How to figure out if someone has been using TeamViewer 8 to access my computer when I was not here?
I came to my computer today and have not been here since monday afternoon. I am using windows 7. There were some error messages showing even on the log in screen about memory violations done by spotify and one more (I can't remember), and I just clicked them away, even though it is not normal on my PC. Sometimes it freezes on the login screen and I have to reboot, but this was different. But I did not take a note of the messages as I just didn't care.
After logging in, I noticed that my Teamviewer client was running (the GUI was showing). I thought this was odd, since I haven't been using it lately. I was a bit curious, so I checked the log. I will not include it here, as I don't know how to read it and I do not know what could identify me. It seems that it was an update leading to this, but I am not sure. Probably, but I don't like the fact that the GUI was showing with my ID and password showing. They could have silently updated it or have given me a message...
So, this leads me to the question: How to figure out if someone has been using TeamViewer 8 to access my computer when I was not here? What to look for in logs and perhaps the Windows 7 event logs? And a bonus Q: Is it safe to have TeamViewer 8 running in the background at all?
If you can pull it off one of the best security things you can do with TeamViewer is under the Advanced options change the "connections to this computer" setting from full access to "confirm all". This will require that someone is sitting at the computer in order for TeamViewer to allow any inbound access. Failing that if you only connect to your computer from one or two remote systems there is a blacklist / whitelist option which you can use to restrict only certain TeamViewer IDs to.
Running Teamviewer isn't very secure: read here
To determine who was logged in - look here:
- C:\Program Files\TeamViewer\VersionX\Connections_incoming.txt
hmm. The first file Connections_incoming.txt is not present at all. Not even when searching for it. The second is there but shows nothing suspicous. Could it be that the file is simply not created, because I have never had an incoming connection (as far as I know)?
Did you ever had an incoming connection? Afaik the file will be created with the first connect. But remember: the file simply can be deleted from "evil" guys...
yeah that was also my though. But I think it unlikely in this case. Thank you for the help :)
@Per-ØivinAndersen You tried looking on `Program Files(x86)` instead of `Program Files`?
yes I have. It is not there but I think it is because I have never had an incoming conn.
Or your intruder erased the file knowing the location of the files. You could install the portable version of recuva and see if there are any deleted files you can recover: http://www.piriform.com/recuva/builds
If the intruder is that smart he would only delete his own entry and not the entire file...
If that article was trying to prove that teamviewer is insecure - it failed. Even the conclusion doesn't say it's insecure - it's basically saying you need a better password. Which I could have told you without 3 pages of technical information about the TV protocol.
@NathanAdams Page 3 - MITM, a stronger password wouldn't help. Go check the papers again.
I read the conclusion - he spends a good 2-3 sentences talking about password length. If it can be hijacked from a MITM the conclusion should just say "susceptible to MITM attacks". Then his last sentence talks about using vectors/strings to as a way to reduce the risk.
I agree with @NathanAdams here. Of the blog analysis: good analysis, strange conclusions. "Given the default weak passcode, and the flaws in Encryption, it’s fairly straightforward to MITM the encryption and brute-force the passcode as it is sent on the wire." Those two have nothing to do with each other. Given TV has a built-in brute-force-detection-with-delay, the MITM is the bigger issue.
What blogger meant by "brute-force the passcode as it is sent on the wire", TV sends a challenge to the client which is then hashed with the passphrase to be tried. With MITM he can easily sniff this hashed passcode. Since it's hashed with MD5 it will take very little time to find a 4-character password (he mistakenly assumes digits). A well-equipped HPC could crack an MD5 hash, containing an 8-character password, in a half hour. But again, the real issue is the MITM.
In teamviewer 10 you can check the following files:
C:\Program Files\TeamViewer\Connections_incoming.txt C:\Program Files\TeamViewer\TeamViewer10_Logfile.log
First one provides details about the incoming connections. Second one provides details of the actions performed