TeamViewer denies hack after PCs hijacked, PayPal accounts drained (theregister.co.uk)
135 points by TheGuyWhoCodes on June 2, 2016 | 99 comments



Here's the thing: it simply isn't possible that TeamViewer has done a thorough security audit in such a short amount of time. That means their claims of "no breach" are knee-jerk reactions, not truthful statements.

A company that has such a reaction is more likely to suffer a breach IMHO because it demonstrates a lack of knowledge, care, or both. If they were smarter they'd say they aren't aware of anything but have launched an investigation and will report back when it is complete.

So I'm going to assume they have been hacked until someone proves otherwise.


RIP TeamViewer. Unless they are extremely explicit with what happened and how it won't happen again, any user who hears about this is going to lose all trust in TeamViewer.


Their response has already lost my trust.

Hope they realize they may have just sealed their own graves with their flippant handling of these claims.


Except if what happened was password reuse


It wasn't, people even had 2fa.


xenadu02: you couldn't have said it better.

I must admit, I didn't add much weight to the opinions of the vast majority on Reddit. It's less of an IT-savvy hub today than it has been in the past and I /wanted/ to believe that the issue was simple reused passwords.

But from the claims made here in Hacker News (whose opinion carries much more weight than the Reddit noise), in addition to the handful of claims where logs have been presented and users have confirmed use of MFA and complex passwords, I've sincere doubts about the credibility of TeamViewer's very, very quick security audit.

Edit: double copy pasta.


>Here's the thing: it simply isn't possible that TeamViewer has done a thorough security audit in such a short amount of time. That means their claims of "no breach" are knee-jerk reactions, not truthful statements.

What makes you believe they've got any real reason to conduct a security audit? Just because some randoms on reddit said that they got hacked?

For all we know TV knows exactly what's going on here.


Why don't you read other people's replies like that of lazzlazzlazz? You posted well after he posted his. Then you would not have to ask embarrassingly stupid rhetorical questions.


You might want to re-read dang's (he's a moderator btw) comment to you here: https://news.ycombinator.com/item?id=11839799

You don't need that last sentence.


Perhaps lazzlazzlazz simply said nothing relevant?

Also, that kind of language can result in some very real consequences.


I got hit by this. I had an incredibly long, TeamViewer-specific password, and a family member happened to witness (what was likely a bot) incredibly quickly open Chrome, go to PayPal, log in using saved credentials, check the settings page, and then pay an invoice that had been generated moments after viewing the settings page.

TeamViewer has definitely been compromised, and reddit.com/r/teamviewer is replete with reports.


Why did you let Chrome save your paypal password? Doesn't that guarantee that anyone can empty your paypal account if they steal your computer?


Not if you have full disk encryption. Of course they could try a cold boot attack if the computer was found on, but normal criminals don't have that expertise.


Convenience. It was a mistake that I've since reverted. I'll probably switch to a password manager that requires a master password to unlock domain-specific passwords.


I use PayPal only about once or twice a year (try to avoid it if at all possible) and my security routine is to totally close the PayPal account again afterwards.


Why would you care? You can call in and reverse the payment in minutes.


Yes, I just had a look at paypal's user agreement, and this does seem to be the case. That begs the question - why are the hackers even bothering to do this, if all their transactions will be cancelled? Are they hoping that a small % of their victims won't notice the fraudulent transactions?


Most paypal fraud, like credit card fraud happens at a very small scale. A fraudster pays $50 for 50 accounts and then spends a day with them and maybe walks out with $300.

The guy selling the accounts sells hundreds of thousands of them, and obviously doesn't get involved in the fraud itself.

This is why this whole thing is so strange, there's a bunch of people claiming that someone hacked teamviewer and is now using that access for petty paypal fraud instead of targeting the tens (if not hundreds) of thousands of PoS systems teamviewer is used to manage.

>Are they hoping that a small % of their victims won't notice the fraudulent transactions?

No, they certainly don't care if the payments get charged back or not. If they try to send money to their own account, it'll be suspended before they can actually withdraw it out of PayPal.

Instead in this case they seem to be trying to buy itunes gift cards, undoubtedly with the intent to sell them (on sites such as g2a.com) before they get cancelled.


Perhaps targeting a PoS system involves the Secret Service?


If you're doing this then you probably aren't too worried about the secret service.


Easier to script perhaps?


It's a very different process challenging credit-card-funded payments vs. those funded by bank account or funds already in the Paypal account. The former is easy, and you have two levels of challenge (via Paypal and via the credit card issuer).


On PPs end challenging them will be all the same, and generally you'll win the dispute instantly by calling them.

However of course bank funded payments will have some delays. Letting things pull money from your bank account like that is a terrible practice, and people should know better.


Have you actually pursued this process for payments funded by balance or bank transfer beyond a week or so after the charge?

I have.

It's fine if the recipient's account is still active and they successfully get the money back from their deposits or linked account. But in deliberate fraud cases, their only recourse would be to refund you out of their own pocket. Paypal has no incentive to do so. Once the money is beyond their reach (e.g. withdrawn via debit card or transferred to an outside account which is then closed), they will not help, in my experience.

Even if you fund via a credit card, if the payment recipient is beyond their reach, they make you jump through numerous fake loopholes (in one case I had, they claimed they had proof of delivery... and gave tracking data for an item shipped from the wrong state and shipped to a location 2000+ miles from me and to another name). I then contested the charge via my card issuer; the phone rep said that this happens often.

I say this as a user from the year they started business (back when they paid a $5 bounty to sign up) and with over 50,000 Paypal transactions.


Best to use LastPass (or equivalent) and require your master password to use the Paypal account.

Having to reverse the payment is likely not "minutes" when talking to any customer service org.


I've been on the phone with PayPal on far too many occasions, and they definitely know how to handle these issues quick.

Although, you wouldn't even really have to call them. You can dispute the charges with like two clicks on your account page. It's just that if you call them, they can instantly settle the dispute in your favor.


I got hit as well, along with a family member's computer who was logged into my account. They hit up amazon and PayPal on the other computer due to saved passwords.


I got hit with this too. TeamViewer showed incoming connections from Taipei & Guangzhou. What I'm interested in figuring out is how sophisticated the attackers were. I immediately took the breached machine offline & plan on scanning it for negligees etc. I called TeamViewer & their response neither acknowledged nor denied the hack. They simply asked me to report to local authorities & promised that they'd be cooperative with lots/etc.


Why do you have remote access set up to a computer that has unencrypted credentials stored on it?


Because it's useful? Tons of people have ssh set up to their servers. Many of those servers might contain api keys for various services. Same thing.


Two factor authentication is the way to go to mitigate these kinds of attacks.


Do you have the randomly generated password disabled?


Nah, you got hit by some malware that grabbed your teamviewer credentials.


If so it must have been an extremely widespread malware because tons of people have been reporting the same thing.


Not really, "tons" in this case isn't even hundreds.


Not everyone affected is going to post on reddit. There are plenty of tech-illiterate victims who don't even know something is wrong.


I'm aware. But even tens of thousands of affected people wouldn't qualify as "an extremely widespread malware".

If you spin up an exploit pack and can't get 50k hits in a day you're clueless and should consider a career outside of cybercrime.


It may well be a legitimate hack of TV but from a very small pool of thieves.


To expand on this further, most (i.e. not all) of the reddit reports are meaningless as on any given day there's going to be tens of thousands of examples of this kind of fraud.

Unless the reporters have some specific evidence that teamviewer is at fault, it's overwhelmingly likely that many of them were hit by some totally unrelated fraud.


Well it's related to Teamviewer for sure, because it shows up in the people's Teamviewer connection logs. Yeah it could be other malware that is stealing the Teamviewer credentials from their computer. But that seems like more work than necessary, because only a few percent of people have teamviewer installed and running, and they could attack everyone by having the malware install their own remote access service.

This person formatted the drive a week ago and only had a few things installed. https://www.reddit.com/r/teamviewer/comments/4jr9qn/hacked_t...


Shame on TeamViewer for not coming clean. I doubt they will survive the reputational damage.

The hacking itself should not be surprising. Roughly 99.99% of human beings -- including the vast majority of software developers -- have NO IDEA how to secure a computing device, let alone one that can be accessed remotely by regular people. It's kind of incredible that this type of attack doesn't happen more frequently.

The post-mortem should be quite interesting.


There is still no real proof they got hacked either. Too early to assume this. Could be just people trying user IDs and passwords from one of the recent breaches.


That wouldn't explain people who used teamviewer-specific passwords (see comments here, for example).


I haven't had time to follow this as much today (after spending last night either uninstalling TeamViewer or remotely disabling the TeamViewer service on a bunch of systems), but what I was reading yesterday seemed like everyone hit was using a registered account instead of just direct connections using codes. That makes me think that perhaps something's compromised some of their account information (manageable through the website, etc.) rather than the remote control infrastructure itself.


From looking at the Reddit "master thread", everybody reporting they were hacked reports 2FA disabled. Everybody reporting no hack reports 2FA enabled.

Sounds like reused passwords!


TFA has 2FA hacks:

"They remote connected in at 5AM MT, went into my Chrome and used my PayPal to buy about $3k worth of gift cards. And yes, I had two-factor authentication."


How could that even be possible? Short of PayPal having a hole in their 2FA implementation, it's very difficult for me to imagine how this could happen.

I mean, unless the hackers logged in, left the 2FA prompt up and then a user completed the 2FA exchange, but that would be a foolish thing to do anyway...

edit: thanks for the answers; makes sense!


I'm guessing 2FA here refers to TeamViewer's 2FA, not PayPal's 2FA.


> thanks for the answers; makes sense!

How is it easier to break Teamviewer's 2FA implementation than PayPal's?


Yeah, sorry, that was confusing. I don't really agree with the comments saying that the comment was referring to TV's 2FA. I agree with fapjacks/ryanlol's comments.

I (think I) now understand why "and my PayPal has 2FA enabled" points to TV being compromised -- If the PayPal account has 2FA active, and they were still "hacked", then it points to an existing session being hijacked. And a probable cause of that would be a compromised TV session.

So it's not necessarily an indication that TV's 2FA was compromised, but rather that TV was compromised in general, allowing the hacker to hijack TV sessions. (I'm imagining that the TV 2FA happens on their central server, and not on the actual server daemon running on the target remote machine... so if the central server was compromised...)

edit: Obviously this is entirely speculative, I don't know any of what's going down, but it resolves my initial curiosity.


Presumably the 2fa is just for the login, and the user would already be logged into paypal on their computer.

Your paypal account getting hacked isn't a Big Deal, you aren't going to lose any money over it. In fact, managing that is paypal's entire business model.


This is referring to TeamViewer's 2FA, not Paypal's 2FA


That little "remember me for 30 days" checkbox.


I believe they were saying that they have 2FA on TeamViewer, not on PayPal.


If true, it points to a true compromise of TV servers, not just bruteforce with email/password dumps.


On paypal or TV? Needs clarification.


TFA also has:

Yet, we've heard from people who have used passwords unique to TeamViewer, who have enabled two-factor authentication, and have found no malware on their computers, losing control of their systems in the past few days via TeamViewer.

Apparently TV disagrees, but in this case I'm inclined to believe their unfortunate users.


Tons of people in the reddit thread claimed they never used their Teamviewer password for anything else. If Teamviewer's password database was compromised, that could be one example of a way to explain this.


A couple of years ago I was looking for a remote control app to remote-multibox a couple of PCs for some online game.

I found it a bit odd that every search (including for competing products) brought me to TeamViewer, that all the formerly available alternatives (like *VNC) were defunct or pay-only, and that TeamViewer was not just free but rather aggressively offered. Call me paranoid, but I thought "someone wants to make sure there's a TeamViewer on every box in the world, and is willing to pay for slick, aggressive marketing and to eat the costs of product development and marketing to see to it."

My (otherwise completely unfounded) guess was that a major intelligence agency, maybe the NSA, was behind all that. I used TV for a few days but ditched it at my earliest opportunity. It just felt too creepy for me to trust it.

So now, maybe, I was right for the wrong reasons. Or not. (shrug)


"someone wants to make sure there's a TeamViewer on every box in the world, and is willing to pay for slick, aggressive marketing and to eat the costs of product development and marketing to see to it."

That would be the teamviewer company. Surprisingly often companies want their product on every desktop, and are willing to eat the marketing and development costs to make it happen.


It seems kind of insane to me to trust any 3rd party with full access to your machine.


Really, everyone with any software with administrative rights that has an auto-update feature does it. These days, that's... Windows, Chrome, dozens of other applications with a huge market share.

At least with TeamViewer, it is manual update only, and remote users only have the same permissions and visibility as a desktop user. When you access a locked Windows PC over TeamViewer, you get the Windows login screen. You only have the level of permissions your computer is allowing the user you log in as.

If you lock your PC when you aren't at it, and your password is decent, you haven't a huge security problem with TeamViewer. Arguably, less of one than many other pieces of software that can make administrative-level changes to your PC without your knowledge or permission.


Alternatives to TeamViewer?


VNC. It requires some manual setup (a server as well as clients), but it is free (as in freedom) software, so unlike TeamViewer there are no restrictions on how you use it.

I use Debian GNU+Linux, where TightVNC is one of the best options, and it has worked great for professional pair programming.

Digital Ocean did a great article on how to get set up: https://www.digitalocean.com/community/tutorials/how-to-set-...


Yes but that does you very little good when you need to provide remote tech support to your parents. VNC doesn't help you forward ports through router firewalls or provide dyndns so you can actually find the IP address of the computer you installed it on.


If you have a forward on your firewall, you can tell the remote party "right-click on the VNC icon in the lower right, add new client, and punch in $MY_IP_ADDRESS" Their VNC service will connect to your VNC viewer.

You can also script it - I have a Cygwin service that I made that checks a website for a command to trigger a reverse VNC connection.


Doesn't work when your family is behind double NAT.


Why wouldn't it? It only relies on the ability to create a single outbound TCP connection; surely double NAT doesn't impede that?

If both parties are double NAT, then sure, you have a problem, but aside from that; as long as the party you are connecting to doesn't -- it should work fine as described.


Check out Jump Desktop: https://jumpdesktop.com. It has a zero setup client that you can install - no need to port forward etc, works across firewalls and easy enough for your parents to install. It's secure - we use WebRTC underneath the covers (connections are encrypted end-to-end). It has iOS, Android, Mac and PC clients. We're also beta testing a free PC to PC+Mac version here: https://support.jumpdesktop.com/entries/109741706-Jump-Deskt...

If you have any questions about security feel free to ask.


How do I know that you can't access the host or client computers?


We've tried to make sure the host and clients don't completely trust our cloud servers. For example the "Jump Desktop Connect" app on the host always requires credentials for a valid local account on the computer before it allows incoming connections through. It won't let accounts with blank passwords through. Also the credential transfer always happens over an end-to-end encrypted connection between the two devices - which means our cloud servers don't get to see or have access to your local computer's creds. This way, if someone gets a hold of your Jump Desktop account, they won't be able to get through unless they also know your local computer's creds.

Another way we protect hosts is by not allowing random hosts and clients to communicate with each other unless you've given explicit permission to each host/client. This means that Bob can't load up the Jump Desktop client and try to randomly brute force Alice's local account password by trying to connect repeatedly. The cloud server will drop Bob's connection requests to Alice unless Alice has explicitly given Bob permission to connect.

The above applies to our zero setup app, Jump Desktop Connect. Jump Desktop is also a full blown RDP and VNC client (with SSH support) - so you don't really have to use the Jump Desktop Connect app if you don't want to. You can use traditional RDP / VNC-over-SSH to establish secure connections as well.


Do you have a system to block, mitigate or monitor for "strange" IP blocks accessing systems they've never accessed before? It's a great idea if not. We have, unfortunately, had to do this in webhosting/billing for a long time due to the amount of fraud from specific blocks.

Not as dynamic, but for instance LastPass will allow you to blacklist or whitelist entire country IP blocks. A system that also monitors (on your end, or maybe alerts the customer) that their machine in Kansas all of a sudden has multiple IPs from China/whatever accessing it (on your end seeing this globally through the network as well) would be great to mitigate events like this. If you go on vacation, you can remove the block.

So far every report I've seen has been Guangzhao/Yangzhao in the access reports. Could easily, easily nip that in the bud. Obviously other proxies could be used but something like a remote access system is something people should be locking down tightly.
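The monitoring idea in the comment above, sketched as an added example that is not part of the original thread or any vendor's code: learn which countries each host is normally reached from, then flag sessions from any other origin unless the owner has temporarily allowed it (the vacation case). The log format, host names and the CIDR-to-country table are constructed assumptions; a real deployment would use a GeoIP or ASN database.

```python
import ipaddress
from collections import defaultdict

# Constructed CIDR-to-country table built from RFC 5737 documentation
# ranges. Stand-in for a real GeoIP/ASN lookup (assumption).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
]

# Constructed session log, one line per inbound remote-control session:
# "<ISO timestamp> <host id> <source IP>"
SAMPLE_LOG = """\
2016-05-20T18:02:11 host-kansas 192.0.2.10
2016-05-22T09:15:40 host-kansas 192.0.2.10
2016-05-25T20:44:03 host-kansas 198.51.100.7
2016-06-01T05:01:27 host-kansas 203.0.113.55
2016-06-01T05:03:02 host-kansas 203.0.113.90
2016-05-28T12:00:00 host-office 203.0.113.20
2016-06-01T12:30:00 host-office 203.0.113.21
2016-06-02T08:00:00 host-office 10.9.9.9
"""


def country_of(ip_text):
    """Map a source IP to a country code; unmapped sources become '??'."""
    ip = ipaddress.ip_address(ip_text)
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return "??"  # unknown origin is never part of a baseline


def parse(log_text):
    """Yield (timestamp, host, source_ip) tuples from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, src = line.split()
            yield ts, host, src


def find_unfamiliar_origins(log_text, baseline_until, allowed=None):
    """Return sessions whose origin country the host has never seen.

    Sessions before `baseline_until` build each host's set of familiar
    countries. Later sessions alert unless the country is familiar or is
    listed in `allowed[host]` (a temporary, owner-granted exception).
    A flagged country is NOT learned automatically: repeat sessions keep
    alerting until someone approves the origin.
    """
    allowed = allowed or {}
    known = defaultdict(set)
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as plain strings.
    for ts, host, src in sorted(parse(log_text)):
        country = country_of(src)
        if ts < baseline_until:
            known[host].add(country)
            continue
        if country in known[host] or country in allowed.get(host, ()):
            continue
        alerts.append((ts, host, src, country))
    return alerts


if __name__ == "__main__":
    for alert in find_unfamiliar_origins(SAMPLE_LOG, "2016-06-01T00:00:00"):
        print("unfamiliar origin:", *alert)
```

The same function can back a hard block instead of an alert; the choice is policy, not detection logic.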


I like the demo video, but if it is tied to the play store (can't even download it direct from you) or I have to login to an unknown server such as jumpdesktop, never gonna happen my friend.


Chrome Remote Desktop [1] from Google.

[1] https://chrome.google.com/webstore/detail/chrome-remote-desk...


Has anyone done any security analysis of this? I use it but after this TeamViewer debacle I'm a little nervous.

I have a certain amount of trust in Google but their Remote Desktop product feels like something that could plausibly be internally understaffed.


If you're using Chrome, I've had good luck with Chrome Remote Desktop.


This is a partial list I posted on a site for IT techs, so it's geared toward the use of these packages for remote support more than for remote access. The packages in question are the ones most often mentioned on that and a few other sites.

A couple others that were mentioned were UltraVNC and IMPCRemote, both VNC-based. There are also many other VNC-based options available as well (e.g. Fog Creek Copilot), but I'm not aware of any that have performance that I'd consider acceptable.

------------------

* Ammyy - Tool of scammers everywhere, DO NOT USE

* Splashtop - inexpensive, no-frills. Options for unattended, resellable unattended, and attended/client-initiated but all are separate products. Annual pricing, but cheap. Hosted by them.

* Instant Housecall - active with forums and podcasts as well, includes toolkit based on D7. Subscription, $30/40/75/month. Hosted by them.

* ScreenConnect - former local darling until bought by ConnectWise/LabTech which raised prices. Subscription, $50/month annual, cheaper options available with fewer features. Hosted by them unless you're spending $2200+. Has (had?) active forums and many scripts you could add in for cleaning, etc.

* Simple-Help - pricing similar to ScreenConnect's old pricing ($320/year + 20% annual maint). Self-hosted by you. Discounts may be available including links from here back when ScreenConnect raised their prices. For an extra 50% you get remote monitoring and some tools but I have no experience with them. Never as actively developed as ScreenConnect. If the RMM features are good enough it's surprisingly affordable (under $1/month per endpoint the first year, $0.20/month per endpoint after that, all in blocks of 40 endpoints)

* MSPAnywhere/BeAnywhere - $50/month subscription, purchased by Solarwinds (N-Able) in 2015. I don't think it has integrated tools, but has a good reputation for remote control.

* TeamViewer - Solid product, one-time purchase (plus fees for upgrades) $800+. Has some sort of addon available for support/tools I believe.

* LogMeIn - had many fans here until a few years ago when the price increases started. Not sure anyone here still uses them.

* Chrome Remote Desktop - Free, and you get what you pay for. You can contemplate your errors as you wait for the other end to reconnect you. Again.

* Zoho - VNC based? I know little about it other than being pretty sure it exists.

* AnyDesk - €60/year or has a 6-year license at a discount. More expensive Professional version allows what I think is unattended access with the extra-charge PowerUser option.


RDP (no additional install needed) or anydesk (low latency codec)


RDP for wide Internet use is a sketchy choice, IMHO. Configuration is a pain, particularly if you live in DHCP land like most home users. It doesn't perform very well in that environment from my experience either.


IME RDP performance is fine these days if you've got even a halfway decent upstream connection-- the newer clients and servers are much better about tolerating low bandwidth/high latency connections than they used to be (they finally ditched the naive "forward the GDI calls" approach they used to take and do lossy compression much like VNC now).

I don't expose it to the internet, though. Only thing on my home network that is exposed directly to the internet is an SSH gateway (using public key auth, passwords disabled); from there, I can forward SSH or VNC or whatever I need access to.


RDP at home is certainly difficult, but I have to disagree on the performance bit. In fact, RDP is probably by far the best such protocol in use right now.


iPad or other tablet with facetime or skype. Open a chat session, ask parents to point camera at laptop screen. Then guide them thru steps (click on this, click on that etc). Bit more time (and patience) intensive but has the side effect of making parents/relatives more familiar with doing new things on the computer as well as satisfaction of some level of self sufficiency :) . Only useful for this type of remote support use case though.


Google Remote Desktop, maybe?


See this post from yesterday

https://news.ycombinator.com/item?id=11815079


LogMeIn


Expensive (nearly £1k/agent/year) and afaik only works on Windows (for the agent viewer)


and of course, nothing on their blog or main website about this.

Instead they want us to focus on a work/life balance: http://imgur.com/Ujd8ZwA


"Little pig, little Pig, let me come in."

"No, no, not by the hair on my chinny chin chin."

"Then I'll huff, and I'll puff, and I'll blow your house in."


Seriously, downvotes?

If one builds their house out of a foundation of sticks, what do they expect to happen?


Is it that TV got hacked because passwords were compromised and reused? I fail to see security in an app that uses unknown servers to connect to a personal setup. Somehow I think TV did get hacked and they just don't want to be honest about it. ?? I've used nomachine with good results from my lan but have never used it outside that.


I honestly feel that as much of a fan of TeamViewer I was in the past, it should be considered harmful and filtered out by ISPs and flagged by AV.

- TeamViewer has been the primary medium for tech support scams that lock people out of their own PCs for years now. Despite a usage pattern that should be easy to detect, they've seemingly done nothing effective to curb this.

- TeamViewer is blaming insecure configuration, which is probably mostly true, but TeamViewer has refused to do much to encourage or ensure security practices are upheld. (Random six character passwords on by default?)

- TeamViewer has clearly failed to police large scale attempts to test credentials against their server, if they're using password dumps to find people using the same password elsewhere, as many people on Reddit confirmed was likely the case for them.

I strongly suspect the majority of free service TeamViewer usage is currently malicious. I know very few people who HAVEN'T been reached by a malicious party which uses TeamViewer as a communication medium.

I've personally called and asked TeamViewer to consider shuttering their free service to control malicious use. They could introduce an affordable personal use paid tier instead, which would make them a lot of money, and mitigate most abuse cases.


>- TeamViewer has been the primary medium for tech support scams that lock people out of their own PCs for years now. Despite a usage pattern that should be easy to detect, they've seemingly done nothing effective to curb this.

Yes, and they also use join.me and logmein. And with 0 user feedback it's hardly an easy to detect usage pattern.

>- TeamViewer is blaming insecure configuration, which is probably mostly true, but TeamViewer has refused to do much to encourage or ensure security practices are upheld. (Random six character passwords on by default?)

AFAIK by default it requires you to accept any incoming connections, and a random six character alphanumeric pass should be quite sufficient assuming proper ratelimiting. 2238976116 attempts without uppercase and 57731386986 with uppercase letters included isn't gonna happen very fast over the network.

>- TeamViewer has clearly failed to police large scale attempts to test credentials against their server, if they're using password dumps to find people using the same password elsewhere, as many people on Reddit confirmed was likely the case for them.

We really don't know. Reddit speculation isn't very useful as mostly everyone will be in those dumps.


Of the hundreds of support requests I've responded to post-attack, all except one attack was carried out over TeamViewer.

A tech support scam attacker would have many first-time connections to many other first-time TeamViewer users who are generally seniors instructed to run the TeamViewer app over the phone. While they may use a pool of computers/TeamViewer IDs, and a pool of IPs, there's limits to the cost-effectiveness of scaling that variation, and a pattern should definitely be visible.

"Assuming proper rate limiting" seems like a large assumption, given that the possible attack vectors are guessing the random alphanumeric passwords and testing password dumps for account pairs from other services that work with TeamViewer.

Defaulting to accepting any connection from anywhere seems like a great example of poor security configuration by default.
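The usage pattern described in the comment above (one source making many first-time connections to machines that have never been remotely accessed before), as an added detection sketch that is not part of the original thread or any vendor's code. The session records, the ID names, the 3-day window and the threshold of 5 are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed session records: (day, source_id, destination_id).
SESSIONS = [
    # S-100: six never-before-seen destinations within three days.
    (date(2016, 5, 30), "S-100", "D-01"),
    (date(2016, 5, 30), "S-100", "D-02"),
    (date(2016, 5, 30), "S-100", "D-03"),
    (date(2016, 5, 31), "S-100", "D-04"),
    (date(2016, 5, 31), "S-100", "D-05"),
    (date(2016, 6, 1), "S-100", "D-06"),
    # S-200: family helper returning to the same two machines.
    (date(2016, 5, 2), "S-200", "D-20"),
    (date(2016, 5, 9), "S-200", "D-20"),
    (date(2016, 5, 16), "S-200", "D-21"),
    (date(2016, 5, 30), "S-200", "D-20"),
    # S-300: support tech onboarding one new machine every week or two.
    (date(2016, 5, 3), "S-300", "D-30"),
    (date(2016, 5, 10), "S-300", "D-31"),
    (date(2016, 5, 24), "S-300", "D-32"),
    (date(2016, 5, 25), "S-300", "D-30"),
    (date(2016, 5, 31), "S-300", "D-31"),
]


def first_time_fanout(sessions, window_days=3):
    """Per source, the peak number of first-ever destinations per window.

    A destination counts once, for the source that reached it first.
    Repeat sessions to an already-seen destination are ignored, so
    returning to known machines never raises a source's score.
    """
    seen_dest = set()
    firsts = defaultdict(list)  # source -> days of first-ever contacts
    for day, src, dst in sorted(sessions):
        if dst not in seen_dest:
            seen_dest.add(dst)
            firsts[src].append(day)

    window = timedelta(days=window_days)
    peaks = {}
    for src, days in firsts.items():
        best = start = 0
        # Sliding window over the already-sorted list of days.
        for end in range(len(days)):
            while days[end] - days[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def flag_sources(sessions, threshold=5, window_days=3):
    """Sources whose first-time fan-out reaches the threshold."""
    peaks = first_time_fanout(sessions, window_days)
    return sorted(src for src, peak in peaks.items() if peak >= threshold)


if __name__ == "__main__":
    print(first_time_fanout(SESSIONS))
    print("flagged:", flag_sources(SESSIONS))
```

The score is keyed on the source ID alone, so it only sees what one ID does; correlating across IDs needs additional signals that this sketch does not model.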


> hundreds of support requests

From your comment higher up:

> I know very few people who HAVEN'T been reached by a malicious party which uses TeamViewer as a communication medium.

Do you work in tech support, in some environment prone to these kinds of attacks (e.g., a company the attackers might target)? Otherwise, it's hard to believe we live in the same world - I've heard of these kinds of attacks but I don't think I know anyone who has experienced one.


I've provided home tech support to a large number of primarily senior citizens. But I also know lawyers, teachers, and other professionals who have fallen prey to TeamViewer-based remote support scams.

Attacks of this type on corporate targets are likely much rarer because of corporate network security devices and monitoring tools. That being said, I have heard of similar remote access tools being exploited to attack corporate networks as well.

I don't actually know if you're in SV, but I would say, I often find it hard to believe people from SV live in the same world as I do, so I can understand your query. ;) I frequently find personal experiences of other HN users very different from my own, which is why it's so key to share!


>Of the hundreds of support requests I've responded to post-attack, all except one attack was carried out over TeamViewer.

And my experiences with repeatedly calling these guys had different results, that's fine.

>A tech support scam attacker would have many first-time connections to many other first-time TeamViewer users who are generally seniors instructed to run the TeamViewer app over the phone. While they may use a pool of computers/TeamViewer IDs, and a pool of IPs, there's limits to the cost-effectiveness of scaling that variation, and a pattern should definitely be visible.

And then the scammers will just switch to VMs and socks5 proxies. (They probably already use the socks, considering they're buying them in bulk)

>"Assuming proper rate limiting" seems like a large assumption, given that the possible attack vectors are guessing the random alphanumeric passwords and testing password dumps for account pairs from other services that work with TeamViewer.

The mere fact that this all happens over the network is plenty of ratelimiting.

>Defaulting to accepting any connection from anywhere seems like a great example of poor security configuration by default.

This specifically isn't the default though.


In the Windows world, 10 specifically, is there a way to blacklist the sites so regardless of browser my parents cannot get to this kind of software?


Unfortunately, one of TeamViewer's best features is how easily it works without firewall configuration. Often you can use it in schools and corporate environments. It is likely at least a little irritating to successfully block.

I found this (older) link, which seems to provide an IP range to block, and of course, suggests blocking TeamViewer DNS entries. But I'm not sure how good a block you'll manage on a Windows PC as opposed to a network device of some flavor.

http://mediarealm.com.au/articles/2014/10/block-teamviewer-n...

The easiest way to restrict the damage your parents can do to themselves is to make a separate admin user, and make them not an admin. Of course, then you volunteer yourself to install stuff for them too.


An easy way would be to route teamviewer's site to 127.0.0.1 in the hosts file, but that isn't foolproof.



