AnyDesk has announced that, following a security audit, they found their production systems have been compromised. Here’s what this should tell you about why a truly secure remote access solution is an imperative.
The AnyDesk breach: What do we know so far?
According to an incident response by AnyDesk, a security audit found some of the company’s systems have been compromised. The incident is said to not be related to ransomware.
AnyDesk has downplayed the incident, claiming that the situation is under control. However, users have been urged to reset their passwords if the same password is also used elsewhere. The timing of maintenance in the days before the public announcement, together with the late Friday afternoon press release from AnyDesk, would indicate that the breach occurred several days before it was publicly acknowledged.
BleepingComputer has discovered that the attackers stole source code and private code signing keys.
To make things even worse, a recent report from Resecurity suggests that AnyDesk user credentials have made their way onto the Dark Web.
Why should you take the AnyDesk attack seriously?
If you’re an AnyDesk user, you should take this news very seriously. And even if you’re using another remote access solution, this needs to make you challenge its security credentials.
Unfortunately, this is not the first time that something like this has happened. As we said at the time of the GoTo security incident, when security is not the first priority, customers are the ones who end up suffering.
RealVNC: The commitment to security
At RealVNC, security is at the heart of everything we do. We do our best to mitigate such risks, and to keep your data as secure as possible. Here are some of the things we do to make sure that your data never ends up in the wrong hands.
RealVNC's ISO27001 certification: managing data security risks
Our security experts understand the implications of stringent security requirements.
Our ISO27001 certification is our commitment to uphold the highest standards of information security management. When we say that our systems are fortified, we are not speaking lightly. This certification means we engage in continuous risk assessment, employ comprehensive security controls throughout all areas of operations in our company, and ensure that our staff is trained in best practices for information security.
What sets an ISO27001 certified provider apart in today’s digital landscape? It shows that we have a proactive approach to data protection throughout the entire company. We don’t just respond to threats; we anticipate them and prepare for them.
If your remote access provider doesn’t have this certification, question them on it!
RealVNC's fundamental security principles
Our security principles are essential to the service we provide to you. They ensure that your data is as secure as possible, at all times:
- High-trust services – this means that you don’t have to trust RealVNC as a company to trust our software and services.
- Secure data storage – RealVNC doesn’t record your sessions. Your data can’t be decrypted, either. Not now, not ever.
- Secure environment – we treat every connection as if it is made in a hostile environment.
- Connection control – the one ultimately deciding who is able to connect is the owner of the remote computer.
These principles serve as a guideline for everything we do, ensuring the security of your data.
Here’s a quick example of how these principles work in practice. The username/password you use to log into our portal cannot by itself be used to gain access to remote machines.
Each remote machine will have a further, separate set of credentials (usually platform-native authentication, such as Active Directory). You are required to enter these before taking control.
Having at least two sets of credentials required to make a connection does, admittedly, cause slight UI/UX friction. However, it’s something we hold dear, as it means that we don’t ever store the credentials that ultimately give you access to a remote device on our systems. Also, the portal credentials we do store are never stored in plaintext, and are one-way hashed.
The importance of independent security audits
This is another one of RealVNC’s many security initiatives, designed to keep your data secure. An extensive white-box security audit, done by respected Berlin-based firm Cure53, has confirmed RealVNC’s strong security stance.
We’ve urged the industry to confirm its software’s security with more than just words ever since. As we said numerous times, when this doesn’t happen, the end users are the ones paying the price.
Your data - in safe hands with RealVNC
We would also like to take this opportunity to confirm for our users that everything security-related at RealVNC is working as intended. We are unaffected by any data breaches and we can assure you that your data is in safe hands. We will continue to work hard to keep it that way.
This is what RealVNC CEO Adam Greenwood-Byrne had to say:
I’m proud of RealVNC’s unblemished security record, and we continue to invest in systems and services that ensure we remain on the strongest footing. Customers who have been with us for years, including government departments around the world, recognise the value of our security stance just as well as we recognise the trust they place in us as their remote access vendor of choice.
We value those relationships tremendously at RealVNC and our team works tirelessly to ensure our customers have what they need to feel safe. The Internet is a much more dangerous place than it was 20 years ago and we are committed to evolving and adapting accordingly.
Also, if the events of the last few days have made you consider switching to a truly secure remote access solution, get in touch!