Hacker News new | past | comments | ask | show | jobs | submit login
Hackers ransack Citrix, make off with 6TB+ of emails, biz docs, secrets (theregister.co.uk)
530 points by cow9 11 days ago | hide | past | web | favorite | 196 comments





The evidence that points to Iran comes from a company named, Resecurity. But there are some odd stuff about this company.

1 - their CEO has no real linkedIn history [1]

2 - they revenue and employment went off the chart just in 2 quarters [2]

3 - very unclear how they came to this assessment. Especially now that US government is looking for excuses (real or fabricated) to make a case for war with Iran, I look at these evidence with some skepticism.

Am I being over-cynical here?

1 - https://www.linkedin.com/in/charles-yoo-365201165/

2 - https://www.zoominfo.com/c/resecurity-inc/353866377

edit - formating.


1 Resecurity's wordpress site has directory listing turned on. Most content on the website seems to have been uploaded in february. 2 The services that does the press releases looks suspicious. 3 The second service also looks suspicious 4 Golden Bridge Silver and Gold Award winners... Anyone heard of this? Seems they sell thophies

[1] https://resecurity.com/wp-content/uploads/ [2] https://www.prnewswire.com/news-releases/resecurity-names-ia... [3] https://www.businesswire.com/news/home/20190226005414/en/Res... [4] https://goldenbridgeawards.com/store/

Looks like a fish, smells like a fish



“Resecurity Inc., California-Based cybersecurity company”

timezone_string: Europe/Kiev

Admin IP address: 109.207.124.196, AS196740, Ukraine

Really piling on the confidence here.


This one's before the Forbes article:

Citrix Data Breach – Next is what to do next newsbeezer.com "resecurity" kiev ukraine from newsbeezer.com 19 hours ago · KIEV, UKRAINE – 2019/01/ 20: Citrix Systems software ... According to Security Company Resecurity, the attacks were ...

https://newsbeezer.com/zimbabwe/citrix-data-breach-next-is-w...

Here's the article's top image sub-text:

Citrix was hit by hackers in attacks that may have exposed large amounts of customer data. KIEV, UKRAINE – 2019/01/20: Citrix Systems software Company logo displayed on a smartphone. (Photo by Igor Golovniov / SOPA Images / LightRocket on Getty Images) Getty

The image is hosted by Forbes: https://thumbor.forbes.com/thumbor/600x315/https%3A%2F%2Fspe...

Why newsbreezer has an article dated an hour earlier in a Google search than the Forbes article which is hosting the image on both sites, and why it's coincidentally sub-texted with KIEV, UKRAINE, I can't explain...


Way too sloppy for a false flag operation. Probably just some shady company trying to make a buck.

Regardless, it would be irresponsible to trust their attribution claim, especially when no evidence has been presented.


I just did a search for `"resecurity" kiev ukraine` on Google and got some strange results showing news articles from well-known sites stating KIEV, UKRAINE in context with the article's top pic... I'm not sure how to explain that:

Why The Citrix Breach Matters -- And What To Do Next Forbes "resecurity" kiev ukraine from www.forbes.com 18 hours ago · KIEV, UKRAINE - 2019/01/20: Citrix Systems Software company logo seen ... According to security firm Resecurity, the attacks were perpetrated by ...

https://www.google.com/amp/s/www.forbes.com/sites/kateoflahe...

https://www.forbes.com/sites/kateoflahertyuk/2019/03/10/citr...


Nice find. It contains the e-mail address mr.archee@gmail.com

Which seems to belong to a russian guy: https://support.webasyst.ru/forum/4011/filtr-v-vide-select/

Must be a russian speaking Iranian ;-)


Unsecured directory listing of a common php cms that shows uploads, and one of them them is a full DB dump made with phpmyadmin. The only thing missing is execution rights in that directory.

This is either an insider joke or a jump back to 2004.


this is "wordpress-normal" - the funny/sad part is its the wordpress blog of a security company investigating a huge breach...

Unless this is actually not a security company investigating a huge breach.

I've never seen directory listing turned on as a normal part of WP install.

Well, its better to get some wordpress hacked, than it is to have a server onprem get pwned and used as a inadvertent bastion to your internal network.

phpmyadmin is apprx. the only thing i remember about making a website.

Nice. According to the wp_users table there are 3 users, all nearly exactly 1 year old (2018-03-03, 2018-03-05, 2018-03-17).What are the chances that's a coincidence?

Is there any risk you take by posting that?

That is a page that I doubt the author would have wanted to be public, and is not linked to from the home page or its descendants. Wasn't that the case against weev?

(IMO, if it is public, it should be legal to post to it, but whatever.)


Interesting question. Technically, it is public. The user didn’t break anything or use any nefarious techniques. The web server is configured to list directories which in concert with file permissions makes it public. Not sure how/if this might be analogous to “just because a door isn’t locked doesn’t mean you can go in”.

feels like there isnt even a door . . "just because its in my front yard doesnt mean youre allowed to walk in front of my house and look at it sitting there."

This argument is not much different than what the grandparent is referring to. weev was convicted of conspiracy to access a computer without authorization because he advised a guy who discovered a publicly available HTTP API hosted by AT&T that returned email addresses based on guessable ids. The conviction was overturned, but on procedural grounds, not legal ones.

Directory listing wasn't on on the AT&T server.

He accessed “public” URLs that he inferred the existence of but wasn’t supposed to access. So I guess if you can start at the homepage of this site and find a link to a directory, you’re OK.

It was linked from https://resecurity.com/wp-content/uploads/, which is a common and public URL, and anything uploaded there is intended to be public. Of course, whoever uploaded it either wasn't aware or didn't think it through--maybe they thought nobody would ever visit that page.

As you can see, the link is gone now.


This url is now showing a 404.


They took it down. What did it say?

It was an SQL dump of their entire database: https://archive.is/https://resecurity.com/wp-content/uploads...

They also seem to have stolen a number of graphics on their website. If you check their filenames, they have the default filename of when you take a screenshot on OSX. Then take this one for example:

https://resecurity.com/wp-content/uploads/2019/03/Screen-Sho...

Throw it into Google's reverse image search and you'll find the graphic if was cut out of:

https://www.incimages.com/uploaded_files/image/970x450/Finan...


Thanks for finding that. This image from their directory listing (maybe on their site somewhere but I couldn't find it) shows me at least something about their offering - looks like another dark web breach alerting service.

https://resecurity.com/wp-content/uploads/2019/02/slide-3.pn...


FYI, PRNewswire is one of the oldest, respected, and expensive newswire services around. Businesswire is also very well established. Not sure how those seem “suspicious”.

Not sure if that was meant to be sarcastic. They have a pretty clear history of accepting garbage for money. https://www.seroundtable.com/google-panda-pr-newswire-change...

PRNewswire is used by the vast majority of the Fortune 1000, including for releases that are required for SEC compliance. They are probably the oldest and most widely used of all the newswire services.

The point is that using PRNewswire or Businesswire is hardly “suspicious,” because most businesses that do press releases use one or the other.


What's suspicious about PR Newswire / Business Wire? They're the industry standard wire tools in Public Relations.

The Golden Bridge trophies seem to be available to buy if you've won.


I don’t know specifically about Golden Bridge but I have been on the receiving end of other trophy clearinghouses: we were notified we had won a whatever of the year award without even applying for it and that we could purchase the actual trophy for a very reasonable price. Basically these companies’ business is selling overpriced crystal trinkets.

As have I, it's a fairly common racket. However, rights to a trophy / rights to use the logo etc are also sold by perfectly legitimate awards too.

Only fake awards sell trophies. they give the award to everything and make money in trophy sales. See also SuperDoctors, Who's Who, and pay to publish journals with no peer reviews.

It’s absolutely reasonable to be critical of any accusations that “Iran did it” or any other nation that the US considers enemies. Didn’t our security ministers claim North Korea was behind the Sony hacks when Obama was in office? We were never given any proof, so it’s impossible to verify... When you consider the way we lie on international affairs, all statements our government makes must be considered suspect. This is not unique to the US by the way, so treat your own state similarly.

there is one small nuisance here - if we start to treat all governments equally skeptic, we should also "fry live" all large corporations too.

How did we come to this imbalance?

[flagged]


Truly free people are free to keep all the secrets they want.

The only reason to keep secrets is if they aren't free. Otherwise the secret protects nothing. Freedom is broad and self contradictory. Complete freedom for more than one person is impossible.

That's not true. There are any number of subgroups that view certain behavior with distaste that other subgroups do not. Just because there is social and cultural pressure to do or not do things doesn't mean you are unfree. You are just as free to observe the behaviors or not as other people are to judge you by them.

I mean, I don't like tipping. I think it's horrible in many aspects, not the least of which how it taps directly into racial and gender prejudices monetarily (black waiters make less in tips regardless of service level). That said, I tip. I would rather not be known as the guy that doesn't tip (and wages assume tips as of now, so it's a bit unfair to the service people). I'm still free to tip or not, and others are free to judge or misjudge me for it if I do.


.. and they will forever be ruled by them, so: not free.

<sarcasm>Yes. US government should publish it's nuclear launch codes on whitehouse.gov </sarcasm>

Conflating nuclear launch code secrets with war crime secrets: this is the problem with Americans today.

In the sense that free people would still be free if all their secrets are exposed? I can get behind that train of thought.

If you allow your government to keep its own secrets, it will use that right to rule you.

In Liar’s Poker, the author said Wall Street would always blame the Arabs for any unpredicted movement in the finance markets.

Zero evidence, but most Americans didn’t know any personally but knew they had oil money to buy/sell investments.


[flagged]


None of the articles you linked offered any proof but rather just accusations mostly more accusations from American companies too I may add. “While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following: Then it goes into some vague details about how it happened proving nothing. So again we have to take their word this is the truth. Perhaps it is but show us the hard truth. De-classify the documents that show the links. Again it is all “believe us we can link it to North Korea”.

You simply gave a summary of the first article's summary and then falsely claimed there were no details.

The articles are summaries of what the government and the companies discovered. Read the indictment linked in the last article or the reports from the companies for details.


I think it is best to take a wholesale view that the news as we know it is a religion. That sounds a bit odd given that a lot that is in the news is fact oriented and a lot of current affairs is discussed. But in a formal church there is mention and prayers for those caught up in actual events.

Fundamentally though the news requires belief. It is there for the 'capitalist flock' who have a world where the government, democracy as we know it and the laws we have define the world.

With normal religion the real things that happen with celestial bodies get interpreted in some narrative that has to do with some carpenter's son who died a long time ago. A whole new world of god is created which is an abstraction of physical realities. Rather than 'primitive sun worshipping' there is this new religion to believe in, the religion accounts for everything in its own special way.

If you could teleport 500 years into the future and learned about TV news and how people believed it then you would wonder how people disbelieved facts they observed with their own eyes and what they knew to be true by the calling of their own heart and their own sense of reason.

Therefore, at least as a thought experiment, see the news and the nasty things said about people outside capitalist countries as 'religion'. It all becomes clearer then.


I'm not really sure how this is so controversial. Even formal mathematical systems contain axioms. And science is largely based on faith in other people's truthfully reported observations. And news is founded on faith in a whole bunch more different things, and there is sectarian tension between the congregation s of, let's say, Fox and NPR. Even the qualia of physical existence can be considered as a matter of faith , but typically it's only practical for philosophers to worry about that. But, it is practical for everyone to consider the matter of faith in news, given human history.

One could also describe it simply as a tautology. It comes with its own simplified, illusory cause/effect chain and line of reasoning based off of itself, without necessitating the same "feeling" or "spiritual" sensibilities as most religions or cult movements.

I don't have a LinkedIn page, or any other social media for this matter. Does that make me a non-trusrworthy person now? This is horrible. (I don't disagree with your other points).

Are you the CEO of a company that works in computer security, where fame is probably more important than in other fields?

To be fair, conceptually the concept of a CEO of a security company with no social media presence at all is not surprising, speaking from my experience with people in this field.

Interesting, I have little idea how the field really works. I guess there must still be some kind of internet presence, maybe not through a typical social network ?

This is often overlooked. If your kid wants to work in security it will be hard to get a job if his/her info and history can be found on social media.

No it won't, that's a really odd take. Perhaps if you want a job in very specific sub-section of cyber-espionage stuff, you might have a problem with existing on social media (although I doubt it)

But the idea that general IT security companies have a reduced chance of hiring someone based on their information being on social media is... not the case.


Nope, sorry, this isn't accurate at all.

That's a very odd thing to say. There are so many security professionals in the world with LinkedIn profiles.

This is not true.

Fame does not equal trust. While there may not be any security through obsecurity it is a barrier. As for being a trusted CEO at a certain point its about who you know and who knows you. Do you think the NSA employees all have social media profiles?

Fame doesn't equal trust, but trust over time does create recognition (perhaps fame is a bit too strong). My claim is that if no one can vouch for you, how can I trust you?

Fame doesn't equal trust, but if someone with no public background starts claiming to have been in the NSA/MI6/FSB/whatever, why would you believe them?

the point is that there is a LinkedIn page. But all employees are directors or VP's - not a single engineer that works at Rsecurity.

Unlikely that they are a front to a US operation. But very likely that it's a start-up that leverages the currently toxic climate in order to get themselves in the news. Making half baked attribution claims is a perfect way to do so. One might even say that not doing so would be leaving money on the table.


According to 2 companies I interviewed with: Yes. I was pissed because if they didn't trust my resume, why even interview me and waste my time.

You dodged two bullets. Consider yourself lucky.

TLDR; in some jobs, you can't have social media accounts.

I have some contact with cybersec in Europe and it is very common that cybersec professionals in gov and mil positions do not have any social media accounts under their own name, and certainly not linkedin. Social media makes you too much of a target and reveals too much about your org. When promoted to a public-facing position the person then suddenly "appears" from nowhere and the media profile has as little information as possible. Real professionals use those accounts only from designated computers, and if you are high ranking enough (head of...) in fact never use them at all, but rather have someone else using them for you. All in the name of keeping your own actions and locations away from the curious.


Does the entire org appear out of nowhere? No. MI5, CIA, Stasi, etc have been quite public about their existence.

Knowing the organization exists and knowing that someone specifically works the organization are two different things. In fact, this is the defining characteristic of any secret organization (governmental or otherwise: CIA, Stasi, KKK (in the 50s)...) that wants to project power: we exist, we are everywhere but you don’t know who we are.

+1, I also recently deleted my LinkedIn profile. Taking LinkedIn profile as a sign of authenticity is indeed horrible.

Yes, basically. For example, I've used LinkedIn to double check whether I should trust that an online watch buyer is a real person.

I also dont have a LinkedIn page, quite amusing that people find that a problem

Wtf is this "zoominfo" site that, upon clicking "Read More", tries to drive-by download an exe onto my computer? What is this, 2002?

Wow, I read the EULA-thing for that executable.

> I Agree to the Terms of Service and Privacy Policy I understand that I will receive a subscription to Zoominfo Community Edition at no charge in exchange for downloading and installing the ZoomInfo which, among other features involves sharing my business contacts as well as headers and signature blocks from emails that I receive.

It's effectively malware though at least they display it up-front, which is more than can be said for most.


Ah, dang it, I have to actually read these things now?

This is the same as LinkedIn or Facebook slurping your address book.

Given an absence of even other vague data like 'exfiltrated data IP addresses were registered as Iranian' (not conclusive proof in itself given that the end devices could have been compromised) I'd say there is reason to be skeptical until they can provide more evidence.

Given the history of states to lie and manipulate to get into war, and since the USA proved to be particularly ok with it during the last decades, I'd say being cynical should be the default mode for this kind of analysis. If you are wrong, you are being over protective about peace, so what ?

Agreed that something seems off.

Generous interpretation - they're brand new (first Tweet 2/13/2019, first blog 2/19/2019).

Would love to know if those logos & awards are legit (quick search of the awards makes some look like pay to win).


The FAQ page: How Can I Improve my Chances of Receiving an Award?

One answer is: Sponsor the Cybersecurity Excellence Awards

There's a voting scheme, but the FAQ does state: The popular vote will only be considered if two or more nomination are tied for an award


Slightly less cynical explanation, could it be a parallel construction type thing? Something like: The FBI (or whoever) have espionage on whichever groups and heard data from Citrix being discussed, but they don’t want to reveal that espionage so they reveal it through Resecurity.

I wouldn't rule it out completely but both Hanlon's and Occam's razor would point against it. More likely that it's just another cybersec company that has found a way to newsjack itself into a position of fame via premature attribution.

I've looked over their website and I'm confused about what they actually do. They are "trusted by leading Fortune 500 corporations" apparently (with logos for Microsoft and Amazon), but the entire "Interested in our solutions" section is a sign up form. What am I signing up for? It's unusual for a company to barely try to promote their products.

Yes, it makes you wonder, how does a small company pop into existence straight into class-A office space in downtown LA, and within the span of what? two years? claims to have done business with a dozen or so heavyweight companies. And what is their web presence? Vague, inscrutable C-suite-speak about security, and one blockbuster claim in the Citrix break.

At some point, Occam's razor will favor that this company is having its strings pulled by some larger entity that doesn't want to be revealed.


The address "555 West 5th St, Los Angeles, California" has a WeWork space in it.

They’re most famous for their hypervisor and virtualized desktop software.

That's what Citrix is famous for - that's not the company I was talking about.

I think GP is asking about the security company, not Citrix.

Good catch, that is called a 3 letter agency front.

Or just a two bit con artist

Absolutely this. Have encountered them before.

There is almost no information about this company. I did a passive recon and this is what I've got: https://recon.secapps.com/f/EMh9

That's a really cool service. Thanks for sharing.

We most definitely need to see real evidence in these kinds of cases. It is not enough to be told 'the experts say it is so' - the case must be made public.

Too many times we are led into disaster and tragedy by secrets.


The text on the site alone is a red flag. It might as well be Latin gibberish. And the "awards" aren't linked to anything. Some of them are just silly, like this one: https://resecurity.com/wp-content/uploads/2019/02/award-4.pn...

which was apparently uploaded last month...


Neither the US government nor Citrix have implicated Iran. Resecurity came out of the woodwork contacting media companies about its supposed research after Citrix posted a brief statement explaining the FBI had notified it of a breach.

The same company also blamed a hack in Australia on Iran, which the Australian government does not agree with. https://www.itwire.com/security/86141-iran-or-china-competin...

Looks like the Iran connection came from a guy with a history of opportunistically jumping in on big security news stories: https://mobile.twitter.com/imdeaconblues/status/110504680622...

You can hide your linkedin history from people that are not connected to you (or your whole profile). It's a privacy option.

[flagged]


Assad is using chemical weapons against his own people. It was determined by OPCW. You can read full reports of the two well publicized attacks here:

https://www.opcw.org/fileadmin/OPCW/Fact_Finding_Mission/s-1...

https://www.opcw.org/sites/default/files/documents/2019/03/s...

But there were many more. So please don't spread unsubstantiated falsehoods and doubt.


These reports make no such conclusion - that the Syrian government was responsible for the attack.

They do confirm that chemical weapons were used. Who used them, is not determined, and even the reports themselves state that the provenance of the chemicals is out of scope of the FFM.

It states that Sarin and chlorine-based weapons were used - but the FFM was not able to visit the site directly and relied on samples collected by third parties and provided to the FFM for the purposes of their investigation. The only conclusion is: chemical weapons were used.

It does not, in any way, state that the Syrian government were responsible for the attack.

Indeed, the Syrian government themselves requested this mission proceed to determine the use of these chemical weapons - why would they do that if they knew they'd used the chemical weapons?

>But there were many more. So please don't spread unsubstantiated falsehoods and doubt.

If you have further evidence that supports the claim that the Syrian government used these weapons, please provide it. Thus far, you have failed to apply your own demand for evidence.


> These reports make no such conclusion - that the Syrian government was responsible for the attack.

They can be used to make a conclusion. We don't need the mandate, and we can think for ourselves, no? In both cases the munitions were reportedly dropped from the air. Once from the airplane, and second time from helicopters.

https://medium.com/@Brian_Whit/opcws-douma-investigation-poi...

Rebel groups don't have airplanes or heliopters, so Khan-Sheikoun attack was most likely made by the Assad regime. Douma can be speculated about somewhat more, but dropping the chlorine containers from the air was not excluded, and was quite likely, based on previous documented droppings of chlorine canisters from helicopters, that used the same mounting technology.

It was also not unprecedentend, dropping chlorine canisters from helicoters by Assad regime was docummneted previously on multiple occasions. The same canisters, and mounting technology for dropping from helicopters. The same goes for Sarin use. (look up other Sarin uses OPCW investigated)

https://www.gppi.net/2019/02/17/the-logic-of-chemical-weapon...

I mean what's so surprising about this? Assad regime has been procuring chemical weapons for decades. They do it just for fun? It's a very expensive hobby.

> Indeed, the Syrian government themselves requested this mission proceed to determine the use of these chemical weapons - why would they do that if they knew they'd used the chemical weapons?

How would I know.

You can obviously kill people and request an inestigation at the same time. There's nothing that prevents that.

It's pointless to speculate on motives. But hey: Because they don't care? Because nothing's gonna happen anyway? Because they were scared of non-cooperation? Because Russia wanted them to? Because it's good optics in the war propaganda - it seems like they have nothing to hide? Calculated risk? (noone's gonna invade them for chlorine use, and they would have had to know that Sarin was not used in Douma, so why not?)

Even if Sarin would have been used, most likely nothing would have happened to them, like many times before. There were several other recent Sarin uses that went unpunished. US is not there for a regime change, and Assad has an upper hand, except for Idlib, and SDF areas. Chemicals are a great weapon for terrorizing civilian population. So why not use them after calculating some risks?

Just look at some WWI documentaries. People/leaders can get completely crazy under a war situation, and justify pretty much anything - even sacrificing almost 30000 soldiers in one day in pointless attacks. It's pointless to speculate on motives now.


They don't say what you say they do. Saying something happened doesn't mean they said who did it. They did not. Most likely it is false flag.

Most likely based on what? There's zero evidence for that.

What you're saying is impossible; until June, the OPCW didn't have the mandate to assign blame[1], and while they now do, the Duoma expedition still did not[2].

[1] https://www.bbc.com/news/world-europe-44634434

[2] https://www.bbc.com/news/world-middle-east-47424266


Lack of mandate doesn't make it impossible to assign blame based on facts in the report. It's just that OPCW wasn't tasked with it. Though you're right that OPCW didn't blame Assad. I was inaccurate, there.

You're downvoted, because you seem to be whitewashing a few things - from Assad, to Soviets in Afghanistan, in your quest to paint USA blacker. You tell us to take intelligence community with a grain of salt, and then speculate about Kashoggi - where most information comes from Turkey's intelligence aparatus. Also socialists are also funded and armed by USA (see SDF in Syria). Also this guy (armed by USA) - https://en.wikipedia.org/wiki/Nouri_al-Maliki is a Shia.

I mean, yes, USA foreing policy is a mess. But we should still be bothered by facts.


I agree regarding “whitewashing” the Soviet presence in Afghanistan, for example. But it was skipping over that to make a point - we occupied the country and did the exact same thing as the Soviets, for longer than they did, on our own dime, and encountered the same kind of resistance that we formerly supported. Whatever the reasons for the Soviet coup in 1979, our actions post 9/11 combined with our actions then show a schitzophrenic foreign policy.

Socialists and Shiites were obviously occasionally funded and armed by the USA, and I even alluded to this - Saddam was a socialist, and the new government of Iraq was a Shiite government. However, that doesn’t negate what I said - read it carefully. Far more mainstream sources than me have pointed this out:

http://www.cc.com/video-clips/yt7an7/the-daily-show-with-jon...


[flagged]


Most of the discussion oriented places is mostly US (or west) centered, any kind of thoughts or idea that is against it will not be favored and for sure will be discouraged as well by any means (downvoting, labeling, banning, etc...)

The right Audience for such message that can digest are minority.

I would say, don't count on having any kind of support from such places (HN, reddit, facebook, twitter, Quora etc). US has the media and already online media too.

Keep pushing <3


I'm not American, and I downvoted because it's easy to conflate things which were clearly wrong (WMD) and things for which there is plenty of open source intel showing are correct (North Korea Sony hack).

It's just too easy to do this.


Compromise feels almost inevitable. Perhaps the idea that we can keep data protected and accessible at the same time using complex software is folly? Systems get more and more complex, security measures layer on top, patching over holes as they are found. But we are never in front of the cat and mouse game by necessity, only ever behind. So it must be that compromise is inevitable.

I wouldn't put personal data I am not willing to lose online or on an intranet at all anymore. No amount of money and engineering seems to be able to keep up, and companies prove over and over that they are negligent, naive, or simply a few steps too far behind.


> I wouldn't put personal data I am not willing to lose online or on an intranet at all anymore

Anymore? Not trusting the internet used to be the default.


I was at Barnes and Noble yesterday and on an end, I saw an "internet password log book" for $5.98.

A few years ago, I soughed at it, poking fun at it.

Now, it's not a bad idea.


Note that he said "intranet" (not "internet"), which had historically been presumed to be limited to internal access only. I think his point is valid and a little alarming.

For a while I've thought "patch holes as we discover them" is the wrong approach to computer security.

Perhaps we should be using formal proof systems? Perhaps we should just admit that computers are bad at holding secrets, and instead make everything on a computer public.


Now extend that to voting systems too... not just folly, but criminal insanity.

I work with digitisation in the public sector of Denmark. We’ve digitised our elections, but we’ve digitised the part that makes sense, the registration you do before you’re handed you ballot.

In the old days, we used to have big books where you’d get crossed off after you were identified. This naturally takes a lot of time, so today we print a little bar code on the piece of paper that we mail every adult citizen at every election. This means that we can scan you instead of manually crossing you off in a book.

We still have queues at prime time, but they are 10-15 minutes instead of two hours.

The actual voting is done with paper, so that there is a paper trail.

This is the only thing that makes sense. Especially when you look at the business side of things. We reduce the hassle for citizens (our customers of sorts) and we maintain security. Sure we could provide results faster if we counted votes digitally, and you could frankly also provide a paper trail if the machine printed you vote, but does speed of counting really matter? Financially digital vote counting would be insanely more expensive, because public IT systems are insanely expensive and paying staff a little extra to count votes isn’t.

I mean, the registration system is really expensive as well, but at least it benefits the citizens, so that is a reasonable sacrifice to us. But digital voting? That’s as you put it, insane.

It’s not a democratic process if you don’t have the physical votes and a system which makes sure they aren’t tampered with.


In Australia we have the staff still ruling us off in the electoral role. That usually takes a minute or less. The entire voting process (including queuing) depends upon the popularity of the individual voting booth and time of day, but is usually less than 10 minutes. This may be because there are an adequate number of booths and trained staff.But it is also because of compulsory voting. The highly likely attendance numbers per booth and their distribution across the day are known and can be planned for, unlike some other more random systems.

As a Dane, our palementary elections gets about 86-90% participations, and not having voting mandatory means you get an effective signal for how the population feels by how well they attend.

We are due for a new election before july, so I will probably just save the queue and vote by mail, if I elect to vote at all.


And the other great part is the democracy sausage at the event!

Although my local polling booth didn't have a bbq going which was kind of disappointing.


There's another way to use computers to help with voting.

Have Ballots with a unique identifier. People come to a polling station, get a ballot, fill in their vote.

The ballot goes through a scanner to tally the vote, and then goes into a standard vote bin.

At the end of voting, you cross-check a random sample (both ways) and check the total number of votes matches between the scanner and bin.

If all goes well, scanner results get electronically combined. If the sampling shows an error, count by hand.

One extra addition. Your ballot is filled out by a separate printer. This ensures proper readability at the scanner, and allows placing the unique ID after someone gave you the ballot (to keep your vote secret). Any tampering with non-unique IDs is detectable by the random sampling.


IDs on ballots don't make sense. You cannot know your ID without breaking a requirement for good free voting systems: It shall not be possible to prove to others how you voted. This is to prevent forcing or purchasing votes.

If you place the ID after the ballot is handed out (by a printer that is also used to fill in the ballot). Then this systems still doesn't allow proving of votes.

The ID here is meant to identify a ballot, not a voter. It should probably be something like a UUID. The aim of this system is to allow cross-checking between the scanner and the physical ballots.


> The ID here is meant to [..]

I got that, but you can still kind of prove it. Your know your ID + your-vote. This is likely the only valid ID+vote combination you can know before results are counted. That's when I'd "ask" you and late verify it.

If you want to verify the machine is working, just put the ballot in the standard bin and add those IDs in the counting phase. That seems fine in principle and make it easy to check the tech is working as intended. You'd end up with having list of all individual votes available, maybe even to the public. I'd be worried about people throwing statistical algorithms at that. You better also find a near perfect method to randomize order...


> add those IDs in the counting phase

That'd probably work. You'd need to somehow ensure the scanner that ads the IDs doesn't double IDs


This requires you to put the trust with one person/entity.

> does speed of counting really matter?

That's a great question. The answer depends a little bit on how many issues are on the ballot, and a hell of a lot more on whether you're asking the media, or those with a direct stake in the outcome, or those voters. Your system is optimized to serving voters.


We need to make companies criminally liable for this information if it gets stolen. If they can’t secure it, don’t collect it.

This was the approach of the game site GoG at first. The user had no choice to save their payment preference (e.g. credit card) and they explained the reason was that it's impossible for hackers to get the info if they don't store it in the first place. It was a refreshing approach at the time for me (~2007) They've since given the option to save but it's optional.

With social engineering anything can be compromised, online or off. Online just gets more convenient seeing how you never have to leave your location.

I came across an interesting slide deck one time that had various examples of social engineering used in corporate settings to acquire data online and in person. A clever individual can get their hands on just about anything if they try.


"Compromise feels almost inevitable ... I wouldn't put personal data I am not willing to lose online"

I kinda wonder. How do you do that in our modern age? Is the computer you store the data on connected to the internet? If the answer is yes, your data can be accessed. If the answer is no, is that computer on the same network as any other device you use to connect to the internet? If the answer is yes, your data can be accessed. If the answer is no, you might be secure, but then I have a question, who the hell are you that you run a disconnected, private network just to store some personal data?


My counter-point to this would be that we haven't seen significant breaches (at least, not on the scale of this) from the tech giants (FAANG and co). So there are companies that can keep your data safe. They're just vanishingly few.

Wasn’t Google revealed to be getting tapped at unencrypted points in its network by the Snowden leaks? I’m guessing they had way way more than 6tb of emails stolen by that program.

Yes. But it's also true that if you live in a country with a lot of powerful intelligence agencies, and one of those intelligence agencies wants access to your data, they will get it through some means or another. It doesn't really matter how secure your practices are.

By using Google you are defacto tapped. But if you use a small provider, you'll only be tapped if they can be bothered with you, which for the average folk is quite unlikely.

They've definitely had breaches, which while obviously their containment was a bit better, leads me to believe they're not any less susceptible in the long run.

Brute forcing weak passwords? Someone is doing something horribly wrong here on several levels. At the very least anything online of any importance should have rate limits if not locking for repeated password attempts. For servers themselves allowing password logins is inexcusably bad.

It is considered a bit overzealous by most but I believe that passwords should have been done away with a long time ago in favor of cryptographic keypair logins - we have already found the "2FA" in practice like emails and cellphone text messages not an adequate replacement. I'm aware there are other problems with storing your keys and loss but I believe that is a better approach for anything that needs security. I wish I could get my bank accounts to use key based logins.


Could be to avoid liability?

> Why were you hacked

> Weak passwords

> What are you going to do about it

> We've forced all systems and employees to regenerate passwords and service keys

Now lets try this again without an honest answer

> How were you hacked

> No idea

> What are you going to do? Are you still vulnerable?

> No idea. We'll have to do an extensive audit. No one knows how long this will take. There's not even an inventory of systems or data flow

> Could they have installed backdoors

> No idea


Same tactic as what's used on Twitter accounts.

And same as I said previously: If the bad actors can brute force weak passwords, the company itself should be able to do it too and force those with weak passwords to update them.


Interestingly enough, Citrix ShareFile forced password resets for everyone in January.

I suspect some places still only use passwords for server logins because they can simply use active directory for user management and then have servers use ad/ldap for credential checking.

I think businesses with critical infrastructure should use hardware keys (e.g. yubikeys) to provide at least one of the factors needed to log in to a server. Using a yubikey as an authentication key for ssh is not that difficult and I do it for my own hobby stuff.

For web based stuff one can now use webauthn to provide key based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up to date browser however.


> This requires the enterprise to run up to date browser however.

Why is this so hard?!? I agree with you, but this sentence rang so true it was sad. I've been forced to work with/around unbelievably out-of-date browsers in order to install current firmware updates on systems at almost every place I've worked.

/rant


Because large corporations have teams in charge of users desktops that still assume this is the 90s, and most users are idiots. Also, there are a ton of bad internal web applications targetting outdated browsers

Totally agree. My guess — and it’s obviously nothing more than that — is that they don’t fully know yet, but it might seem better and easier to solve than the alternative that there’s very little organizations in this position can ever actually do to prevent sophisticated attacks.

The fact they were unaware about the breach until FBI told them says much. It's not that easy to exfiltrate 6TB of data unnoticed if you have any IDS (automated or just manual) in place.

Having an IDS in place means jack shit if you don’t have skilled personnel managing it.

Depressingly often, these things are installed as part of a box ticking exercise to pass an audit or meet another form of compliance. however they never get set up right from the outset or the security professionals who were there leave and never get replaced.

In this case, if they’re talking about infrastructure available on the public internet with password only authentication then I’d wager any skilled professionals they may or may not have had, had already left. Because no security minded engineer would have okayed that practice. Which means even if they did have an IDS, I’m highly doubtful that would have been managed properly either.


Citrix's secure document delivery product, ShareFile, sent emails to all its document recipients forcing a password reset with stricter requirements in January.

We aren't getting the whole story from Citrix.


“Resecurity also said it warned Citrix on December 28...” And then: “Citrix, meanwhile, said it took action – launching an internal probe and securing its networks – after hearing from the FBI earlier this week.”

Putting aside the fact this security company seems to have never been heard of before; Citrix’s appears to have buried their heads in the sand until the Feds came knocking.

If it’s true that the company was tipped off in December then the ‘I know nothing’ defence is truly shocking.


Citrix... mention that to any Hungarian programmer roughly my age and you will likely receive a long string of swearing because the incredibly buggy central system necessary to sign up for courses and exams was only accessible via the Citrix ICA client and back in the second half of the 90s that, in itself, was a huge source of problems beyond the server app not being particularly high quality especially on Linux which was rather important because at this time practically all sane IT students were running Linux to access the Internet (remember, we are talking pre-Windows 2000).

The amazing part to me is that it still sucks: it’s 2019 and random hangs requiring a full session restart are still a daily occurrence, and I recently measured keystroke latency at 130+ms over a LAN. That’s much worse than using X11 over SSH ever was.

It’s been pretty much a law of software for me that once an app is primarily business to business and gets traction in the Fortune 500 expect the functionality to stay the exact same or become worse over the next 10 years

Sounds like any university Reg system.

>> Earlier today, Citrix chief information security officer Stan Black gave his company's side of the story. He said that, as of right now, Citrix does not know exactly which documents the hackers obtained nor how they got in...

Ouch. The winner of "The worst position to be in today".


And, IMO, they've known about it since January when they abruptly forced password resets on every ShareFile user. I use ShareFile for secure delivery of documents containig DOB, SSN, AGI, ...

No notice from Citrix ShareFile to its customers about a breach yet, though. Thanks.


A country under certain sanctions, especially in regards to encryption, is easy to middle man. Iran computers are probably the most easy to hack and plant evidence on if they depend on US operating systems and network suppliers.

At this point, it is (or should be) absolutely clear that password security is a top priority for everyone nowadays. The only solution that I have heard of is password managers, but what if such companies are hacked like this one? I am curious if we will eventually recommend randomly generating passwords per website and keeping them under lock and key (physically so such as in a safe).

haveibeenpwned could/should make a browser extension that tell you if the site your on has been pwned

HIBP isn't about pwned sites. It's about leaked credentials. The source of leaked data on HIBP isn't verifiable in most cases.


OK, so there's a Yahoo! breach from 2012. Should I not visit Yahoo now?

Also please note the '?' marks for unverified sources.


Do you have a better solution than not using a service? Not using it is like voting with your wallet. So yes, I would say stay away from yahoo. Where do we draw a line otherwise? It is the same boat as "I don't like Facebook collecting data on me but I'll still use their service".

Yes, it's in the same boat, we (almost) all do it with Google.

I don't know where to draw a line, but I don't think a single data breach, even minor one, should mean a death sentence to business. Maybe some sort of audit/certification should be mandatory after breach.


I think the idea is more about informing users than it is about trying to drum up a boycott that results in a "death sentence".

For example, with regards to search engines, what if I go on Google and it tells me "hey, Google has had 3 data breaches that have effected users like you". And then I go on DuckDuckGo and it says "DDG has never had a data breach". Not everyone will switch from Google to DDG, but some people will, and I don't think that's a bad thing.


We can't inform users how a particular breach affected a particular user (based on the fact of breach alone). Anything else is just FUD. It's like saying life in California is dangerous because there were deadly hurricanes there in the past that took lives.

We can't completely control hacker attacks. We should treat them more like software bugs or service outages. It just happens, we should focus on minimizing potential damage and proper response.


> It's like saying life in California is dangerous because there were deadly hurricanes there in the past that took lives.

I'm not sure this is the analogy you are looking for. If you are concerned with how a hurricane might impact your livelihood, it's generally a much better idea to live in Colorado than on the coast of California.

Except unlike hurricanes, we absolutely can prevent hacks that leak a lot of user information.


There is a difference between not liking the OC's idea of an extension, and saying that HIBP does not have the data required to make such an extension.

First you said the latter, now you're saying the former.

Own up to your mistakes.


You are correct, I souldn't be arguing to you on OC's idea. Thank you.

But I didn't say HIBP doesn't have these data. My point is these data isn't enough to give recommendations or warnings to site visitors.


HIBP has an API! Be the change you want to see.

Not the same thing, but 1Password has HIBP integration.

I would be interested in knowing how cyber warfare and cyber espionage are viewed from a perspective of diplomacy or power play between nations (or corporations). Does anyone know of interesting articles?

It has been a while since I read it but the first thing that came to mind is this talk by Dan Geer (who is closely connected to US intelligence agencies):

http://geer.tinho.net/geer.blackhat.6viii14.txt


Citrix sent all of our clients an email saying their passwords were invalidated and everyone needed to set a new one (with stricter requirements) in January....

We use ShareFile as a client portal for secure document delivery.

Shady.


It says they had to find out from the FBI. At least theoretically, how does the FBI find out? (unless someone knows the actuality and is willing to share? Didn't see anything in the article)

Not so sure about that.

I use ShareFile for secure document delivery and they forced a password reset with stricter requirements in January, the month after the first breach, and two months before the FBI notification.

No notice of breached documents to its customers yet.


Almost as if they didn't force the reset because of the breach, but because of the reason they gave back then?

The FBI finds out from the NSA.

Gotta have deniability for the NSA. Given that it's a military agency, with ~no overt domestic role.


Potentially stupid question but in instances of hacks, how do companies know for sure what was and wasn't taken?

They don't, they just try their best to reconstruct the attack with whatever "footprints" the perpetrators left, along with any independent logging they might have in place. It's a little nightmare because it's rare to give absolute certainty.

Shares of Citrix is down after report of hack:

https://www.cnbc.com/2019/03/08/citrix-tumbles-on-report-of-...


But still higher than they were Dec 24th 2018. Actually higher than they were at any point prior to April 2018. Because the market knows that major security breaches that will have long-lasting impact on the victims involved will ultimately have no impact on the company that was breached.

I am not very well informed. How serious is this?

Depending on what was obtained, very serious and with potential for ongoing problems.

If this impacted their software development, it could include source for current and older but still in use products, which could potentially be analyzed looking for potential exploits. It may include internal bug trackers that may include information on unpatched exploits or on exploits quietly patched only as part of updates and so potentially still in the wild. Heck, it may include some of their internal product security testing information and whatever might be in that.

An awful lot of large companies and healthcare systems now have Citrix portals available to the world rather than having annoying-to-manage-and-support VPN connections - are there undisclosed vulnerabilities in any of those?

Even going outside the technical side, if there's sensitive HR information they may have materials that can be leveraged for blackmail purposes to attempt to maintain long-term access.

And all of that is just talking about the Citrix remote access piece that I still think of when I hear the name. There's also XenApp/XenDesktop for virtualization, the ShareFile sharing site that others have mentioned, their endpoint management product, etc. There might even be holdover stuff - what would a copy of out-of-date source code to GoToMyPC be worth?

A lot will depend on the ability of whoever got it to capitalize on it, but assuming this was indeed a nation expect that they'll be able to spend at least some resources.


About as serious as Equifax.

That's quite serious.

Where's the dump?

fake news ?

[flagged]


>> Which The Register didn't bother to credit. I swear, this site is now no worse than an Indian blog.

That seems uncalled for. Are Indian blogs (as opposed to non-Indian blogs) known for this kind of thing?


I assume there's tons of Indian blogs that are just fine, but for some reason most of the time I see blog posts without any depth but full of buzz words being spammed around, they're written by someone from India (and less often Pakistan).

Now it could be that this is just purely because because there's more Indian blogs, making the percentage of spam blogs higher, or because there's three or four people spamming their useless blogs everywhere, but I do hesitate to click blogs with the .in TLD these days.

Probably just a few assets ruining for the whole group, but in my circle Indian blogs do tend to have a bad rep.


“Threat actors”. What’s wrong with the word “perpetrator” or simply “criminal”?

“Threat actor” is super vague but more specific than the words you proposed.

https://en.m.wikipedia.org/wiki/Threat_actor

I agree the jargon isn’t great, I’ve seen “attacker” and “malicious user” used in pentest reports and neither of those seems quite right either.


Also, they aren’t technically criminals if the attackers are state-sponsored and conducting an act of war. “Threat-actor” seems exactly like the type of legalese a government relies on when crafting the story around its own retaliation or justification for future aggression. I think it’s just entered the lexicon when talking about these types of incidents.

I agree, there are no criminals at the nation-state level, only other actors.

In addition to other comments : I guess "threat actors" includes non-human autonomous hacking systems ("AI"), and humans (or organizations) who are neither good or bad intended, but whose actions happen to have negative consequences.

Because increasingly state actors are involved and it's not simple crime.

I don't think that's the reason; if someone who happens to be employed by a government commits a crime in their jurisdiction, they're still a perpetrator and a criminal.

"Threat actor" is actually more specific; it refers to someone behaving in a threatening manner without regard to their legal status or jurisdiction.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: