20
Jun 16

Citing Attack, GoToMyPC Resets All Passwords

GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.

gtpcOwned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.

“Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack,” reads the notice posted to status.gotomypc.com. “To protect you, the security team recommended that we reset all customer passwords immediately. Effective immediately, you will be required to reset your GoToMYPC password before you can login again. To reset your password please use your regular GoToMYPC login link.”

John Bennett, product line director at Citrix, said once the company learned about the attack it took immediate action. But contrary to previous published reports, there is no indication Citrix or its platforms have been compromised, he said.

“Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett wrote in an emailed statement. “At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the  GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible. ”

Citrix’s GoTo division also operates GoToAssist, which is geared toward technical support specialists, and GoToMeeting, a product marketed at businesses. The company said it has no indication that user accounts at other GoTo services were compromised, but assuming that’s true it’s likely because the attackers haven’t gotten around to trying yet.

It’s a fair bet that whoever perpetrated this attack had help from huge email and password lists recently leaked online from older breaches at LinkedIn, MySpace and Tumblr to name a few. Re-using passwords at multiple sites is a bad idea to begin with, but re-using your GoToMyPC remote administrator password at other sites seems like an exceptionally lousy idea.

Tags: , ,

40 comments

  1. I wonder if this has any relationship to the current incident report from GoToMeeting citing outages blamed on ISP load balancing issues. http://status.gotomeeting.com/

    • Hey Guys!!! I got mine from Cindy. My blank ATM card can withdraw €2,000 daily. I got it from her last week Wednesday and now I have €7,000 for free. The card withdraws money from any ATM machines and there is no name on it, it is not traceable and now i have money for business and enough money for me and my 4 kids. I am really happy i met Cindy because i met two people before her and they took my money not knowing that they were scams. But am happy now. Cindy sent the card through DHL and i got it in two days. Get one from her now. she is giving it out to help people even if it is illegal but it helps a lot and no one ever gets caught. Cindy’s email address is (cindytedder767@yahoo.com)

      • Sadly, Donna Jane and Cindy have the best comment today.
        If only passwords were as exciting as free money scams from idiots…

  2. Perfect: Exceptionally Lousy Idea. Also to include never changing passwords.

    GoToMyPC is doing the right thing, even if it “inconveniences customers.” Unfortunately even those who aren’t Exceptionally Lousy get inconvenienced undeservedly.

    A good idea would be for providers to find a way to reward users for proper password management, such as occasionally changing them.

    • It would have been nice if GoToMyPC would have only forced users to a new password if the password had not been updated since the leaked password list. That should have been easy to figure out and would have only inconvenienced those with poor password management skills.

    • New Mexico Mark

      Google already rewards users for good security. Look for their annual February giveaway of an (apparently) permanent +2GB Google Drive storage for users who run through their security checkup process. It’s not a huge thing, but I think it is a nice, positive move toward encouraging better security. (Wish list – make it +5GB each year.)

      www[dot]theverge[dot]com/2016/2/9/10940046/google-drive-free-2gb-space-security-checkup

  3. Good thing I don’t use it – I think there are more secure products out there for remote management.

  4. 2 factor!!! I wish this was implemented everywhere..and to have the same password on multiple sites means some people are going to have to get BIT to understand THESE days..there is no REAL security!! I wish someone comes up with a moving target password that changes every 30 secs!!

  5. Yeah. Unfortunately just a password alone is not enough to protect someone’s privacy these days. If someone was stupid enough to reuse their “usual” password for an admin login for a remote access to their system, they are probably also using the same password for their email account. So Citrix can change it as many times as they want, the bad guys will just get it via a breached email account. So yeah… it’s kinda pointless.

    Unfortunately as well, many big name companies, including Citrix, are too dumb, or plain lazy, to implement multi-factor-authentication early on. They usually do it to patch up an already rampant breach when their customers leave in droves, or if they get a public relations nightmare because of the news associated with the breach… too bad!

  6. I use LiteManager it is store all passwords on my local PC, without the threat of loss/reset them

  7. Something doesn’t add up here. First they say that it is a sophisticated password attack and then go on to say actually it was just people trying combinations from all the huge leaks lately, that’s not particularly sophisticated to me.

  8. @brian, you should google RSA or Vasco.

    • or Microcosm’s SmartSign

      • Dennis Kavanaugh

        Or something based on FIDO U2F that can be used across multiple sites. The standards exist, and companies like YubiKey support it. The time has come….

  9. To bad they’re not forcibly resetting the ‘disable 2-factor authentication’ setting, as long as they say they actually care about security enough to force you to change your password. Just sayin’.

  10. I use “Simple-Help” for remote management. Has yet to be targeted since it runs on a separate dedicated Server and uses 2 factor authentication. Why waste the time with LogMeIn, TeamViewer, Screenshare, etc.

    -Ben

    • Warren Warshaw

      The cheapest version of Simple Help is $320.00. Team Viewer has a free version that I have installed on at least 5 computers. It also offers 2 factor authentication.

  11. On a related note SANS ISC is reporting a wave of phishing spam targeting LogMeIn users. I would hope that those who read KrebsonSecurity are smart enough to not fall for this kind of phishing:

    https://isc.sans.edu/forums/diary/LogMeIn+Captain+A+Not+so+Phishy+Phishing+Campaign/21181/

  12. Seems strange the reset password only requires entering the valid email of the user. Meaning, if people are sharing passwords and email is already compromised, how does sending a link to an email account Citrix has on file to reset the account password for GoToMyPC? And this link doesn’t require ANY verification, just enter new password twice. You dont even need to put in the OLD password!? I mean, I think they could have MORE account compromised as a result of this reset.

    If email account of the user is compromised, they still are screwed. Also, if bad guys already had access to your GoToMyPC account and not your email, and they already changed the email account associated with Citrix to their own email address, they are just sending the reset link to the bad guys with no further verification. Odd way to do it in my opinion…

    • 99% of account systems with password reset work this way.

      Sure, there are some which have “password reset questions”, but usually if you forgot your password, you also forgot your reset answers. If you didn’t forget them, then they’re probably public knowledge anyway, and thus add zero protection to your account.

      Here’s the thing:
      1. If your phone is lost or stolen, you need to fix that immediately
      2. If your credit card is lost or stolen, you need to fix that immediately
      3. If your email account credentials have been compromised, you need to fix that immediately. Most mailboxes are configured to retain email (either pop-leave-on-server, or imap, or Exchange), which means that there’s probably enough information about you in your mailbox for someone to figure out anything about your password reset challenges that they don’t already know.

  13. I’d like to see some sort of industry standardization for passwords. Seems counterintuitive when it comes to security, but I think more people would use unique passwords and change them more often if they knew the rules were the same across the board. It’s a P.I.T.A. trying to remember if a particular site is the one that requires special characters (or forbids them) in the password. Password 10 characters exactly, or at least 10 characters, or no more than 10 characters. Arrgghh.

    • https://fidoalliance.org/about/overview/

      «The Mission of the FIDO Alliance is to change the nature of online authentication by:
      * Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
      * Operating industry programs to help ensure successful worldwide adoption of the Specifications.
      * Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

      … The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization nominally formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.»

  14. So they even reset the users that already had 2-factor auth enabled? I didn’t read their whole post but they stated “mandatory password reset for all GoToMyPC users” and then they promote 2FA in the very next statement. That was incredibly dumb. They want everyone to use 2FA but if you do they’ll reset your password anyway when they’re in panic mode. If I was a customer, I’d be very mad about that decision.

    • Yes I can confirm that I had to reset my Goto My PC password, and my account was already setup with 2FA.

    • On the one hand, I agree with you.

      On the other hand, it’s almost certainly easier for them to do what they did, rather than add an extra rule to exclude such users.

      Finally, it is possible for you to intentionally/accidentally disable 2FA in the future. And they don’t want your account to be vulnerable then either.

      So from a hygienic perspective, there’s a bit of logic to it.

      FWIW, Carbonite confirms that you don’t have to update the password for each carbonite client [often you’re allowed 5 seats for a single subscription] (it sounds like each connection is given a token/key). Of course if you periodically browse the carbonite web interface from multiple devices, you’d have to update that for each browser.

      But all in all, this isn’t particularly painful.

  15. Carbonite users have also received a notice today telling them to reset their passwords. Carbonite cites an attacker attempting to reuse credentials from a previous heist.

  16. Got a very similar email from Carbonite today. Evidently they are under attack as well.

    • Same here. The CSR stated that it was a Senior Management decision to “reset” everyone’s password. A basic 90 day password policy would be a minimum standard. But instead, let’s email blast our entire user account database “CLICK HERE” to reset your password. Even my kids when they wher 5 years old know to never click that link!!!

      (14:33:56) Jessica said to you:
      Our senior management decided that this was the best course of action to ensure account security. Again, I have no say in this and you are more than welcome to send an email to privacy@carbonite.com or legal@carbonite.com with your concerns.

  17. good skills to reset passwords

  18. hello everyone…we do not need to go through complications trying to hack our partner’s phone,hacking job is best done by proffessionals…when i needed to hack my partner’s whatsapp,i contacted realghosthack@gmail.com …he did a perfect job for me within 48hrs…you can also contact him for all sorts of hacking job..he is fast and reliable..tell him lara reffered you..he would be willing to help.

  19. hello everyone…we do not need to go through complications trying to hack our partner’s phone,hacking job is best done by proffessionals…when i needed to hack my partner’s whatsapp,i contacted realghosthack@gmail.com …he did a perfect job for me within 48hrs…you can also contact him for all sorts of hacking job..he is fast and reliable..tell him lara reffered you..he would be willing to help.//.

  20. I dislike periodic password changes. Other elements of secure password implementation should be given more weight.

    I was forced to reset this password: lZ0wV8MI9FFPRuWYC$e97UBHz@@8Df3h at a site I use due to their password policy requiring 60 day password resets. That password, never used at any other site by me, had not even reached its half-life in password strength analysis with current and calculated future cracking capabilities.

    As others have pointed out, the password reset implemtenation could create more account takeovers. What if an account of a password re-user did not have a reused password ? What if that password re-user did re-use at their registered e-mail and that had been compromised (recently due to active re-use attacks)? Miscreant now tries GoToMyPC account and voila, password reset access given.

  21. Really interested as to how people feel about Cloud Computing having read this article. Services such as http://www.getnerdio.com, where you can do everything online, are as secure as they can be. Do people think that’s enough? Be happy to hear your thoughts. And thanks for an interesting article.

  22. So sad that people are having do this. So many people out there are going out of their way just to ruin other peoples. It really is sad.