One afternoon, not so long ago, I received a phone call from one of our clients asking LightCube to investigate why a web application hosted on an internal Linux server was so unresponsive. After a little bit of poking around it became apparent what was happening: someone had managed to break into the system and create a rogue account for themselves and was using this account to continually attack other machines! How had this intruder gained access? One word: VNC.

Before I explain further how this happened, let’s step back for a second. Our client is a fairly large company, with skilled IT professionals managing their network infrastructure and services, mostly hailing from the Windows world. When they set about developing an internal web application, however, the low cost of Linux and Open Source was too attractive to ignore. So they grabbed a distro, set it up on a machine and got to work. Coming from a Windows world, the technicians incorrectly (but perhaps understandably) expected that an item labeled “Remote Administration” would configure a service that behaves like Windows Remote Desktop Connection. Instead, what they configured was a very insecure VNC service on a publicly available machine.

(As a sidenote, to me this well illustrates a very important point. The known stability, reliability and low-to-nil licensing cost of Open Source software means that a lot of people are looking to use it, and these days, basic services can be implemented fairly easily. However, getting secure, reliable, optimized use out of your Open Source still requires someone who knows what they’re doing.)

Back to the story, here’s what happened: One of their administrators logged in remotely to the machine through the VNC connection. As root. (That’s the first mistake, but I won’t really address that too much here. Keep in mind they’re coming from Windows, eh?) Then, when the administrator was done doing what he was doing, he simply closed the VNC window. In the Windows world, that wouldn’t be much of a problem. When connecting again, the Windows server would require that you authenticate. With VNC, not so much. Unless you log out of the remote system, whoever next comes and tries a VNC connection on the default ‘0’ session – they get whatever you left open. If you were logged in as root, as was the case here, a full root desktop is what you get. “Come right inside, make yourself at home! Here’s the keys, change anything you like.”

Don’t misunderstand me. This isn’t a case of “Windows has better security than Linux”. I think someone would have a hard time arguing that point. This is a case of someone enabling an insecure protocol on a Linux system without really investigating how it works. To be fair, this particular distro did make it seem like this was a pretty standard way of remotely administering the machine. A little note from the distro about VNC being unencrypted and using poor session handling methods would have been more helpful, though.

We closed up the security holes on their system and ran a full audit. Fortunately, the damage was minimal. Afterwards, we needed to find an alternative for remote desktop management. What we found was NoMachine NX. All the communication takes place over an encrypted SSH connection, so it is secure (well, as secure as your password or public key, but that’s another article). But it’s also fast. NoMachine has taken a different approach to data transmission, such that it outperforms VNC any day. The server currently only runs on Linux or Solaris, but they have clients for all major desktops. If you absolutely must have a GUI running on your remote Linux server, I highly recommend NoMachine NX as a better way to achieve it.
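
As an added example (not part of the original audit or any LightCube tooling), here is one check an audit like this can include: flag VNC listeners that are bound to a non-loopback address. It assumes the usual convention that VNC display N listens on TCP port 5900+N, so the default ‘0’ session is port 5900; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC listeners reachable from other hosts.
# Input: output of `ss -H -tln` (one listening TCP socket per line).
# Assumption: VNC display N listens on TCP port 5900+N (display :0 = 5900).

find_exposed_vnc() {
    awk '
    {
        local_addr = $4                  # e.g. 0.0.0.0:5900 or [::]:5902
        n = split(local_addr, parts, ":")
        port = parts[n] + 0
        # Everything before the final ":port" is the bind address.
        host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next
        # Loopback-only listeners can be reached only from the host itself,
        # for example through an SSH tunnel, so they are not reported.
        if (host ~ /^127\./ || host == "[::1]") next
        printf "EXPOSED display=:%d port=%d bind=%s\n", port - 5900, port, host
    }'
}

# Constructed sample of `ss -H -tln` output, so the check runs offline.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 [::]:5902 [::]:*
LISTEN 0 128 [::1]:5903 [::]:*
EOF
}

# On a live host, replace the sample with:  ss -H -tln | find_exposed_vnc
sample_ss_output | find_exposed_vnc
```

A listener that passes this check can still be misconfigured; the check only shows whether the VNC port is offered to the network at all.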

John F. Kennedy High School is located in the Southwestern part of the Bronx, right on the border of Manhattan. Within the past two years, it has seen tremendous growth in the way it makes use of technology as an education tool. To a very large degree, the man behind that growth is Ali Shama. His vision has been driving many of the wonderful things happening at Kennedy recently.

In 2006, Ali brought me in to help implement and maintain the network services he needed in order to achieve his vision. Together, we installed four Apple labs consisting of around 34 iMacs each and an Xserve to handle default settings for those workstations. We then tied them into our existing Windows domain, allowing students access to the same network files and folders they would have when logging into a Windows workstation. We also set up at least 4 PC labs with 34 stations each and configured several network based applications, such as Rosetta Stone, Plato and Microsoft Student for use in those labs.
The impact this work has had on the school has been tremendous. Students are learning to create, with very professional tools and in a very professional setting, digital video, audio and print. There are more details about this in a great write-up Ali received in the New York Daily News.
What has been done at Kennedy, especially in connection with Apple hardware and services, is an example of what LightCube Solutions is offering. In fact, I believe the work at Kennedy will serve as a springboard for future LightCube work. Thank you, Ali, for the great privilege I have had in working with you.