
GoToMyPC has been hacked, all customer passwords reset - stephengillie
http://status.gotomypc.com/incidents/s2k8h1xhzn4k
======
magoon
This is not a good suggestion on their part, and has long been proven
ineffective:

    Substitute numbers for letters that look similar (for example,
    substitute “0” for “o” or “3” for “E”).

~~~
hackuser
> This is not a good suggestion on their part, and has long been proven
> ineffective:

Agreed; that is bad advice.

I tell people: If you think of a trick then the attackers, who have expertise
and think about these issues all the time, have thought of it long ago and
have written it into their password-cracking software. That applies to visual
substitutions (such as GoToMyPC recommended), phonetic substitutions (e.g.,
AmeriKa), patterns on your keyboard, etc.

In a more technical sense, that applies to tricks that can be defeated with an
algorithm and affordable computing resources.

~~~
sandworm101
But if the trick you are using results in sufficient entropy, it shouldn't
matter that the enemy has thought of it too. I'm still a fan of linking common
words together as this results in easily-memorized passwords with very high
entropy. "Catrunningfishhostagelaptop" is a good password these days. It is
easily remembered but also difficult to brute force even if you know the trick
by which it was constructed.

(And yes, by putting it out there I realize it is now a bad password.)

~~~
voltagex_
Couldn't I write a bruteforcer that instead of 5 * letters, tried 5 *
dictionary words and get your password easily?

~~~
zo1
The way to compute the amount of possible brute-force combinations:

For a normal 5 letter (alpha-numeric only) password:

36 factorial, which is (36 * 36 * 36 * 36 * 36) = 60 million possible
combinations.

However, for a 5-word password, the calculation is as follows:

Assuming the number of possible words in the English language is 1.025109
million, then:

1,025,109 factorial, which is (1,025,109 * 1,025,109 * 1,025,109 * 1,025,109 *
1,025,109) = _A really big number_.

So, granted, the amount of possible words is much smaller than that. But the
attacker can't know that for sure. To put the number above in scale, just 69
factorial is equivalent to 1.711224524 * 10^98.

~~~
hackuser
I agree with your general point, but I have just a couple of mathematical
points:

> For a normal 5 letter (alpha-numeric only) password:
> 36

With the "normal" recommendation of numbers, uppercase and lowercase letters,
and punctuation, it's up around 100.

> factorial

The calculation is X^Y, where X is the number of possibilities per element,
and Y is the number of elements (letters or words in these examples). So using
only lowercase letters (26) in an 8 character password would be 26^8.
It's not factorial because you can reuse characters (e.g., your password could
be X92m-sXp/)

> the amount of possible words is much smaller than that. But the attacker
> can't know that for sure

They will search the more likely words first. I read someplace that 10,000
words covers most people's vocabulary. That's still 100 times better than
numbers + uppercase + lowercase + punctuation.

~~~
zo1
> The calculation is X^Y, where X is the number of possibilities per
> element, and Y is the number of elements (letters or words in these examples).
> So using only lowercase letters (26) in an 8 character password would be
> 26^8. It's not factorial because you can reuse characters (e.g., your
> password could be X92m-sXp/)

You're absolutely right, not sure why I got ahead of myself with using
factorial so incorrectly.

~~~
umanwizard
You were probably thinking about the fact that picking, in order, 5 elements
taken from a set of 1000 elements yields (1000 factorial) / (995 factorial)
possible combinations.
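The arithmetic in the zo1 / hackuser / umanwizard exchange above, as an added example that is not code from the thread: the with-replacement count X^Y that hackuser gives, the ordered no-repeat count n!/(n-k)! that umanwizard describes, and the bits of entropy each implies. The alphabet sizes are the ones quoted in the thread (36, 26, about 100, 10,000 words, 1,025,109 words); the guess rate is a constructed placeholder used only for scale, and the comparison also shows that a per-element advantage compounds with length.

```python
import math

# Added example for the keyspace discussion in the thread; not code from it.
# GUESSES_PER_SECOND is a constructed placeholder used only to give a sense
# of scale, not a measurement of any real cracking rig.
GUESSES_PER_SECOND = 1e10


def keyspace_with_replacement(choices_per_element: int, length: int) -> int:
    """Ordered choice where elements may repeat: X ** Y (hackuser's formula)."""
    return choices_per_element ** length


def keyspace_without_replacement(pool_size: int, length: int) -> int:
    """Ordered choice where each element is used at most once: n! / (n - k)!
    (umanwizard's case), computed as n * (n-1) * ... * (n-k+1) so the
    huge factorials never have to be materialised."""
    result = 1
    for i in range(length):
        result *= pool_size - i
    return result


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy of one element chosen uniformly from the keyspace."""
    return math.log2(keyspace)


def advantage(choices_a: int, choices_b: int, length: int) -> float:
    """How many times larger scheme A's keyspace is than scheme B's at equal
    length: a per-element factor of (a / b) compounds to (a / b) ** length."""
    return keyspace_with_replacement(choices_a, length) / keyspace_with_replacement(choices_b, length)


def compare_schemes(guesses_per_second: float = GUESSES_PER_SECOND) -> dict:
    """Keyspace, entropy and time to try every candidate for the schemes
    named in the thread (alphabet sizes as quoted there)."""
    schemes = {
        "5 chars, 36-symbol alphabet": (36, 5),
        "8 lowercase letters": (26, 8),
        "8 chars, 100-symbol alphabet": (100, 8),
        "5 words, 10,000-word vocabulary": (10_000, 5),
        "5 words, 1,025,109-word list": (1_025_109, 5),
    }
    report = {}
    for name, (choices, length) in schemes.items():
        ks = keyspace_with_replacement(choices, length)
        report[name] = {
            "keyspace": ks,
            "bits": round(entropy_bits(ks), 1),
            "years_to_exhaust": ks / guesses_per_second / (365.25 * 24 * 3600),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:34s} {row['keyspace']:>40,d} {row['bits']:6.1f} bits "
              f"{row['years_to_exhaust']:.3g} years at {GUESSES_PER_SECOND:.0e}/s")
    print("ordered pick of 5 from 1000 without repeats:",
          keyspace_without_replacement(1000, 5))
```

The no-repeat count is always at most the with-replacement count for the same inputs, which is why the factorial form looked too generous in the thread: a password can reuse symbols, so X^Y is the right bound.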

------
Hondor
It's sad that this is a service instead of just free software. Did that never
evolve to be user friendly enough? Do ISPs not let you run your own web server
anymore? Maybe it's because of changing IP addresses and domain names? The
cost of this service seems to be slightly more than the cost of maintaining
your own domain name.

~~~
swiley
I run my own web server with a residential ISP and they don't seem to mind.
But in places like an office or with really crappy ISPs you just don't have a
public IP. I've searched for services that just let you forward out a few
ports over SSH but these don't seem to exist. Right now, to get to my laptop I
have a raspberry pi "jump box" that sits on the book shelf and my laptop
connects to it over SSH and forwards out port 80 and 22 so I can get to it
from pretty much any network.

~~~
ams6110
Is it still the case that for most ISPs the uplink is much slower than the
downlink speed? That was one reason running anything other than limited-use
servers from your home wasn't feasible.

~~~
gkop
With the advent of streaming TV and movies, for many of us now the _reverse_
is true.

~~~
chc
How do streaming movies make your uplink faster than your downlink?

~~~
gkop
Other subscribers in the cell consume more downlink than uplink, in a steep
ratio.

------
nikolay
Lame excuses ("a very sophisticated password attack") with no details so that
we can estimate the risk.

~~~
jrockway
What risk is there to estimate? Assume that the attackers have the clear text
of your password, and know that it's your password.

~~~
frozenport
What you're saying is more drastic than what they wrote here. If you used the
same password somewhere else, then you're going to have to change all those
passwords.

~~~
jrockway
Of course you do. That's why you don't reuse passwords.

Why would you trust your other accounts to their internal investigation + PR
interpretation anyway?

~~~
frozenport
Because I'm human and can't maintain 30+ passwords?

~~~
tripzilch
> Because I'm human and can't maintain 30+ passwords?

The original question was about GoToMyPC providing more details so someone
could "estimate the risk".

If you're already reusing passwords, that becomes rather easy: Your risk is
dominated by the fact that you reuse passwords across services. No amount of
details from GoToMyPC is going to affect that very much--whether you even used
their service or not.

Seriously, just start using a password manager. It's not that much effort,
even just for the peace of mind that you're finally setting passwords with the
desired strength that you already know is necessary, but couldn't afford to
maintain / memorize.

The hardest part for me was trying to decide which one to use :) I settled on
KeePassX, because it's free and open source, has an Android app, doesn't store
your stuff on their servers (just one encrypted database-file you can safely
keep synced between devices via whatever method/cloud storage you prefer).
I've been keeping an eye on the pros and cons between various password
manager options, and as far as I've seen the biggest downside to KeePassX was
that one security researcher didn't like the user interface (it's fine, IMO)
whereas the others either keep your stuff on a server somewhere, are not open
source, or both.

------
wsr
As these hacks are becoming more common place, I'd love to hear fellow HN
reader's take on their password strategy/management. Many thanks in advance!

~~~
edent
A unique password, 2FA, AND a unique email address.

I use [https://lastpass.com/](https://lastpass.com/) for generating passwords.
$12/year and works on Linux & Android. Would prefer open source, but nothing
else comes close. I tend to generate 32 char passwords with a mix of upper,
lower, number, and special. Only a few websites insist on shorter passwords -
or have character restrictions.

For 2FA I use either SMS or Authy
[https://www.authy.com/](https://www.authy.com/) Take a look at
[https://www.turnon2fa.com/](https://www.turnon2fa.com/) to see which sites
support 2FA.

It _does_ make logging in to some frequently used sites a bit of a pain
(looking at you PayPal!) but I think it is worth it.

On to unique email addresses. I do this for two reasons.

1. Allows me to easily see where an email has come from & filter if
necessary. I can tell if your company has leaked / lost / sold my address.

2. If I have reused a password, a database leak doesn't compromise other
sites. An attacker doesn't know the login details for LinkedIn based on my
GoToMyPC email.

I tend to use something like lnkdn@ mydomain / gtmypc@ ... / twttr@ ... - but
if your mail provider lets you use a catch-all, it can be anything you like.

One word of warning - it _really_ confuses people when you give the email over
the phone! I usually say "I'm creating a unique email address for you so that
the message doesn't go into spam. Ok? _sound of me hitting random keys_ It's
yourcompany@ ...."

~~~
0xmohit
> I use [https://lastpass.com/](https://lastpass.com/) for generating
> passwords. ... Would prefer open source, but nothing else comes close.

On a linux/unix system, one could use /dev/urandom:

    # keep only letters, digits and punctuation from the random byte stream,
    # and stop after 16 characters
    tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c 16

would generate a 16 character long _password_.

One could even put the following function in $HOME/.bash_profile or such

    # genpw [N]: print N random characters (default 16), then a newline
    genpw() {
      tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c "${1:-16}"
      echo
    }

Now invoking it by saying _genpw_ would generate a pseudorandom string of 16
characters length. You could specify the length by passing a parameter to it,
e.g. _genpw 8_.
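The same generator idea as the genpw() function above, as an added example that is not code from the thread: Python's `secrets` module draws from the OS CSPRNG (the same source as /dev/urandom) and `secrets.choice` picks each symbol uniformly, so there is no modulo bias; the tr/head pipeline is unbiased for the same reason, since it rejects bytes outside the set rather than mapping them. The 94-symbol ALPHABET matches tr's [:alnum:][:punct:] set in the C locale, and WORDLIST is a constructed stand-in for a real word list, used for the "link common words together" scheme from earlier in the thread. The composition check at the end is for sites that insist on a character mix: regenerate until the rule holds, which keeps the survivors uniform over the passwords that satisfy it.

```python
import secrets
import string

# Added example; not code from the thread. ALPHABET is the 94 printable
# ASCII symbols other than space; WORDLIST is a constructed stand-in.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

WORDLIST = [
    "cat", "running", "fish", "hostage", "laptop",
    "orbit", "velvet", "cinder", "harbor", "quartz",
]

ALL_CLASSES = frozenset({"upper", "lower", "digit", "punct"})


def gen_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random string of `length` symbols, each chosen uniformly from `alphabet`."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def gen_passphrase(words=WORDLIST, count: int = 5, sep: str = "-") -> str:
    """Random passphrase of `count` words drawn with replacement from `words`."""
    if count < 1 or not words:
        raise ValueError("need a positive count and a non-empty word list")
    return sep.join(secrets.choice(words) for _ in range(count))


def character_classes(password: str) -> set:
    """Which of upper / lower / digit / punct the password contains."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def gen_password_with_classes(length: int = 16, required=ALL_CLASSES,
                              alphabet: str = ALPHABET, attempts: int = 1000) -> str:
    """Regenerate until every required class is present (rejection sampling),
    for sites whose policy demands a mix of character classes."""
    for _ in range(attempts):
        pw = gen_password(length, alphabet)
        if required <= character_classes(pw):
            return pw
    raise RuntimeError("could not satisfy the composition rule")


if __name__ == "__main__":
    print("password  :", gen_password(16))
    print("passphrase:", gen_passphrase(WORDLIST, 5))
    print("with mix  :", gen_password_with_classes(16))
```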

~~~
EasyTiger_
Are you implying this comes close to the convenience of LastPass?

~~~
0xmohit
Sorry, haven't used LastPass myself. But as far as generating a random
password goes, this would be pretty effective.

------
rmdoss
They don't really say it has been hacked, just that being a target of an
advanced password attack.

It might mean attackers are using password lists from previous leaks
(linkedin), so they decided to force a pass reset to everyone. Or maybe they
got hacked. Who knows, not very clear.

~~~
yborg
As has been proven many times before, "very sophisticated", "advanced",
"highly complex" etc. actually generally means "our staff was humiliatingly
negligent" in some regard. i.e. they were spearphished and the attacker pulled
a password database from their internal network. It seems very odd that they
resorted to resetting all passwords instead of just affected or potentially
affected accounts as Github did recently.

~~~
throwaway_g2p
Well, since it's a botnet that is trying to log in with lots of different
passwords and lots of different accounts, it's fairly obvious what the attack
vector is. That's also why it's safer to force a password reset than to just
continue to reset passwords after they get compromised.

------
thechut
It doesn't sound like they have been hacked directly. This looks like the same
thing as TeamViewer, where hackers are using password lists from other
breaches to attempt to compromise the high-value remote desktop targets.

------
wepple
There are two things that are rapidly becoming negligent not to offer:

- 2FA (mobile, yubikey, duo)

- basic monitoring and notification when login patterns change

These are both relatively simple and effective. You needn't _force_ 2FA, but
please offer it.

A password I shared across a couple of test accounts for various services was
compromised when one of the sites storing cleartext passwords was popped.

A Microsoft account was the winner of the day - they notified me that a login
from $home followed by a login from Brazil looked suspicious, and they were
correct. This is basic and often effective.
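The "login from home followed by a login from Brazil" check described above, as an added example that is not code from the thread or from any vendor: an impossible-travel detector that walks a user's logins in time order and flags any pair whose implied speed exceeds what a traveller could manage. The log lines, coordinates and the 900 km/h threshold (a rough airliner speed) are all constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Added example; not code from the thread. Threshold and log are constructed.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed sample log: ISO timestamp, user, latitude, longitude, label.
SAMPLE_LOG = """\
2016-06-19T08:00:00+00:00 alice 47.61 -122.33 home
2016-06-19T09:00:00+00:00 alice 47.61 -122.33 home
2016-06-19T10:30:00+00:00 alice -23.55 -46.63 brazil
2016-06-19T08:00:00+00:00 bob 40.71 -74.01 newyork
2016-06-19T12:00:00+00:00 bob 42.36 -71.06 boston
"""


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    label: str


def parse_log(text: str) -> list:
    """Parse the whitespace-separated sample format into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, lat, lon, label = line.split()
        logins.append(Login(user, datetime.fromisoformat(ts), float(lat), float(lon), label))
    return logins


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Flag each login whose implied speed from the same user's previous login
    exceeds max_kmh. Returns (user, from_label, to_label, km, km_per_hour)."""
    alerts = []
    last = {}
    for login in sorted(logins, key=lambda entry: entry.when):
        prev = last.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.when - prev.when).total_seconds() / 3600.0
            if hours > 0:
                kmh = km / hours
            else:
                # two logins in the same second from different places: no
                # finite speed explains that, so treat it as infinite
                kmh = math.inf if km > 0 else 0.0
            if kmh > max_kmh:
                alerts.append((login.user, prev.label, login.label, round(km), kmh))
        last[login.user] = login
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

In production the coordinates would come from a GeoIP lookup on the source address, and the alert would feed the notification the comment describes rather than a print; the check itself stays this simple.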

------
robogrowth
Why do people keep recommending these incredibly insecure passwords...
replacing vowels with numbers will do little...

Ugh

~~~
0xmohit
Such recommendations leave little to imagination when they say:

    ... service has been targeted by a very sophisticated password attack

------
tmpanon1234act
The best part about running a cybersecurity company: lots of easy, free
marketing. It's a really good time to be in the industry. It is unfortunate
that people are trusting companies to protect their information and it ends up
being really hard to do properly. Every able-bodied security engineer really
should get in the game since there's money to be made as well as good to be
done.

~~~
nojvek
In a way I'm glad they got hacked. They'll learn the lesson by losing
customers and $$$$. I'm guessing there was someone who said they should invest
in security but management decided to save money.

------
kichuku
What worries me is that this product is owned by Citrix.

Our company uses other products by Citrix extensively like GoToMeeting, Citrix
applications etc. And if those products get compromised, then it will be a
huge enterprise level financial loss.

~~~
danellis
I used to work on the security team at Citrix. It's a very competent team that
does proactive security auditing, threat modeling, pen testing and developer
training as well as response.

However, the "Go To" products (until a year or two ago) were part of Citrix
Online, which operated independently of the rest of Citrix.

So I don't see this as a reflection of the security of Citrix's core products.

------
cm3
Aren't these remote access solutions primarily on demand and therefore coupled
to a one-time password generated each time it's started? Isn't Chrome's remote
access otp only? Maybe it's time to ask friends/family to use that instead.

I mean, if I want permanent remote access, then I'd set up a reasonably secure
VPN solution that also required client side certificates, without the use of a
trusted intermediary/proxy.

Interactive access to remote servers seems also to get less important with
push/pull of configuration/deployment recipes and immutable deployment.

~~~
csydas
Yes and no.

Teamviewer, for example, has a few use-scenarios, one of which is the
unattended access, which is what appeared to be compromised. Essentially there
was an always-on agent process running on the target machine that you could
access with a Teamviewer account you set up; said account could manage any
number of PCs that had always-on unattended access.

Teamviewer also has a "Quick Support" option, in which the application spawns
a computer ID number and a theoretically one-time use password. The complexity
of the password could be set within the application. Their QuickSupport tool,
meant for a one-off support session, generates a unique session ID (in the
past they had a static computer ID and a semi-unique password generated per
client) which can be given to a support rep with the full version of
Teamviewer to access.

I have not yet followed up on the Teamviewer issue so I cannot say exactly
what was compromised there, though last I remember Teamviewer was insistent
their service had not been compromised, but that the unauthorized access was
the result of reused passwords.

GoToMyPC appears to be the former, an agent you install with the intent of
unattended access on a whim. While server access is certainly one use
scenario, access to non-server PCs for whatever reason is also a major part of
these. Barring a breach of the software accounts or incompetently designed
security for the remote access tools, it's probably okay for most people.
Unfortunately, it seems like a breach is exactly what happened here with
GoToMyPC, though as has been noted in the discussion already, the details are
extremely sparse.

~~~
cm3
re Teamviewer: [http://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging/](http://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging/)

It's our responsibility to not configure hard to secure and easy to exploit
remote access on friend/family computers but use on demand solutions instead.

If you need always-on remote access, then it's a requirement to secure it
properly, and I will argue there's no need for always-on remote access on
friend/family machines. Those aren't usually online anyway, so there's no
hurdle to know beforehand and exchange the access token.

That said, I don't understand why anyone would trust an intermediary with
access to their computer. Do they have a contract in place to expect a certain
level of support and security? If not, there's no explanation I can think of.

------
tim333
The headline seems a bit inaccurate. It looks like someone is trying to hack
their customer accounts rather than GoToMyPC itself.

------
nojvek
I'm so glad I dropped GoToMyPC and went with RDP gateway. Their customer
service is subpar. I tried reporting bugs and no one ever got back to me. I
contacted them on Twitter and email. Chirps! One day I'd had enough and
completely cancelled the service. There are better alternatives out there.

------
vt240
I wonder if this is the same group which targeted the other remote desktop
service a few weeks ago?

------
fareesh
How user friendly is guacamole? Anyone have any experience setting it up for
non techies?

~~~
csydas
While I have not set it up personally, it seems if you were to get it up and
running for them and have a relatively easy to remember domain, it shouldn't
be too hard.

However, not having used it for a prolonged period, I don't know what the time
investment for maintenance will be.

------
riobard
If you do it right, you don't need to reset all customers' passwords.

------
smegel
Of all the things to be hacked...

~~~
camoby
Just wait until IFTTT gets hacked. That has to be a huge target. Think of all
the other services and physical devices on the network they'd potentially have
the keys/access to.

Future Ouch.

------
bx_
Amen

------
graycat
Gee, we have to wonder if some good anomaly detection

[https://news.ycombinator.com/item?id=11880593](https://news.ycombinator.com/item?id=11880593)

would have detected that intrusion?

