Rise of the Machines?
Unless there is a huge building with what could only be called an "uncalled-for center" able to commandeer a sizeable number of machines, I suspect the Rise of the Machines has finally begun!
TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company's systems mysteriously fell offline. TeamViewer denies it has been hacked. In the past 24 hours, we've seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote …
Well, sorry to disagree, but I'm guessing it is just humans.
Some criminal enterprises in generally poor countries have warehouses filled with people who do nothing but guess CAPTCHAs, weed through discarded mail, or anything else that's done efficiently by large groups of easily exploitable people.
Sounds pretty bad indeed. If it looks like a breach, smells like a breach, squeals like a breach, then...
Actually I hadn't heard of TeamViewer until this lunch time. A colleague was telling me how useful they found it for sorting out their relatives' PCs, etc. Hopefully they've escaped unharmed...
I was quite tempted to give it the once over, see how good it looked. Funnily enough I'm not quite so keen now...
"how can companies change this lack of knowledge into real know-how?”
http://forums.theregister.co.uk/forum/1/2016/06/01/brits_dont_want_their_homes_to_be_techtastic/
Apparently it's due to your lack of knowledge, can you believe that???...
I disconnected a bunch of Western Digital NAS before really nasty crap started happening (a good thing anyway as they all died within 18 months... Fuck WD)... But with so many downvotes for IoT in every thread... Who's buying this crap? The industry should be on its knees...
There is something far more dangerous than "teamviewer" floating about.
It is called "QQ", yep, that Chinese "conferencing app".
It has the capability to port skip and tunnel through fairly much any security/firewall.
Oh...... and it comes with a "remote control" function, that allows ANYONE to give access to ANY outside users for remote control of their system.
Think disgruntled EX-employees with FULL access to your corporate systems, external software "support" companies, etc.
Likewise here
Do my best to keep the parents out of trouble and used Teamviewer heavily for that purpose.
They reported random activity last week which had them power the machine down double quick and take it to a local PC shop for a once over. No discernible nasties found.
But with this story, suddenly things make a bit more sense. Just been through 15 minutes of torture trying to take them through uninstalling Teamviewer for now.
ARSE!
Firstly, couldn't you have connected via team viewer and uninstalled it? They could just click the OK buttons once you started the process.
Secondly, come on! Install an SSH server on their box, or, better, on yours and get their machine to call yours so they don't need an open firewall. Reverse tunnel! Woo!
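The reverse tunnel suggested above, as an added example that is not from the thread: the relative's box calls out to a relay host you control, and the relay account is locked down so the tunnel key can do nothing else. The host name, account and ports are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: reverse SSH tunnel from a relative's machine to a relay you run.
# Assumed (hypothetical) values: relay host "relay.example.net", a dedicated
# low-privilege account "tunnel" on it, and the relative's sshd on port 22.

RELAY_HOST="relay.example.net"
RELAY_USER="tunnel"
REMOTE_PORT=2222        # port on the relay's loopback that maps back to the relative's sshd
LOCAL_SSHD_PORT=22

# Line for ~tunnel/.ssh/authorized_keys on the relay. "restrict" turns off
# shell/agent/X11/pty; "port-forwarding" re-enables only forwarding, and
# "permitlisten" pins the reverse forward to this one port (OpenSSH >= 7.8).
authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$REMOTE_PORT" "$pubkey"
}

# Command the relative's machine runs (from a systemd unit or cron @reboot).
# -N: no remote shell. -R bound to 127.0.0.1 so the forward is not exposed on
# the relay's public interface. ExitOnForwardFailure makes a failed bind a hard
# error so a supervisor restarts the job; ServerAlive* tears down dead tunnels.
tunnel_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:%s %s@%s' \
        "$REMOTE_PORT" "$LOCAL_SSHD_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# From the relay you then reach the relative's box with:
#   ssh -p 2222 parent@127.0.0.1
# Their own sshd should still be key-only (PasswordAuthentication no), so the
# tunnel gives you a path in but not a password to guess.

if [ "${1:-}" = "run" ]; then
    exec $(tunnel_command)
fi
```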
OpenSSH (and its ilk) isn't exactly free of CVEs either, and enabling X11 forwarding does significantly increase your attack surface. Granted, though, that is a whole different league of (much smaller) risk compared to running TeamViewer on a Windows machine logged in as a user with admin privileges.
"OpenSSH (and its ilk) isn't exactly free of CVEs either ..."
That's surprising. Are you meaning current (e.g. up-to-date) OpenSSH, or just talking about people using older versions?
If you're meaning current OpenSSH, please point out the CVEs applicable to it, as there shouldn't be any:
https://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97
Yes, referring to the past, including the one big remote hole in the past for the OpenBSD base (plus I noticed a binpatch recently for OpenSSH). Just stating the obvious that any remote solution is going to have some security risk. OpenSSH probably still has some zero days today, just like it has had in the past.
There are two simple ways to combat this problem:
i) Only run TV when needed for a remote connection.
ii) Configure TV so that not only do remote connections have to be approved on request, but remote control has to be manually granted as well.
Admittedly these precautions mean TV can't be set up for unattended use, but any software that allows unattended 24x7 access with remote control is going to be a security threat - when, not if.
I've used TeamViewer. A lot. SOP was to lock down the application. Once with password access for remote connection, and second with a different password for config changes to the application itself, and then manual approval by the end user when activated for connection.
TeamViewer is set to all access and no password required by default although it does ask for this during installation, but it's optional. Sounds like someone figured this out and just trawled IPs.
I suspect the same. You can protect your account with a strong password and two-factor authentication, but that doesn't protect the computers, which can be reached without knowing which account, if any, they belong to.
Getting through two-factor authentication that's protecting the account requires the private key, unless the criminals have found a weakness in TeamViewer's site that allows the need for that to be bypassed. I would hope that TeamViewer does not keep a copy of that private key.
Always make sure that no computer can be accessed without a good password, even if your account is compromised. That password should not be known by TeamViewer or anyone else, so should be different to the password protecting the account. Additionally, disallow the use of PINs.
Finally, there's always a possibility of a vulnerability in the software itself, so keep it up-to-date, and don't have it running without a good reason.
That's not correct - TeamViewer always enables a password by default, and it's not possible to connect to another computer without a password. And hackers are not trawling IPs - that wouldn't work anyway, as TeamViewer uses a unique ID, not an IP address, to connect. Trawling IPs wouldn't tell a hacker what your TeamViewer ID was.
The real problem is users who use the same password on their TeamViewer account as on other web services which have had their user data stolen by hackers (e.g. Adobe, etc.). You can use a service like https://haveibeenpwned.com to check if your email address has been stolen from another web site.
"The real problem is users who use the same password on their TeamViewer account as on other web services"
Not sure I see that as a feasible attack vector. How would the attacker be able to marry any of the passwords to the TV I.D.? It's not as if you would use the TV "partner ID" anywhere else, so if someone had found my password because I re-used it on a web site, they would not know what TV host it belonged to.
"Not sure I see that as a feasible attack vector. How would the attacker be able to marry any of the passwords to the TV I.D.?"
We know the mail address, now we know some passwords going with that mail address from hacked web sites.
Try whether one of these works on web-mail for the mail address (everyone has web-mail, right?); if it does work, then request a TV password reset, grab the new login from mail, set the TV profile to what you need, and now log in to the user's computer via TeamViewer?
It's been happening for at least a fortnight - a friend of mine had it happen to him. I know he has a secure password (11 characters, mixed case, symbols) but he noticed in the morning that user X_X_X_X_X_X_X_X_X had connected and transferred files from his computer. I contacted TeamViewer and I received a stock answer about security.
So TeamViewer are still at the first stage of denial.
So much liability for them to dodge, I bet that a crack team of PR consultants are not going to get much sleep tonight; wonder how it'll be spun by the morning.
It's pretty funny that TeamViewer's PR cannot decide at this stage whether to send people to this link:
https://www.teamviewer.com/en/company/press/statement-on-the-appearance-of-the-windows-trojan-backdoor-teamviewer-49
or this one:
https://www.teamviewer.com/en/company/press/statement-on-potential-teamviewer-hackers
Maybe a time out and group hug is in order? Then at least get a story to stick to.
"If I was a network enterprise admin though I would probably be looking for outbound connections to TeamViewer's servers and blocking those for now...."
Probably just as well you aren't then - outbound connections to TV's servers are the only sort permitted by our approved enterprise setup.
It's not as if nobody ever used a DDoS to hide some other attack. In fact it's been the modus operandi for multiple well-known groups in well-documented attacks for some time now. The fact TV don't know this concerns me greatly.
They might genuinely not know; personally it feels like they need to revoke a lot of creds here. I just revoked all the auth for all the systems I have TV installed on but a lot of people might not be aware of the risk.