So here I am, sitting at my computer screen on the one day of the week I stayed home from work, checking messages on my phone, when out of the corner of my eye I see a browser page being opened. It was PayPal. Luckily for me, I'm not so careless as to stay logged in. Then I noticed a TeamViewer session was running. I of course immediately disabled it and shut down TeamViewer, changing my password in the process. Looking through the logs, there indeed was an incoming connection, and fortunately for me, it seems to have been the first time.

I already contacted TeamViewer support and I am currently waiting for their reply. However, from what I can gather by the logs, they contain the incoming connection's UUID. Can this somehow be used to find more information about the culprit?

techraf
Handelo
  • I think you'll have to wait on TeamViewer support for this question since it requires an in-depth knowledge of TeamViewer. – RoraΖ Apr 21 '16 at 12:02
  • Welcome to Information Security! It seems you have a problem with using a specific piece of software. Generally these questions are off-topic for this site, but you might find better luck at [superuser](//superuser.com/tour). Remember to read [their requirements](//superuser.com/help/on-topic) as they are a bit more strict than this site. – Tobi Nary Apr 21 '16 at 12:25
  • I think TeamViewer has got BIG problems; either they got hacked or someone has found a way to hack user accounts. A lot of people are reporting the same as you! Look at this: TeamViewer has been hacked. They are denying everything and pointing fingers at the users. https://redd.it/4m7ay6 TeamViewer Breach Masterthread - Please post your details and if you were a victim or not. https://redd.it/4m6omd – teecee Jun 03 '16 at 15:34
  • Thanks, teecee. It does seem like someone's accessing computers methodically, immediately checking PayPal to see if you happen to be signed in to that. My password was NOT used anywhere else, like many other users reported, which makes it very plausible that TV's database was hacked. However, I've since enabled 2FA, which is a pretty good security feature, and haven't had any other issues. It's just a shame that a company as big as TV refuses to admit their own mistake and notify their users of the breach and steps on how to secure their account better, at least until after the fact. – Handelo Jun 06 '16 at 08:13

1 Answer

The UUID can be tracked by TeamViewer, but do not expect them to tell you anything as that would likely require a subpoena. But let's take another look at this. So you gain the knowledge that the UUID belongs to say: Drugov Russianomov somewhere in Romania. Now what? Your course of action to minimize the potential of someone 'owning' your TeamViewer sessions should be something to the tune of:

  • Creating a complex password
  • Minimize usage (turning off TeamViewer when not in use)
  • ACLs (firewalls: allow trusted networks, block ALL others)

I fail to see what gathering data via UUID will do. No law enforcement agency I can think of will give you the time of day unless you were the victim of theft to the tune of hundreds of millions of dollars. Here in the United States, most SAs will listen to you for about five minutes before politely telling you: "Nothing to see here, moving along."

The issue with TeamViewer and similar software is that right now there is an assumption that the user utilized TeamViewer on their own machine to access yours. The reality is, whoever logged into your machine likely did so from another compromised machine. To fiddle around with financials (banking, PayPal, etc.) one would not point a direct target right back to them. There are the unsophisticated attackers, but again, if this were one, what would be the outcome? Criminal complaint? At this point there is no forensic evidence. Retribution? To whom? What makes you sure you're not attacking a compromised machine? See the dilemmas here?

munkeyoto
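As an added example (not from the original post, the answer, or TeamViewer), the log review described in the question can be scripted: the code below parses incoming-connection records and flags sessions from remote IDs you do not recognise or that start at unexpected hours. The seven-field tab-separated layout, the timestamp format, the function names and every sample value are assumptions constructed for illustration; check them against your own log file.

```python
from datetime import datetime

# Assumed layout of one incoming-connection record (tab-separated).
FIELDS = ("remote_id", "display_name", "start", "end",
          "local_user", "conn_type", "session_guid")
TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp format

# Constructed sample data, including one malformed line.
SAMPLE_LOG = "\n".join([
    "111111111\tHOME-LAPTOP\t14-04-2016 19:02:10\t14-04-2016 19:30:41\talice\tRemoteControl\t{00000000-0000-0000-0000-000000000001}",
    "999999999\tWIN-UNKNOWN\t21-04-2016 11:41:07\t21-04-2016 11:43:52\talice\tRemoteControl\t{00000000-0000-0000-0000-000000000002}",
    "truncated line without enough fields",
    "111111111\tHOME-LAPTOP\t22-04-2016 03:15:00\t22-04-2016 03:20:00\talice\tFileTransfer\t{00000000-0000-0000-0000-000000000003}",
])

def parse_connections(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, (p.strip() for p in parts)))
        try:
            rec["start"] = datetime.strptime(rec["start"], TS_FORMAT)
            rec["end"] = datetime.strptime(rec["end"], TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp: treat the line as malformed
        sessions.append(rec)
    return sessions

def flag_sessions(sessions, trusted_ids, expected_hours=range(8, 23)):
    """Return (session_guid, remote_id, reasons) for each suspicious session."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in trusted_ids:
            reasons.append("unknown remote ID")
        if s["start"].hour not in expected_hours:
            reasons.append("outside expected hours")
        if reasons:
            flagged.append((s["session_guid"], s["remote_id"], reasons))
    return flagged

if __name__ == "__main__":
    hits = flag_sessions(parse_connections(SAMPLE_LOG), {"111111111"})
    for guid, remote_id, reasons in hits:
        print(guid, remote_id, ", ".join(reasons))
```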