1 - their CEO has no real linkedIn history 
2 - they revenue and employment went off the chart just in 2 quarters 
3 - very unclear how they came to this assessment. Especially now that US government is looking for excuses (real or fabricated) to make a case for war with Iran, I look at these evidence with some skepticism.
Am I being over-cynical here?
1 - https://www.linkedin.com/in/charles-yoo-365201165/
2 - https://www.zoominfo.com/c/resecurity-inc/353866377
edit - formating.
Looks like a fish, smells like a fish
Admin IP address: 184.108.40.206, AS196740, Ukraine
Really piling on the confidence here.
Citrix Data Breach – Next is what to do next
"resecurity" kiev ukraine from newsbeezer.com
19 hours ago · KIEV, UKRAINE – 2019/01/ 20: Citrix Systems software ... According to Security Company Resecurity, the attacks were ...
Here's the article's top image sub-text:
Citrix was hit by hackers in attacks that may have exposed large amounts of customer data. KIEV, UKRAINE – 2019/01/20: Citrix Systems software Company logo displayed on a smartphone. (Photo by Igor Golovniov / SOPA Images / LightRocket on Getty Images) Getty
The image is hosted by Forbes:
Why newsbreezer has an article dated an hour earlier in a Google search than the Forbes article which is hosting the image on both sites, and why it's coincidentally sub-texted with KIEV, UKRAINE, I can't explain...
Regardless, it would be irresponsible to trust their attribution claim, especially when no evidence has been presented.
Why The Citrix Breach Matters -- And What To Do Next
"resecurity" kiev ukraine from www.forbes.com
18 hours ago · KIEV, UKRAINE - 2019/01/20: Citrix Systems Software company logo seen ... According to security firm Resecurity, the attacks were perpetrated by ...
Which seems to belong to a russian guy:
Must be a russian speaking Iranian ;-)
This is either an insider joke or a jump back to 2004.
That is a page that I doubt the author would have wanted to be public, and is not linked to from the home page or its descendants. Wasn't that the case against weev?
(IMO, if it is public, it should be legal to post to it, but whatever.)
As you can see, the link is gone now.
Throw it into Google's reverse image search and you'll find the graphic if was cut out of:
The point is that using PRNewswire or Businesswire is hardly “suspicious,” because most businesses that do press releases use one or the other.
The Golden Bridge trophies seem to be available to buy if you've won.
I mean, I don't like tipping. I think it's horrible in many aspects, not the least of which how it taps directly into racial and gender prejudices monetarily (black waiters make less in tips regardless of service level). That said, I tip. I would rather not be known as the guy that doesn't tip (and wages assume tips as of now, so it's a bit unfair to the service people). I'm still free to tip or not, and others are free to judge or misjudge me for it if I do.
Zero evidence, but most Americans didn’t know any personally but knew they had oil money to buy/sell investments.
The articles are summaries of what the government and the companies discovered. Read the indictment linked in the last article or the reports from the companies for details.
Fundamentally though the news requires belief. It is there for the 'capitalist flock' who have a world where the government, democracy as we know it and the laws we have define the world.
With normal religion the real things that happen with celestial bodies get interpreted in some narrative that has to do with some carpenter's son who died a long time ago. A whole new world of god is created which is an abstraction of physical realities. Rather than 'primitive sun worshipping' there is this new religion to believe in, the religion accounts for everything in its own special way.
If you could teleport 500 years into the future and learned about TV news and how people believed it then you would wonder how people disbelieved facts they observed with their own eyes and what they knew to be true by the calling of their own heart and their own sense of reason.
Therefore, at least as a thought experiment, see the news and the nasty things said about people outside capitalist countries as 'religion'. It all becomes clearer then.
But the idea that general IT security companies have a reduced chance of hiring someone based on their information being on social media is... not the case.
Unlikely that they are a front to a US operation. But very likely that it's a start-up that leverages the currently toxic climate in order to get themselves in the news. Making half baked attribution claims is a perfect way to do so. One might even say that not doing so would be leaving money on the table.
I have some contact with cybersec in Europe and it is very common that cybersec professionals in gov and mil positions do not have any social media accounts under their own name, and certainly not linkedin. Social media makes you too much of a target and reveals too much about your org. When promoted to a public-facing position the person then suddenly "appears" from nowhere and the media profile has as little information as possible. Real professionals use those accounts only from designated computers, and if you are high ranking enough (head of...) in fact never use them at all, but rather have someone else using them for you. All in the name of keeping your own actions and locations away from the curious.
It's effectively malware though at least they display it up-front, which is more than can be said for most.
Generous interpretation - they're brand new (first Tweet 2/13/2019, first blog 2/19/2019).
Would love to know if those logos & awards are legit (quick search of the awards makes some look like pay to win).
One answer is: Sponsor the Cybersecurity Excellence Awards
There's a voting scheme, but the FAQ does state: The popular vote will only be considered if two or more nomination are tied for an award
At some point, Occam's razor will favor that this company is having its strings pulled by some larger entity that doesn't want to be revealed.
Too many times we are led into disaster and tragedy by secrets.
which was apparently uploaded last month...
But there were many more. So please don't spread unsubstantiated falsehoods and doubt.
They do confirm that chemical weapons were used. Who used them, is not determined, and even the reports themselves state that the provenance of the chemicals is out of scope of the FFM.
It states that Sarin and chlorine-based weapons were used - but the FFM was not able to visit the site directly and relied on samples collected by third parties and provided to the FFM for the purposes of their investigation. The only conclusion is: chemical weapons were used.
It does not, in any way, state that the Syrian government were responsible for the attack.
Indeed, the Syrian government themselves requested this mission proceed to determine the use of these chemical weapons - why would they do that if they knew they'd used the chemical weapons?
>But there were many more. So please don't spread unsubstantiated falsehoods and doubt.
If you have further evidence that supports the claim that the Syrian government used these weapons, please provide it. Thus far, you have failed to apply your own demand for evidence.
They can be used to make a conclusion. We don't need the mandate, and we can think for ourselves, no? In both cases the munitions were reportedly dropped from the air. Once from the airplane, and second time from helicopters.
Rebel groups don't have airplanes or heliopters, so Khan-Sheikoun attack was most likely made by the Assad regime. Douma can be speculated about somewhat more, but dropping the chlorine containers from the air was not excluded, and was quite likely, based on previous documented droppings of chlorine canisters from helicopters, that used the same mounting technology.
It was also not unprecedentend, dropping chlorine canisters from helicoters by Assad regime was docummneted previously on multiple occasions. The same canisters, and mounting technology for dropping from helicopters. The same goes for Sarin use. (look up other Sarin uses OPCW investigated)
I mean what's so surprising about this? Assad regime has been procuring chemical weapons for decades. They do it just for fun? It's a very expensive hobby.
> Indeed, the Syrian government themselves requested this mission proceed to determine the use of these chemical weapons - why would they do that if they knew they'd used the chemical weapons?
How would I know.
You can obviously kill people and request an inestigation at the same time. There's nothing that prevents that.
It's pointless to speculate on motives. But hey: Because they don't care? Because nothing's gonna happen anyway? Because they were scared of non-cooperation? Because Russia wanted them to? Because it's good optics in the war propaganda - it seems like they have nothing to hide? Calculated risk? (noone's gonna invade them for chlorine use, and they would have had to know that Sarin was not used in Douma, so why not?)
Even if Sarin would have been used, most likely nothing would have happened to them, like many times before. There were several other recent Sarin uses that went unpunished. US is not there for a regime change, and Assad has an upper hand, except for Idlib, and SDF areas. Chemicals are a great weapon for terrorizing civilian population. So why not use them after calculating some risks?
Just look at some WWI documentaries. People/leaders can get completely crazy under a war situation, and justify pretty much anything - even sacrificing almost 30000 soldiers in one day in pointless attacks. It's pointless to speculate on motives now.
I mean, yes, USA foreing policy is a mess. But we should still be bothered by facts.
Socialists and Shiites were obviously occasionally funded and armed by the USA, and I even alluded to this - Saddam was a socialist, and the new government of Iraq was a Shiite government. However, that doesn’t negate what I said - read it carefully. Far more mainstream sources than me have pointed this out:
The right Audience for such message that can digest are minority.
I would say, don't count on having any kind of support from such places (HN, reddit, facebook, twitter, Quora etc). US has the media and already online media too.
Keep pushing <3
It's just too easy to do this.
I wouldn't put personal data I am not willing to lose online or on an intranet at all anymore. No amount of money and engineering seems to be able to keep up, and companies prove over and over that they are negligent, naive, or simply a few steps too far behind.
Anymore? Not trusting the internet used to be the default.
A few years ago, I soughed at it, poking fun at it.
Now, it's not a bad idea.
Perhaps we should be using formal proof systems? Perhaps we should just admit that computers are bad at holding secrets, and instead make everything on a computer public.
In the old days, we used to have big books where you’d get crossed off after you were identified. This naturally takes a lot of time, so today we print a little bar code on the piece of paper that we mail every adult citizen at every election. This means that we can scan you instead of manually crossing you off in a book.
We still have queues at prime time, but they are 10-15 minutes instead of two hours.
The actual voting is done with paper, so that there is a paper trail.
This is the only thing that makes sense. Especially when you look at the business side of things. We reduce the hassle for citizens (our customers of sorts) and we maintain security. Sure we could provide results faster if we counted votes digitally, and you could frankly also provide a paper trail if the machine printed you vote, but does speed of counting really matter? Financially digital vote counting would be insanely more expensive, because public IT systems are insanely expensive and paying staff a little extra to count votes isn’t.
I mean, the registration system is really expensive as well, but at least it benefits the citizens, so that is a reasonable sacrifice to us. But digital voting? That’s as you put it, insane.
It’s not a democratic process if you don’t have the physical votes and a system which makes sure they aren’t tampered with.
We are due for a new election before july, so I will probably just save the queue and vote by mail, if I elect to vote at all.
Although my local polling booth didn't have a bbq going which was kind of disappointing.
Have Ballots with a unique identifier. People come to a polling station, get a ballot, fill in their vote.
The ballot goes through a scanner to tally the vote, and then goes into a standard vote bin.
At the end of voting, you cross-check a random sample (both ways) and check the total number of votes matches between the scanner and bin.
If all goes well, scanner results get electronically combined. If the sampling shows an error, count by hand.
One extra addition. Your ballot is filled out by a separate printer. This ensures proper readability at the scanner, and allows placing the unique ID after someone gave you the ballot (to keep your vote secret). Any tampering with non-unique IDs is detectable by the random sampling.
The ID here is meant to identify a ballot, not a voter. It should probably be something like a UUID. The aim of this system is to allow cross-checking between the scanner and the physical ballots.
I got that, but you can still kind of prove it. Your know your ID + your-vote. This is likely the only valid ID+vote combination you can know before results are counted. That's when I'd "ask" you and late verify it.
If you want to verify the machine is working, just put the ballot in the standard bin and add those IDs in the counting phase. That seems fine in principle and make it easy to check the tech is working as intended. You'd end up with having list of all individual votes available, maybe even to the public. I'd be worried about people throwing statistical algorithms at that. You better also find a near perfect method to randomize order...
That'd probably work. You'd need to somehow ensure the scanner that ads the IDs doesn't double IDs
That's a great question. The answer depends a little bit on how many issues are on the ballot, and a hell of a lot more on whether you're asking the media, or those with a direct stake in the outcome, or those voters. Your system is optimized to serving voters.
I came across an interesting slide deck one time that had various examples of social engineering used in corporate settings to acquire data online and in person. A clever individual can get their hands on just about anything if they try.
I kinda wonder. How do you do that in our modern age? Is the computer you store the data on connected to the internet? If the answer is yes, your data can be accessed. If the answer is no, is that computer on the same network as any other device you use to connect to the internet? If the answer is yes, your data can be accessed. If the answer is no, you might be secure, but then I have a question, who the hell are you that you run a disconnected, private network just to store some personal data?
It is considered a bit overzealous by most but I believe that passwords should have been done away with a long time ago in favor of cryptographic keypair logins - we have already found the "2FA" in practice like emails and cellphone text messages not an adequate replacement. I'm aware there are other problems with storing your keys and loss but I believe that is a better approach for anything that needs security. I wish I could get my bank accounts to use key based logins.
> Why were you hacked
> Weak passwords
> What are you going to do about it
> We've forced all systems and employees to regenerate passwords and service keys
Now lets try this again without an honest answer
> How were you hacked
> No idea
> What are you going to do? Are you still vulnerable?
> No idea. We'll have to do an extensive audit. No one knows how long this will take. There's not even an inventory of systems or data flow
> Could they have installed backdoors
And same as I said previously: If the bad actors can brute force weak passwords, the company itself should be able to do it too and force those with weak passwords to update them.
I think businesses with critical infrastructure should use hardware keys (e.g. yubikeys) to provide at least one of the factors needed to log in to a server. Using a yubikey as an authentication key for ssh is not that difficult and I do it for my own hobby stuff.
For web based stuff one can now use webauthn to provide key based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up to date browser however.
Why is this so hard?!? I agree with you, but this sentence rang so true it was sad. I've been forced to work with/around unbelievably out-of-date browsers in order to install current firmware updates on systems at almost every place I've worked.
Depressingly often, these things are installed as part of a box ticking exercise to pass an audit or meet another form of compliance. however they never get set up right from the outset or the security professionals who were there leave and never get replaced.
In this case, if they’re talking about infrastructure available on the public internet with password only authentication then I’d wager any skilled professionals they may or may not have had, had already left. Because no security minded engineer would have okayed that practice. Which means even if they did have an IDS, I’m highly doubtful that would have been managed properly either.
We aren't getting the whole story from Citrix.
Putting aside the fact this security company seems to have never been heard of before; Citrix’s appears to have buried their heads in the sand until the Feds came knocking.
If it’s true that the company was tipped off in December then the ‘I know nothing’ defence is truly shocking.
Ouch. The winner of "The worst position to be in today".
No notice from Citrix ShareFile to its customers about a breach yet, though. Thanks.
Also please note the '?' marks for unverified sources.
I don't know where to draw a line, but I don't think a single data breach, even minor one, should mean a death sentence to business. Maybe some sort of audit/certification should be mandatory after breach.
For example, with regards to search engines, what if I go on Google and it tells me "hey, Google has had 3 data breaches that have effected users like you". And then I go on DuckDuckGo and it says "DDG has never had a data breach". Not everyone will switch from Google to DDG, but some people will, and I don't think that's a bad thing.
We can't completely control hacker attacks. We should treat them more like software bugs or service outages. It just happens, we should focus on minimizing potential damage and proper response.
I'm not sure this is the analogy you are looking for. If you are concerned with how a hurricane might impact your livelihood, it's generally a much better idea to live in Colorado than on the coast of California.
Except unlike hurricanes, we absolutely can prevent hacks that leak a lot of user information.
First you said the latter, now you're saying the former.
Own up to your mistakes.
But I didn't say HIBP doesn't have these data. My point is these data isn't enough to give recommendations or warnings to site visitors.
We use ShareFile as a client portal for secure document delivery.
I use ShareFile for secure document delivery and they forced a password reset with stricter requirements in January, the month after the first breach, and two months before the FBI notification.
No notice of breached documents to its customers yet.
Gotta have deniability for the NSA. Given that it's a military agency, with ~no overt domestic role.
If this impacted their software development, it could include source for current and older but still in use products, which could potentially be analyzed looking for potential exploits. It may include internal bug trackers that may include information on unpatched exploits or on exploits quietly patched only as part of updates and so potentially still in the wild. Heck, it may include some of their internal product security testing information and whatever might be in that.
An awful lot of large companies and healthcare systems now have Citrix portals available to the world rather than having annoying-to-manage-and-support VPN connections - are there undisclosed vulnerabilities in any of those?
Even going outside the technical side, if there's sensitive HR information they may have materials that can be leveraged for blackmail purposes to attempt to maintain long-term access.
And all of that is just talking about the Citrix remote access piece that I still think of when I hear the name. There's also XenApp/XenDesktop for virtualization, the ShareFile sharing site that others have mentioned, their endpoint management product, etc. There might even be holdover stuff - what would a copy of out-of-date source code to GoToMyPC be worth?
A lot will depend on the ability of whoever got it to capitalize on it, but assuming this was indeed a nation expect that they'll be able to spend at least some resources.
That seems uncalled for. Are Indian blogs (as opposed to non-Indian blogs) known for this kind of thing?
Now it could be that this is just purely because because there's more Indian blogs, making the percentage of spam blogs higher, or because there's three or four people spamming their useless blogs everywhere, but I do hesitate to click blogs with the .in TLD these days.
Probably just a few assets ruining for the whole group, but in my circle Indian blogs do tend to have a bad rep.
I agree the jargon isn’t great, I’ve seen “attacker” and “malicious user” used in pentest reports and neither of those seems quite right either.
"Threat actor" is actually more specific; it refers to someone behaving in a threatening manner without regard to their legal status or jurisdiction.