I turned off your remote access...

[fencepost]

If you're using something like the Splashtop SOS software, does it even leave anything running? I'd leave the client on their desktop and tell them "Unless you start this program is running nobody can access your system, so the simplest way to prevent access is to only run it when you need me to connect. Once you have it running, only the person with the 9-digit key can access your system and you're giving me that key while I'm on the phone with you."

I have to admit that I'm not a big fan of that 9-digit key for remote access, because I don't know what kind of security controls Splashtop has on their servers - can someone try to brute force those keys?

 

[Mike McCall]

I have to admit that I'm not a big fan of that 9-digit key for remote access, because I don't know what kind of security controls Splashtop has on their servers - can someone try to brute force those keys?

I would think that unlikely. Wouldn't they have to know that the software was installed on a particular machine, decide they want into that particular machine, then start such an attack? It seems more likely to me they would be looking for random open ports. Otherwise, wouldn't they have to go after the SplashTop servers themselves? I'm not an expert in this, but it seems it would be harder that just brute forcing a 9-digit code. I mean, ATM pin #'s are only 4.

 

[fencepost]

I would think that unlikely. Wouldn't they have to know that the software was installed on a particular machine, decide they want into that particular machine, then start such an attack?

Not at all. Depending on what Splashtop's protocol is between their client application (on the support side) and their server, all they have to do is start randomly throwing 9-digit numbers at it. If there's a difference in Splashtop's (or any other company's) response that indicates whether that's a valid client connection number, then you log into the client software and actually attempt to use that number for access. This doesn't give them access to a particular person's computer, just to a computer running Splashtop for remote access.

NOTE: I have seen nothing that makes me believe that Splashtop or any other package (except below) has or has had this kind of vulnerability. They've been around long enough that hopefully if they ever did have this weakness it's long-since been addressed. I'm still going to be a bit paranoid with things that could lead to holes in my clients' security.

As an example of how not to do it both on a company and tech side, I tried out Ammyy once for one session. In the couple minutes between when I had the end user run it and my connecting, someone else connected to that brand-new session (protected only by a numeric key). I don't recall now if I was on the phone or just using text messages, but he said "Oh, I see you on there!" and I freaked since I hadn't connected yet. I think it may have been SMS up to that point, then I called him. Either that person got incredibly lucky, or Ammyy was using (roughly) sequential numbers so all you had to do was get a general range and start plugging numbers in. That was before it became so widely known as being widely used by scammers, but it also ensured that I'd never use it no matter how much they cleaned up their act.

Splashtop doesn't (AFAIK) allow that kind of un-logged-in remote access, but without protocol reassurances or experimentation that I don't have the time or inclination to do, simple 9-digit keys don't have a large-enough address space for me to be comfortable with them.

 

[Mike McCall]

Not at all. Depending on what Splashtop's protocol is between their client application (on the support side) and their server, all they have to do is start randomly throwing 9-digit numbers at it. If there's a difference in Splashtop's (or any other company's) response that indicates whether that's a valid client connection number, then you log into the client software and actually attempt to use that number for access. This doesn't give them access to a particular person's computer, just to a computer running Splashtop for remote access.

NOTE: I have seen nothing that makes me believe that Splashtop or any other package (except below) has or has had this kind of vulnerability. They've been around long enough that hopefully if they ever did have this weakness it's long-since been addressed. I'm still going to be a bit paranoid with things that could lead to holes in my clients' security.

As an example of how not to do it both on a company and tech side, I tried out Ammyy once for one session. In the couple minutes between when I had the end user run it and my connecting, someone else connected to that brand-new session (protected only by a numeric key). I don't recall now if I was on the phone or just using text messages, but he said "Oh, I see you on there!" and I freaked since I hadn't connected yet. I think it may have been SMS up to that point, then I called him. Either that person got incredibly lucky, or Ammyy was using (roughly) sequential numbers so all you had to do was get a general range and start plugging numbers in. That was before it became so widely known as being widely used by scammers, but it also ensured that I'd never use it no matter how much they cleaned up their act.

Splashtop doesn't (AFAIK) allow that kind of un-logged-in remote access, but without protocol reassurances or experimentation that I don't have the time or inclination to do, simple 9-digit keys don't have a large-enough address space for me to be comfortable with them.

Gotcha. I had a very similar experience with AMMYY myself. Couldn't get it off the machine fast enough to suit me. I'm not well versed in such particulars, but SplashTop isn't alone in using a digital code for access. I'm not trying to defend them, I just know they're not the only ones to do so.

I would think that at some level anything that provides unattended access would be a security risk. The only way around it would be on-demand access only.

 

[Markverhyden]

I don't know about Splashtop but I can tell you that TV will block access after failed attempts. Seem to remember that after 3-4 you are locked out. Several lockouts and you loose connection for many hours. This is a common practice in many other situations with high security. I know my account at Schwab does that as do several credit cards. Most of those just lock your account until you call in a provide correct answers to the security questions.

 

[Larry Sabo]

I was concerned that AnyDesk (to which I switched from Ammyy) uses a 7-digit Client ID and no password (when used as a portable app). However, the client gets a pop-up window asking to grant permission for the connection and since I'm talking to him/her during the start-up, it's clear it's me that's asking for permission to connect. With unattended sessions, a balloon pops up on the client's screen to say that I'm now connected, so no surprises there either. Overall, I'm really pleased with AnyDesk.

 

[Mike McCall]

I was concerned that AnyDesk (to which I switched from Ammyy) uses a 7-digit Client ID and no password (when used as a portable app). However, the client gets a pop-up window asking to grant permission for the connection and since I'm talking to him/her during the start-up, it's clear it's me that's asking for permission to connect. With unattended sessions, a balloon pops up on the client's screen to say that I'm now connected, so no surprises there either. Overall, I'm really pleased with AnyDesk.

SplashTop and Zoho both have pop ups flagging my arrival. I also notice that when doing the initial EU agent setup I can have SplashTop ask for the username/password for the client machine, a custom security code (8-20 characters), or require my specific permission if another authorized user (presumably my employee) wants access. I can also come back later and change the agent setting if I wish.

 

[TechLady]

Your memory is working correctly! LOL!!! The same can apply to residential as well. Like was mentioned for some it's a major deal to even launch an app. With my Dad, 91, I have to talk him through it every time. Also, remember that some residential customer's schedules may not fit yours. Basically the same thing as with a business customer.

Precisely. Being able to swoop in and help at all hours, without having to spend twenty minutes trying to explain how to initiate a connection, without having to mesh insane schedules...yeah.

 

[callthatgirl]

I don't even know what it's like to have controls like that. For all the almost 9 years this year...I have to give a code to get in. I don't know how I would even begin to work like you guys/gals who have that type of control

Tell her you will charge more for the "other types" that take more time and cost more???

 

[cypress]

Precisely. Being able to swoop in and help at all hours, without having to spend twenty minutes trying to explain how to initiate a connection, without having to mesh insane schedules...yeah.

If their on a Managed Services plan, unattended is a must. If they are a once in a blue moon client, pay as you go! lol.

But spending 20 mins explaining how to initiate connection? Ahh yes been there so many times!

 

[Larry Sabo]

But spending 20 mins explaining how to initiate connection? Ahh yes been there so many times!

My record is an hour--just to get connected. Customer was in her late-80s and located hundreds of KM away, so we had no choice. (She wouldn't trust anyone local to touch her PC.)

 

[CTL]

I have a few clients who are on managed services, but they always close team-viewer on there computer. Then they email me about an issue as there leaving for lunch or for the day. I go to remote in and cant. I think things like that make my stress level go up now....not servers being down!

Sometimes I put gotoassist and\or logmein on computers as backups.

I don't think there is much you can say to them, except that if the software isn't running you cant get in. I mean sometimes there is rare cases that malware messes with remote software and you cant get in. In such cases i remind them that I am charging to come onsite. (Which sometimes isn't bad, gets me out the office and some face time with customer.)

 

[16bwhitt]

What I started doing instead of putting team viewer on all of my clients computers is installing TeamViewer quick support on their desktop. All they do is launch it, and tell me the code and voila!

 

[TechLady]

Wow, I didn't realize how lucky I was with perpetual God mode on...ha ha.

 

[Bigtek1]

Having a few of these same type of customers on a home user MSP Package I have had to deal with this problem. This is how I get around the problem. I am not saying it is all factual or 100 percent correct but it has solved this issue with over 10 clients.

I have them on Splashtop I explain how the security works. How to hack Splashtop they would have to know they are running Splashtop. Splashtop uses TLS and 256-bit AES encryption. To hack your Splashtop they would need to know first that your running Splashtop and then they would have to attack it through Splashtop to gain access.
Now I am sure if there was a code to all of the gold in California on your system someone would take the time to try and hack your system that way. However 99% will not.
So you are more likely to get hacked from the many emails you get from your friends that are on spam list and forward them all to you and you open them to begin a software package download you did not want and now your infected with malware and a Trojan that gives the hack access to your computer.
Like I said it may not be total factual, it many not be even correct. However it gest me past this issue quickly and without a lot of extra explanation because everyone of them have had the infection after their spammer friends sent them a email. It has just worked well for me.

 

[fastremotehelp.com]

"I turned off your remote access because it felt like I was leaving the door access open to hackers."

Customer now has virus they need cleaned off but of course I can't get in. Anyone have any good points to share with people like this in regard to security fears?

I've had this happen to me. The result was a full-price on-site service call to put things right. Lesson learned, dollars earned.

 

[computerspazzz]

I usually place the icon in a designated spot, and rename it so say something like <Company Name Remote Support> and remind them only to run it for my company that way they don't run it for someone random, and also it doesn't say "teamviewer" anymore so they are less likely to find it and run it for others as well. The designated place for the icon make it easy because I can say, Look for <Icon Name> with the blue and white arrow located at to bottom right of the screen. If they don't find it there I'll have them search elsewhere, or on windows have them hit "Start" and type in "team" and usually teamviewer will be the first thing to show up.

On a different note I'm now trying to figure out which remote software to go with since I have moved and am starting my business over (sold my old business and everything that went with it). Any thoughts?

 

[TechLady]

Yup. Splashtop. Now has same features of Logmein and others for about...oh, 10% of the price.

 

[Markverhyden]

Yup. Splashtop. Now has same features of Logmein and others for about...oh, 10% of the price.

Thanks. I've been waiting for that. $100/year for the on demand remote support. Can't be beat.

 

[Mike McCall]

Yup. Splashtop. Now has same features of Logmein and others for about...oh, 10% of the price.

This last update added a chat feature. Definitely worth it.