Teamviewer, Dropbox Hacked? Users at fault?

The Graham Cluley website today had an article with the most appropriate title I’ve seen regarding this subject. “Don’t believe everything bad you read on the internet.” I’d like to follow that up myself with a little piece of advice from a professional in the field (me.) “Don’t use Reddit as a source for news, ever.”

Two major companies hacked in the same day? Not likely.

[TeamViewer logo, linking to the TeamViewer press release]

The stealing of user data from companies happens so much these last few years it doesn’t even rate the front-page of the HuffP anymore, and that’s saying something; those guys will publish anything.

The “teamviewer hack” however actually had consequences far and beyond anything the normal user would know to be afraid of. In fact it’s the ONLY kind of hack that keeps companies such as ours awake at night with nightmares. What would happen if something like Teamviewer or LogMeIn, or any of the other reputable remote-access firms suffered a data breach? Not only would a smart hacker gain remote control of thousands of computers across the globe, they could potentially gain access to OUR client account, and from there gain access to even MORE incredibly sensitive computer systems and networks. After all, we have administrative access to doctors’ offices, billing centers, financial records and applications, medical records, and other sensitive information for thousands of users rolled up into our accounts.

[Dropbox logo, linking to an article on the Dropbox hack]

I’ll respond to that in detail in a few moments and tell you why that can’t happen, but even though it didn’t happen, if Teamviewer WERE hacked, we would be forced to contact all our customers within a very short window and advise them of the possibility of their information being compromised. That would frustrate our customers and cost us their faith in our ability to prevent the one thing we charge them each month to prevent!

So what did happen?

Teamviewer and Dropbox are suffering from a major case of guilt-by-association-to-stupid-people. Really, that’s actually what happened. Hundreds of users on Reddit and across other social media platforms have spent the last two days yammering that they’ve had their paypal accounts drained, purchased eBay items they didn’t know about, written online checks they didn’t actually write, had their credit and debit cards compromised, all through the use of Teamviewer. Is it true? Absolutely. It’s totally true.

Did TeamViewer get hacked? No. YOU did. Congratulations, you got hacked. And as much as it’s hard to stomach, it’s your own fault. How do I know? Well it’s fairly simple to explain, but hard to understand without a technical background in cryptography, so I’ll give you a 5-second primer on the concept. TeamViewer (and many, many other reputable large-scale companies) use a protocol known as SRP. It stands for Secure Remote Password protocol. If you want to learn more about SRP, read it here on Wiki.

What is important to know is that unlike MySpace, Tumblr, and other sites that have been hacked lately, there is no massive database of usernames and passwords sitting around on the TeamViewer servers with a “passwords-stored-here” warning label on it. The protocol works by verifying the identity of the user without having a password sitting on the server. It’s one of the most common password security protocols in place on the web right now and by its very design is immune to these kinds of hacks.
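To make that concrete, here is an added example (my own illustration, not TeamViewer’s code and not from the original post) of the SRP-6a flow in Python: at registration the server stores only a salt and a verifier, at login the client never sends the password, and both sides still arrive at the same key. The modulus 2**255 - 19 is a demo stand-in I chose for brevity, not a standard SRP group.

```python
import hashlib
import os

# Demo-only group (assumption): 2**255 - 19 is prime, but it is NOT one of the
# standard SRP groups. Real deployments use the RFC 5054 groups; the arithmetic
# below is the textbook SRP-6a flow and works unchanged with those parameters.
N = 2**255 - 19
g = 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter

def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt, H(username:password)); only the client ever computes this."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username: str, password: str) -> dict:
    """What the server stores: a random salt and the verifier v = g^x mod N, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": pow(g, private_x(username, password, salt), N)}

def run_login(username: str, password_attempt: str, record: dict) -> bool:
    """Simulate one exchange; True when client and server derive the same session key."""
    a = int.from_bytes(os.urandom(32), "big")  # client ephemeral secret
    b = int.from_bytes(os.urandom(32), "big")  # server ephemeral secret
    v = record["verifier"]
    A = pow(g, a, N)                           # client -> server: username, A
    B = (k * v + pow(g, b, N)) % N             # server -> client: salt, B
    if A % N == 0 or B % N == 0:               # abort checks required by the spec
        return False
    u = H(to_bytes(A), to_bytes(B))            # scrambling parameter, computed by both sides
    # Client: rebuilds x from the typed password; the password itself never leaves the client.
    x = private_x(username, password_attempt, record["salt"])
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: uses only the stored verifier; it never learns x or the password.
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    # Real SRP exchanges hash proofs of S (M1/M2); comparing the key hashes stands in for that.
    return hashlib.sha256(to_bytes(s_client)).digest() == hashlib.sha256(to_bytes(s_server)).digest()
```

A stolen copy of the record gives an attacker the verifier, not the password, which is exactly why a credential-stuffing list from some other site is the far easier route.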

So if no one could have hacked teamviewer’s passwords, who else is left to be hacked?

I’m going to sit here and wait until you figure it out.

Did you figure it out yet? It was the users that got hacked.

How it happened:

The process for the TeamViewer and Dropbox hacks is identical, and anyone with any modicum of computer skill could do it to another person. The thing that makes this stand out is that it happened to so many people, literally tens of thousands of them, that people are screaming it must be someone else’s fault. Want me to show you an incredibly easy way for any semi-qualified hacker to gain access to your system, wipe out your Paypal account, even hack into your online banking records and write checks to themselves or steal money by transferring it elsewhere? It’s really easy!

There are two main ways to steal this data:

First: Stupid people with stupid passwords.

Remember the Yahoo, Gmail, Outlook email hack from a week or two ago? Hundreds of millions of usernames and passwords were released into the wild on the darkweb. Was yours one of them? Could have been, sure. It absolutely could have been.

If your teamviewer password or dropbox password was the same as your email password, or even similar enough to be calculated by a fairly intelligent hacker with time on his hands, then you’re seeing where this is going.

Who cares that you only used teamviewer once 2 years ago. Did you remember to take it off your computer? I’m guessing not. A simple trial and error against the TeamViewer servers with your login and password would tell a hacker that you have an active account and what the password is. Once they do that, they’re in your computer.

Second: People that click things they shouldn’t.

The second, and probably equally effective, method is malware. Either users clicked an infected advertisement somewhere, clicked a link for a “free” game they shouldn’t, decided to play on one of those Coupon-Bar websites, etc. There are hundreds of places to get infected with drive-by malware. The end result is the same. Once they have a backdoor into your computer with a piece of malware (assuming you don’t have a good antivirus solution in place) then they can remote into your machine and install TeamViewer themselves.

Either of these methods results in the fact that they are now sitting at a remote desktop with full access to your computer. What could they do now? Here is a test to see if you’re a likely victim:

  • When you login to Facebook on your computer, does it automatically log you in or does it prompt you EVERY time with a login screen? If it doesn’t prompt you, then you have auto-login enabled. Bad user.
  • When you login to your bank, does it already have your username and password sitting there in the prompt, already typed for you and ready for you to press the login button? If so, bad user. That’s not even hacking… that’s just taking advantage of someone’s stupidity.
  • Does your Twitter make you login every time you visit it? How about your gmail? Do you log out of gmail EVERY time you leave it and go visit another website? Are your logins or passwords stored for quick access to your Gmail? Probably... most people have it that way. Congratulations… you’re predisposed to be a victim because you have poor security habits. Who cares that you have a 47 character password if you have it stored in your browser.
  • Do you have it setup to text you a confirmation code every time you login to Facebook, your bank, Gmail, Twitter, Tumblr, Dropbox, Logmein, TeamViewer? If not, you’re basically asking to be hacked. People like me have been screaming at users to enable two-factor authentication for the last five years. Why haven’t you done it yet?

How do I make myself a harder target?

First, you ALWAYS utilize two-factor authentication. This means entering your username, password, and a randomly generated code sent to your cell phone each time you want to login to a website.

  • My bank doesn’t offer two-factor authentication. What do I do?
    Your bank sucks. Change banks. That’s a headache? Sorry. Pick one… easy banking or secure banking? Your call.
  • I don’t want to have to type a login every time I want to read my email.
    Tough. Treat it like your car. When you’re not using it, take the keys out and lock the door. Don’t walk off and leave it with the keys in it and the engine running. You’re asking for it.

Second, you don’t EVER use the same password for multiple services. Ever ever ever. And don’t reply with “I use different passwords” if what you really mean is that you add a “1” at the end of a password and call it a different password. You really want to know how long it would take me to run a dictionary attack on every four number combination if I already knew your email address and the root word of your common passwords? About 4 minutes if I was on a slow connection…

Lastly, if you’re going to take some of these pieces of advice to heart then you begin with dumping your internet history, clearing ALL cookies, dumping ALL saved passwords, and disabling the option to save passwords on your browsers, and yes, that means all browsers; Chrome, IE, Edge, Firefox, Opera, Safari, and whatever other ones you use.

How to recover your accounts if you were hacked:

If your Dropbox account, TeamViewer account or ANY account is hacked, here are the steps you should follow, and be sure to do it in this order.

  1. Assume if one password is compromised then they all are.
  2. Enable two-factor authentication on your email account. (this means anyone monitoring your email can’t do anything else unless they’re also holding your cell phone in their hands.)
  3. Change the password of the email account that the hacked account is connected to before you change any other passwords. Don’t use a password you’ve ever used before, ever. (Changing your Facebook password first just means that the hacker sees it come in your email and can block your attempt or gain the new password as well.)
  4. Change the password on your infected account. Don’t use a password you’ve ever used before, ever.
