Thursday, June 2, 2016

TeamViewer Hacked? Maybe, maybe not - but take precautions

TeamViewer may or may not have been hacked. Regardless, here are some sane precautions for remote control software.

I've seen a lot of noise over the past 24 hours suggesting that TeamViewer - a popular remote control product for computers - is being used by crooks to break into PCs, then use logged-in sessions on those computers to make purchases, transfer money, etc.

TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.

It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.

The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If My LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.

Regardless, a few precautions can limit the potential for harm.



What should you do?


If you use TeamViewer (or any remote control product) on any computers in your home or business, here are a few suggestions:
 
  • Enable two-factor authentication for your TeamViewer account. TeamViewer's implementation of two-factor authentication uses a mobile "authenticator app" on your phone or mobile device. The app generates a code that is good for about 30 seconds. To log in, you supply both your password and the current authenticator code. An attacker would need to have your password as well as your phone or device in order to access your account.
     
  • Use unique passwords for every account - and use a password manager to keep track of the passwords. This prevents an incident at one service from revealing a password that you also used on other services.
     
  • Think twice about installing remote control software on computers holding sensitive information. If you can remote control a system, there is potential for someone else to do so as well. I often recommend using a dedicated PC or virtual machine for banking - and never browsing the Internet from that system, to avoid the risk of accidentally downloading malware. Installing TeamViewer on such a system defeats the purpose of keeping it separate.
     
  • Think twice before leaving accounts logged in, or allowing a browser to store passwords, on any computer on which you have installed any remote control software. Many of the incidents reportedly involve an attacker using TeamViewer to log into a victim's computer, then using their browser to purchase items, empty PayPal accounts, or transfer money out of bank accounts. If these accounts are not logged in, it is that much harder for an attacker to carry out the theft. 

A few stories covering this event from different angles:

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen