
Hackers ransack Citrix, make off with 6TB+ of emails, biz docs, secrets - cow9
https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/
======
salimmadjd
The evidence that points to Iran comes from a company named Resecurity. But
there are some odd things about this company.

1 - their CEO has no real LinkedIn history [1]

2 - their revenue and employment went off the chart in just 2 quarters [2]

3 - very unclear how they came to this assessment. Especially now that the US
government is looking for excuses (real or fabricated) to make a case for war
with Iran, I look at this evidence with some skepticism.

Am I being over-cynical here?

1 - [https://www.linkedin.com/in/charles-yoo-365201165/](https://www.linkedin.com/in/charles-yoo-365201165/)

2 - [https://www.zoominfo.com/c/resecurity-inc/353866377](https://www.zoominfo.com/c/resecurity-inc/353866377)

edit - formatting.

~~~
keyme
I don't have a LinkedIn page, or any other social media for that matter. Does
that make me a non-trustworthy person now? This is horrible. (I don't disagree
with your other points).

~~~
rakoo
Are you the CEO of a company that works in computer security, where fame is
probably more important than in other fields?

~~~
deathhand
Fame does not equal trust. While there may not be any security through
obscurity, it is a barrier. As for being a trusted CEO, at a certain point it's
about who you know and who knows you. Do you think the NSA employees all have
social media profiles?

~~~
raesene9
Fame doesn't equal trust, but if someone with no public background starts
claiming to have been in the NSA/MI6/FSB/whatever, why would you believe them?

------
ehnto
Compromise feels almost inevitable. Perhaps the idea that we can keep data
protected and accessible at the same time using complex software is folly?
Systems get more and more complex, security measures layer on top, patching
over holes as they are found. But we are never in front of the cat and mouse
game by necessity, only ever behind. So it must be that compromise is
inevitable.

I wouldn't put personal data I am not willing to lose online or on an intranet
at all anymore. No amount of money and engineering seems to be able to keep
up, and companies prove over and over that they are negligent, naive, or
simply a few steps too far behind.

~~~
appleiigs
> I wouldn't put personal data I am not willing to lose online or on an
> intranet at all anymore

Anymore? Not trusting the internet used to be the default.

~~~
qrbLPHiKpiux
I was at Barnes and Noble yesterday and on an end cap I saw an "internet password
log book" for $5.98.

A few years ago, I scoffed at it, poking fun at it.

Now, it's not a bad idea.

------
Nasrudith
Brute forcing weak passwords? Someone is doing something horribly wrong here
on several levels. At the very least anything online of any importance should
have rate limits if not locking for repeated password attempts. For servers
themselves allowing password logins is inexcusably bad.

It is considered a bit overzealous by most, but I believe that passwords should
have been done away with a long time ago in favor of cryptographic keypair
logins - we have already found that the "2FA" used in practice, like emails and
cellphone text messages, is not an adequate replacement. I'm aware there are
other problems with storing your keys and loss, but I believe that is a better
approach for anything that needs security. I wish I could get my bank accounts
to use key based logins.
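
The rate limit and lockout the comment above asks for, as an added example that is not part of the thread or of any Citrix product: a sliding-window counter of failed logins per account that locks the account after too many failures, run over a constructed stream of login attempts. The account names, passwords and thresholds are all made up for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # sliding window in which failures are counted
MAX_FAILURES = 5       # failures inside the window that trigger a lockout
LOCKOUT_SECONDS = 900  # how long the account stays locked after that

class LoginRateLimiter:
    """Per-account failed-login limiter with temporary lockout."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                     # drop failures older than the window

    def allowed(self, account, now):
        """True if an attempt for `account` may be evaluated at time `now`."""
        until = self.locked_until.get(account)
        if until is not None:
            if now < until:
                return False                # still locked: reject before checking the password
            del self.locked_until[account]  # lock expired
        return True

    def record_failure(self, account, now):
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account].clear()

    def record_success(self, account):
        self.failures.pop(account, None)    # a good login resets the counter

# Constructed credentials; a real system verifies a password hash instead.
CREDENTIALS = {"alice": "correct horse", "bob": "tr0ub4dor"}

# Constructed attempts: (seconds since start, account, password supplied).
SAMPLE_ATTEMPTS = [
    (0, "bob", "password"), (10, "bob", "123456"), (20, "bob", "letmein"),
    (30, "bob", "qwerty"), (40, "bob", "welcome1"),   # fifth failure locks bob
    (50, "bob", "tr0ub4dor"),                         # right password, but locked
    (60, "alice", "correct horse"),                   # other accounts unaffected
    (1000, "bob", "tr0ub4dor"),                       # lock expired at t=940
]

def simulate(attempts, credentials):
    """Return one of 'ok', 'fail' or 'locked' per attempt, in order."""
    limiter, outcomes = LoginRateLimiter(), []
    for now, account, password in attempts:
        if not limiter.allowed(account, now):
            outcomes.append("locked")
            continue
        if credentials.get(account) == password:
            limiter.record_success(account)
            outcomes.append("ok")
        else:
            limiter.record_failure(account, now)
            outcomes.append("fail")
    return outcomes
```

A per-account lock alone lets anyone lock a user out by supplying wrong passwords, so production systems pair it with per-source limits and alerting on the failure volume.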

~~~
aboutruby
Same tactic as what's used on Twitter accounts.

And same as I said previously: If the bad actors can brute force weak
passwords, the company itself should be able to do it too and force those with
weak passwords to update them.

~~~
citrixshady
Interestingly enough, Citrix ShareFile forced password resets for everyone in
January.

------
jarym
“Resecurity also said it warned Citrix on December 28...” And then: “Citrix,
meanwhile, said it took action – launching an internal probe and securing its
networks – after hearing from the FBI earlier this week.”

Putting aside the fact this security company seems to have never been heard of
before, Citrix appears to have buried their heads in the sand until the Feds
came knocking.

If it’s true that the company was tipped off in December then the ‘I know
nothing’ defence is truly shocking.

------
chx
Citrix... mention that to any Hungarian programmer roughly my age and you will
likely receive a long string of swearing, because the incredibly buggy central
system necessary to sign up for courses and exams was only accessible via the
Citrix ICA client, and back in the second half of the 90s that, in itself, was
a huge source of problems, beyond the server app not being particularly high
quality, especially on Linux, which was rather important because at that time
practically all sane IT students were running Linux to access the Internet
(remember, we are talking pre-Windows 2000).

~~~
acdha
The amazing part to me is that it still sucks: it’s 2019 and random hangs
requiring a full session restart are still a daily occurrence, and I recently
measured keystroke latency at 130+ms over a LAN. That’s much worse than using
X11 over SSH ever was.

~~~
taurath
It’s been pretty much a law of software for me that once an app is primarily
business to business and gets traction in the Fortune 500, expect the
functionality to stay exactly the same or become worse over the next 10 years.

------
gesman
>> Earlier today, Citrix chief information security officer Stan Black gave
his company's side of the story. He said that, as of right now, Citrix does
not know exactly which documents the hackers obtained nor how they got in...

Ouch. The winner of "The worst position to be in today".

~~~
citrixshady
And, IMO, they've known about it since January, when they abruptly forced
password resets on every ShareFile user. I use ShareFile for secure delivery
of documents containing DOB, SSN, AGI, ...

No notice from Citrix ShareFile to its customers about a breach yet, though.
Thanks.

------
sbhn
A country under certain sanctions, especially in regards to encryption, is
easy to middle-man. Iranian computers are probably the easiest to hack and
plant evidence on if they depend on US operating systems and network
suppliers.

------
drilldrive
At this point, it is (or should be) absolutely clear that password security is
a top priority for everyone nowadays. The only solution that I have heard of
is password managers, but what if such companies are hacked like this one? I
am curious if we will eventually recommend randomly generating passwords per
website and keeping them under lock and key (physically, such as in a safe).

------
w-ll
haveibeenpwned could/should make a browser extension that tells you if the site
you're on has been pwned.

~~~
ComodoHacker
HIBP isn't about pwned sites. It's about leaked credentials. The source of
leaked data on HIBP isn't verifiable in most cases.

~~~
fastball
Nope.

[https://haveibeenpwned.com/PwnedWebsites](https://haveibeenpwned.com/PwnedWebsites)

~~~
ComodoHacker
OK, so there's a Yahoo! breach from 2012. Should I not visit Yahoo now?

Also please note the '?' marks for unverified sources.

~~~
Dahoon
Do you have a better solution than not using a service? Not using it is like
voting with your wallet. So yes, I would say stay away from yahoo. Where do we
draw a line otherwise? It is the same boat as "I don't like Facebook
collecting data on me but I'll still use their service".

~~~
ComodoHacker
Yes, it's in the same boat, we (almost) all do it with Google.

I don't know where to draw a line, but I don't think a single data breach,
even a minor one, should mean a death sentence for a business. Maybe some sort
of audit/certification should be mandatory after a breach.

~~~
fastball
I think the idea is more about informing users than it is about trying to drum
up a boycott that results in a "death sentence".

For example, with regards to search engines, what if I go on Google and it
tells me "hey, Google has had 3 data breaches that have affected users like
you". And then I go on DuckDuckGo and it says "DDG has never had a data
breach". Not everyone will switch from Google to DDG, but some people will,
and I don't think that's a bad thing.

~~~
ComodoHacker
We can't inform users how a particular breach affected a particular user
(based on the fact of breach alone). Anything else is just FUD. It's like
saying life in California is dangerous because there were deadly hurricanes
there in the past that took lives.

We can't completely control hacker attacks. We should treat them more like
software bugs or service outages. It just happens, we should focus on
minimizing potential damage and proper response.

~~~
fastball
> It's like saying life in California is dangerous because there were deadly
> hurricanes there in the past that took lives.

I'm not sure this is the analogy you are looking for. If you are concerned
with how a hurricane might impact your livelihood, it's generally a much
better idea to live in Colorado than on the coast of California.

Except unlike hurricanes, we absolutely can prevent hacks that leak a lot of
user information.

------
spappal
I would be interested in knowing how cyber warfare and cyber espionage are
viewed from a perspective of diplomacy or power play between nations (or
corporations). Does anyone know of interesting articles?

~~~
joveian
It has been a while since I read it but the first thing that came to mind is
this talk by Dan Geer (who is closely connected to US intelligence agencies):

[http://geer.tinho.net/geer.blackhat.6viii14.txt](http://geer.tinho.net/geer.blackhat.6viii14.txt)

------
citrixshady
Citrix sent all of our clients an email saying their passwords were
invalidated and everyone needed to set a new one (with stricter requirements)
in January....

We use ShareFile as a client portal for secure document delivery.

Shady.

------
komali2
It says they had to find out from the FBI. At least theoretically, how does
the FBI find out? (unless someone knows the actuality and is willing to share?
Didn't see anything in the article)

~~~
citrixshady
Not so sure about that.

I use ShareFile for secure document delivery and they forced a password reset
with stricter requirements in January, the month after the first breach, and
two months before the FBI notification.

No notice of breached documents to its customers yet.

~~~
detaro
Almost as if they didn't force the reset because of the breach, but because of
the reason they gave back then?

------
waterside81
Potentially stupid question but in instances of hacks, how do companies know
for sure what was and wasn't taken?

~~~
ASalazarMX
They don't, they just try their best to reconstruct the attack with whatever
"footprints" the perpetrators left, along with any independent logging they
might have in place. It's a little nightmare because it's rare to give
absolute certainty.

------
cow9
Shares of Citrix are down after the report of the hack:

[https://www.cnbc.com/2019/03/08/citrix-tumbles-on-report-of-...](https://www.cnbc.com/2019/03/08/citrix-tumbles-on-report-of-unauthorized-access-fbi-investigation.html)

~~~
freehunter
But still higher than they were Dec 24th 2018. Actually higher than they were
at any point prior to April 2018. Because the market knows that major security
breaches that will have long-lasting impact on the victims involved will
ultimately have no impact on the company that was breached.

------
sidcool
I am not very well informed. How serious is this?

~~~
tcd
About as serious as Equifax.

~~~
sidcool
That's quite serious.

------
therealx
Where's the dump?

------
eddywebs
Fake news?

------
hestefisk
“Threat actors”. What’s wrong with the word “perpetrator” or simply
“criminal”?

~~~
xyzzy123
“Threat actor” is super vague but more specific than the words you proposed.

[https://en.m.wikipedia.org/wiki/Threat_actor](https://en.m.wikipedia.org/wiki/Threat_actor)

I agree the jargon isn’t great, I’ve seen “attacker” and “malicious user” used
in pentest reports and neither of those seems quite right either.

~~~
doitLP
Also, they aren’t technically criminals if the attackers are state-sponsored
and conducting an act of war. “Threat-actor” seems exactly like the type of
legalese a government relies on when crafting the story around its own
retaliation or justification for future aggression. I think it’s just entered
the lexicon when talking about these types of incidents.

~~~
buttcoinslol
I agree, there are no criminals at the nation-state level, only other actors.

