Were you hacked?

The website www.VNCRoulette.com is getting a lot of press recently. It is a site that shows screenshots of computers that have the VNC remote connection software installed with the default blank password. If you scroll through the pictures you’ll see a variety of desktops, from industrial computers to home and office PCs. To make matters worse, the site also posts the IP address of each of these computers, so once a machine is discovered to be vulnerable, anybody can connect to it. All of the computers listed on the site were discovered by the same hacker who runs the website.

Reading about this site made me reflect on a few things.

First, VNC software (a free product) should do more than just suggest you set a password. It should be a requirement. However, even when a password is set, the session data is not encrypted in transit, so it is still vulnerable to hackers. Both of these problems have been present in the software for more than 15 years. It is one of the many reasons we don’t use VNC and instead invest in quality remote control software that requires complex passwords and encryption.

Second, sites displaying vulnerabilities so anybody can take advantage of them are irresponsible. Imagine how you would feel if somebody placed a sign outside your house that read “This security system’s PIN code is 1234.” Sure, many may argue that your choice of PIN was unwise, but pointing to it makes it worse.

My last reflection is that VNC by itself does not accept connections from outside your local router or firewall. Somebody had the knowledge to log in to the router, figure out which port VNC is using, and open that port to the entire world. Some people whose computers are listed on the roulette may say that they got hacked. But the truth is that their IT person or team let them down. You can’t hack into one of these computers any more than you could break into a house that has no front door installed.

The news about the VNCRoulette website is definitely disturbing in all respects. But the question you should be asking is whether you’re placing your trust in the right IT team.