If you value convenience over security when using Remote Desktop, VNC, TeamViewer, LogMeIn, etc...
They all become Remote Access Trojans.
Beleaguered remote support tool maker TeamViewer has apologized for blaming its customers for the recent spree of PC and Mac hijackings. While TeamViewer maintains there was "no hack" on its end, public relations head Axel Schmidt told El Reg that the software house was sorry it used the term "careless" to describe folks who …
The biggest problem with this kind of service is that it's centralized! I used to run Timbuktu directly to my home Mac without problems, other than some curious hackers from net 58 (China) knocking on my ssh port. When I remapped the port to something other than 22, like 9122, those visits all but stopped. So, remap the connecting port, use a direct service, not a web-app distributed one that is easily compromised, set up strong authentication, and you'll be fine. Stop being frightened of a little access and understand what you are setting up, or don't set the fucking thing up.
At least with VNC & Remote Desktop they are not based on a centralised (or cloud) service as a single or common point of attack. (Okay VNC needs extra security on top, plus it's a poor protocol).
I generally refuse to install third-party clients if I'm asked if I can use them. LogMeIn especially, as it's hard to get rid of all traces of when uninstalling. To me it's a Trojan or at least malware in that it gets its hooks into things it shouldn't.
If all that's needed is remote access, I use Remote Desktop (via VPN). If it's desktop sharing for a meeting, Skype for Business will do.
From a Windows point of view, anything else is just duplicating what is already built in or available as a standard part of Windows or Office.
"Finally, TeamViewer wants customers who were breached to get in touch with it and upload their log files."
What a wonderful idea! Then TV can hold a central repository of info, coded to individual users, allowing access to things such as login times, usage statistics etc., so that (with a little bit of data trawling for stats etc.) when the next data breach occurs the badhats will be able to disguise their efforts more effectively.
What could possibly go wrong?
If they wanted any of the information that you're claiming they're after, they could actually analyse their own log files. When you log in to TeamViewer, where do you think your credentials are sent to (for verification)? When you establish a remote connection, which service do you think tells computer A the IP address of computer B (and in some cases actually provides a relay for the connection)?
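The reply above points out that the broker sees every login and every connection set-up, so it can analyse its own logs. As an added example (not from the thread and not TeamViewer's code or log format), here is what the two obvious checks look like over a handful of constructed login records in a made-up format: a single source address authenticating to many distinct accounts within minutes, which is the signature of a credential-stuffing run, and a successful login from a country an account has never used before. The thresholds, the log format and the per-account country baseline are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed login records in a made-up format. TeamViewer's real log
# format is not known to this example; only the shape of the analysis matters.
SAMPLE_LOG = """\
2016-06-01T02:14:07Z login ok account=alice@example.com src=198.51.100.7 country=CN
2016-06-01T02:14:09Z login ok account=bob@example.com src=198.51.100.7 country=CN
2016-06-01T02:14:12Z login fail account=carol@example.com src=198.51.100.7 country=CN
2016-06-01T02:14:15Z login ok account=dave@example.com src=198.51.100.7 country=CN
2016-06-01T02:14:20Z login ok account=erin@example.com src=198.51.100.7 country=CN
2016-06-01T08:30:00Z login ok account=alice@example.com src=203.0.113.9 country=GB
2016-06-01T09:02:11Z login ok account=frank@example.com src=192.0.2.44 country=US
"""

# Constructed baseline: countries each account had logged in from before this day.
BASELINE: Dict[str, Set[str]] = {
    "alice@example.com": {"GB"}, "bob@example.com": {"GB"}, "carol@example.com": {"DE"},
    "dave@example.com": {"US"}, "erin@example.com": {"US"}, "frank@example.com": {"US"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\S+)$"
)


def parse(log: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def stuffing_sources(events: List[dict], min_accounts: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> Dict[str, Set[str]]:
    """Source IPs that touch >= min_accounts distinct accounts inside one window.

    Failed attempts count as well: a stuffing run produces plenty of them
    next to its successes, and the volume is the signal."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged: Dict[str, Set[str]] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, set()
        for i, ev in enumerate(evs):          # sliding window over sorted events
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:i + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[src] = best
    return flagged


def new_country_logins(events: List[dict], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful logins from a country the account had never used before."""
    return sorted(
        (ev["account"], ev["country"])
        for ev in events
        if ev["result"] == "ok" and ev["country"] not in baseline.get(ev["account"], set())
    )


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, accounts in stuffing_sources(evs).items():
        print(f"possible credential stuffing from {src}: {sorted(accounts)}")
    for account, country in new_country_logins(evs, BASELINE):
        print(f"{account}: first-ever login from {country}")
```

Either rule alone is noisy (a corporate NAT address legitimately fronts many accounts; people travel); the two together, on the same source and the same minute, are what an operator would page on.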
"What we intended to make clear is when you use a tool like TeamViewer you need to take extra care"
Because we certainly did not when we developed our security model or when we deployed our security measures. At this point we want to make it clear that all of the risk resided with you, our beloved users. Please review our hastily rewritten EULA and Terms of Service and click agree about fifty pages below the artfully hidden binding arbitration clause.
A significant number of customers have claimed to be compromised, but they represent an incredibly small portion of our total customers.
An incredibly large number of our customers have been had, probably twice as many have been had and do not know it. The good news is those numbers represent a small percentage of the total number of downloads of our software product since we released v1.0
We want those customers who have been breached to send us their log files, in particular if they were using 2FA.
We would desperately like our customers to send us their log files because ours are incomplete or not properly configured and we really want to know what kind of evidence will be presented against us in the inevitable legal battles to come. There is no way the attorneys will pass that information on once the lawsuits are filed, so be a dear and send that information straight away.
In Microsoft's desperation to get people onto Windows 10, maybe that'll be their next tactic: Ring people claiming they have a problem, get them to install TeamViewer so they can remotely access the computer, then "fix" it by installing Windows 10.
Well, they've tried malware tactics, may as well move on to telephone scammer tactics next.
There are plenty of lessons available for that.
There are also plenty of users who do not heed the message - or maybe even haven't heard the message, ensuring that plenty more examples will undoubtedly be available in the future.
Rinse and repeat for the duration of the human civilization.
It's not quite like password reuse and massive website credential breaches are a new phenomenon.
If even our Overlord the Zuck uses a really dumb password, repeatedly, then a software vendor that operates in as sensitive a context as TV should have taken a long, hard look at what could go wrong on the user end and planned accordingly.
Blaming the users isn't good PR and in this case user failure of this type should have been anticipated and planned for. Even at the cost of less easy to use processes - a hostile remote logon is just too nasty to risk allowing on anything but the most extreme and unlikely user security mistakes (like telling someone your login credentials outright and then confirming you accept their connection).
IMHO they pretty much deserve their Ashley Madison moment. And hopefully other vendors will learn from it.
If you made your Teamviewer password the same as your Myspace/linkedin/fakebook/gmail/etc password, I'd use a much more colorful adjective than "careless" to describe you.
In fact, if you think that's a peachy thing to do, perhaps you should not even be using teamviewer at all.
You can't be trusted with it.
>I'd use a much more colorful adjective than "careless"
You are preaching to the converted. However, you misunderstood what I was saying.
Far as I understand, TV can be set up to allow remote connections over the internet. Those connections a) do not require TV to be manually started on the user's computer and b) do not require confirmation by the user that she accepts a connection.
Ease of use.
But, given that folks have repeatedly shown that they love 1234 as passwords, then, by default at least, another layer of protection on the user's computer should have been the need for manual user intervention to allow the TV connection to take place, at the time of the session being initialized. I think this is precisely what another poster mentioned wrt this hack - TV can be set up quite securely, it's just not its default mode.
(when I installed something similar on my work machine, the first thing I did was to set it up as launch-on-demand, not as a background service)
I assume (hope) TV had other safeguards in addition to a password, but were they 120% guaranteed never to fail? Apparently not.
Basically, don't trust your users to have good password habits - you know some won't. And you know that they will reuse their passwords. That's just the way it is. Run an attack tree scenario with more than 100 users and see if you don't get a fail on some of them.
Now, of course, that may come across as unfair to us poor IT folks. But what is now the risk to TV, the company, business because they assumed users would know better? This is not a Sony PSN account that they were protecting, and trust was TV's main business asset.
2FA is the way to go and it should be the default rather than an opt in.
Yesterday, with mixed feelings, I switched from 2FA via google authenticator on my phone to 2FA via a code sent to my email address.
The service in question doesn't seem to have any plan in place for the scenario where I lose my phone.
No single use backup codes for example.
They also don't offer 2FA via SMS.
So now the security of the 2FA is reliant on the 2FA of my email which is SMS based.
I guess that's OK but it doesn't seem ideal somehow.
A lot of companies that should know better are using this for remote support of all kinds of industrial systems too, but for me the red flag has always been the 3rd-party that the traffic goes through. No matter what their reputation, it's one thing you just can't control, whether or not the recent hack was due to TeamViewer being lax.
If you have configured VNC, RDP, etc. correctly, it should be reasonably secure, as it is point-to-point with no "man in the middle." But when you take the extraordinary measures of involving a relay hosted by parties unknown for the convenience of working around NAT, company firewalls, proxies, etc., you kind of end up getting what you get.
Perhaps the biggest shame is how much of our time in IT work, and everyone's personal lives for that matter, is dedicated to locking down everything and then having to work with these restrictions. It makes me really miss the naive frontier days of the late 70s and early 80s with everything being open and free.
My suspicion is that Teamviewer is getting more of the blame than it is due here.
What seems to have happened is that people have registered on e.g. LinkedIn using the same email and password combination as they use on teamviewer.
Once the password hashes on LinkedIn were cracked this opened up god knows how many teamviewer accounts.
When you log in to a teamviewer account you have a list of all partner computers with the ones that are ready to receive a connection clearly indicated. Then it's just down to whether a partner computer's teamviewer password was stored as part of its credentials in your account.
I am not the greatest when it comes to taking precautions, I trust some providers way too much for example, but I find the carelessness of many people shocking. I know people who have used the same short passwords for years and when I pull them up on it they laugh and tell me I'm paranoid.
If by the service in question you mean teamviewer then yep they do. When you enable it you get a recovery key:
"If you lose access to your mobile device or to the authenticator app on your device, the recovery key is your last resort to deactivate two-factor authentication. The recovery key allows you to login again with your email and password. The recovery key is very powerful as it allows you to deactivate two-factor authentication. Therefore, it must be kept in a secure place. Consider printing more than one copy in case one copy gets lost or destroyed. Do not send the recovery key unencrypted via email since this could give an unauthorized user access to it. After deactivating two-factor authentication with the recovery code, you can always reactivate two-factor authentication for your user."
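The earlier post that switched away from an authenticator app because the service offered no single-use backup codes, and the reply above quoting TeamViewer's recovery-key text, both come down to the same server-side design: a TOTP secret plus some out-of-band way to get in when the phone is gone. As an added example (not code from the thread or from TeamViewer), here is that design in plain Python with only the standard library: RFC 4226 HOTP / RFC 6238 TOTP verification with a small clock window and replay protection, and a batch of single-use backup codes stored only as hashes and deleted on use. The code lengths, window size and storage layout are choices of the example, not anything the page states about TeamViewer.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slot."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


class SecondFactor:
    """Server-side 2FA state for one user: a TOTP secret plus single-use
    backup codes that are stored only as hashes."""

    STEP = 30

    def __init__(self, totp_secret: bytes, n_backup: int = 8):
        self.secret = totp_secret
        self._last_counter = -1  # highest TOTP slot already accepted
        # Backup codes are 40 random bits each. Because they are random and
        # high-entropy, a plain SHA-256 is an acceptable store for them.
        # They are kept in plaintext on the object only so this demo can hand
        # them to the user; a real server shows them once and keeps the hashes.
        self.backup_codes: List[str] = [secrets.token_hex(5) for _ in range(n_backup)]
        self._backup_hashes: Set[str] = {self._h(c) for c in self.backup_codes}

    @staticmethod
    def _h(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def verify_totp(self, code: str, now: Optional[float] = None) -> bool:
        """Accept the current slot or one either side, never a slot already used."""
        now = time.time() if now is None else now
        current = int(now // self.STEP)
        for counter in (current - 1, current, current + 1):
            if counter <= self._last_counter:
                continue  # replay of an already-consumed slot
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self._last_counter = counter
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Each backup code works exactly once; it is deleted on use."""
        h = self._h(code)
        if h in self._backup_hashes:
            self._backup_hashes.discard(h)
            return True
        return False

    def remaining_backup_codes(self) -> int:
        return len(self._backup_hashes)

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        """Second-factor check: a live TOTP code or an unused backup code."""
        return self.verify_totp(code, now) or self.verify_backup(code)


if __name__ == "__main__":
    key = secrets.token_bytes(20)
    sf = SecondFactor(key)
    print("backup codes to print and store offline:", sf.backup_codes)
    print("live code accepted:", sf.verify(totp(key)))
    print("same code again (replay):", sf.verify(totp(key)))
    print("backup code accepted:", sf.verify(sf.backup_codes[0]))
    print("same backup code again:", sf.verify(sf.backup_codes[0]))
```

A recovery key of the kind quoted above is a different object from a backup code: a backup code is one more second factor, consumed on use, while a recovery key switches the second factor off entirely, which is why the quoted text is so insistent that it be kept offline and never mailed in clear.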
TeamViewer is trying to focus our attention on the idea that passwords shouldn't be re-used, and let the reports of attacks with 2FA die in a corner. Before following TeamViewer's advice to blame users, read the actual user reports. Reddit has quite a few.
For example: https://www.reddit.com/r/homelab/comments/4m5gn7/psa_teamviewer_compromised_by_possible/?ref=search_posts
You're missing the entire point, and Team Viewer, I've ended my use of your software completely. We're not supposed to know all this stuff. People just want a tool that works. I use passwords with e-mail, and bank accounts all the time, and have never been breached. So how in THEE world would I know to use some two-tiered password? In fact, after the fact, I still don't even know what you're talking (writing) about. Yes, it's nice if the other posters here understand this, and are really tech savvy, but I'd bet many, many of your users aren't. So Team Viewer, you BLAME US, for your lack of protocol in setting up safety precautions and walking us through it? Again, GREAT if certain users know this computer stuff, but I'd bet that a vast number of your users just signed up for Team Viewer trusting that you had a secure system in place; the same as when we sign up for our online banking, or Paypal, or some e-mail provider. Then we put in a good, secure password, and we begin using the service. In my WILDEST imaginings I would never have expected some company, having had a hacker breach, to then blame me for putting in a secure password. Have you all gone brain dead? This is what end users do. We sign up, create a password, and then use the service. That's what's expected of us, and the service, in this case Team Viewer, is supposed to keep the service safe from hackers. My heart goes out to providers like you when you DO have a hacking scenario, but NOT if you're going to in turn blame ME for using your service. Thus, we're DONE with Team Viewer. Not going to take the blame for your service being hacked, whether it was at your end or my end. Those two-tier systems should have been in place, and you need to COMPLETELY apologize to your customers, and NOT tainted with the distinct undertone of, "But you should have changed your password", or whatever rhetoric you're spreading.
If people's money has been stolen in part or all due to your service, make restitution, and stop skirting the point.
We're done with you.
I would say "careless" was being polite.
If they were using their teamviewer password elsewhere then they are utter morons and should not be allowed to have remote access or be providing remote support to anyone. And the scary thing is that a lot of these people are so-called IT support people. My wife had a guy like that providing the support for her employer; she was more competent than he was. He used the same password for every system, for every client. And for the clients themselves, he set their passwords to be the same as the username but with an uppercase first letter.
Any IT competent person knows that sites get hacked all the time, and this is why you do not use the same password twice.
There is no excuse for this kind of incompetence or laziness these days with apps like LastPass or Dashlane to make it easy to deal with unique passwords.