There’s a gaping hole in thousands of unsuspecting people’s computers that lets any random internet passerby not only look over their shoulder but reach through to take over their systems.
The hole is caused by a remote access tool: specifically, unsecured use of a product known as Virtual Network Computing (VNC).
VNC is actually a handy application that lets us remotely share our desktops with others – be they colleagues, those giving us software demonstrations, or remote administrators helping us diagnose system problems.
But if VNC isn’t locked down with a strong, unique password, the list of who can remotely view and control our computer systems can also potentially include eavesdroppers or intruders looking to compromise computers.
Also, it can include security engineers assessing what’s exposed on the internet that shouldn’t be.
At Defcon on Sunday, security engineers Dan Tentler and Paul McMillan fit into that last category.
During their 1-hour talk, Tentler and McMillan scanned for computers running remote access software without a password.
In just that brief time, the results poured in as the pair discovered thousands of computers on port 5900 using unsecured VNC for remote access.
According to Forbes’s Kashmir Hill, the total number of unsecured VNC instances the pair discovered in 1 hour likely exceeded 30,000.
On Thursday, McMillan’s Twitter stream was showing an assortment of links to screen grabs that illustrate what things people are leaving wide open.
The tweets included screenshots that seem to pertain to oil or natural gas wells in Texas, another of what looked like the schematic for an Italian hydroelectric plant and this one (blurred by Naked Security) of a Novell ConsoleOne administration window – an application for managing an entire computer network and all its resources:
@PaulM
This would be the one machine you would leave unsecured to the public internet, right?
Forbes’s Hill reports that at Defcon, she also got an eyeful of screenshots that showed people:
- checking Facebook
- playing video games
- watching Ender’s Game
- reading Reddit
- Skyping
- reviewing surveillance cameras
- shopping on Amazon
- reading email
- editing price lists and bills
- watching porn
…as well as access screens for these things:
- pharmacies
- point of sale systems
- power companies
- gas stations
- tech and media companies
- a cattle-tracking company
- hundreds of cabs in Korea
Hill actually called one of the pharmacies. They were reportedly horrified to find out that anybody could review their patients’ prescriptions.
Because this isn’t just about viewing, it’s about people being able to take over those systems and do things like change a power company’s settings or flip through a company’s business records.
I’d like to think that the researchers contacted all the computers’ owners, asked their forgiveness for accessing their computers and private data without permission and then gave them a chance to secure themselves before revealing anything to the world.
That seems highly unlikely, perhaps even impossible, but that is the standard of responsible disclosure that we’ve come to expect of security researchers exposing vulnerabilities.
So how can you minimise your exposure to this kind of backdoor access? The rules are simple:
- If you don’t need it (whatever it is), don’t run it
- If you do need it, protect it with a strong, unique password
- Provide the most restricted access you can get away with
- Use multiple layers of protection
For example if you need to run VNC but only one other person or computer needs access to it, you might use your firewall to allow just one, hard-coded IP address to connect.
If you need to give access to multiple computers, you might restrict access to any computer on your Virtual Private Network (VPN).
Exactly how you lock things down depends on your environment, but the principles to follow are as old as the hills: Defence in Depth and the principle of least privilege.
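A firewall or VPN limits who can reach the port, but the “strong, unique password” rule is about what the VNC server itself offers. The handshake decoder below is an added example (not Naked Security’s code, nor any VNC project’s) that reads the first two server messages of the RFB protocol, as defined in RFC 6143, from a capture of your own server and tells you whether it offered security type 1, “None”, which means anyone who can reach port 5900 gets in without a password. The sample byte strings are constructed, not captures from real hosts.

```python
# Added example for this article (not Naked Security's or any VNC project's code):
# decode the security handshake a VNC server sends so you can check whether your
# own server offers "None" (no password), the exposure discussed above.
# Per RFC 6143: after the 12-byte "RFB xxx.yyy\n" version message, an RFB 3.3
# server sends one big-endian U32 security type; 3.7/3.8 servers send a U8
# count followed by that many U8 types (count 0 means connection refused).
import re
import struct

SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}
NO_AUTH = 1  # security type 1: anyone may connect without a password

def parse_security_types(server_bytes):
    """Return (version string, list of security types the server offered)."""
    m = re.match(rb"RFB (\d{3})\.(\d{3})\n", server_bytes)
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(m.group(1)), int(m.group(2))
    body = server_bytes[12:]
    if (major, minor) <= (3, 3):
        # RFB 3.3: the server dictates a single type; 0 = connection failed
        if len(body) < 4:
            raise ValueError("truncated RFB 3.3 security message")
        (sec_type,) = struct.unpack("!I", body[:4])
        return f"{major}.{minor}", [sec_type] if sec_type else []
    if not body or len(body) < 1 + body[0]:
        raise ValueError("truncated security-type list")
    return f"{major}.{minor}", list(body[1:1 + body[0]])

def offers_no_auth(server_bytes):
    """True if the server would accept a session with no password at all."""
    return NO_AUTH in parse_security_types(server_bytes)[1]

def describe(server_bytes):
    version, types = parse_security_types(server_bytes)
    names = ", ".join(SECURITY_NAMES.get(t, f"type {t}") for t in types)
    return f"RFB {version}: {names or 'connection refused'}"

# Constructed sample handshakes, not captures from real hosts
OPEN_38 = b"RFB 003.008\n" + bytes([2, 1, 2])      # offers None and VNC Auth
LOCKED_38 = b"RFB 003.008\n" + bytes([1, 2])       # offers VNC Auth only
OPEN_33 = b"RFB 003.003\n" + struct.pack("!I", 1)  # 3.3 server dictating None
REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", 4) + b"busy"

if __name__ == "__main__":
    for sample in (OPEN_38, LOCKED_38, OPEN_33, REFUSED):
        print("EXPOSED" if offers_no_auth(sample) else "ok     ", describe(sample))
```

A server that only offers “VNC Authentication” still needs the firewall and VPN restrictions above, because VNC’s challenge-response password check is all that stands between it and the internet.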
The pharmacist whom Hill called immediately contacted his software vendor, who was shocked to discover there was a way around the firewall and immediately turned off the VNC settings on the drug terminals.
Unfortunately, the chances that a helpful security reporter or security researcher is going to call to let us know that we’re leaving our systems exposed are slim to none.
Most of us have to strap this stuff down ourselves, and urge others to do the same.
NB. We have to say it: please don’t try this at home. Or at work. Just because you can connect without a password to someone’s computer system doesn’t mean you are allowed to. It’s not like trespass, which in many jurisdictions is a civil matter. Many, if not most, countries have laws making it a criminal offence to access a computer without authorization. Your motivation probably won’t be enough to get you off the hook if someone decides to investigate and you end up facing criminal charges.
So what does this mean to an average home computer user? I’ve never heard of VNC. Am I using it – would I know if I am? Can my antivirus, antimalware, firewall protect me?
You should see it in Add/Remove Programs (older Windows versions) or Programs and Features in the Control Panel if it was legitimately installed.
If it was sneakily installed by malware (some malware has carried around copies of VNC as a backdoor tool) then a decent anti-virus ought to tell you.
And an anti-virus with Application Control (like Sophos – you can block apps that you might not want for safety/security reasons, as well as outright malware) will very likely offer to stop it running if you never wanted it in the first place.
Hi
How do I find out if any of my computers is running/using the VNC application/software?
See reply to @Robert.
How does one access the settings for the VNC function?
VNC is only available if you installed it. This isn’t a default Windows setting or anything. It’s a remote access tool used for all kinds of things. If you have no idea how to access it, chances are you haven’t installed it.
That’s a rather narrow perspective. Many people use computers that have been set up by others. Examples: a friend or relative, some geek from IT, a previous owner, or a local computer shop. Trusting to “chances are” isn’t a security-minded response.
This article would be more helpful if there were links to instructions describing how to manage, including how to turn off, VNC.
IIRC there are many implementations of VNC so I don’t think it would be practical to include configuration.
That aside, the article, or at least the advice, isn’t about VNC per se; it’s about any and all server software that might be sat on your computer, listening.
This article could just as easily have been written about Remote Desktop Protocol, LogMeIn, web servers, file servers or any number of other things.
If you are in any doubt about what you’re running or what’s listening on your computer then turn on your firewall and block all incoming connections.
You can then work through the things you know you need and enable the firewall to let those things, and only those things, through.
Exactly. I work from home and we regularly use TeamViewer to connect to customer computers. Because that software is technically capable of sharing my own screen, I close it the second I’m finished using it. “If you don’t need it, don’t run it” was good advice.
I think you should consider another article on Remote Desktop and Remote Assistance in Windows. These are built-in to Windows, but it’s hard to find security information on them.
In Windows there is Remote Desktop, Windows Remote Management, and Windows Remote Management – Compatibility mode (HTTP – in). Depends on which version of Windows. These should be turned off; one way is in Windows Firewall.