Citrix’s GoToMyPC remote desktop access has experienced a hacking attack on their systems, with all users required to reset their passwords before logging in to the service. GoToMyPC published a post on their system status page, with the company stating that they had been hit by a very sophisticated password attack.
The Guru spoke to several IT security experts to get their take on the breach.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB:
“I find it hard to believe that anyone is still using GoToMyPC. It was originally developed by ExpertCity and launched in 1998. Citrix purchased ExpertCity in 2004 and kept the brand name. The application and associated service allows remote access to systems protected by a firewall, effectively opening up holes on the firewall itself. Before the invention of the cloud, central data repositories, and online applications, I guess it had some marginal value, but is it still needed today?
One needs to measure the value of the service, vs. the vulnerabilities and risks associated with using it. Did the hack open up a window of increased risk where systems were being accessed without anyone’s knowledge? It would be wise for users to check their activity logs.
Except for network administrators and engineers, does anyone need to remotely access a personal computer system, especially a work computer from the outside-in? I would find it hard to believe that an auditor would not object to its use in the corporate environment.”
Ed Macnair, CEO, CensorNet:
“The details surrounding the GoToMyPC hack are scarce at the moment, but there’s one thing that’s clear – passwords don’t protect anyone anymore. In fact, all the evidence suggests they now present a significant risk. There are two main failures of the system – too many people re-use passwords across multiple accounts and, despite this being common knowledge, single-factor authentication is still the status quo.
“In this case, it seems these two issues have collided. GoToMyPC’s password database has been stolen, which not only jeopardises its own security but also hundreds of other sites. Cybercriminals can dine out on one big password database breach for a long time and the lack of multi-factor authentication simply makes their job easier. MFA offers a safeguard and means usernames and passwords stop being a risk, and simply become a way to distinguish between users. There will be far fewer sleepless nights for businesses if they stop using a single key to their kingdom and instead add bolts and chains to the door.”
Ivan Maksic, Regional Manager, Western Europe at Infobip:
“GoToMyPC was hit by hackers over the weekend. TeamViewer suffered a similar fate last week, and countless other online services have been targeted this year alone. In almost all instances, hackers have been after users’ passwords and email combinations to access their accounts across the web, relying on the fact that the majority of us recycle the same details over and over again.
“Understandably, many security experts are quick to point out the users’ role in password security, and the dangers of not using a unique password for each online service. But in 2016, there is a better way to go about it.
“Many online services, including GoToMyPC, offer two-factor authentication as an extra layer of security to prevent unwanted access to a user’s account. The problem, however, is that many major services and apps still don’t support 2FA, and therefore represent the missing link in password security across the board.
“GoToMyPC might be the latest in a long line of hacking victims, but it’s also a shining example of why all online services should offer two-factor authentication before they become a target. These days, it’s not only essential to protect users from data breaches that happen on company servers. It’s also necessary to help them mitigate the risks brought about by their own habits and behaviour.
“However, introducing 2FA across the board can come with its own challenges if it’s not rolled out correctly. There’s no doubt that 2FA ticks all the right boxes for a consumer-friendly answer to the security challenges faced by today’s online players. But offering consumers an overly complicated authentication process will not have the desired effect. The extra layer of security simply won’t be used.”
Lisa Baergen, director, NuData Security:
“I sound like a broken record; but here we are again, news of yet another hack attack hits the wire. It’s only been a couple of weeks since TeamViewer user accounts were hijacked, and now GoToMyPC has been hit by a very sophisticated password attack. No matter how long it takes to come out, the bottom line is that organisations have to stop thinking “what IF” and accepting it should be seen as “WHEN” we get hit…
Although usernames and passwords can be changed, as is being asked here by Citrix, victims of a breach need to understand that every bit of information exposed is important and is building out solid packages of identity information on the Dark Web. Fraudsters are creating, selling and buying more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, fraudsters can ultimately do more damage and permeate a lot of these “temporary” point solutions and step-up authentication solutions a lot of organisations are putting up.
For example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple of years ago, it is account takeover and new account fraud that is on the dramatic rise. In our own database of billions of behavioural events annually, we’re seeing generally a 10% month-over-month increase in new account fraud.
Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and know and trust it is not the hacker using all of our identity information online. User behaviour analytics can provide victims of this, and other breaches, with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the IDENTITY of the user behind the device.”
David Gibson, VP of strategy and market development, Varonis:
“The GoToMyPC attack illustrates that data breaches should be considered a real and inevitable possibility – even for the most secure environments. Organisations need to get the basics right when it comes to securing their most valuable data, and disposing of information that is no longer necessary to the business. In this GoToMyPC attack, good corporate citizenship and a fast response enabled everyone to remain relatively safe – as long as everyone remembers to change their passwords. Folks are probably used to that by now, but they may not be following best practices for password hygiene.
For example, ‘dadada’! Even Mark Zuckerberg had a reminder earlier this month that you shouldn’t use the same password on multiple sites. From what we know, hackers worked from a list of cracked accounts that came from a 2012 breach at LinkedIn, and then reportedly got into his Twitter, Instagram and Pinterest accounts utilising the same password.
People are bad at coming up with their own passwords. We’re all guilty! For convenience, we make them obvious or short or both, and use them more than once. Hackers are good and getting better all the time at breaking them, either through brute-force guessing or dictionary-style attacks if the hackers have access to the password hash.
The ‘correct horse battery staple’ method is a memory trick where each letter of the password represents a word in a story. You can read more about that here.”