

TeamViewer hacked?


f0dder:
Hm... the SRP protocol ... Isn't that the one that's supposed to be Dictionary Attack resistant, and perfectly secure even when weak passwords are used because the PW is never actually exchanged with the server?-Stoic Joker (June 06, 2016, 08:20 AM)
--- End quote ---
Isn't the main point of SRP that you're authenticated through establishing proof of you knowing the password, without actually sending the password? There's nothing about that which prevents dictionary attacks or (other forms of) brute-forcing.

Requiring a new session per login attempt isn't a bad idea, but it's more important to pad out the first couple of login attempts to several hundred milliseconds and then do exponential backoff (with some upper limit to avoid people locking you out of your account by sending bad guesses), and perhaps some temporary IP ban after a number of failed attempts. You need to balance user friendliness (and the aforementioned malicious lockout) against mitigating brute-force attacks.

Deozaan:
police not going to do anything.
but do push the bank, itunes, and paypal as they have the ability to reverse transactions.
-mouser (June 06, 2016, 02:04 PM)
--- End quote ---

I was a victim of "identity theft" about 10-15 years ago (holy carp has it been so long?). I notified my bank of fraudulent activity, and the bank required me to send them a police report.

AFAIK, even though the police investigated the crime, they never found the perpetrator, who I assume got to keep the stuff he bought with my money1. But the important thing (to me) is that I got my money back.

But the point is that it required a police report to do so.



1 Actually, he didn't spend much of my money because he overdrafted my account (which is how I noticed the fraud so soon), so most of the money he spent wasn't really mine.

IainB:
...Thankfully I do not leave TeamViewer running, and have only used it on occasion when traveling.  I have also set a long passphrase, so I should be ok, but I'll probably avoid using TeamViewer for a while just to be safe.
_________________________
-mouser (June 06, 2016, 12:52 PM)
--- End quote ---

I similarly only need to use TeamViewer infrequently, but when I have needed to use it, it has always proved itself very useful, so I don't wish to expunge the app. I always considered that it carried a serious potential risk of offering a wide-open access door to hackers, so I would usually shut down TV to reduce the risk and the system overhead. However, there is a tenacious TV service that remains active if one forgets to stop it.

After this apparent hack I have blocked TV access in the firewall (using Windows Firewall Control) - merely by making the several TV "Allow" entries "Block". I can always unblock it when I need to use it. I could equally have Disabled them. I should probably have done that at the outset actually, considering the potential risks.    :-[

Asudem:
TeamViewer has introduced some new features to make it harder to take over a user's computer from an unauthorized remote computer.

TeamViewer says that they were not hacked, and I tend to believe them.  However there is currently a thriving online market in passwords stolen from various sites (LinkedIn, Adobe, etc...), so perhaps the most important step in protecting oneself from hacking is to use significantly different passwords for different sites.  Long ones!
-xtabber (June 06, 2016, 02:46 PM)
--- End quote ---

My passwords are created using KeePass. No two passwords are the same. Just throwing my 2 cents into the fray.

Police "Incident" has been filed. No report was made because they said there was nothing they could do, which I went in knowing. They did say, however, if their systems ever got hacked they would contact me... whatever that means? I think they were impressed with my documentation...  :Thmbsup:

Stoic Joker:
Hm... the SRP protocol ... Isn't that the one that's supposed to be Dictionary Attack resistant, and perfectly secure even when weak passwords are used because the PW is never actually exchanged with the server?-Stoic Joker (June 06, 2016, 08:20 AM)
--- End quote ---
Isn't the main point of SRP that you're authenticated through establishing proof of you knowing the password, without actually sending the password? There's nothing about that which prevents dictionary attacks or (other forms of) brute-forcing.-f0dder (June 06, 2016, 02:47 PM)
--- End quote ---

I was just having a bit of fun with the bullet point level description of what the protocol does vs. TV description of what was likely to have - couldn't be their fault happened. So preventing it no - I'd already questioned the apparent lack of lockouts earlier. It just strikes me that the way the protocol is designed it inherently mitigates BFing by eating up time with procedural shenanigans, thereby reducing the rate that guesses can be made at.


Requiring a new session per login attempt isn't a bad idea, but it's more important to pad out the first couple of login attempts to several hundred milliseconds and then do exponential backoff (with some upper limit to avoid people locking you out of your account by sending bad guesses), and perhaps some temporary IP ban after a number of failed attempts. You need to balance user friendliness (and the aforementioned malicious lockout) against mitigating brute-force attacks.-f0dder (June 06, 2016, 02:47 PM)
--- End quote ---

Totally agree ... I wonder if that type of system could be packaged into a drop-in/plug-in type module for some of the existing web systems currently available?
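The throttling policy f0dder describes above (padded early failures, exponential backoff with an upper limit, a temporary per-IP ban) and the "drop-in module" Stoic Joker asks about, written out as an added example. This is not TeamViewer's code and not anything posted in the thread; the thresholds (250 ms padding, doubling after two failures, a 30 s cap, a 10-minute IP ban after 20 failures), the in-memory state tables, the account and address names and the injectable clock are all assumptions chosen for demonstration. The simulation at the bottom shows why the cap matters: it bounds how long an attacker who knows your username can lock you out, while still cutting a single-IP guesser from thousands of attempts per ten minutes down to a couple of dozen.

```python
"""Login throttling for a password-authenticated service: padded delay on the
first failures, capped exponential backoff per account, and a temporary ban
per source IP after repeated failures.

Added illustration of the policy discussed in this thread; it is not
TeamViewer's code. The thresholds, the in-memory state tables and the
injectable clock are assumptions chosen for demonstration.
"""
from __future__ import annotations
from dataclasses import dataclass
import time


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures, keyed by account (any IP)
    not_before: float = 0.0  # earliest time the next attempt is accepted


@dataclass
class IpState:
    failures: int = 0        # failures seen from this source address
    banned_until: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.monotonic, base_delay: float = 0.25,
                 free_attempts: int = 2, max_delay: float = 30.0,
                 ip_ban_threshold: int = 20, ip_ban_seconds: float = 600.0):
        self.clock = clock
        self.base_delay = base_delay          # padding even on early failures
        self.free_attempts = free_attempts    # failures before backoff grows
        self.max_delay = max_delay            # cap: bounds a malicious lockout
        self.ip_ban_threshold = ip_ban_threshold
        self.ip_ban_seconds = ip_ban_seconds
        self.accounts: dict[str, AccountState] = {}  # assumed in-memory store
        self.ips: dict[str, IpState] = {}

    def required_delay(self, failures: int) -> float:
        """Flat padding for the first failures, then doubling, never above max_delay."""
        if failures <= self.free_attempts:
            return self.base_delay
        return min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)

    def check(self, account: str, ip: str) -> tuple[bool, float]:
        """(allowed, seconds_to_wait); does not consume an attempt."""
        now = self.clock()
        ip_state = self.ips.get(ip, IpState())
        if ip_state.banned_until > now:
            return False, ip_state.banned_until - now
        acct = self.accounts.get(account, AccountState())
        if acct.not_before > now:
            return False, acct.not_before - now
        return True, 0.0

    def record(self, account: str, ip: str, success: bool) -> float:
        """Update state after the credential check; returns the delay to enforce."""
        now = self.clock()
        acct = self.accounts.setdefault(account, AccountState())
        ip_state = self.ips.setdefault(ip, IpState())
        if success:
            acct.failures, acct.not_before = 0, 0.0
            return 0.0
        acct.failures += 1
        delay = self.required_delay(acct.failures)
        acct.not_before = now + delay
        ip_state.failures += 1
        if ip_state.failures >= self.ip_ban_threshold:
            ip_state.banned_until = now + self.ip_ban_seconds
            ip_state.failures = 0
        return delay


class FakeClock:
    """Deterministic clock so the simulations below run instantly."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def guesses_within(throttle: LoginThrottle, clock: FakeClock, budget: float,
                   account: str = "alice", ip: str = "198.51.100.9") -> int:
    """Wrong guesses a single-IP attacker gets checked before `budget` seconds
    elapse, waiting exactly as long as the throttle demands (constructed scenario)."""
    checked = 0
    while clock() < budget:
        allowed, wait = throttle.check(account, ip)
        if not allowed:
            clock.advance(wait)
            continue
        throttle.record(account, ip, success=False)
        checked += 1
    return checked


def compare_policies(budget: float = 600.0) -> dict[str, int]:
    """Guesses per ten minutes under three policies (constructed scenario)."""
    results = {}
    for name, kwargs in {
        "flat_padding_only": dict(free_attempts=10**9, ip_ban_threshold=10**9),
        "backoff_no_ip_ban": dict(ip_ban_threshold=10**9),
        "backoff_and_ip_ban": {},
    }.items():
        clock = FakeClock()
        results[name] = guesses_within(LoginThrottle(clock=clock, **kwargs), clock, budget)
    return results


def victim_wait_after_attack(n_failures: int) -> float:
    """Delay the legitimate user faces after an attacker (from another IP)
    has burned `n_failures` guesses against her account: bounded by max_delay."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock, ip_ban_threshold=10**9)
    for _ in range(n_failures):
        allowed, wait = throttle.check("alice", "198.51.100.9")
        if not allowed:
            clock.advance(wait)
        throttle.record("alice", "198.51.100.9", success=False)
    return throttle.check("alice", "192.0.2.10")[1]


if __name__ == "__main__":
    print(compare_policies())
    print(victim_wait_after_attack(100))
```

Two design points worth noting. The backoff state is keyed by account rather than by source address, because a guesser can rotate IPs; that is exactly why the cap is needed, since without it anyone who knows your username could push your own next login out by hours. And `record` returns the delay so a real server can enforce it either way: sleep before answering (the padding f0dder describes) or reject early attempts via `check`, with the state tables moved to a shared store when more than one front-end handles logins.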
