ahead with my blessing. It is a great additional step, not a replacement.

0
0
Silver badge

One should not that this is not the fault of VNC

Most of those things are perfectly well examples for when to use VNC. For example having VNC access to a GUI running on a device saves you from having special client software which will be useless in a couple of years. Since it's a comparatively simple protocol, there are multiple implementations and most platforms have at least one to choose from. Since it's trivial compared to HTML/CSS/JS it's likely to have _much_ less implementation errors. It probably would even be a good alternative for web services.

The problem here is that some people put such services on the Internet without any authentication.

17
0
Silver badge

I work in schools. In one of them, we had VNC-like vision of every client PC.

We had a wall of displays, and four-to-a-screen sessions of every machine on campus. We never "watched" it - people are even more boring when they are on a computer than in real life - but it was interesting how quickly your brain picked up on something "wrong" just by glancing at it. Because it was a really rough school, the kids played games like "Who can print out porn before IT stop it" and things like that.

And the number of systems online is scary - one school I worked for had boilers controlled by app that included things like pump duty cycle and pressure, and could have caused all kinds of mischief. Access control. CCTV. Digital signage. There's no amount of things that are connected these days.

Even at a (infinitely better) school, there are any number of systems that I remote into all the time. We do put passwords on EVERYTHING though, but you can see how things can be overlooked, but how they become remote-accessible? That's just laziness.

One of the first things I did at my current place was knock off every port-forward except mail and Remote Desktop (because our users use it for everything). I was amazed how much there was. Straight port-forwards to servers, to clients (in the finance office no less!), to the phone system, to the web filter, to lots of internal web services, etc. etc. etc. I replaced it with a Smoothwall that reverse-proxies all the web content, and performs IDS/IPS on all the exposed services (mail, Remote Desktop, etc.). The amount of login attempts and other things it detected in the first week was enough to tell me that I'd done the right thing.

I'd quite like to do something that I've seen online, though. Given that we have a compulsory webfilter already, I think it would be a good idea to have a "wall of images" that go through the filter. As we specifically say the system is for school-use only (staff and pupil), I'm not that concerned about the odd Facebook or whatever popping through but I am concerned about quite what the kids are seeing and looking for, and I think a semi-public (i.e. well-known and visible but able to be turned off) display of every image that is being requested from the filter might reinforce correct use of it. It would wake people up a bit, because I do tell them that "in theory" I can see everything they do even if takes a lot of reconstruction, but they don't seem to care what they go looking for.

People... make sure your gateway is secure. Nothing should be accessible remotely. If you want to do that, use VPN and open ONLY the VPN ports and make sure you log and monitor access to it. And then start realising that even your users can do a port-scan / Bonjour discovery and hit quite a lot of things that you don't want them to. And start passwording and IP-limiting those things.

Hell, even printers. The system where I work, we have NO NEED to ever access a printer by any other protocol than SMB or by any other system than the print server. But those options are all open to everyone by default. Switch them off and use ACL's on your printer shares to control access. Especially if you have billed printing!

5
1
Bronze badge

You haven't heard of driftnet?

0
3
Silver badge

+1 for smoothwall. I moved to another school that had 10pct of the budget so i needed to smoothwall on the cheap (squid and diladele) but i did the same as i had from the smoothwall school. The network i inherited was flat with cctv, 814 boiler, denford milling machines, laser cutters, the door pass system and various pc vnc monitoring systems all accessible. Luckily externally there wasnt much but still a lot of exposed web servers with http logons.

Madness what some people find acceptable.

1
0
Angel

One of the first things I did at my current place was knock off every port-forward except mail and Remote Desktop (because our users use it for everything). I was amazed how much there was. Straight port-forwards to servers, to clients (in the finance office no less!), to the phone system, to the web filter, to lots of internal web services, etc. etc. etc. I replaced it with a Smoothwall that reverse-proxies all the web content, and performs IDS/IPS on all the exposed services (mail, Remote Desktop, etc.). The amount of login attempts and other things it detected in the first week was enough to tell me that I'd done the right thing.

+1 for the smoothwall reference :)

kind wish there was a way to +more for the other good things you did, too...

0
0
Boffin

Midwest Screen Shot

That screen shot from the midwest looks like a sewage treatment plant to me. I'll bet its a honey pot. Nobody would put their sewage plant controls on the Internet. Would they?

4
0
Silver badge
Childcatcher

Holy shit

There's an awful lot of SCADA systems left open to world + dog. I've just seen what looks like a building climate control system on VNC Roulette.

... and I've just seen a Spanish banking system ...

3
0

Not just VNC

This reminds me of a time a few years ago when I was looking for something to do with one of our laser printers at work. Having typed a phrase from the web interface into Google, I was shocked (but not that surprised) when the search results included links to dozens of similar printers with internet-facing web interfaces. I tried half a dozen random ones and found that they all used the default username & password.

I could have printed documents to incriminate the owners, changed settings to make them do 100 copies of everything or even uploaded PostScript code or modified firmware to siphon off (possibly sensitive) documents that were being printed to them.

I did toy with the idea of printing a warning message to them, alerting the owners that their printers were insecure and giving them step-by-step instructions on how to change the password and a suggestion that getting a firewall would be a good idea but didn't bother in the end.

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017