A company that has such a reaction is more likely to suffer a breach IMHO because it demonstrates a lack of knowledge, care, or both. If they were smarter they'd say they aren't aware of anything but have launched an investigation and will report back when it is complete.
So I'm going to assume they have been hacked until someone proves otherwise.
Hope they realize they may have just sealed their own graves with their flippant handling of these claims.
I must admit, I didn't add much weight to the opinions of the vast majority on Reddit. It's less of an IT-savvy hub today than it has been in the past and I /wanted/ to believe that the issue was simple reused passwords.
But from the claims made here on Hacker News (whose opinion carries much more weight than the Reddit noise), in addition to the handful of claims where logs have been presented and users have confirmed use of MFA and complex passwords, I've sincere doubts about the credibility of TeamViewer's very, very quick security audit.
Edit: double copy pasta.
What makes you believe they've got any real reason to conduct a security audit? Just because some randoms on reddit said that they got hacked?
For all we know TV knows exactly what's going on here.
You don't need that last sentence.
Also, that kind of language can result in some very real consequences.
TeamViewer has definitely been compromised, and reddit.com/r/teamviewer is replete with reports.
The guy selling the accounts sells hundreds of thousands of them, and obviously doesn't get involved in the fraud itself.
This is why this whole thing is so strange: there's a bunch of people claiming that someone hacked teamviewer and is now using that access for petty paypal fraud instead of targeting the tens (if not hundreds) of thousands of PoS systems teamviewer is used to manage.
>Are they hoping that a small % of their victims won't notice the fraudulent transactions?
No, they certainly don't care if the payments get charged back or not. If they try to send money to their own account, it'll be suspended before they can actually withdraw it out of PayPal.
Instead, in this case they seem to be trying to buy iTunes gift cards, undoubtedly with the intent to sell them (on sites such as g2a.com) before they get cancelled.
However, of course, bank-funded payments will have some delays. Letting things pull money from your bank account like that is a terrible practice, and people should know better.
It's fine if the recipient's account is still active and they successfully get the money back from their deposits or linked account. But in deliberate fraud cases, their only recourse would be to refund you out of their own pocket. Paypal has no incentive to do so. Once the money is beyond their reach (e.g. withdrawn via debit card or transferred to an outside account which is then closed), they will not help, in my experience.
Even if you fund via a credit card, if the payment recipient is beyond their reach, they make you jump through numerous fake loopholes (in one case I had, they claimed they had proof of delivery... and gave tracking data for an item shipped from the wrong state and shipped to a location 2000+ miles from me and to another name). I then contested the charge via my card issuer; the phone rep said that this happens often.
I say this as a user from the year they started business (back when they paid a $5 bounty to sign up) and with over 50,000 Paypal transactions.
Having to reverse the payment is likely not "minutes" when talking to any customer service org.
Although, you wouldn't even really have to call them. You can dispute the charges with like two clicks on your account page. It's just that if you call them, they can instantly settle the dispute in your favor.
If you spin up an exploit pack and can't get 50k hits in a day you're clueless and should consider a career outside of cybercrime.
Unless the reporters have some specific evidence that teamviewer is at fault, it's overwhelmingly likely that many of them were hit by some totally unrelated fraud.
This person formatted the drive a week ago and only had a few things installed. https://www.reddit.com/r/teamviewer/comments/4jr9qn/hacked_t...
The hacking itself should not be surprising. Roughly 99.99% of human beings -- including the vast majority of software developers -- have NO IDEA how to secure a computing device, let alone one that can be accessed remotely by regular people. It's kind of incredible that this type of attack doesn't happen more frequently.
The post-mortem should be quite interesting.
Sounds like reused passwords!
"They remote connected in at 5AM MT, went into my Chrome and used my PayPal to buy about $3k worth of gift cards. And yes, I had two-factor authentication."
I mean, unless the hackers logged in, left the 2FA prompt up and then a user completed the 2FA exchange, but that would be a foolish thing to do anyway...
edit: thanks for the answers; makes sense!
How is it easier to break Teamviewer's 2FA implementation than PayPals?
I (think I) now understand why "and my PayPal has 2FA enabled" points to TV being compromised -- If the PayPal account has 2FA active, and they were still "hacked", then it points to an existing session being hijacked. And a probable cause of that would be a compromised TV session.
So it's not necessarily an indication that TV's 2FA was compromised, but rather that TV was compromised in general, allowing the hacker to hijack TV sessions. (I'm imagining that the TV 2FA happens on their central server, and not on the actual server daemon running on the target remote machine... so if the central server was compromised...)
edit: Obviously this is entirely speculative, I don't know any of what's going down, but it resolves my initial curiosity.
Your paypal account getting hacked isn't a Big Deal, you aren't going to lose any money over it. In fact, managing that is PayPal's entire business model.
Yet, we've heard from people who have used passwords unique to TeamViewer, who have enabled two-factor authentication, and have found no malware on their computers, losing control of their systems in the past few days via TeamViewer.
Apparently TV disagrees, but in this case I'm inclined to believe their unfortunate users.
I found it a bit odd that every search (including for competing products) brought me to TeamViewer, that all the formerly available alternatives (like *VNC) were defunct or pay-only, and that TeamViewer was not just free but rather aggressively offered. Call me paranoid, but I thought "someone wants to make sure there's a TeamViewer on every box in the world, and is willing to pay for slick, aggressive marketing and to eat the costs of product development and marketing to see to it."
My (otherwise completely unfounded) guess was that a major intelligence agency, maybe the NSA, was behind all that.
I used TV for a few days but ditched it at my earliest opportunity. It just felt too creepy for me to trust it.
So now, maybe, I was right for the wrong reasons. Or not. (shrug)
That would be the teamviewer company. Surprisingly often companies want their product on every desktop, and are willing to eat the marketing and development costs to make it happen.
At least with TeamViewer, it is manual update only, and remote users only have the same permissions and visibility as a desktop user. When you access a locked Windows PC over TeamViewer, you get the Windows login screen. You only have the level of permissions your computer is allowing the user you log in as.
If you lock your PC when you aren't at it, and your password is decent, you haven't a huge security problem with TeamViewer. Arguably, less of one than many other pieces of software that can make administrative-level changes to your PC without your knowledge or permission.
I use Debian GNU+Linux, where TightVNC is one of the best options, and it has worked great for professional pair programming.
Digital Ocean did a great article on how to get set up: https://www.digitalocean.com/community/tutorials/how-to-set-...
You can also script it - I have a Cygwin service that I made that checks a website for a command to trigger a reverse VNC connection.
If both parties are double NAT, then sure, you have a problem, but aside from that, as long as the party you are connecting to isn't, it should work fine as described.
If you have any questions about security feel free to ask.
Another way we protect hosts is by not allowing random hosts and clients to communicate with each other unless you've given explicit permission to each host/client. This means that Bob can't load up the Jump Desktop client and try to randomly brute force Alice's local account password by trying to connect repeatedly. The cloud server will drop Bob's connection requests to Alice unless Alice has explicitly given Bob permission to connect.
The above applies to our zero-setup app, Jump Desktop Connect. Jump Desktop is also a full-blown RDP and VNC client (with SSH support) - so you don't really have to use the Jump Desktop Connect app if you don't want to. You can use traditional RDP / VNC-over-SSH to establish secure connections as well.
Not as dynamic, but for instance LastPass will allow you to blacklist or whitelist entire country IP blocks. A system that also monitors (on your end, or maybe alerts the customer) that their machine in Kansas all of a sudden has multiple IPs from China/whatever accessing it (on your end seeing this globally through the network as well) would be great to mitigate events like this. If you go on vacation, you can remove the block.
So far every report I've seen has been Guangzhao/Yangzhao in the access reports. Could easily, easily nip that in the bud. Obviously other proxies could be used but something like a remote access system is something people should be locking down tightly.
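A host-side version of the alerting described above, as an added example (not code from the thread or from any remote-access vendor): it reads a connection log for one machine, flags connections from countries outside the owner's allow list, and flags a burst of distinct remote IPs in a short window. The log format, the IP-to-country table and the sample lines are all constructed for this example.

```python
"""Flag anomalous inbound remote-access connections for one host.

Added example, not from the thread or any vendor. The log format, the
IP-to-country table and the sample lines are constructed; a real
deployment would read the tool's own connection log and a GeoIP database.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for a GeoIP lookup: prefix -> country code.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # placeholder country
    ipaddress.ip_network("192.0.2.0/24"): "YY",    # placeholder country
}

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")

def parse_line(line: str):
    # Constructed format: "<ISO timestamp> <remote ip> <remote id> <connected|denied>"
    ts, ip, remote_id, outcome = line.split()
    return datetime.fromisoformat(ts), ip, remote_id, outcome

def flag_connections(lines, allowed_countries, window=timedelta(minutes=10), burst=3):
    """Return (reason, detail) alerts for two rules:
    a connection from a country outside the owner's allow list, and
    >= `burst` distinct remote IPs connecting within one `window`."""
    alerts, recent = [], []  # recent: (ts, ip) of successful connections
    for line in lines:
        ts, ip, remote_id, outcome = parse_line(line)
        if outcome != "connected":
            continue  # denied attempts are worth counting too, but not here
        cc = country_of(ip)
        if cc not in allowed_countries:
            alerts.append(("unexpected_country", f"{ts} {ip} ({cc}) id={remote_id}"))
        recent = [(t, i) for t, i in recent if ts - t <= window] + [(ts, ip)]
        distinct = sorted({i for _, i in recent})
        if len(distinct) >= burst:
            alerts.append(("ip_burst", f"{ts} {distinct}"))
    return alerts

# Constructed sample log for a host whose owner connects from the US.
SAMPLE_LOG = [
    "2016-06-01T03:55:00 198.51.100.7 owner-laptop connected",
    "2016-06-01T05:01:10 203.0.113.45 unknown-1 connected",
    "2016-06-01T05:02:30 203.0.113.46 unknown-2 denied",
    "2016-06-01T05:03:50 192.0.2.9 unknown-3 connected",
    "2016-06-01T05:04:00 203.0.113.99 unknown-4 connected",
]

if __name__ == "__main__":
    for reason, detail in flag_connections(SAMPLE_LOG, {"US"}):
        print(reason, detail)
```

Widening the allow list to every country in the sample leaves only the burst alert, which is the signal the geo rule alone would miss.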
I have a certain amount of trust in Google but their Remote Desktop product feels like something that could plausibly be internally understaffed.
A couple others that were mentioned were UltraVNC and IMPCRemote, both VNC-based. There are also many other VNC-based options available as well (e.g. Fog Creek Copilot), but I'm not aware of any that have performance that I'd consider acceptable.
* Ammyy - Tool of scammers everywhere, DO NOT USE
* Splashtop - inexpensive, no-frills. Options for unattended, resellable unattended, and attended/client-initiated but all are separate products. Annual pricing, but cheap. Hosted by them.
* Instant Housecall - active with forums and podcasts as well, includes toolkit based on D7. Subscription, $30/40/75/month. Hosted by them.
* ScreenConnect - former local darling until bought by ConnectWise/LabTech which raised prices. Subscription, $50/month annual, cheaper options available with fewer features. Hosted by them unless you're spending $2200+. Has (had?) active forums and many scripts you could add in for cleaning, etc.
* Simple-Help - pricing similar to ScreenConnect's old pricing ($320/year + 20% annual maint). Self-hosted by you. Discounts may be available including links from here back when ScreenConnect raised their prices. For an extra 50% you get remote monitoring and some tools but I have no experience with them. Never as actively developed as ScreenConnect. If the RMM features are good enough it's surprisingly affordable (under $1/month per endpoint the first year, $0.20/month per endpoint after that, all in blocks of 40 endpoints).
* MSPAnywhere/BeAnywhere - $50/month subscription, purchased by Solarwinds (N-Able) in 2015. I don't think it has integrated tools, but has a good reputation for remote control.
* TeamViewer - Solid product, one-time purchase (plus fees for upgrades) $800+. Has some sort of addon available for support/tools I believe.
* LogMeIn - had many fans here until a few years ago when the price increases started. Not sure anyone here still uses them.
* Chrome Remote Desktop - Free, and you get what you pay for. You can contemplate your errors as you wait for the other end to reconnect you. Again.
* Zoho - VNC based? I know little about it other than being pretty sure it exists.
* AnyDesk - €60/year or has a 6-year license at a discount. More expensive Professional version allows what I think is unattended access with the extra-charge PowerUser option.
I don't expose it to the internet, though. Only thing on my home network that is exposed directly to the internet is an SSH gateway (using public key auth, passwords disabled); from there, I can forward SSH or VNC or whatever I need access to.
Instead they want us to focus on a work/life balance: http://imgur.com/Ujd8ZwA
"No, no, not by the hair on my chinny chin chin."
"Then I'll huff, and I'll puff, and I'll blow your house in."
If one builds their house out of a foundation of sticks, what do they expect to happen?
- TeamViewer has been the primary medium for tech support scams that lock people out of their own PCs for years now. Despite a usage pattern that should be easy to detect, they've seemingly done nothing effective to curb this.
- TeamViewer is blaming insecure configuration, which is probably mostly true, but TeamViewer has refused to do much to encourage or ensure security practices are upheld. (Random six-character passwords on by default?)
- TeamViewer has clearly failed to police large scale attempts to test credentials against their server, if they're using password dumps to find people using the same password elsewhere, as many people on Reddit confirmed was likely the case for them.
I strongly suspect the majority of free service TeamViewer usage is currently malicious. I know very few people who HAVEN'T been reached by a malicious party which uses TeamViewer as a communication medium.
I've personally called and asked TeamViewer to consider shuttering their free service to control malicious use. They could introduce an affordable personal use paid tier instead, which would make them a lot of money, and mitigate most abuse cases.
Yes, and they also use join.me and logmein. And with 0 user feedback it's hardly an easy-to-detect usage pattern.
>- TeamViewer is blaming insecure configuration, which is probably mostly true, but TeamViewer has refused to do much to encourage or ensure security practices are upheld. (Random six-character passwords on by default?)
AFAIK by default it requires you to accept any incoming connections, and a random six-character alphanumeric pass should be quite sufficient assuming proper rate limiting. 2238976116 attempts without uppercase and 57731386986 with uppercase letters included isn't gonna happen very fast over the network.
>- TeamViewer has clearly failed to police large scale attempts to test credentials against their server, if they're using password dumps to find people using the same password elsewhere, as many people on Reddit confirmed was likely the case for them.
We really don't know. Reddit speculation isn't very useful as mostly everyone will be in those dumps.
A tech support scam attacker would have many first-time connections to many other first-time TeamViewer users who are generally seniors instructed to run the TeamViewer app over the phone. While they may use a pool of computers/TeamViewer IDs, and a pool of IPs, there are limits to the cost-effectiveness of scaling that variation, and a pattern should definitely be visible.
"Assuming proper rate limiting" seems like a large assumption, given that the possible attack vectors are guessing the random alphanumeric passwords and testing password dumps for account pairs from other services that work with TeamViewer.
Defaulting to accepting any connection from anywhere seems like a great example of poor security configuration by default.
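The service-side pattern described above (one connecting ID reaching many targets that have never received a connection before and were installed minutes ago), written out as an added example; this is not TeamViewer's code or anything from the thread. The event tuples (source id, target id, target install age in hours) and the thresholds are constructed for the example.

```python
"""Score connecting IDs by how many never-before-seen, freshly installed
targets they reach.

Added example, not from the thread or from TeamViewer. Events are
constructed (source id, target id, target install age in hours); a real
feed would be the service's own connection records.
"""
from collections import defaultdict

def first_time_target_scores(events, new_install_hours=24):
    """For each source id, return (first_time_targets, total_connections).

    A target counts as "first time" when this is the first connection it
    has ever received and its install is younger than `new_install_hours`.
    """
    seen_targets = set()
    stats = defaultdict(lambda: [0, 0])
    for src, dst, age_hours in events:
        first = dst not in seen_targets and age_hours < new_install_hours
        seen_targets.add(dst)
        stats[src][0] += first
        stats[src][1] += 1
    return {s: tuple(v) for s, v in stats.items()}

def suspicious_sources(events, min_targets=5, min_ratio=0.8):
    """Flag sources whose connections are mostly to fresh, first-time targets."""
    return sorted(
        src for src, (first, total) in first_time_target_scores(events).items()
        if total >= min_targets and first / total >= min_ratio
    )

# Constructed events: a helpdesk tech repeatedly reaching known machines,
# and a pooled id reaching a string of brand-new installs.
EVENTS = [("tech-1", f"branch-{i % 3}", 800) for i in range(6)]
EVENTS += [("pool-7", f"victim-{i}", 0.5) for i in range(8)]
EVENTS += [("pool-7", "branch-0", 800)]

if __name__ == "__main__":
    print(first_time_target_scores(EVENTS))
    print(suspicious_sources(EVENTS))
```

Switching IDs per victim, as the reply below suggests scammers would, is what the pooled-ID view is meant to absorb; the ratio is computed per source, so the thresholds have to be retuned if the pool grows.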
From your comment higher up:
> I know very few people who HAVEN'T been reached by a malicious party which uses TeamViewer as a communication medium.
Do you work in tech support, in some environment prone to these kinds of attacks (e.g., a company the attackers might target)? Otherwise, it's hard to believe we live in the same world - I've heard of these kinds of attacks but I don't think I know anyone who has experienced one.
Attacks of this type on corporate targets are likely much rarer because of corporate network security devices and monitoring tools. That being said, I have heard of similar remote access tools being exploited to attack corporate networks as well.
I don't actually know if you're in SV, but I would say, I often find it hard to believe people from SV live in the same world as I do, so I can understand your query. ;) I frequently find personal experiences of other HN users very different from my own, which is why it's so key to share!
And my experiences with repeatedly calling these guys had different results, that's fine.
>A tech support scam attacker would have many first-time connections to many other first-time TeamViewer users who are generally seniors instructed to run the TeamViewer app over the phone. While they may use a pool of computers/TeamViewer IDs, and a pool of IPs, there's limits to the cost-effectiveness of scaling that variation, and a pattern should definitely be visible.
And then the scammers will just switch to VMs and socks5 proxies. (They probably already use the socks, considering they're buying them in bulk)
>"Assuming proper rate limiting" seems like a large assumption, given that the possible attack vectors are guessing the random alphanumeric passwords and testing password dumps for account pairs from other services that work with TeamViewer.
The mere fact that this all happens over the network is plenty of rate limiting.
>Defaulting to accepting any connection from anywhere seems like a great example of poor security configuration by default.
This specifically isn't the default though.
I found this (older) link, which seems to provide an IP range to block, and of course, suggests blocking TeamViewer DNS entries. But I'm not sure how good a block you'll manage on a Windows PC as opposed to a network device of some flavor.
The easiest way to restrict the damage your parents can do to themselves is to make a separate admin user, and make them not an admin. Of course, then you volunteer yourself to install stuff for them too.