I mentioned it previously, but just wanted to be sure that everyone has seen this:
- the "standard" VNC protocol does not offer any encryption of the data (i.e. using a packet capture you can reconstruct the screen content and the actions of the user). There are unofficial extensions, but they are not widely supported
- During "authentication" only the first 8 characters are considered (which makes it quite easy to brute-force)
What you should do:
- tunnel all VNC traffic through something with a stronger encryption (like SSH or VPN)
- make sure that the VNC server is never bound to Internet-facing interfaces (only to VPN interfaces or localhost accessed through an SSH tunnel)
- not use VNC at all 🙂
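One way to check the second recommendation on a Linux host, as an added example that is not part of the original post: a small POSIX shell function that reads listening sockets as `ADDR:PORT` lines and reports any VNC display port (TCP 5900-5999) that is bound to something other than the loopback address. The sample socket list is constructed for the example; the `audit_live_vnc` wrapper assumes the iproute2 `ss -Hltn` output layout (local address in the fourth column), which you should confirm on your own system before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): find VNC servers bound to
# non-loopback addresses. Input: one listening socket per line, "ADDR:PORT".

# Prints every VNC listener (TCP 5900-5999) that is not bound to loopback.
# Returns 0 when none is found, 1 when at least one exposed listener exists.
exposed_vnc_listeners() {
    found=0
    while IFS= read -r sock; do
        [ -n "$sock" ] || continue
        port=${sock##*:}          # text after the last colon
        addr=${sock%:*}           # everything before it (may be "[::]" etc.)
        case "$port" in
            59[0-9][0-9]) ;;      # VNC display ports :0 .. :99 -> 5900-5999
            *) continue ;;        # not a VNC port, ignore
        esac
        case "$addr" in
            127.0.0.1|'[::1]'|::1|localhost) continue ;;   # loopback only: fine
        esac
        printf '%s\n' "$sock"     # anything else (0.0.0.0, [::], *, a NIC address) is reported
        found=1
    done
    [ "$found" -eq 0 ]
}

# Live check (assumption: iproute2 `ss -Hltn`, local address in column 4).
# Not run here; call it by hand on the host you are auditing.
audit_live_vnc() {
    ss -Hltn | awk '{print $4}' | exposed_vnc_listeners
}

# Constructed sample of what an `ss -Hltn | awk '{print $4}'` pipeline might
# yield: one VNC display on loopback (fine), two on all interfaces (exposed),
# one on IPv6 loopback (fine), SSH (not VNC), and one on a 10.8.0.0/24 address.
SAMPLE_LISTENERS='127.0.0.1:5900
0.0.0.0:5901
[::]:5902
[::1]:5903
0.0.0.0:22
10.8.0.1:5904'

# Demonstration run (prints 0.0.0.0:5901, [::]:5902 and 10.8.0.1:5904).
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_vnc_listeners || echo "exposed VNC listeners found"
```

The check deliberately treats every non-loopback binding as exposed, so a server bound only to a VPN interface address (like `10.8.0.1` above) is also reported; that is the case the post allows, and it is left for you to confirm that the interface really is the VPN one. To reach a loopback-only server from a client, forward a local port over SSH (`ssh -L 5901:127.0.0.1:5900 user@host`) and point the viewer at `127.0.0.1:5901`.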