Automated "damage control" PR too
They've also put an automated spam bot in place on Twitter responding to every new Tweet containing "@teamviewer":
@yourname - Please see our statement on account security http://bit.ly/2891hI3
It's not helping.
TeamViewer is whacking anti-hacker protections into its remote-desktop tool – as its customers continue to report having their PCs and Macs remotely hijacked by criminals. Two new security checks in TeamViewer will warn users when a new device or location attempts to log into their TeamViewer account and remotely manage any …
The easiest way to fix is to set a Windows password and have it set to 5 minutes on your screen saver, and if you're remotely logging in, tick the lock box when ending the session (it remembers it).
I would recommend disabling file transfers as well and remote recording (not tested if they still work when at the Windows lock screen; I would assume they don't but I set them to deny anyway).
The criminals have gone to this much effort, I'm sure they can afford a VPN in the target's country so the locale matches. They would be doing that anyway to hide their IP, all it means is they have to pick the right VPN in their list...
Secondly the notifications that someone has logged in from a new device. Well these attacks are happening at 5am in the morning when everyone has their phone on silent...
"Secondly the notifications that someone has logged in from a new device. Well these attacks are happening at 5am in the morning when everyone has their phone on silent..."
Which means they won't get permission. It's more than notifications. Well, hopefully... Maybe whenever we get the big public 'mea culpa' they'll throw in a 'mea copro'
If not all the horses have left, it still makes sense to close the barn door. I'm afraid quoting that metaphor suggests that it's too late to fix the problem and TV shouldn't bother.
I haven't been hacked yet and I'd just as soon not be. Please close the barn door before any other horses escape. Thank you.
It is odd that within just days of these hacks (or in TV's case, alleged hack) that all these companies seem to suddenly find the resources to improve security. Surely in light of the continuous headline data breaches all over the world these people should *already* be shoring up their defences.
Steam already does what they promised to do, validating over email any logins from new devices and even web browsers. Since, I don't know, years ago? Kinda sad that this is only to buy video games while Teamviewer has the family jewels.
Just to reiterate, I was never a fan. Back when it mattered, I used VNC and some kind of free dynamic DNS provider with some updater or other. Also TV is a bit too cloudy for my taste.
"We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users,"
And in another breath... "it's your problem, customers".
In a nutshell.. there's what's wrong with the world. It's someone else's problem if your site/product is being used as an attack vector.
There are many reports about it also affecting people using 2FA. Password re-use can't be the root cause of the entire problem.
Additionally, someone on Reddit mentioned it looks like at least some versions of the TeamViewer protocol are very weak:
The thing is, 2FA does not save you from connections from 3rd person who manages to find your server ID. They can brute force you all day long and just wait out the bruteforce protection of TV to fall off. Assuming that the default 4 digit passcode is enabled, all combinations can be tested inside 24 hours.
Looks like this is going to suck for a large number of people.
I don't normally read Reddit. But the stuff I read yesterday on Reddit was like a bunch of petulant children that have already made their minds up that TeamViewer (you know, the company that's been giving away a fabulously useful, stable and reliable product to people for years now) is the Big Evil Satan.
As for the snippet you quoted: TV's new permission notification thing should stop any bruteforcing dead in its tracks.
Also do not forget that there was a trojan discovered last month that exploited the TeamViewer client by bundling it with the trojan and using it to create a proxy reflector. TV might want to look into how they can harden their client to make it more difficult for it to be exploited in that way.
I don't think I'm a fan of this denial first attitude. It's the same attitude that caused the storm in the first place - it's entirely *possible* they could have had a breach and not know about it and instead of properly investigating they just flatly deny it when there's some good evidence suggesting there's an issue. Teamviewer is a legal back-door that breaks open most system (and firewall) security with credentials, if there's a whiff of a problem you revoke first and ask questions later - their attitude has been deny first and ask limited questions. They've obviously been attacked and they should be figuring out if that attack was cover for something more serious, and yes; giving people tools to secure their accounts.
We've been here before and we'll be here again - if it's 2016 and you can't give people the tools to convince themselves their systems are safe you're (rightly) going to have a trust problem.
"Speaking directly to The Register and in announcements to customers, TeamViewer has denied that the crime spree is due to any compromise of its own servers. Rather, it claims, the victims of the attacks had reused their TeamViewer login passwords on other websites that have been breached, such as LinkedIn and Tumblr. Armed with copies of those leaked passwords and email addresses, TeamViewer claims, thieves then log into people's TeamViewer accounts and access connected PCs."
Did they ever produce the slightest shred of evidence that their position on how this happened is correct? Did anyone ask them to (and it seems like an oversight if journalists were to interview them on this, and just take their assertions at face value)?
(And the 'denying the compromise of its own servers' part: had anyone asserted this, or was this just TV's straw man?)
Or is it 'this is a convenient thing for us to believe, so we are believing it... whatcha mean evidence? Of course we don't need evidence. We've got an explanation that suits us.'
Agreed! I was one of the first victims, my home network was broken into via TeamViewer in January, long before the current fuss. I reported it right away, and after the automated acknowledgement it took TWO WEEKS before TeamViewer contacted me to ask for logs - which I provided, and then never heard anything more. I was not impressed.
Did some experimentation last night: me with a Linux box and my father's machine on W7, with the 'use as required' executable. Neither of us has an account at TV.
1/ until the remote end is executed, my end advises me that the remote is unavailable (I have the remote user number from previous sessions)
2/ when the far end wakes up, I get the request for his passcode, delivered by phone
3/ at this point, I can drive his machine
4/ while connected, there are three TV services running in the Windows running program list (I forget what it's called)
5/ after disconnecting and closing the remote end, there is still one TV service running.
6/ trying to kill that service appears to re-spawn it
So what's going on here then? It looks as if there's something running (though my father may well be misreporting!) which isn't announcing availability but doesn't want to go away.
On my Linux box, once the program is stopped, there's nothing left showing in ps -ax
If you want to stop a running service, the correct way to do that is to go into the services control panel (run->services.msc), select the service, and click stop (and change the startup type, if you so desire). Killing the process from task manager is not how it's done. If it still restarts, then you've probably got a teamviewer browser plugin or something like that running that requires it.
People would randomly phone places claiming to be from Microsoft and other organisations, would claim they could tell a person's computer had a virus, and would claim to help them fix it. They would then talk the person through installing LogMeIn or other remote control software, which they would use later to raid bank accounts (they'd already have your credit card details from when you paid them for "helping" you).
I don't recall TV ever being used in this manner at the time however, and from the articles and forums on this current issue it sounds like some other means has been used to get into the computers as many of those hit would not fall for such scams.
There is always a possibility of something like this happening when you leave a remote control server directly accessible from the internet. If you need 24/7 remote control access you should run OpenVPN or a similar VPN server and allow outside connections only through the VPN tunnel.
Ironically, the very technique (hole punching to circumvent routers) that makes Teamviewer faster to set up the normal way makes it more involving to set it up a safer way that allows access only through VPN.
One of the problems is the use by "We are phoning from Microsoft and we have noticed a problem with your computer" scammers. This is not my field but surely they could make it more difficult for the scammers, e.g. have the IP address of any remote access logged by TeamViewer with a block on using anonymising etc. Also a simple warning "Warning if you are using this as a result of an unsolicited call it probably is a scam" that users need to answer with at least three key presses YES to.... I'm sure better brains than mine could improve things a lot.
Last time "Microsoft Support" got me to install TeamViewer I managed to keep them on the phone for over half an hour before they twigged I was on to their scam.
"We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users"
"My goodness gracious!!! We are shocked; shocked, I tell you. Honestly, we had no idea that criminals could use the internet! Why didn't someone tell us about this sooner?!? What is this world coming to?"
I am astounded at the level of accusation leveled at TeamViewer. From where I sit, and I have corporately licensed this product since version 4 and will continue to do so going forward, the only error that TV GmbH has made was to provide free versions that allowed idiots with pathetic password security to commit gross stupidity. After having done so the same fools who used common creds everywhere including in their Browser cached creds to access PayPal and Amazon, used those same creds to access TV configured to start on boot with those creds for remote access.
This is somehow TV's fault? Are you fucking NUTS.
I have many hundreds of end users who have taken up TV's freebie offer and been stupid about how they did it. I don't like the freebie policy, but that's TV's business choice. You could maybe make a case of TV having a sloppy PR department, but putting this responsibility on them is close to accusing a rope manufacturer because some idiot hung himself!