Citing Attack, GoToMyPC Resets All Passwords

Security reporter Brian Krebs writes:GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites. Owned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.

Rename Company To JackMyPC

[zenlessyank]

Free demo now!!

Re:Rename Company To JackMyPC

[snookerdoodle]

Heh. My actual thought after going to their website ("I wonder if it's really cheap"): Whoa! $144 per year for that? No way!

I guess my cheap-butt ways saved me yet again from a hack worse than death. Or not.

Re: Rename Company To JackMyPC

Remote Desktop for home users is completely different. It's not for tech support, you can't see what the other guy is doing because they are logged into a different account. And if they log into your account you get logged off. Also it doesn't have the simple random ID/PW login. You have to make an account or give out your password, which is much worse than losing your recycled PW from a 3rd party breach.
Sure Remote Desktop can be used securely, but the average user has no clue. These services thrive on the EZ setup, just run and give the tech the ID/PW that pops up.

Re:Rename Company To JackMyPC

[Ol+Olsoc]

Heh. My actual thought after going to their website ("I wonder if it's really cheap"): Whoa! $144 per year for that? No way!

Hey! Good hacks don't come cheap, ya freeloader!

Re:Rename Company To JackMyPC

[tlhIngan]

What I don't understand is how companies can sell something that is already free. Windows remote desktop and putty have been free forever. Plus there are other alternatives that I don't feel like listing. If you are dumb enough to pay for something that is free, then you deserve to get jacked!

Ask Microsoft/Apple. I mean, Linux is free, why should anyone use Windows or macOS? Hell, why do people pay RedHat billions of dollars a year for Linux? It's all free, after all.

The answer is, the commercial tools have better support. GoToMyPC, TeamViewer, etc, are all very handy utilities if the person you're dealing with on the other end is having difficulty. If they can get on the internet, GoToMyPC and its ilk work great for remote support. No routers to fiddle with, no complex setup involved - all you have to do is get them to run an executable and enter in a few values and you can diagnose why they can't connect to the corporate LAN over VPN (remote desktop is unencrypted, and unless you port forward, if you can't VPN in, you can't use it).

Hell, paying for a yearly license at $144, that's pretty cheap. If you have to walk a user through the steps of downloading and using puTTY and Remote Desktop, that could easily take at least 2-3 hours in time and untold frustration. $144 is pretty cheap to turn an aggravating time into one that can get people on their way in 10 minutes

Password Managers, people

[PRMan]

If you haven't installed a password manager that generates a unique password for every site, now is a really good time to do it.

Re:Password Managers, people

[PCM2]

Serious question: How's that work for you when you regularly use six different computers?

Re:Password Managers, people

Not quite six, but KeePass2 and Dropbox works pretty well for home and work.

Re: Password Managers, people

[hackwrench]

Both Chrome and Firefox can remember passwords across devices.

Re:Password Managers, people

[Syberz]

My encrypted password DB is in my Google drive so I can access it from my computer or directly from an app on my phone when I'm not in front of my PC but need a password. This requires wifi or a data connection but otherwise it's been working great so far.

I did this using KeePass and a Google drive plugin, but there are other plugins available as well.

This improves TeamViewer creditibility/Need FIDO?

When TeamViewer users where impacted, the initial reaction was TeamViewer itself had been hacked. They responded with the claim that users' reuse of passwords where to blame and TeamViewer security had not been breached. The fact an independent remote access software company is exhibiting the same issues seems to indicate that TeamViewer was probably correct that user behavior regarding poor handling of passwords is to blame.

While both TeamViewer and Citrix seem to now be pushing two-factor authentication, they both seem to be using solutions they created themselves rather than contribute to an industry standard method which is consistent for the user across websites. It would be nice as this problem becomes more common that more companies join the FIDO Alliance as this should provide a single method for the user to learn which them works the same across all U2F compliant sites.

Re:It may be time

[butchersong]

How would the new password be communicated to the user in a secure manner every 3-6 months?

Re:This improves TeamViewer creditibility/Need FID

[Cerlyn]

GoToMyPC was first released in 1998.

TeamViewer was first released sometime around 2005.

Since then there have been a number of proposed common first-level login standards (OpenID, SAML..) along with second-factor ones (Symantec VIP, U2F...). Phone-based authentication seems to be popular at the moment.

How are companies supposed to figure out if the standard they choose will last? Companies have embraced various standards, only to abandon them a year or two later.

In short: the current state of things is a mess.

Re:Sighting Attack

[MobileTatsu-NJG]

Sightation needed.

I think there needs to be a public database

[BlueCoder]

Full of exposed user information. Once the cat is out of the bad it's out of the bag and it needs to be acknowledged. You should be able to look up yourself and all your past exposed password so that you can never ever use them again. In fact you should be able to add to the list yourself.

Re: I think there needs to be a public database

"Once the cat is out of the bad it's out of the bag and it needs to be acknowledged."

I've never heard this phrase before and it's very confusing.

There is that haveibeenpwned website. It doesn't list passwords and I think that's a good thing. It just says if your email address was included in a leak, if what was leaked included passwords then that would be your clue.

Err, correction to the headlines

[luis_a_espinal]

Owned by Santa Clara, Calif. based networking giant Citrix Err, Citrix is based in Ft. Lauderdale, and with the recent layoffs in Santa Clara, it is become clearer Citrix is circling its wagons back to South Florida (for better or worse, time will tell.)

Dropbox and security?

[dbIII]

Normally when Dropbox is mentioned and the topic is security it's referring to one of their many spectacular fuckups.
Able to download the files of others by knowing the filename and hash - that was Dropbox when people used this bug as an alternative to bittorrent for a while.
Able to login to other people's accounts without a password - Dropbox was wide open one day with that massive fuckup.
Using the interface to revoke other people's access to your files, getting told that it had worked, then those other people found they could still get the files - Dropbox again.


And that's just the stuff that has had dedicated articles about it on Slashdot.
If you don't want your worst enemy, a potential thief, or your mother to see something then don't put it on Dropbox.

Re:This improves TeamViewer creditibility/Need FID

[dbIII]

GoToMyPC was first released in 1998. ... How are companies supposed to figure out if the standard they choose will last?

SSH was first released in 1995.

Re:This improves TeamViewer creditibility/Need FID

[mwvdlee]

SSH is now 21 years old.

Back in 1994, Telnet (released in 1969) was 25 years old.

Can you guarantee that SSH will still be around in 5 years?

What are you trying to say?

[dbIII]

I do not get your point. Telnet is still around in situations where it would make more sense for it not to be around. Just the other day there was an article here about EOL licence hassles with medical record software that users were connecting to using Microsoft's version of telnet.
There are plenty of old systems in use. In five years there will still be a lot of current systems in use so it's a given that SSH will still around even if something much better is available.