Slashdot Mirror


Citing Attack, GoToMyPC Resets All Passwords (krebsonsecurity.com)

Security reporter Brian Krebs writes: GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites. Owned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.
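The "attacks that target people who re-use passwords" in the summary are credential stuffing: leaked username/password pairs from other sites replayed against the login endpoint. The tell in authentication logs is one source trying many different accounts in a short window with a low success rate. The following detection sketch is an added example, not code from Krebs' article or from GoToMyPC; the log format and field names are assumptions and the log lines are constructed for the example.

```python
"""Added example: flag credential-stuffing sources in authentication logs.

Log format assumed here: "timestamp source_ip username result" (not
GoToMyPC's real format). Sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source cycling through many accounts (stuffing),
# one user mistyping their own password twice, and one normal login.
SAMPLE_LOG = """\
2016-06-19T10:00:01 203.0.113.7 alice FAIL
2016-06-19T10:00:02 203.0.113.7 bob FAIL
2016-06-19T10:00:02 203.0.113.7 carol FAIL
2016-06-19T10:00:03 203.0.113.7 dave OK
2016-06-19T10:00:04 203.0.113.7 erin FAIL
2016-06-19T10:00:05 203.0.113.7 frank FAIL
2016-06-19T10:00:06 203.0.113.7 grace FAIL
2016-06-19T10:00:07 203.0.113.7 heidi FAIL
2016-06-19T10:00:10 198.51.100.9 alice FAIL
2016-06-19T10:00:40 198.51.100.9 alice FAIL
2016-06-19T10:01:10 198.51.100.9 alice OK
2016-06-19T10:02:00 192.0.2.33 bob OK
"""


def parse(lines):
    """Yield (timestamp, ip, user, success) tuples from the assumed format."""
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def stuffing_sources(log, window_s=60, min_accounts=5, max_success_ratio=0.3):
    """Return {ip: (distinct_users, attempts, successes)} for sources that
    tried at least min_accounts distinct usernames within window_s seconds
    with a success ratio at or below max_success_ratio.

    One user failing repeatedly from one IP (a typo, or brute force against
    a single account) does not meet the distinct-user threshold and is not
    flagged; stuffing is distinguished by breadth across accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if len(users) >= min_accounts and successes / len(window) <= max_success_ratio:
                if best is None or len(users) > best[0]:
                    best = (len(users), len(window), successes)
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(log, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the likely password-reuse victims and should be reset first."""
    return sorted({u for _, ip, u, ok in parse(log) if ok and ip in flagged})


if __name__ == "__main__":
    hits = stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", hits)
    print("accounts to reset first:", compromised_accounts(SAMPLE_LOG, hits))
```

The thresholds are starting points, not magic numbers: a shared NAT or corporate proxy will legitimately show many users from one IP, so in practice you would also key on user agent, ASN or a client fingerprint and compare against that source's historical baseline before blocking.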

41 comments

  1. Rename Company To JackMyPC by zenlessyank · · Score: 2

    Free demo now!!

    1. Re:Rename Company To JackMyPC by snookerdoodle · · Score: 1

      Heh. My actual thought after going to their website ("I wonder if it's really cheap"): Whoa! $144 per year for that? No way!

      I guess my cheap-butt ways saved me yet again from a hack worse than death. Or not.

    2. Re:Rename Company To JackMyPC by zenlessyank · · Score: 0

      What I don't understand is how companies can sell something that is already free. Windows remote desktop and PuTTY have been free forever. Plus there are other alternatives that I don't feel like listing. If you are dumb enough to pay for something that is free, then you deserve to get jacked!

    3. Re: Rename Company To JackMyPC by Anonymous Coward · · Score: 1

      Remote Desktop for home users is completely different. It's not for tech support, you can't see what the other guy is doing because they are logged into a different account. And if they log into your account you get logged off. Also it doesn't have the simple random ID/PW login. You have to make an account or give out your password, which is much worse than losing your recycled PW from a 3rd party breach.
      Sure Remote Desktop can be used securely, but the average user has no clue. These services thrive on the EZ setup, just run and give the tech the ID/PW that pops up.

    4. Re:Rename Company To JackMyPC by Ol Olsoc · · Score: 1

      Heh. My actual thought after going to their website ("I wonder if it's really cheap"): Whoa! $144 per year for that? No way!

      Hey! Good hacks don't come cheap, ya freeloader!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    5. Re: Rename Company To JackMyPC by Anonymous Coward · · Score: 0

      TightVNC has been around for eternity and doesn't have any of these problems. I think even RealVNC is free for home use now.

    6. Re: Rename Company To JackMyPC by Anonymous Coward · · Score: 0

      Which is possibly why Microsoft also made a tool called "Windows Remote Assistance".

    7. Re:Rename Company To JackMyPC by tlhIngan · · Score: 2

      What I don't understand is how companies can sell something that is already free. Windows remote desktop and PuTTY have been free forever. Plus there are other alternatives that I don't feel like listing. If you are dumb enough to pay for something that is free, then you deserve to get jacked!

      Ask Microsoft/Apple. I mean, Linux is free, why should anyone use Windows or macOS? Hell, why do people pay RedHat billions of dollars a year for Linux? It's all free, after all.

      The answer is, the commercial tools have better support. GoToMyPC, TeamViewer, etc, are all very handy utilities if the person you're dealing with on the other end is having difficulty. If they can get on the internet, GoToMyPC and its ilk work great for remote support. No routers to fiddle with, no complex setup involved - all you have to do is get them to run an executable and enter in a few values and you can diagnose why they can't connect to the corporate LAN over VPN (remote desktop is unencrypted, and unless you port forward, if you can't VPN in, you can't use it).

      Hell, paying for a yearly license at $144, that's pretty cheap. If you have to walk a user through the steps of downloading and using PuTTY and Remote Desktop, that could easily take at least 2-3 hours in time and untold frustration. $144 is pretty cheap to turn an aggravating time into one that can get people on their way in 10 minutes.

  2. Password Managers, people by PRMan · · Score: 1

    If you haven't installed a password manager that generates a unique password for every site, now is a really good time to do it.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...

    1. Re:Password Managers, people by PCM2 · · Score: 2

      Serious question: How's that work for you when you regularly use six different computers?

      --
      Breakfast served all day!

    2. Re:Password Managers, people by Anonymous Coward · · Score: 2, Informative

      Not quite six, but KeePass2 and Dropbox works pretty well for home and work.

    3. Re: Password Managers, people by hackwrench · · Score: 1

      Both Chrome and Firefox can remember passwords across devices.

    4. Re:Password Managers, people by Anonymous Coward · · Score: 0

      Sync the password database, or don't use all those accounts everywhere.
      For shit websites I use the same password everywhere.
      For really important things like email I remember them.
      For the rest, I just don't use them unless I'm on a computer I control with my database on it.

    5. Re: Password Managers, people by Anonymous Coward · · Score: 0

      Your PW database syncs with the smartphone app.

    6. Re:Password Managers, people by Anonymous Coward · · Score: 0

      Mod parent up, I have the exact same setup.

    7. Re:Password Managers, people by Syberz · · Score: 1

      My encrypted password DB is in my Google drive so I can access it from my computer or directly from an app on my phone when I'm not in front of my PC but need a password. This requires wifi or a data connection but otherwise it's been working great so far.

      I did this using KeePass and a Google drive plugin, but there are other plugins available as well.

      --
      ~Syberz

  3. It may be time by Anonymous Coward · · Score: 0

    It may be time for these sorts of companies to issue passwords to end users, and forcibly change them every 3-6 months.

    These sorts of "hacks" have shown users are simply stupid and untrustworthy, so you remove them from being able to create passwords.
    Yes most will write it down, but I challenge anyone in China to hack a post-it note.
    At least this way for critical systems, password reuse can be minimised (except for the idiots who go on to use it elsewhere so they only have to remember one password....sigh)

    1. Re:It may be time by butchersong · · Score: 1

      How would the new password be communicated to the user in a secure manner every 3-6 months?

  4. Perhaps... by Anonymous Coward · · Score: 0

    ... some of these people doing bulk password resets should collect statistics on how many people simply reuse the previous password. Perhaps they don't want to insinuate that their user base is made up mostly of idiots, so I suppose I can forgive them for not doing so.

  5. This improves TeamViewer credibility/Need FIDO? by Anonymous Coward · · Score: 1

    When TeamViewer users were impacted, the initial reaction was TeamViewer itself had been hacked. They responded with the claim that users' reuse of passwords were to blame and TeamViewer security had not been breached. The fact an independent remote access software company is exhibiting the same issues seems to indicate that TeamViewer was probably correct that user behavior regarding poor handling of passwords is to blame.

    While both TeamViewer and Citrix seem to now be pushing two-factor authentication, they both seem to be using solutions they created themselves rather than contribute to an industry standard method which is consistent for the user across websites. It would be nice as this problem becomes more common that more companies join the FIDO Alliance as this should provide a single method for the user to learn which then works the same across all U2F compliant sites.

  6. There still is a second password by Anonymous Coward · · Score: 0

    I use GoToMyPC.

    To access an actual PC through GoToMyPC you need a second "access code" stored on the PC or a RADIUS server.

    This password is not stored by GoToMyPC and can only be reset locally. One-time tokens are permitted.

    But nothing stops someone from reusing a different password for the access code. And they still could mess up your online account.

  7. Insecure services by Anonymous Coward · · Score: 0

    People at my company wonder why I ban all services such as these. Because you really have no idea who is in control there, and what might be going on behind the scenes. Use the VPN service we have available where we track and know who is connected when and restrict where they can go.

  8. Re:Sighting Attack by Anonymous Coward · · Score: 0

    You can't possibly be this stupid, can you?

  9. Re:This improves TeamViewer credibility/Need FID by Cerlyn · · Score: 1

    GoToMyPC was first released in 1998.

    TeamViewer was first released sometime around 2005.

    Since then there have been a number of proposed common first-level login standards (OpenID, SAML..) along with second-factor ones (Symantec VIP, U2F...). Phone-based authentication seems to be popular at the moment.

    How are companies supposed to figure out if the standard they choose will last? Companies have embraced various standards, only to abandon them a year or two later.

    In short: the current state of things is a mess.

  10. Re:Sighting Attack by Anonymous Coward · · Score: 0

    Not citing.

    Citation needed.

  11. Re:Sighting Attack by MobileTatsu-NJG · · Score: 1

    Sightation needed.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  12. I think there needs to be a public database by BlueCoder · · Score: 1

    Full of exposed user information. Once the cat is out of the bad it's out of the bag and it needs to be acknowledged. You should be able to look up yourself and all your past exposed passwords so that you can never ever use them again. In fact you should be able to add to the list yourself.

    1. Re: I think there needs to be a public database by Anonymous Coward · · Score: 1

      "Once the cat is out of the bad it's out of the bag and it needs to be acknowledged."

      I've never heard this phrase before and it's very confusing.

      There is that haveibeenpwned website. It doesn't list passwords and I think that's a good thing. It just says if your email address was included in a leak, if what was leaked included passwords then that would be your clue.
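The two comments above want a way to check a password against known leaks without publishing the leaked passwords themselves. The design that solves this is a k-anonymity range query, the approach Have I Been Pwned's Pwned Passwords API later adopted: the client hashes the password, sends only the first five hex characters of the SHA-1, and receives every known hash suffix in that range with its breach count, so the server never learns which password was asked about. The code below is an added example written for this page, not HIBP's own code; the breach list is constructed and the "server" is an in-memory table so it runs offline.

```python
"""Added example: breached-password lookup via hash-prefix k-anonymity.

Client sends SHA-1(password)[:5]; server returns all (suffix, count) pairs
in that 5-hex-char range; client matches the remaining 35 chars locally.
The breach list below is constructed for the example.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: (plaintext, times seen). Only hashes are
# retained in the index, as a real corpus would store them.
_CONSTRUCTED_BREACH = [
    ("password", 3_000_000),
    ("Password1", 250_000),
    ("ILoveCats", 4_000),
    ("letmein", 900_000),
]


def sha1_hex(pw):
    """Upper-case hex SHA-1, the representation Pwned Passwords uses."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(breach):
    """Map 5-char prefix -> {35-char suffix: count}."""
    idx = defaultdict(dict)
    for pw, count in breach:
        h = sha1_hex(pw)
        idx[h[:5]][h[5:]] = count
    return idx


RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACH)


def server_range(prefix5):
    """Server side: everything known in one prefix range, sorted.
    The real API serves these as 'SUFFIX:COUNT' text lines."""
    if len(prefix5) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return sorted(RANGE_INDEX.get(prefix5.upper(), {}).items())


def client_query(pw):
    """What leaves the client: only the prefix. Returned for inspection."""
    return sha1_hex(pw)[:5]


def pwned_count(pw, fetch_range=server_range):
    """Client side: 0 if the password is not in the corpus, else its count.
    fetch_range is injectable so a real HTTP client can replace the
    in-memory server without changing the matching logic."""
    h = sha1_hex(pw)
    prefix, suffix = h[:5], h[5:]
    for s, count in fetch_range(prefix):
        if s == suffix:
            return count
    return 0


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate),
              "(server saw prefix", client_query(candidate) + ")")
```

The privacy argument rests on the range size: with roughly a million prefixes over a corpus of hundreds of millions of hashes, each query matches hundreds of candidates, so the server cannot tell which one the client cares about. Two practical caveats when talking to the real service: SHA-1 is fine here because it is only an index key, not a password store, and the real API can pad responses (an Add-Padding request header) so response length does not leak which range was requested.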

  13. Re:Hopefully we can buy Chinese chips soon by fsckinhippies · · Score: 0

    wooooooooooooosh We want 3rd world in this piece. Gimme DRE. It was trolling. Move on to the next episode.

  14. Err, correction to the headlines by luis_a_espinal · · Score: 2

    Owned by Santa Clara, Calif. based networking giant Citrix

    Err, Citrix is based in Ft. Lauderdale, and with the recent layoffs in Santa Clara, it has become clearer Citrix is circling its wagons back to South Florida (for better or worse, time will tell.)

  15. Dropbox and security? by dbIII · · Score: 3

    Normally when Dropbox is mentioned and the topic is security it's referring to one of their many spectacular fuckups.
    Able to download the files of others by knowing the filename and hash - that was Dropbox when people used this bug as an alternative to bittorrent for a while.
    Able to login to other people's accounts without a password - Dropbox was wide open one day with that massive fuckup.
    Using the interface to revoke other people's access to your files, getting told that it had worked, then those other people found they could still get the files - Dropbox again.
    And that's just the stuff that has had dedicated articles about it on Slashdot.
    If you don't want your worst enemy, a potential thief, or your mother to see something then don't put it on Dropbox.

    1. Re:Dropbox and security? by Anonymous Coward · · Score: 0

      Afaik, the keepass DB is always encrypted on drive. So long as your master key is strong enough, putting up the DB should be relatively safe.

  16. Re:This improves TeamViewer credibility/Need FID by dbIII · · Score: 1

    GoToMyPC was first released in 1998. ... How are companies supposed to figure out if the standard they choose will last?

    SSH was first released in 1995.

  17. Re:This improves TeamViewer creditibility/Need FID by mwvdlee · · Score: 1

    SSH is now 21 years old.

    Back in 1994, Telnet (released in 1969) was 25 years old.

    Can you guarantee that SSH will still be around in 5 years?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  18. Social Engineering again. by Anonymous Coward · · Score: 0

    HEY WE LOOK REALLY SECURITY CONSCIOUS CHECK US OUT ON THE NEWS

    Meanwhile their software sucks and nobody cares.

    There are far better ways to administer client PC's. (#1 way is don't use Windows)

  19. Hmm. by Anonymous Coward · · Score: 0

    So let me get this straight. Some other users are fucktards who use the same passwords on multiple sites, (and I'm guessing their passwords are things like Password1, or ILoveCats or some other stupid shit like that, and now * I * have to go through the pain in the ass of changing my password, even though it was "H2$a-0ad-{u>a¥r#¥©Gp" ?!?

    Oh, wait, I don't have to do that, because I don't USE GoToMyPC. I use GetTheFuckAwayFromMyMAC! which is a much better service in that in the first place, it requires a Mac, which means it's being used by an altogether better, smarter, more compassionate group of people in the first place, with not as many people trying to set the place on metaphorical FIRE by doing stupid shit like reusing passwords.

    On that note, I have an idea: Instead of having stupid, arbitrary security rules for passwords, let users use whatever passwords they like, and have a password cracker CONSTANTLY working on the password hash list. When it finds a password, it immediately marks the password as expired; meaning you have to change your password when next you log in. Don't want to have to change your password every few days? Pick better passwords, ones that are harder to guess, and then you won't have to change them every few days, (or hours!)
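The scheme proposed at the end of the comment above (let users pick any password, keep a cracker running against the hash list, and force a change on any hash that falls) can be written down in a few dozen lines. What follows is an added example for this page, not GoToMyPC's or anyone's production code: the storage scheme (salted PBKDF2-SHA256), the account structure, the wordlist and the iteration count are all assumptions chosen for the demo.

```python
"""Added example: the 'audit your own hash list' expiry policy.

Accounts hold salt + PBKDF2-HMAC-SHA256 (assumed scheme). An audit job
runs a wordlist against every stored hash exactly as an attacker holding
a dump would, and any account that falls is marked must_change so the
next successful login is forced through a password change.
"""
import hashlib
import hmac
import os

# Deliberately low for the demo. A production store should use a slow,
# memory-hard hash (Argon2id, scrypt, bcrypt) at a tuned cost.
ITERATIONS = 20_000

# Constructed wordlist for the example.
CONSTRUCTED_WORDLIST = ["123456", "password", "Password1", "ILoveCats", "letmein"]


def hash_password(pw, salt=None):
    """Return (salt, digest); fresh random salt when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Account:
    def __init__(self, name, password):
        self.name = name
        self.salt, self.digest = hash_password(password)
        self.must_change = False

    def verify(self, pw):
        _, digest = hash_password(pw, self.salt)
        # constant-time compare so verification does not leak digest bytes
        return hmac.compare_digest(digest, self.digest)

    def set_password(self, pw):
        self.salt, self.digest = hash_password(pw)
        self.must_change = False


def audit(accounts, wordlist):
    """Dictionary-attack every account; flag and return the names that fell.

    Cost is len(accounts) * len(wordlist) hash computations per run, which
    is the whole trade-off: a hash slow enough to frustrate an attacker is
    equally slow for this audit, and a hash fast enough to make the audit
    cheap makes the attacker's job cheap too."""
    expired = []
    for acct in accounts:
        for guess in wordlist:
            if acct.verify(guess):
                acct.must_change = True
                expired.append(acct.name)
                break
    return expired


def login(acct, pw):
    """'denied', 'change-password' (correct but flagged) or 'ok'."""
    if not acct.verify(pw):
        return "denied"
    return "change-password" if acct.must_change else "ok"


if __name__ == "__main__":
    users = [Account("alice", "Password1"), Account("bob", "H2$a-0ad-{u>a¥r#¥©Gp")]
    print("audit flagged:", audit(users, CONSTRUCTED_WORDLIST))
    for u, pw in (("alice", "Password1"), ("bob", "H2$a-0ad-{u>a¥r#¥©Gp")):
        print(u, "->", login(next(a for a in users if a.name == u), pw))
```

The caveat a practitioner would add: the same wordlist check is far cheaper at the moment the password is set, when the plaintext is in hand and no hashing is needed (NIST SP 800-63B recommends screening new passwords against breach corpora for exactly this reason). Continuous cracking of a properly slow hash store only pays off for very small wordlists, and it does nothing about the reuse problem in the story, since a strong password reused on a breached site is not in any generic wordlist.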

  20. What are you trying to say? by dbIII · · Score: 1

    I do not get your point. Telnet is still around in situations where it would make more sense for it not to be around. Just the other day there was an article here about EOL licence hassles with medical record software that users were connecting to using Microsoft's version of telnet.
    There are plenty of old systems in use. In five years there will still be a lot of current systems in use so it's a given that SSH will still be around even if something much better is available.