Internet crime, Privacy, Security

TeamViewer: security risk

Leave a comment

The free-for-personal-use remote control software TeamViewer is currently under intense scrutiny. Large numbers of users are reporting unauthorized access to their computers, theft of login credentials, and in some cases, access to online financial systems and theft of funds.

It remains unclear exactly how these unauthorized intrusions are happening. TeamViewer officials are so far denying that the software has been hacked, insisting that the current surge in TeamViewer-based attacks are the result of password re-use, combined with the recent publication of several databases of stolen credentials.

Until we know for sure what’s going on, we recommend removing TeamViewer from all computers on which it is installed.

If removal is not an option, as may the case for some support setups, then you should configure TeamViewer to not start with Windows, only start it when asked to do so by support staff, and then close it when their work is complete.

TeamViewer General Settings
Recommendation: disable the option that starts TeamViewer with Windows.

You should also avoid using fixed, personal passwords, relying instead on the temporary passwords TeamViewer generates when it is started, or at least make sure that your personal passwords are strong and unique. Oddly, there’s no way to disable a fixed, personal password, once it’s set up, so your only option in that case is to set it to something very long and random.

TeamViewer Security settings
Recommendations: set the personal password to something very long, complex, and unique, then don’t use it. Avoid the ‘Grant easy access’ feature. Change password strength of random passwords to 10 characters.

Criticism of TeamViewer is building, and the company’s response to this issue has been somewhat less than stellar. If they are convinced that the problem is re-used passwords, why have they not forced a password change for all TeamViewer accounts?

TeamViewer’s makers also seem unwilling to consider the notion that the software itself has been hacked in some way, instead focusing on TeamViewer accounts. An account is not required to use TeamViewer, and exists only as a master address book for people who use TeamViewer to access many different computers. If your TeamViewer account is compromised, an attacker will then have full access to all computers in your account.

To their credit, Teamviewer is working to add new features to the software that should beef up its security. But the new features only affect TeamViewer accounts. If you don’t have a TeamViewer account, you won’t see any benefit.

Update 2016Jun06: TeamViewer management continues to insist that the problem only affects TeamViewer accounts, not the TV desktop client. We recommend avoiding TV accounts if possible. If that’s not an option, make sure you enable two factor authentication (2FA) for the account, and use a complex, unique password.

There’s a lot of discussion about this over on Reddit. One post contains reports from users who have experienced TeamViewer-related intrusions. Another provides instructions for determining whether your computer has been accessed via unauthorized use of TeamViewer.

Meanwhile, we’re wondering whether it might be helpful if TeamViewer showed a large red warning when setting up an account, like this:
WARNING: if there's only one site or service where you use a strong password, let it be your TeamViewer account. Because if someone gets access to your TeamViewer account, they will also have full access to all of the computers you access through your account.

Vivaldi

Vivaldi: not ready to replace Firefox

1 Comment

Well, I tried. I used Vivaldi as my main web browser for a month, and while there’s a lot to like, I found I had to change the way I work to get around its limitations and problems.

The biggest problem is Vivaldi’s inconsistent and confusing handling of links, bookmarks, and tabs. The Vivaldi developers have apparently failed to grasp that links should behave differently, depending on their context.

The bookmark editor is extraordinarily clunky, which is surprising, given that it should be a simple feature to code.

A lot of basic functionality that I take for granted in Firefox and other browsers is still missing from Vivaldi. Dragging and dropping bookmarks (eg. from the address bar to the bookmark sidebar) doesn’t work. Hovering the mouse over a bookmark doesn’t show the full URL. There’s no way to edit bookmarks directly in the bookmark toolbar. The right-click context menu for images doesn’t include a ‘Properties’ option. And so on.

Vivaldi’s developers seem to be aware of these issues, and have been working on them in developer ‘snapshot’ versions of the browser. I started using the snapshot versions in the hope that I’d get some relief from the problems I mentioned, but instead ran into even more problems.

Meanwhile, I’ve switched back to Firefox. I’m still optimistic about Vivaldi, but for now I’m only using it experimentally.

Hardware

Latest Hard Drive reliability report from BackBlaze

Leave a comment

Backblaze provides online backup services. The core of their service is an enormous collection of hard drives of various makes, capacities and models. Backblaze tracks the reliability of the hard drives in their systems, and publishes their findings yearly.

This year’s report shows that HGST (Hitachi) drives are still the most reliable, but also shows substantial improvement in Seagate drives over previous years.

Microsoft, Patches and updates, Windows 7, Windows 8.x

Relief for Windows 7 update headaches

Leave a comment

As if in response to my recent post about the joys of updating new Windows 7 installs, Microsoft has just announced a solution. It’s effectively Service Pack 2 for Windows 7, but Microsoft is calling it the Windows 7 SP1 convenience rollup.

The new package will install all post-SP1 updates up to April 2016. After you install Windows 7 with Service Pack 1, you need only install the April 2015 servicing stack update for Windows 7 (KB3020369), a prerequisite for the rollup, then install the rollup, then install any updates published after April 2016.

I haven’t yet tried the new rollup, but it’s difficult to imagine how it could fail to be an improvement.

Microsoft also plans to provide monthly non-security update rollups for Windows 7 and 8.1.

Microsoft, Patches and updates, Windows 10

Windows 10 Insider Preview build 14342

Leave a comment

I’ve been running build 14342 for a few days now on my test PC. I haven’t experienced any new problems, and it seems to have resolved at least one annoying networking problem left over from the previous build.

What’s New in Build 14342

User Account Control prompts now look different, but their functionality hasn’t changed. There are enhancements for Microsoft Edge, and improvements for the new BASH shell integration. A new setting, Settings > System > Apps for websites doesn’t work yet, but will in the future allow you to designate an app to open specific web sites. The Feedback Hub was also improved in this build.

Build 14342 contains fixes for numerous issues in previous builds, including problems with media playback, Cortana, displays, login, the user interface, apps, location, and anti-virus software compatibility.

Interestingly, the Wi-Fi Sense feature has been disabled. There’s been a lot of debate about the security of this feature since Windows 10 was released. Microsoft says the feature was disabled because nobody was using it. The Verge has more about this, as does Brian Krebs.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.