customers also baffled
Baffled by "Custoemrs": intentional / pun? Am I just dense?
Citrix says there is no reason to panic after it asked customers to reset their passwords on its Sharefile service. The file-slinging service rang in the new month with the announcement that it would begin regularly requiring users to change their passwords. That new policy will begin this week, as all users are being asked to …
I used to work somewhere as a non-sysadmin that required regular password resets, retained 12 previous passwords but had no minimum password age. I just used to sit there and reset my password 13 times to get back to the one (very complex) one I had committed to memory.
I say this to perhaps reinforce that having a policy is one thing, having an effective policy is harder. Sounds like Citrix is at least trying to do good things.
I have had this; try to think of a new one each month.
Now I am a railway enthusiast so chose the following
month 1 - dreadnought
month 2 - superb
month 3 - temeraire
month 4 - stvincent
All from the Platform 5 book of regularly changed memorable passwords
4 years' worth
left there fortunately before I got too far down the list
I'm a bit confused about the reasoning behind forcing password changes leading to weaker passwords. If it's only x number of users doing so and making garbage passwords/not using password managers (or the company or whatever not providing them), isn't only that single user being affected, or does that become other people's issue as well? If you change out the locks on a door every month, and the person with the key keeps taping it to the same door that's locked, is it the lock's fault the door got opened by somebody who shouldn't have opened it? If I sell really sharp utility knives to people, do I have to hire people to go and put helmets on users before they start trying to hold the knives with their mouths? I think it's fair to allow for the assumption of a bit of responsibility on the part of the user.
"I'm a bit confused about the reasoning behind forcing password changes leading to weaker passwords"
I imagine it goes something like this: you start out with D9xTMffgH!#82 then D9xTMff then DxCitrixAgain and then ihatecitrix and ihatecitrix! and ihatecitrix123
So they're 'protecting' users who do dumb things like re-use passwords ... by doing dumber things like forcing them to deal with extra complexity. Along with all those who would never dream of reusing their Correct Horse Battery Staples. This is broken, so let's double down on it.
Do they also make you identify with memorable personal data? Mother's maiden name, favourite colour, first school, sorta thing? Now that really does feature in data leaks. As if it was even secure in the first place.
Where's the Pratchett icon, for occasions like this when he helps translate AAARGH to a half-decent LART?
If you are of a certain age then the problem for a lot of people will be from all those harvesting emails in the late 90’s/early 00’s where huge email chains were used to find your Star Trek/Porn Star/etc. names.
This means that there are probably a lot of hash tables out there with a decent subset of personal data, and probably databases with links between personal info supplied above and surnames/emails.
Whilst emails could well have changed for many people and so this may be less of a problem these days, it would explain why some ID theft campaigns were so successful in the past, and why memorable personal data could be considered compromised or less secure.
"So they're 'protecting' users who do dumb things like re-use passwords ..."
Perhaps the users are trying, in the only way available to them, to communicate to you what they think of complicated password based authentication schema.
Let me ask the inevitable downvoters one question.
Are your ideas of how to do things working?
"I just write it down on a post-it note and stick it under the keyboard"
You want to be protected from evil hackers on the internet, and from nosy colleagues at your workplace. So if you use this method, take a password that is memorable to you, but not to your colleagues, add a longish random password, and only write the longish random part on a note. Evil hackers on the internet can't read the note. Nosy colleagues are usually not skilled enough to add your memorable words part.
The National Cyber Security Centre (part of GCHQ) doesn't think that forcing regular password expiry is a good thing.
NCSC may be part of GCHQ, but their remit is to protect government (interpreted broadly) systems, and UK businesses.
There are plenty of other people saying password resets other than when compromised are a bad idea.
If Citrix wanted to do something useful, they could check new passwords aren't in the Have I Been Pwned database.
"Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases."
I'm guessing Citrix have downloaded one of the many available leaked credentials databases from the web (they are there if you look), run a comparison against their existing database, and found X% of matches. They've probably also worked out that if an attacker starts at a and ends with z it will take Y weeks until the first account is hacked and Z weeks until all the matches are, so password change all round.
I say I'm assuming cos that's exactly what I did with one of the systems I look after and a forced urgent password change was undertaken in a race against the hackers. Every time a new leaked database is made public, rinse and repeat.
I heartily recommend people to have a nosey at https://haveibeenpwned.com/ and change their password if appropriate.
They did, except that they were dumb enough to post notice during the week-end.
They should have posted the notice Monday morning, then waited until Thursday to implement.
Instead, they thought people were really intent on following their services during the week-end. That's what you get when you take FaceBook as an actual news platform, and confuse your number of followers with your number of friends.
"According to Citrix, there's no specific data breach or incident behind the move"
Really? If so, why am I dealing with users asking about this then?
"We have been notified this morning of a security incident relating to our support data sharing tool Sharefile, and we have provided their message to us as part of our management of this situation. We have contacted ShareFile and are awaiting further clarification from them, and as their message states they are continuing investigations into the incident."
I'm all for increased security, so I went to their website, changed my password to a random generated one (I have no idea what it is) and saved it in my password manager Blur. Then I went to see if they had a 2FA option. There is yay! But only via sms/phone call, boo! But wait, after enabling SMS 2FA, I can then enable a backup 2FA via an Authenticator App, but you cannot remove the SMS 2FA.
I signed in on my mobile and it sent me an SMS rather than using the authenticator app.
They are nearly there, but they need to push the authenticator app as the first choice and give the option to remove SMS as 2FA (in fact encourage it). SIM swapping is incredibly easy to do, and its use to take over accounts has exploded recently. SMS 2FA cannot be trusted anymore.
I've removed SMS 2FA from my Google account, Namecheap and anywhere else that gives me the option.
Sharefile is probably the most important account I have, I use it to transfer customer data. That thing needs to be secure. They should up their game with regards to 2FA.
Not knowing what this was about, I did some quick research.
What I found is that, yes, this is a thing and yes, it can be real headache.
However, there are a few prerequisites:
1) SIM swapping targets "profitable victims", which means said victims have been identified among the many - not so obvious
2) "Laying the groundwork for a SIM swap scheme involves collecting as much information about the victim as possible." - sounds like work, even if clueless people also have money
3) living in a country where phone providers activate new SIMs via phone call
And that is the crux. If you live in a country where the phone provider will not do any such thing over the phone, and instead sends the legitimate owner a new SIM via mail to the legitimate address, then this whole scheme is dead before it started.
More details now posted here:
Credential stuffing attack. I'm still not a fan of scheduled enforced password changes, but it's better than nothing for users that don't have 2FA enabled and have their credentials exposed online.
Nearly every user who received one at my company reported it as a potential phishing attack. Even our security team was confused by the message when we evaluated it (suspicious content but legit links). Wasn't until we saw a Twitter conversation by ShareFile claiming they were legit before we finally gave the thumbs up on performing the password resets.
... that for some reason travelled backwards in time from May 2019 into my today's inbox:
"Dear happy Cixtrix user,
as you please have heard must please reset password now. Or not have access. Convenienly, plase click [a href="someplace.please-dont-block-my-account.wherever.tk]here[/a] to not have account removed and set new password. Must enter old password first. Please ignore if some get warning browser message, all is OK. Awaintingly, Cxitrix user best support team."
I had a similar thought. I wonder if the spammers are already using the confusion to dupe users into providing their new credentials. Just a simple "Dear user, please reset your password again. The one you did earlier was lost by our server" email, followed by a relatively official looking login page, might trick far too many users. Never underestimate the gullibility of the user base.
The problem is of course that even in the absence of data breaches users frequently find ways to compromise their own logins so you should probably always assume that some proportion of your users are using compromised credentials.
Frequent forced resets are obviously harmful but the mistake I think that we make nowadays is in assuming that if frequent forced resets (worst I've personally experienced was 30-day but I've heard of worse!) are bad for overall security then the ideal must be to never, ever force your users to reset their passwords.
I'm not 100% sure this is always true - particularly given that over time your users will tend to compromise their own credentials one way or another. Even if an infrequent forced reset isn't a perfect "refresh", it seems like it's better than just letting the proportion of compromised credentials grow over time.
If Citrix did indeed run a comparison of their sign-ins against publicly known compromised credentials it would be interesting to know if they did the same again after the reset - and whether or not and how much difference it made.
"If Citrix did indeed run a comparison of their sign-ins against publicly known compromised credentials..." then I would be very worried, because Citrix is not supposed to know their users' passwords and not supposed to be able to do this easily. And not faster than any hacker could do it.
These email responses have been sent to some Citrix Sharefile users.
"I got an email that included the following:
We are writing to notify you of a security incident on the Citrix ShareFile service (aka Citrix Content Collaboration) that affected users on your Citrix ShareFile account. We recently became aware of suspicious activity associated with certain user accounts. Based on our investigation to date, we believe that an unauthorized party used credentials obtained from third-party sources to attempt to access and obtain information from certain Citrix ShareFile user accounts.
"We believe these attempts were successful for some Citrix ShareFile user accounts associated with your organization. There is no indication that this issue resulted from a compromise of our systems."
"We have taken a number of steps to address this issue, including disabling unauthorized account access and requiring all non-SSO users to reset their passwords. In addition, we continue to closely monitor our network to detect and prevent any suspicious activity associated with the Citrix ShareFile service.""
"Based on our investigation to date, we believe that an unauthorized party used credentials obtained from third-party sources to attempt to access and obtain information from certain Citrix ShareFile user accounts."
"In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures."
FFS. I thought we'd got past stupid bollocks like this.
Doing a reporting process vs. the HIBP Pwned Passwords API and then forcing resets on specific users with matching passwords (and then querying HIBP on password resets going forward) could be construed to be a useful and sensible thing to do to scotch people speculatively trying compromised passwords. Along with encouraging/pushing adoption of (token or H/TOTP - not SMS!) 2FA to outright mitigate password theft.
Arbitrarily going back to 2001 and requiring regular password resets is just stupid.
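The HIBP Pwned Passwords check suggested earlier in the thread and spelled out in the comment above (query at reset time, reject anything already in the breach corpus) can be done without sending the password or even its full hash anywhere, using the API's k-anonymity range lookup: only the first five hex characters of the SHA-1 go to the service, and the suffix match happens client-side. This is an added example, not code from the thread, from Citrix or from HIBP; the HTTP GET of `/range/<prefix>` is replaced by an offline stand-in that serves a constructed response with made-up counts.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6"
# (the first five hex chars of SHA-1("password")). The real API returns one
# "SUFFIX:COUNT" line per suffix seen under that prefix; counts here are invented.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"  # suffix for "password"
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"        # constructed filler
)


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to
    the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count or 0)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: fetch_range(prefix) returns the response body for
    that prefix; the match against our own suffix is done locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET; only knows the constructed sample prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def acceptable_new_password(password: str,
                            fetch_range: Callable[[str], str] = offline_fetch) -> bool:
    """Reset-time policy from the comment: reject a candidate that appears in
    the breach corpus at all, instead of expiring passwords on a calendar."""
    return pwned_count(password, fetch_range) == 0
```

Swapping `offline_fetch` for a real GET of `https://api.pwnedpasswords.com/range/<prefix>` gives the live check; the password and its full hash still never leave the server doing the reset.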
Our organization has over 300 users. 80 of them are part of our Sharefile workforce. All 80 have been getting a particular phishing email several times a day, which began 4 days before Sharefile mysteriously began enforcing this new policy. The rest of our non-Sharefile users have received a single one. This is not a coincidence. Whoever performed this hack was able to obtain a list of addresses. I don't know if they were able to get to any of our data. I believe the truth will come out.