The Lesson You Need To Learn From The TeamViewer Hack

Don't use easy-to-guess passwords!

Don’t re-use the same password over and over.

TeamViewer is in the news this week because of a nasty ongoing security problem. It might not be TeamViewer’s fault, and with luck it won’t affect any of you, my loyal and much-loved readers. But the story illustrates an important basic security principle: Don’t re-use the same password over and over.

TeamViewer is a well-known program that provides remote access to your computer, just like LogMeIn. After LogMeIn killed its free service two years ago, TeamViewer became more popular because it is still free for home users. (TeamViewer is not free for you to use to connect to your office computer. It has an odd, expensive license to sell you if you’re using it to get work done, and it’s likely to turn off the program if it thinks you’re a business user. Take a look at Splashtop if you want remote access to an office computer.)

For about a month, reports have been circulating that make it appear that TeamViewer has been hacked. Imagine that you’ve installed TeamViewer on your home computer so you can connect from the road. You’re sitting at the home computer playing solitaire. All of a sudden, the TeamViewer panel appears in the lower right corner and your mouse starts moving of its own accord. Terrifying, eh? Numbers are hard to come by but this has happened to many people – hundreds? thousands? Last week the reports escalated sharply on Twitter and Reddit.

What’s more, some of the people whose computers were taken over in haunted TeamViewer sessions quickly had their bank accounts and Paypal accounts drained by the bad guys.

TeamViewer says flatly that their systems have not been hacked – period, end of story. They suggest an explanation that seems plausible.

Here’s the way this happens.

1) Passwords are hacked

LinkedIn suffered a catastrophic hack in 2012. If you had a LinkedIn account in 2012, there’s a 98 percent chance that your LinkedIn password has been hacked. Several million LinkedIn passwords started circulating in hacker circles in 2012. Recently, though, the full password dump appeared online, approximately 175 million passwords.

At the end of May, 360 million more passwords were leaked online, allegedly from a MySpace hack in 2013.

And that’s not all. In the last month, more passwords became available from years-old hacks of Tumblr and other sites. By one estimate, 642 million passwords have appeared online since the beginning of May.

It’s worth noting that the hackers did not just download a spreadsheet full of passwords from LinkedIn or MySpace. All the companies have the passwords encrypted, which was believed to keep them relatively safe until recently. When hackers break into a corporate system, they download the encrypted database, then set to work attempting to decrypt the database and expose the passwords. Thanks to increased computer power but mostly our sloppy password habits, they can successfully unlock almost all of the passwords. This article has a good explanation of how the hackers have become so good at cracking hashed passwords, written by one of the professional password crackers who worked on the LinkedIn database.

2) The hackers try using the same credentials in other places in case you used the same password over and over

TeamViewer claims that the breaches in the last month have all occurred because people used the same password for TeamViewer that they used for LinkedIn, MySpace, or one of the other hacked services. This is part of TeamViewer’s official statement:

“As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.

“We are appalled by the behaviour of cyber criminals and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.”

This is your vulnerability if you use the same password repeatedly. When the bad guys get an email address and password from somewhere, they routinely will test it against a long list of other websites – shopping, banks, anything that might allow them to steal from you.

3) The bad guys log into your computer with TeamViewer and immediately steal the passwords stored in your web browser

If you’re not using LastPass, then you probably have Google Chrome or Internet Explorer save your password when you log into a website. Very convenient! So convenient, in fact, that the bad guys can download all of those saved passwords to their computers within seconds after they connect to a computer with TeamViewer. Not long after that, other accounts are under attack. According to one article:

“The vast majority of users claim their accounts have been hacked. Once access is gained, the hackers move through a list of targets attempting to spend or transfer money. Some commonly accessed accounts include:

  • PayPal
  • eBay
  • Amazon
  • Yahoo!
  • Walmart

“Some users have reported losing thousands of dollars, while others have seen numerous eGift cards sent to various locations around the world. Purchases made online usually had gibberish shipping names, being sent to a variety of locations around the globe with a significant number of users reporting attempted logons from Chinese or Taiwanese IP addresses.”

4) TeamViewer adds additional security features – better late than never

TeamViewer has added two welcome improvements to its service to slow down the bad guys. From Neowin:

“Firstly, the new ‘trusted devices’ feature will require verification of any new device attempting to login to a TeamViewer account for the first time. The verification will be in the form of an e-mail sent to the registered email account which will contain a link to approve the device.

“The second measure, called ‘data integrity’, automatically monitors accounts for unusual activity, which may include logins from new locations. In such an event, the affected account will be flagged for an enforced password reset with instructions supplied via email.”

With any luck, the new measures will be sufficient to cause the TeamViewer attacks to die down. They’ll be replaced soon with some other security outrage.

I hope none of you are directly exposed to the TeamViewer breach. But focus on that second step above. Using the same password over and over is an invitation to disaster. If the bad guys crack that password at any one of the places you’ve used it, they will test it at other sites, making a bad situation so much worse.

In the next article, I’ll give you some password tips. The first and best tip is obvious: use Lastpass. Lastpass is the best-known and most secure password manager. Don’t save passwords in your web browser. (Lastpass will remove them during installation.) Once you understand Lastpass, you can use a unique password on every website.

Bruceb Consulting clients: my monitoring service, Bruceb Remote Management, installs a customized version of TeamViewer on your computer, using the name “Take Control.” To the best of my knowledge, it is not vulnerable to this hack or any other. I believe it is completely safe.

Be careful out there!