Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that I can control over the Internet, though, could potentially also be controlled over the Internet by a malicious hacker who knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If my LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.

What should you do?

If you use TeamViewer (or any remote control product) on any computers in your home or business, here are a few suggestions:
  • Enable two-factor authentication for your TeamViewer account. TeamViewer's implementation of two-factor authentication uses a mobile "authenticator app" on your phone or mobile device. The app generates a code that is good for about 30 seconds. To log in, you supply both your password and the current authenticator code. An attacker would need to have your password as well as your phone or device in order to access your account.
  • Use unique passwords for every account - and use a password manager to keep track of the passwords. This prevents an incident at one service from revealing a password that you also used on other services.
  • Think twice about installing remote control software on computers holding sensitive information. If you can remote control a system, there is potential for someone else to do so as well. I often recommend using a dedicated PC or virtual machine for banking - and never browsing the Internet from that system, to avoid the risk of accidentally downloading malware. Installing TeamViewer on such a system defeats the purpose of keeping it separate.
  • Think twice before leaving accounts logged in, or allowing a browser to store passwords, on any computer on which you have installed any remote control software. Many of the incidents reportedly involve an attacker using TeamViewer to log into a victim's computer, then using their browser to purchase items, empty PayPal accounts, or transfer money out of bank accounts. If these accounts are not logged in, it is that much harder for an attacker to carry out the theft. 
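How the 30-second authenticator code in the first suggestion blocks a reused password, as an added example (not code from TeamViewer or from this post). It assumes the standard TOTP scheme (RFC 6238) that authenticator apps commonly use; the six-digit length, PBKDF2 settings, sample secret, sample password and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, the "about 30 seconds" above
DIGITS = 6   # assumption: six-digit codes
# Constructed sample secret (the RFC 6238 test key), never a real account secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time):
    """Return the RFC 6238 code (HMAC-SHA1) for the window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password, salt):
    """Salted, slow hash so the service never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(stored_hash, salt, secret_b32, password, code, now, drift_steps=1):
    """Accept a login only if the password AND a current code both match."""
    if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return False
    # Tolerate a little clock drift: previous, current and next 30-second window.
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, max(now + step * STEP, 0))
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


if __name__ == "__main__":
    salt = b"constructed-salt"                       # constructed sample values
    stored = hash_password("reused-2012-password", salt)
    now = 1111111109
    # Password taken from another site's breach, but no phone: rejected.
    print(verify_login(stored, salt, SECRET, "reused-2012-password", "", now))
    # Password plus the code currently shown by the authenticator app: accepted.
    print(verify_login(stored, salt, SECRET, "reused-2012-password",
                       totp(SECRET, now), now))
```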

A few stories covering this event from different angles:

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.