TeamViewer Denies Being Hacked, Blames Users, Introduces New Security Measures (betanews.com)
Mark Wilson writes: In the last couple of weeks there have been a huge number of reports from TeamViewer users that their computers have been hijacked. In addition to this, users of the remote access tool have complained of funds being extracted from PayPal and bank accounts. But TeamViewer insists that there has not been a security breach, instead shifting the blame to users.
The company says [users] are in the habit of reusing the same passwords for a number of apps and services. It suggests that recent high-profile security breaches -- such as the password dumps from MySpace and LinkedIn -- have allowed cyber criminals to learn TeamViewer login credentials.
"We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users," reads the company's statement. But the company will now notify users whenever a new device logs in to a TeamViewer account, and in the future will also require a new password whenever suspicious account activity is detected.
But people are reporting unique, long passwords on their TV accounts being useless. And there is at least one case where a person was able to log in to a PC even through 2FA.
Either this is just a wide configuration error in the TV client made by unknowing users, or someone is lying.
Back in February, I had Team Viewer running 24/7 on an Ubuntu Desktop. I had a "strong" password, using letters, numbers and symbols. I was at a customer site installing a new Asterisk phone system and suddenly I get notifications from Paypal that I'm buying large amounts of virtual currency with NCSoft. It took me all of 5 minutes to realize what was happening and change my Paypal password and in that time, several grand was spent. It took me a week to get it all fixed, which isn't that bad.
Team Viewer Support couldn't care less. I asked why they wouldn't even notify on an account that's never been accessed from outside the country and they had no answers. Now, what could I have done better? Set up Multi-Factor Authentication for Team Viewer and Paypal. So, some of the responsibility is mine. However, I find it very strange that someone could have hacked or guessed that account's password. I asked if they had a breach and they reported that there were no problems, of course. Notification and confirmation of suspicious activity should have been implemented by them a long time ago.
https://www.reddit.com/r/teamviewer
Consider how many people use auto-login for all sorts of things in their web browser. If you can log in to their system as their user, and access their web browser, you will almost certainly be able to access some of their accounts. No amount of teamviewer security can offset user laziness.
The fact that they allow users to download old versions of TeamViewer is half the problem. I entertained a call from someone who was likely Pakistani who asked me to install an old version of TeamViewer from their website. Though I got on Linux and tried to follow their instructions... they didn't know what Linux was. I succeeded in wasting 30 minutes of their time.
The Chrome TV plugin's asinine default is to allow remote access without a password. Add to that that plugin installs are synced, and you could have TV installed on a PC without realising it, defaulting to *allow* remote access.
At least some "stupid-mitigation" could have helped.
Things like two-factor auth (user still uses a stupid password, but also needs a token given by a smartphone app, or received via a 2nd channel).
Or things like public-key authentication (the stupid password is used to unlock a locally stored file with a cryptographic key. The key is only used to sign stuff over the wire).
In both cases, even in the case of a massive leak (e.g. like LinkedIn's recent one) the stolen passwords can't be used alone to impersonate the user's identity.
(Either an extra token would be needed in addition, or a file containing the cryptographic key. Both of which stay in the possession of the end user and never travel the wire.)
But no, companies still continue to recommend "secure" passwords.
(Which can still be mitigated using a decent password manager.)
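To make the two-factor point in the comment above concrete, here is an added example (not TeamViewer's code and not from the original thread) of a login check that requires both a password and a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP with only the Python standard library). The account record, salt and password are constructed for the example; the TOTP seed is the reference seed from RFC 6238 so the codes can be checked against the published test vectors. A password lifted from a third-party dump fails on its own because the seed never leaves the user's authenticator and the server.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


# Constructed sample account. The server stores only a salted password hash and the
# per-user TOTP seed; neither is something an attacker learns from an unrelated breach.
SALT = b"example-salt"                      # constructed; use a random per-user salt in practice
USER = {
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", SALT, 100_000),
    "totp_seed": b"12345678901234567890",   # RFC 6238 reference seed, for a hypothetical account
}


def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, user["password_hash"])


def verify_totp(user: dict, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current time step and +/- `skew` neighbouring steps to tolerate clock drift."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(user["totp_seed"], counter + d).encode(), code.encode())
        for d in range(-skew, skew + 1)
    )


def login(user: dict, password: str, code: Optional[str], now: int) -> bool:
    """Both factors are required: a reused password alone, as from the LinkedIn dump, is useless."""
    if not verify_password(user, password):
        return False
    if code is None or not verify_totp(user, code, now):
        return False
    return True


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the SHA-1 vector for this step is 94287082 -> last 6 digits 287082
    print("password only:", login(USER, "correct horse battery staple", None, now))
    print("password + code:", login(USER, "correct horse battery staple", totp(USER["totp_seed"], now), now))
```

The `skew` window is the one deliberate loosening: a code from the adjacent 30-second step is accepted so a phone whose clock is slightly off still works, which is the usual trade-off in real TOTP deployments. A server that wanted to go further would also remember the last accepted counter and refuse replays of the same code.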
I'm not buying TeamViewer's explanation one bit. I know the individual in this article. He's a fellow security expert with whom I've worked. He's no security slouch, quite the opposite in fact. He caught the attackers in the act (yeah, he got lucky there) and took action as it unfolded before his eyes. TeamViewer has some serious 'splainen to do...
https://securityintelligence.c...
Are there any free (libre) alternatives to TeamViewer?