A rather important note that the author glossed over: "and on the latest version of Teamviewer 14 as long as the SecurityPasswordExported key is available."

TLDR: this is a little misleading. The password can NOT be retrieved from the registry and decrypted with this key (at least not on the version I tested against); it can, however, be extracted from the 'TeamViewer_Settings.reg' file that you bundle with the MSI if you're mass deploying TeamViewer with an unattended password.

Copy/paste from my comment on the post in /r/netsec below the TLDR.

- On a machine running TeamViewer v9 or older, the unattended access password can be pulled from the registry and decrypted with the disclosed key.
- For v10+, if you are mass deploying TeamViewer via MSI and you are setting the unattended password using a .reg file bundled with the MSI, then the password stored in that .reg file can also be decrypted with the disclosed key, but the password can not be pulled directly from the registry as long as you're running version 10+.

EDIT: Per commenters over at /r/netsec that did some additional version-specific testing, the issue as described by the researcher only works on version 9 & older.

If you are just checking credentials and don't need to know the password itself, then a hash algorithm should have been used, as those are supposed to be one way. If you are storing credentials to access another resource, then that becomes a hell of a lot more complicated because there is a lot more to protect and lock down. In Windows you do have secure password storage, which I believe can be machine independent, but it defaults to tying the store to the user/machine and is not portable. Reversible encryption means you have keys to protect, or you have to make sure that the user context being used is protected as best as you can. Teamviewer is multiplatform, so I would guess that a design decision was made to handle credential information this way to be platform independent, and a decision was made to store the key in the registry with little to no protection. The issue is rarely the tool but how you are using the tool.

Features pay for software, not security, which tends to make security an afterthought. "Proper" security usually means balancing productivity vs. security, which is not a technical issue but a jellyware decision (i.e. execs deciding what the pain threshold is). I've gotten this from developers and project managers a lot too. At a previous company I worked for this came up a lot. Since it was a medical software company I would tell them: "A practice has a few hundred patients, maybe low thousands. A HIPAA violation is up to $100k per record. How many practices do you know can survive a fine north of 10 million dollars? How about a software shop like us? Your ROI is avoiding those fines and consequences, as we deal with labs dealing with hundreds or thousands of practices." People who see security as having no ROI see all the security in place as cumbersome or as making it very difficult to do their job. Bad security is either placing very little security in place, which makes you vulnerable to compromises, or placing too much security in place, making people do things that compromise security. I don't work in security but have worked with enough of them that I don't envy their jobs nor the crap they deal with.

But it's 2020, security should be a project priority, period. Yes, outsourcing it means that there's nobody from the development side who is going to argue that security should be made a priority. And yet I can pretty much guarantee that anyone posting here can tell horror stories about project managers who don't get it, or who are actively hostile to it. It doesn't matter who is doing the work, decent security should be on the bloody list, and checked like any other critical aspect of a project.

Anyone here can probably tell stories about 'well, we have this regulatory framework, so we're going to blindly follow it in ways that hurt security and users'. Yeah, it's easy to end up with a crap security solution that cripples workflows, and it's easy to decide against security because of fear of crap security that cripples workflows, but again, it's 2020, giving a damn about getting security right should be part of the job of project managers and management chains.
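The first comment's practical point is that the exposure for v10+ deployments sits in the TeamViewer_Settings.reg file shipped alongside the MSI, not in the live registry. The following is an added example, not code from the thread or from TeamViewer: it parses the Windows .reg export format (UTF-16 BOM, `[key]` sections, `"name"=hex:..` values with backslash line continuations) and reports which TeamViewer password-bearing values a bundle contains and how many ciphertext bytes each holds, so the file can be audited before it is shipped. It does not decrypt anything. The sample export is constructed; its hex bytes are placeholders, the key path is assumed, and every value name other than SecurityPasswordExported (the only one the thread mentions) is an assumption about TeamViewer's settings layout.

```python
"""Audit a TeamViewer_Settings.reg export for exported password material.

Added example for this thread; not TeamViewer's code. Parses the .reg export
format and lists password-bearing values so an MSI bundle can be checked
before deployment. Nothing here decrypts the stored values.
"""
import re

# Value names that hold reversibly encrypted password material.
# SecurityPasswordExported is named in the thread; the rest are assumed from
# TeamViewer's settings layout and may differ between versions.
SENSITIVE_VALUES = {
    "SecurityPasswordExported",
    "SecurityPasswordAES",
    "OptionsPasswordAES",
    "ServerPasswordAES",
    "ProxyPasswordAES",
}

# Constructed sample export. The hex bytes are placeholders, not a real
# ciphertext, and the key path is an assumption for illustration.
SAMPLE_REG = """\ufeffWindows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\TeamViewer]
"Version"="14.7.1965"
"Always_Online"=dword:00000001
"SecurityPasswordExported"=hex:0a,1b,2c,3d,4e,5f,60,71,82,93,a4,b5,c6,d7,e8,f9,\\
  11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,00
"Security_PasswordStrength"=dword:00000002
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _join_continuations(text):
    """Merge hex: data lines that end in a backslash with the following line."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def decode_value(data):
    """Decode the right-hand side of a .reg value into (type, python value)."""
    if data.startswith('"'):
        return "REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = _HEX_RE.match(data)
    if m:
        kind = "REG_BINARY" if m.group(1) is None else f"hex({m.group(1)})"
        hexbody = m.group(2).replace(",", "").replace(" ", "")
        return kind, bytes.fromhex(hexbody) if hexbody else b""
    return "UNKNOWN", data


def parse_reg(text):
    """Return (key_path, value_name, type, value) tuples for every named value."""
    text = text.lstrip("\ufeff")  # regedit exports are UTF-16 with a BOM
    current_key, entries = None, []
    for line in _join_continuations(text):
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None:
            continue  # default (@=) values and malformed lines are skipped
        entries.append((current_key, m.group(1), *decode_value(m.group(2))))
    return entries


def find_exported_secrets(text):
    """Describe every TeamViewer password-bearing value present in the export."""
    hits = []
    for key, name, kind, value in parse_reg(text):
        if name in SENSITIVE_VALUES and "TeamViewer" in key:
            hits.append({"key": key, "name": name, "type": kind,
                         "length": len(value) if isinstance(value, bytes) else None})
    return hits


if __name__ == "__main__":
    for hit in find_exported_secrets(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']}: {hit['type']}, {hit['length']} bytes")
```

Run it against a real export with `find_exported_secrets(open(path, encoding="utf-16").read())`; any hit means the bundle carries the unattended password in a form the thread says the disclosed key can decrypt, so it should be removed from the MSI payload rather than shipped.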