crp Posted January 9, 2022 If you use TightVNC as a server on Windows (and probably its offshoots), make sure File Transfers is disabled. Especially if it is reachable via public IP space. There are major security issues concerning File Transfers with TightVNC and Windows. I don't have TightVNC server on a Linux box, so I don't know about that setup.
crp Posted April 10, 2022 (Author) They still haven't fixed the problem over at TightVNC; I don't know if every VNC forked from it has the problem. If you have File Transfers enabled, then the connecting client can copy any file. Even files in Windows\System32. And it can do so without logging into a Windows user session. It just needs the VNC connection's password, no need to know any password of a Windows user. What makes the situation a bit worse is that passwords for TightVNC are maxed at 8 characters.
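The two posts above describe three conditions that together make a TightVNC server a file-disclosure risk: file transfers left enabled, the RFB port reachable from outside the host, and the classic 8-byte VNC password as the only barrier. The following PowerShell audit script is an added example written for this page; it is not code from the thread or from the TightVNC project. The registry path HKLM:\SOFTWARE\TightVNC\Server, the value names (EnableFileTransfers, RfbPort, AcceptRfbConnections, LoopbackOnly, UseVncAuthentication) and the service name tvnserver are assumptions based on TightVNC 2.x server settings and should be confirmed against the installed version before relying on the output.

```powershell
# Added example (not from the thread): audit a Windows TightVNC server for the
# exposure described in the posts above. Registry value names are ASSUMPTIONS
# drawn from TightVNC 2.x; confirm them against your installed build.
$key = 'HKLM:\SOFTWARE\TightVNC\Server'

function Get-TightVncSetting {
    param([string]$Name)
    try { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: TightVNC falls back to its built-in default
}

if (-not (Test-Path $key)) {
    Write-Output "TightVNC server settings not found at $key (is the server installed?)"
    return
}

$fileTransfers = Get-TightVncSetting 'EnableFileTransfers'   # DWORD, 1 = enabled (assumed default)
$rfbPort       = Get-TightVncSetting 'RfbPort'               # assumed default 5900
$acceptRfb     = Get-TightVncSetting 'AcceptRfbConnections'  # 1 = listen for viewers
$loopbackOnly  = Get-TightVncSetting 'LoopbackOnly'          # 1 = bind to 127.0.0.1 only
$useVncAuth    = Get-TightVncSetting 'UseVncAuthentication'  # 1 = classic VNC (DES) password

if ($null -eq $rfbPort) { $rfbPort = 5900 }

$findings = @()
if ($fileTransfers -ne 0) {
    $findings += 'File transfers enabled: anyone holding the VNC password can copy files without a Windows logon.'
}
if ($acceptRfb -ne 0 -and $loopbackOnly -ne 1) {
    $findings += 'Server accepts RFB connections on all interfaces (LoopbackOnly is not 1).'
}
if ($useVncAuth -ne 0) {
    $findings += 'Classic VNC authentication in use: the password is capped at 8 characters.'
}

# Independent of the registry: is the RFB port listening on a non-loopback address right now?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $rfbPort -ErrorAction SilentlyContinue |
             Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
if ($listeners) {
    $findings += "Port $rfbPort is listening on: $($listeners.LocalAddress -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Remediation, left commented out so the audit stays read-only. Apply from an
# elevated shell and restart the service (name assumed to be tvnserver):
# Set-ItemProperty -Path $key -Name 'EnableFileTransfers' -Value 0 -Type DWord
# Set-ItemProperty -Path $key -Name 'LoopbackOnly' -Value 1 -Type DWord
# Restart-Service tvnserver
```

Run the script from an elevated PowerShell prompt on the server host. The listening-port check is the part worth keeping even if the registry names turn out to differ on your version: a 5900 listener bound to 0.0.0.0 on a machine with a public address is exactly the situation the first post warns about, and it is visible without knowing any TightVNC internals.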
zlim Posted April 11, 2022 I'm looking at my password strength chart, and an 8-character password that consists of numbers, upper- and lowercase letters and symbols can be broken in 39 minutes! Not much security with that. A good length for a password with numbers, upper- and lowercase letters and symbols is 11. That takes 34 years to crack. Omit the symbols and it drops to 3 years, but at least that is better than minutes. Once I saw that, I looked at my passwords and started lengthening them, if possible. Again, not everything allows you a length of 11 characters. Sad.
crp Posted April 12, 2022 (Author) It would take a bit longer than 39 minutes to crack TightVNC, as it times out after 3 misses and then refuses connections from the IP address for extended periods of time if it thinks a hack is going on. But I think it would take less than a couple of days if someone was attacking a known target.
zlim Posted April 12, 2022 Same as the 4-digit PIN for ATM machines. If you guess wrong 3 times, I think it eats your card.