

TeamViewer hacked?


Deozaan:
Small update: TeamViewer still say there is no evidence of a vulnerability on their end. They still think it's due to reused passwords; poor, easy-to-guess passwords; or malware:

The vast majority of the cases that we see have to do with there being a lot of data breaches lately, and whenever we're pointed to potential TeamViewer account abuses, we check internally to determine what we can see. And in virtually every case we see that the passwords and account credentials have been used elsewhere.

Another factor that plays a significant role is that people aren't using very strong passwords. They use the name of a spouse, of a kid, of a pet, or they simply do not have strong enough security measures in place like antimalware, antivirus, the type of thing that belongs on every computer these days.
-http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
--- End quote ---

They're not denying that TV accounts are being abused, they're just saying it's not due to a hack or vulnerability on their end:

We're not doubting TeamViewer accounts have been abused. It's just this is not because of a TeamViewer weakness. [...] Obviously, what we're not doubting is that yes, people have been ripped off by online criminals and their bank accounts may have been emptied, but again that's not [due to] a TeamViewer vulnerability.
-http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
--- End quote ---

Read more in the Ars Technica interview.

Stoic Joker:
http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
After reading through the comments there.

Okay, this is getting ugly - where's the popcorn?

With the massive justificational back and forth, the thing that seems to be most consistently appearing is the ability of - the attackers - computer to guess X passwords per second ... which automagically makes most - if not arguably all - passwords less than 20 something characters "easily guessable". And then the "need" for 2FA gets brandished over, and over, and over... *Sigh*

Why does everybody keep glossing right past lockout limits?? I mean WTF - If a system like that is allowing 3+ login attempts per second - like anybody can actually type that fast... - without locking down the account. I don't care how many whoop-de-do factors they have in place, their system is fundamentally flawed...and the fault is theirs.

wraith808:
When things get ugly, there's always time for popcorn.



But yeah, I totally agree Stoic.  Anything that allows access to the internet, and controls something so sensitive, but doesn't have lockout limits is pretty stupid.

Stoic Joker:
This Just In from the piss yourself laughing department.

Well, we are not testing any email/password combinations if you think that and we also can't see your passwords, since we use the Secure Remote Password (SRP) protocol and therefore do not store your passwords. What we do is check, if the email addresses used for TeamViewer, have been part of a leak. You can do so yourself using www.haveibeenpwned.com.
-TeamViewerOfficial on Reddit
--- End quote ---

Hm... the SRP protocol ... Isn't that the one that's supposed to be Dictionary Attack resistant, and perfectly secure even when weak passwords are used because the PW is never actually exchanged with the server?

Yet TV's primary defense is silly users using easy to guess - er... with a dictionary - passwords.

So they intentionally used a protocol that is designed to compensate for bad user behavior, because it compensates for bad user behavior, and then deflect blame because of bad user behavior ... Really? Is Jack Sparrow writing their PR material?


Above Quote is from here: https://www.reddit.com/r/teamviewer/comments/4mq9a5/badly_worded_sentence_or_can_teamviewer_see_our/

Yes it's a Wikipedia link (sue me): SRP Protocol

mouser:
I'll just add one thing for those who aren't familiar with TeamViewer -- at least when I set up mine, by default TeamViewer itself created a random password for remote access (rather than asking me to type one in) and it was SIX characters long (and I believe it's just uppercase, lowercase, and digits).

So it would be entirely plausible that a brute force attack would be able to guess passwords.

Thankfully I do not leave TeamViewer running, and have only used it on occasion when traveling.  I have also set a long passphrase, so I should be ok, but I'll probably avoid using TeamViewer for a while just to be safe.
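
Added example, not part of any post in this thread and not TeamViewer's code: a per-account lockout limiter of the kind Stoic Joker asks about, measured against the six-character password space mouser describes. The policy values (5 failures, 60-second lockout doubling to a 1-hour cap) and the submission intervals are assumptions chosen for illustration.

```python
from collections import defaultdict

KEYSPACE = 62 ** 6       # six characters drawn from a-z, A-Z, 0-9
DAY_MS = 86_400_000

class LockoutLimiter:
    """Per-account lockout: max_failures wrong guesses lock the account for base_ms,
    doubling on each further lockout up to cap_ms. Defaults are assumed values."""

    def __init__(self, max_failures=5, base_ms=60_000, cap_ms=3_600_000):
        self.max_failures, self.base_ms, self.cap_ms = max_failures, base_ms, cap_ms
        self._acct = defaultdict(lambda: {"fails": 0, "lockouts": 0, "until": 0})

    def locked_until(self, account):
        return self._acct[account]["until"]

    def attempt(self, account, password_ok, now_ms):
        """Return 'locked', 'ok' or 'denied'. A locked account rejects even the
        correct password, so guesses sent during a lockout reveal nothing."""
        s = self._acct[account]
        if now_ms < s["until"]:
            return "locked"
        if password_ok:
            s["fails"] = s["lockouts"] = 0
            return "ok"
        s["fails"] += 1
        if s["fails"] >= self.max_failures:
            s["until"] = now_ms + min(self.base_ms << s["lockouts"], self.cap_ms)
            s["lockouts"] += 1
            s["fails"] = 0
        return "denied"

def guesses_evaluated(limiter, account, interval_ms, duration_ms=DAY_MS):
    """Count the wrong guesses the server actually evaluates when a client
    submits one every interval_ms for duration_ms."""
    evaluated, now = 0, 0
    while now < duration_ms:
        if limiter.attempt(account, False, now) == "denied":
            evaluated += 1
            now += interval_ms
        else:  # locked: jump to the first submission slot at or after unlock
            wait = limiter.locked_until(account) - now
            now += -(-wait // interval_ms) * interval_ms
    return evaluated

def days_to_exhaust(guesses_per_day, keyspace=KEYSPACE):
    """Days needed to try every password in the keyspace at a given daily rate."""
    return keyspace / guesses_per_day
```

With this policy the number of guesses evaluated per day is the same whether the client submits 4 or 100 per second, because the lockout, not the client's speed, sets the rate.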
