We dunno what's worse: Hackers ransacked Citrix for FIVE months, or that Equifax was picked to help mop up the mess

Back in March, remote desktop specialist Citrix admitted hackers had romped through its core systems, and had purloined internal business documents. Now we're finding out the intrusion was much worse than first thought. A letter [PDF] to the California Attorney General this week, required by law following a hack of this nature …

  1. Tomato42 Silver badge

    Could be worse

    Remember, it always can be worse, it could be PricewaterhouseCoopers, the "audit" company responsible for "audits" of each of the hacked CAs (including Diginotar)

    1. Matt Ryan

      Re: Could be worse

      What did they audit? The accounts or the security practices?

      1. DJO Silver badge

        Re: Could be worse

        What did they audit?

        A very nice lunch with an excellent claret, and the CEO's word that everything is fine, after all if you can't trust the CEO what's the point?

        1. David Lewis 2

          Re: Could be worse

          Just like KPMG did for Carillion. Oh wait ...

        2. CrazyOldCatMan Silver badge

          Re: Could be worse

          A very nice lunch with an excellent claret

          Followed by a very large bill for the audit. Which gets paid promptly, thus ensuring that no-one looks too hard at anything other than the share price or the waist circumference.

    2. Crazy Operations Guy Silver badge

      Re: Could be worse

      They could use Arthur Andersen, AKA Accenture for their audits. The geniuses that brought you the outstanding audits for Enron and WorldCom...

  2. Anonymous South African Coward Silver badge

    In the land of the blind, the one-eyed man is king.

    1. tekHedd

      In the land of the blind, the one-eyed man is stoned to death.

      Fixed that for ya.

      1. CrazyOldCatMan Silver badge

        the one-eyed man is stoned to death

        Nah - the stones keep missing.

  3. Alan Bourke

    "Threat actors"

    You're not in a fucking Bourne film, lads.

  4. chivo243 Silver badge

    Learn from the Experts?

    Equifax seems the logical choice, they've just been through the process of having someone riffle through their unmentionables ;-} They know the drill!

  5. Doctor Syntax Silver badge

    "We identified password spraying, a technique that exploits weak passwords, as the likely method by which the threat actors entered our network."

    This from a company that specialises in ...remind me ... Citrix? .... isn't it networking?

  6. LeahroyNake Silver badge

    Password spraying

    Is that also known as a rainbow table attack or more simply guessing crap passwords?

    1. Gene Cash Silver badge

      Re: Password spraying

      I think that's known as "try to baffle 'em with bullshit"

    2. Anonymous Coward

      Re: Password spraying

      Crap passwords as a result of crap password policy. When you insist on frequent forced rotation and no re-use, then don't be surprised when the passwords are of the form CrapPassword?1, CrapPassword?2, CrapPassword?3, etc.

    3. Marketing Hack Silver badge

      Re: Password spraying

      Password spraying is the new euphemism for companies that don't like to say they were brute-forced. However, the addition of "spraying" does make it more evocative, rather likening the quality of numerous Citrix employees' passwords to what a sick tomcat sprays around the house.

      1. CrazyOldCatMan Silver badge

        Re: Password spraying

        sick tomcat sprays around the house

        Doesn't have to be sick to spray. Just needs to feel the need to mark his[1] territory.

        [1] Females and neutered males do it too - just not as much and the end result isn't as pungent.

      2. Michael Wojcik Silver badge

        Re: Password spraying

        Password spraying is the new euphemism for companies that don't like to say they were brute-forced

        "Brute-forced" is a general term. "Password spraying" refers to one particular type of brute-force attack: brute-forcing by iterating user IDs against each of a set of commonly-used passwords.

        It's true the technique is considerably older than the term. Google Ngram Viewer doesn't find any instance of the phrase in its corpus, which extends to 2008, so it seems to have been coined within the past decade (and in fact I don't recall hearing it for more than the past year or two). On the other hand, I recall a paper proposing this sort of attack against online banking systems that used short PINs and account numbers for authentication; that was around 2000. I imagine there are earlier examples, and of course there are analogues in physical security such as the use of dates for combination-lock numbers.

    4. JLV Silver badge

      Re: Password spraying

      https://resources.infosecinstitute.com/password-spraying

    5. Amos1

      Re: Password spraying

      "Two-Factor Authentication? We don't need no stinkin' Two-Factor!"

      or

      "Two-Factor Authentication? We use Two-Factor Authentication. We require both a Username AND a Password!"

  7. JohnFen Silver badge

    Equifax? Really?

    It's almost like Citrix is desperate to prove that their security incompetence goes up and down the entire org chart.

    1. Michael Wojcik Silver badge

      Re: Equifax? Really?

      I think this is an Inverse Hanlon: at least as much malice as stupidity.

      The credit-reporting agencies offer these "free credit monitoring" services cheaply to breach victims like Citrix, because the agencies can then try to sell their paid monitoring services to the recipients. Sometimes they just start billing after the free year to see how many people pay without checking what they're paying for.

      It's a scam on both sides. The breached company uses it as a PR move, and the credit bureau gets a marketing opportunity. Presumably Equifax just offered Citrix the best deal.

      Now that credit freezes are free everywhere in the US, the best bet is to ignore credit monitoring services (or if you take one of these free offers, be sure not to end up paying for it later) and freeze your accounts. Freeze with all the agencies, not just the big three; you can find comprehensive lists of them online. (Krebs' blog is one source.) If you have minor children, freeze their accounts too; children are a favorite target of some identity thieves because it's often years before anyone notices.

      Some of the bureaus do a lousy job of handling freezes (shockingly, their security isn't any better here), and they all try to steer customers away from freezes to proprietary "credit protection" offerings that let the bureaus continue to make money off your account. But a real freeze is still your best bet.

  8. Crazy Operations Guy Silver badge

    "discovered and exploited any vulnerabilities in our products or services to gain entry."

    If you missed an exploitable flaw in your software during QA, what makes you think that you're going to find it on a second look? Of course that assumes they even bothered with QA or security testing in the first place...

  9. Anonymous Coward

    The average American has approximately 30 free offers of credit monitoring for one year available to them. How about offers of 1 year + of free housing for the people responsible in these companies (usually top management that didn't want to bother to spend the money) for failure to secure their networks, preferably at a Federal Super Max hotel. As for Equifax, do you know how much money they made due to their big data breach? A lot, since they used it to offer an extra level of security services to those people whose data they failed to protect in the first place.

    1. JLV Silver badge

      Hey, this makes me think of something. There are basically 3 credit bureaus, at least in N America, right?

      How about, instead of 1 year free monitoring on their system, the law is changed to require 1 year free on their competitor’s system? Might focus corporate attention on security somewhat.

      But still like jail time for gross negligence. From peon to CEO, if warranted.

      Yup, given their offerings Citrix falling for password spraying and mislaying 6TB of data transfer over 5 months is a bit like an accountant failing 3rd grade math. 8-/

      That’s one domain AI ML might help: spotting anomalous network usage patterns. Seems like a number of vendors are aiming for that.

      1. Michael Wojcik Silver badge

        There are basically 3 credit bureaus, at least in N America, right?

        Nope. There are three big ones, and a handful of smaller, specialized ones, which are just as vulnerable. Trying to make sure you've frozen your accounts everywhere is fun.

        In any case, "free" credit monitoring is mostly just marketing, venturing as close as possible to outright fraud. The bureaus make an effort to convince people that they should either extend or enhance their free monitoring with paid services.

  10. Anonymous Coward

    We have found no indication that the threat actors discovered and exploited any vulnerabilities in our products or services to gain entry.

    If I were said international cyber crims I would also ransack an area of the network that made it look like I'd got in a certain way and only made off with email addresses and social security details which would keep them occupied for a fair while worrying about ID theft (as well as providing potential income and future attack avenues). In the meantime I'd be rifling the shit out of the rest of the network because, let's face it, they don't seem as if they have a f*cking clue and it's likely that's what they were after all along. I would be nervous if I were using their kit on the perimeter.

    It's like a burglary when you throw the contents of some drawers on the floor and make the place look a mess whilst taking some obvious jewellery but you've also taken copies of confidential business materials and made copies of keys and hard drives - the bit you actually came for. Everyone thinks it was "just junkies" etc.

  11. Griffo

    Talk About an Own Goal

    I'm just going to leave this here.

    https://www.citrix.com/blogs/2019/04/04/security-best-practices-multi-factor-authentication/

Biting the hand that feeds IT © 1998–2019