Is the use of remote access software viable?

[WWGD]

TL;DR

Concern about security issues related to programs that allow/provide remote access. Thinking mostly about the likes of RDP and Team Viewer 12

Hi,
The issue of granting/using remote access to a computer came about today re the topic of RDP ( Remote Desk Protocol) and Team Viewer. Obviously some security measures are needed to prevent 3rd party access . Any comments on the level of security needed for a stand alone PC? How about for add ins that provide the remote access but are not the actual RDP?
Edit: I also am considering whether its worthwhile shelling out some extra money for Windows Office ( instead of home) since office includes RDP while home does not. I am considering using it as a client.

 

[jedishrfu]

Many corporations routinely use remote desktop software like RDP or VNC. If proper security protocols are followed it would be difficult to crack them.

As an example, some companies have an airgapped internal network and use remote desktop sw to access external company computers connected to the internet.

 

[MikeeMiracle]

If your not really a techy then Teamviewer may be the easier path to follow. RDP required an inbound connection from the internet and depending on how you configure this at the router's end, you may be unwittingly opening up your home computer to more than you bargained for.

Teamveiwer does not need an inbound connection I believe. It forms an outbound connection to Teamviewer's network and when you connect you do so via Teamviwer's network so you do not need to change anything on your router configuration. Teamviewer when installed properly and not just run in portable mode starts with your computer so you can restart the computer remotely and re-connect to it afterwards.

If your technically minded I would configure a VPN on your home router and VPN into your home network. From there you could just open a regular RDP connection to your home computer, that's the way I do it.

 

[f95toli]

RDP is typically used with a VPN.
We've used TeamViewer when we've had customer owned equipment on-site and needed a way for their engineers to access it; our IT department (which are very security conscious) seemed to be happy with this solution as long as the customer's equipment was connected to our "guest" network,

 

[harborsparrow]

Remote Desktop and VPN. Remote client may need to know IP of PC on remote LAN. Also, the remote user's Windows account must specifically be given permission on that PC for remoting in.

 

[WWGD]

Thank you all. Is Team Viewer as bad as I've heard in terms of security gaps?

 

[MikeeMiracle]

Not heard anything specifically bad with regard to Teamviewer. All programs have undiscovered holes in the programming but as Teamviewer is under constant support and frequently upgraded I see no reason not to use it, many companies do.

 

[WWGD]

Tt

Not heard anything specifically bad with regard to Teamviewer. All programs have undiscovered holes in the programming but as Teamviewer is under constant support and frequently upgraded I see no reason not to use it, many companies do.

Thanks, forgot @f95toli had. endorsed it too.

 

[MikeeMiracle]

I use it on mobile also, have it installed on my Mum's phone and Tablet so I can remote in and sort out any problems.

 

[WWGD]

I use it on mobile also, have it installed on my Mum's phone and Tablet so I can remote in and sort out any problems.

Someone in IT had recommended Google remote as an alternative.

 

[MikeeMiracle]

Even though I use Android I try and avoid Google elseware for privacy reasons, their business model relies on sucking up information about you and using it to feed you adverts. I have no intention of using their services on a PC, I don't even search using Google.com as it tailors results based on what it thinks you want to see.

I use Startpage.com as a browser, they are EU based and keep no data about you or what you search. The plus being they don't index the web themselves, they send the search request off to google so you get back pure unfiltered results. They still have a "filters" section but you can turn off to find all sorts of stuff which Google.com would not show you while still utilising the powerful search facilities of Google's search.

 

[WWGD]

Even though I use Android I try and avoid Google elseware for privacy reasons, their business model relies on sucking up information about you and using it to feed you adverts. I have no intention of using their services on a PC, I don't even search using Google.com as it tailors results based on what it thinks you want to see.

I use Startpage.com as a browser, they are EU based and keep no data about you or what you search. The plus being they don't index the web themselves, they send the search request off to google so you get back pure unfiltered results. They still have a "filters" section but you can turn off to find all sorts of stuff which Google.com would not show you while still utilising the powerful search facilities of Google's search.

Sorry for necropost. Duckduckgo is good too, and does not track you either.

 

[neutrinospin]

Thank you all. Is Team Viewer as bad as I've heard in terms of security gaps?

You are right. For example - https://www.cnn.com/2021/02/10/us/florida-water-poison-cyber/index.html

As for me, I usually use SO Viewer ( https://so-viewer.com/ ) or AnyDesk ( https://anydesk.com ).
But SO Viewer seems to be more secure, I made an investigation, it turns out that it encrypt everything and everywhere on users machine. Also it doesn't provide user to create weak passwords for unattended access, it uses some kind of sophisticated algorithm to generate it's own access passwords.

 

[Tom.G]

But SO Viewer seems to be more secure, I made an investigation, it turns out that it encrypt everything and everywhere on users machine. Also it doesn't provide user to create weak passwords for unattended access, it uses some kind of sophisticated algorithm to generate it's own access passwords.

And when you have a crash are you...?

 

[neutrinospin]

And when you have a crash are you...?

View attachment 299997

Yeah, unfortunately if you want to be secured, sometimes you need to be a bit paranoid.

 

[anorlunda]

Yeah, unfortunately if you want to be secured, sometimes you need to be a bit paranoid.

Tell us what you are trying to protect yourself from? I'll give two choices.

1. The US hates you as much as they hate Edward Snowden. They will unleash the full power of NSA to steal your secrets.
2. Hackers in Russia are looking to steal money by finding 1 million credit card numbers on people's computers.

 

[neutrinospin]

Tell us what you are trying to protect yourself from? I'll give two choices.

1. The US hates you as much as they hate Edward Snowden. They will unleash the full power of NSA to steal your secrets.
2. Hackers in Russia are looking to steal money by finding 1 million credit card numbers on people's computers.

We just stick to our corporate security rules. We have to use highly secured software or have to use nothing. Nobody wants to be in situation like Florida city's water supply was, when they were using TeamViewer. And I bet the hackers (in Florida city's water supply incident) was just script- kiddies without target.

 

[pbuk]

Nobody wants to be in situation like Florida city's water supply was, when they were using TeamViewer. And I bet the hackers (in Florida city's water supply incident) was just script- kiddies without target.

I bet they weren't, and I bet it had nothing to do with TeamViewer either.

All the security breaches I have personal knowledge of were down to some form of phishing or social engineering, or lost or stolen hardware.

 

[anorlunda]

We just stick to our corporate security rules.

OK, but that seems to contradict your earlier statements. Corporate security rules usually give you no choice on what software to use, and they strongly discourage non-cybersecurity staff from conducting security investigations on their own.

As for me, I usually use SO Viewer ( https://so-viewer.com/ ) or AnyDesk ( https://anydesk.com ).

But SO Viewer seems to be more secure, I made an investigation

 

[neutrinospin]

I bet they weren't, and I bet it had nothing to do with TeamViewer either.

All the security breaches I have personal knowledge of were down to some form of phishing or social engineering, or lost or stolen hardware.

I think you are maybe right. But they will not tell us what was really happening there. We can make only theory about that incident.
But I figured it out, many remote desktop software allow user to create simple passwords which every beginner hacker can brute-force via dictionary. It's very bad idea as for me.

 

[neutrinospin]

OK, but that seems to contradict your earlier statements. Corporate security rules usually give you no choice on what software to use, and they strongly discourage non-cybersecurity staff from conducting security investigations on their own.

Yes, that is right. I have direct relation to cybersecurity in my company

 

[WWGD]

But most attacks (75% IIRC) do not elicit a response (meaning legal action) and are dealt with internally. So how can we reliably talk about security of certain programs/resources?

 

[Oldman too]

I bet they weren't, and I bet it had nothing to do with TeamViewer either.

All the security breaches I have personal knowledge of were down to some form of phishing or social engineering, or lost or stolen hardware.

The lesson here seems to be, update and patch, remove outdated programs and don't forget there are plenty of black hats stealing login info and tokens. That is how the solar winds hackers got busted, using a stolen token to register a new device on the attackers network.

Here's a few links on the topic to discuss.
https://itsg.com/cybersecurity/why-cybersecurity-experts-hate-teamviewer/
https://www.cnn.com/2021/02/10/us/florida-water-poison-cyber/index.html
And then there's RDP. (and too many more to mention)
https://www.beyondtrust.com/blog/entry/what-is-rdp-how-do-you-secure-or-replace-it

 

[neutrinospin]

But most attacks (75% IIRC) do not elicit a response (meaning legal action) and are dealt with internally. So how can we reliably talk about security of certain programs/resources?

Exactly! Only we can do here is using the most secure software at current time (it helps to reduce amount of attack vectors) update frequently and always be ready for potential attack.