Tight VNC: Safe? Malware?

AggieMike88

A data service company that I wish to transact with desires to install an upload utility that utilizes Tight VNC.

In the past, I had heard anecdotes of suspicious activity with Tight VNC and so I don't entirely trust this bit of software. I am concerned this can become a hole in the castle wall that could be exploited by a third party.

What say the gallery?

Additional info: Workstation is mine at my office and also holds my accounting package. Data service company is a corporation that purchases several types of auto parts as cores. Now available is a service that takes my inventory data through their cloud app and tells me what items in my inventory they want, what they pay. Because it's my inventory data file, the app makes it simple to see locations and stock numbers so I can quickly find the parts and add to their gaylord box. It is a desirable service, but I don't want to sacrifice computer security for it.
 
TightVNC is a remote control utility, not an upload utility. Basically, you are ceding control of your machine to them. I would think there is a much better way to share data.
 
Yeah, that's weird. I'd expect a little FW VPN for real time or an SFTP client for batch. Can you get technical docs that explain how their technology works? You have the right to know. No third party provider cares as much about your data as you do. Kudos for asking.
 
TightVNC is a remote control utility, not an upload utility. Basically, you are ceding control of your machine to them. I would think there is a much better way to share data.

I agree. I would refuse. In fact, I'd probably tell them to go away and stay gone. It's a pretty insulting request to make.

Rich
 
1) I would stay far far away from such suspicious behavior.
2) I would ask them what they plan to do with full access to your machine.
3) I would stay far far away from such suspicious behavior.
4) I would stay far far away from such suspicious behavior.
 
I agree. I would refuse. In fact, I'd probably tell them to go away and stay gone. It's a pretty insulting request to make.

Rich

Unless they're asking him to install the client so that he can access a remote machine of theirs. Which is more likely IMHO, we do it all the time. Easier to support and control.
 
To answer some questions/speculation...

Rich: This is the best paying auto core buyer out there... so I'm not willing to provide directions to the lake and jumping instructions, I want his money.


Remote Control: I'm not trying to control their machine. I think what the logic for them is is a "lazy" way of having my machine launch a task in the middle of the night to upload the data. Likely there is a better way, but they are not providing it.


The general question has been answered... I will be telling them that if they want my info, they need to provide a different means of getting it there without the use of Tight VNC.
 
TightVNC is a remote control utility, not an upload utility. Basically, you are ceding control of your machine to them. I would think there is a much better way to share data.

Exactly. Once they connect, TightVNC (or any VNC/remote desktop) allows them full rights and privileges of the user logged in.

*If* you had a copy of the inventory data (original stored elsewhere) on a separate computer (i.e. no other applications, especially accounting, on it) and the inventory data were read-only & the other stuff locked down, then maybe. But it does open a whole boatload of risk to you (and them, too).

The big Target breach was the result of similar remote access software.
 
To answer some questions/speculation...

Rich: This is the best paying auto core buyer out there... so I'm not willing to provide directions to the lake and jumping instructions, I want his money.


Remote Control: I'm not trying to control their machine. I think what the logic for them is is a "lazy" way of having my machine launch a task in the middle of the night to upload the data. Likely there is a better way, but they are not providing it.


The general question has been answered... I will be telling them that if they want my info, they need to provide a different means of getting it there without the use of Tight VNC.

Tell them to call me. If they're trying to get you to install a VNC server on your computer, they're ****ing morons. If they're trying to get you to install the tightvnc client to connect to theirs, this is fairly standard. If you want me to see what they're up to, I will.
 
Tell them to call me. If they're trying to get you to install a VNC server on your computer, they're ****ing morons. If they're trying to get you to install the tightvnc client to connect to theirs, this is fairly standard. If you want me to see what they're up to, I will.

Thanks for the offer of direct help, but I don't think this is gonna get them to change their entrenched ways. Knowing my industry, too many others are not computer security aware and just see the easy way to give away their inventory data and computer access for the nickels and dimes they get selling the cores.

I'll find a different way that is secure. Might be more labor intense, but I won't be risking a hack of my biz computer.
 
*If* you had a copy of the inventory data (original stored elsewhere) on a separate computer (i.e. no other applications, especially accounting, on it) and the inventory data were read-only & the other stuff locked down, then maybe. But it does open a whole boatload of risk to you (and them, too).

I've been contemplating taking one of my retired boxes, updating it to Win7, and making it my upload zombie. There are other vendors besides this that I want my inventory info to go to (including Car-Part.com). I could shift all of that from my workstation to the zombie.

The zombie would only be the upload "gateway" and have no other business software on it. Possibly in its own DMZ.
 
Thanks for the offer of direct help, but I don't think this is gonna get them to change their entrenched ways. Knowing my industry, too many others are not computer security aware and just see the easy way to give away their inventory data and computer access for the nickels and dimes they get selling the cores.

I'll find a different way that is secure. Might be more labor intense, but I won't be risking a hack of my biz computer.

Drop a $200 throw away computer with the data they want on it out there, preferably on another network. Walmart routers can accomplish this.
 
I've been contemplating taking one of my retired boxes, updating it to Win7, and making it my upload zombie. There are other vendors besides this that I want my inventory info to go to (including Car-Part.com). I could shift all of that from my workstation to the zombie.

The zombie would only be the upload "gateway" and have no other business software on it. Possibly in its own DMZ.

Yeah, this. I was going to suggest a virtual machine, but if you have a spare lying around, give 'em that. I use TightVNC all the time, and as far as I know, there's no malware in it (I use the Linux version, compiled from source).

Weird request.
 
Thanks for the offer of direct help, but I don't think this is gonna get them to change their entrenched ways. Knowing my industry, too many others are not computer security aware and just see the easy way to give away their inventory data and computer access for the nickels and dimes they get selling the cores.

Not saying you should capitulate, there is indeed a very small level of risk here, but this is a really old and established way of getting data off computers (https://en.wikipedia.org/wiki/Data_scraping) that has been used for decades. I would bet they aren't doing it out of incompetence, and certainly not out of a desire to get malware on your machine, but as a way to get the data they need in the way that requires the least knowledge on the part of their partners.

They should be able to take a daily export of your inventory instead should you wish to go through the trouble of writing a cron job and uploading the file to them.
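The daily-export approach suggested in the post above, sketched as an added example that is not part of the original thread: a scheduled job stages a copy of the inventory file and pushes it outbound over OpenSSH `sftp`, so nothing on the workstation listens for remote control. The account, key path, known-hosts file and export filename are hypothetical placeholders.

```python
"""Added example: push-only nightly inventory upload over SFTP."""
import hashlib
import shutil
import subprocess
from pathlib import Path

# Assumed placeholders -- none of these values come from the thread.
REMOTE = "upload@sftp.buyer.example"           # hypothetical vendor SFTP account
KEY = Path("keys/upload_ed25519")              # key used only for this upload job
KNOWN_HOSTS = Path("keys/buyer_known_hosts")   # vendor host key, pinned in advance


def stage_export(source: Path, staging: Path) -> Path:
    """Copy the export into a staging folder (the job never touches the
    working file) and write a SHA-256 sidecar next to the copy."""
    if source.is_symlink() or not source.is_file():
        raise ValueError(f"refusing to upload {source}: not a regular file")
    staging.mkdir(parents=True, exist_ok=True)
    staged = staging / source.name
    shutil.copyfile(source, staged)
    digest = hashlib.sha256(staged.read_bytes()).hexdigest()
    (staging / (source.name + ".sha256")).write_text(f"{digest}  {source.name}\n")
    return staged


def sftp_command(batch_file: Path) -> list[str]:
    """Non-interactive sftp call that fails closed if the host key is
    unknown or has changed, and offers only the dedicated key."""
    return ["sftp", "-b", str(batch_file), "-i", str(KEY),
            "-o", "StrictHostKeyChecking=yes",
            "-o", f"UserKnownHostsFile={KNOWN_HOSTS}",
            "-o", "IdentitiesOnly=yes", REMOTE]


def upload(staged: Path) -> None:
    """Outbound-only transfer: put the file and its sidecar, then disconnect."""
    batch = staged.parent / "upload.batch"
    path = staged.as_posix()  # forward slashes: backslash is an escape in sftp batches
    batch.write_text(f'put "{path}"\nput "{path}.sha256"\nbye\n')
    subprocess.run(sftp_command(batch), check=True, timeout=300)


if __name__ == "__main__":
    upload(stage_export(Path("inventory_export.csv"), Path("staging")))
```

Run it from cron or Windows Task Scheduler under an account that can read only the export file and the upload key.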
 
... I want his money. ...

Some variations of the following could minimize your risk, but not take it to zero.

Set up a separate machine on your network through which this company can access your inventory file.

Change the IP Port number used by Tight VNC to some goofy nonstandard number and use a good firewall to block all other ports.

Schedule a start time and a stop time for Tight VNC to suit your buyer's needs. Do not leave it running when it is not going to be used.

Set up a single user on the machine with read-only access to the inventory file and zero access to anything else on the network.

As a variation, you might have a daily scheduled job on another computer to copy the inventory file to the isolated machine, then lock the isolated machine user completely out of the network -- giving the buyer access to just the file copy.

Basically the idea is to tightly sandbox the computer that your buyer will have access to, limiting someone's ability to cause trouble.
 
I'll just add to the chorus that would say, "don't do it".

The bastion host (old PC with only the data they want) idea might work if done very carefully.
 
Woohoo....old thread, but.... I've got Wyze cams at the house running RTSP to iSpy on a Win10 computer, recording 24/7 (also the Wyze app for alerts). Would like to access that computer remotely while away from the house via my iPad. Computer geeks....is TightVNC what I want to accomplish this (securely, of course) or....discuss? :)

Thanks!

Jim
 
Jim, I personally use RealVNC which is sort of the same thing but you don't need to know the IP address of your machine. It also has mobile apps to log into your machine and whatnot. I've used it for years and I highly recommend it for your own personal use.

In relation to the start of this thread though, I would never let someone else install it on my machine for their personal use.
 
As others had said VNC is desktop remote control software.

Various variants of it out there wrap the (completely insecure) native VNC protocol in other encryption wrappers like ssl or ssh. They also add things/services like dynamic DNS or bouncing through one of their servers to find machines on changing IP addresses or penetrate firewalls by having the machine behind the firewall maintain an outbound connection to a server on the internet at all times so the connection point can be there.

All of which sounds like massive overkill for a simple (even secured) file transfer. There’s better ways to do that that don’t expose your internal PC to anywhere near that many ways to possibly attack it.

If they don’t need remote control of the machine, installing VNC is a hard no. Absolutely unnecessary. Use a secure file transfer method not remote access software.
 
Thanks guys! Jason, somehow I missed your reply last month. Actually, all I really want to do is view the RTSP camera streams from away from the home network without it running thru Wyze, Amazon storage and lord knows who else. Open to ideas... Thanks!

Jim
 
I've been contemplating taking one of my retired boxes, updating it to Win7, and making it my upload zombie. There are other vendors besides this that I want my inventory info to go to (including Car-Part.com). I could shift all of that from my workstation to the zombie.

The zombie would only be the upload "gateway" and have no other business software on it. Possibly in its own DMZ.

Great idea. But make sure the zombie isn't connected to your other systems. I have firewalls not only on the network modem but on each machine, and each is isolated by others using the MAC address. (no, not the Apple stuff). Since the company laptop is remote-access by the company IT dept, I've got it specifically isolated from my other systems.

Yes, I'm paranoid. These days if you're not, tsk tsk tsk.
 