The answer is in the article
"Citrix has an extremely large portfolio spread across a number of sectors in the enterprise IT market."
^^^ would make a nice list of targets?
Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets. The enterprise software giant – which services businesses, the American military, and various US government agencies – said it was told by the FBI on Wednesday that miscreants had accessed Citrix's IT …
@Pascal Monett
100% agree - It's still not taken seriously anywhere I've worked. Up until a few months ago, I worked for one of the UK's biggest consumer services, and their password security is piss poor. No sanity checking, no MFA, no verification, no notifying customers when their account is accessed - there really is no excuse, even simple steps such as checking new passwords against known compromised credential combos would be a game changer - I won't even cover the worst bit (zero effort to prevent or detect exfiltration).
To be fair, the security team are trying to change this, but it's slow going, the senior leadership just have one mantra "customer journey and conversion".
A/C and no mention of company, as I'm fairly certain my contract had covenants against its discussion/disclosure.
unless and until there are significant penalties for such laxity, and significant rewards for being in the lead. How? Maybe a public register of all companies and their "security score", built from 0 up by expert independent graders, with points given for demonstrated security features. Companies not willing to be evaluated will get a hex-rating. If one chooses to go with the cheapest, with a relatively low score, then one deserves to get burned.
"unless and until there are significant penalties for such laxity"
There are but they only come into play after the event.
There's need for pro-active inspection. Let's say a scoring system for the types of PII held and a need for audit-requiring certification where the total score over all the data subjects exceeds some minimum. If a business doesn't want to get into certification and the consequent regulation then it can dial down what PII it holds.
Yes, I can imagine the complaints about the cost of regulation but the fact is that far too many have failed to put procedures in place without regulation. It's a requirement that businesses have brought on themselves. I've written here many times that experience is a dear teacher but there are those that will learn by no other. If it was simply the likes of Sony and Citrix having their internal documents raided it wouldn't matter but when it's the likes of Equifax and Verification.io spilling millions of customer or 3rd party details it's too late for such businesses to learn by experience.
"Huawei is not the major threat"
I disagree - Huawei are a major threat. If their current progress towards 5G systems continues, they will likely devastate existing European, US and Japanese telecoms vendors leaving only the Chinese vendors capable of offering single vendor solutions. Ericsson have admitted as much publicly and blamed it on EU regulations limiting investment (read as EU laws preventing states propping up companies that are struggling in the marketplace).
"And this with a company that specifically does networking. That doesn't look good for their reputation."
Logged a case with Citrix where you gave them certificate keys to decrypt TLS sessions? Time to change those certificates...
My point is that security is not the immediate issue with Huawei - it's about the significant market headstart that Huawei has at present for 5G. i.e. Huawei hope to have an end-to-end system commercially available by late 2019/early 2020 while their western competitors are talking end of 2020/beginning of 2021.
The telecommunications sector has seen significant consolidation over the last 20 years - Huawei/ZTE COULD become the only two major players after 5G with the other players providing components in the larger solution if Huawei/ZTE don't produce them in-house.
Would that create a security issue for western governments? Possibly. It would certainly create a strategic issue if western governments wanted to implement a blockade on China in the event of a Ukrainian-style invasion.
But this is very much an economic issue (i.e. Huawei/ZTE become the dominant market players, with other vendors unable to justify the significant levels of investment to produce competing products) at present.
"with other vendors unable to justify the significant levels of investment to produce competing products"
If other vendors face being pushed out of the market it didn't ought to be too difficult to justify the investment. Oh, silly me. We'll still be OK for a few more quarters without it and who looks further ahead than that?
If Huawei win the bids that are likely to go their way from either incumbents or telcos unhappy with their existing vendor because the delays may make them less competitive, I would guess Huawei will get around 60%-75% of the 5G market.
Aside from ZTE that is still growing, the other vendors are likely to struggle to re-coup their 5G investment.
6G will likely increase the required investment cost again and with dwindling revenues from 3G/4G support, committing to that will be tough. And without mobile, just how viable are the rest of the telecoms vendors' businesses?
The article says the 3rd party was the FBI. So not surprising they didn't know if the FBI told them. I saw a stat a few years ago and it said something along the lines of intruders have network level access for on average about 190 days before being detected (stat was quoted by the then-CTO of Trend Micro). I think the number of days has been going up slightly as well in recent years.
The one thing that the article doesn't specifically cover is how much/if any of the source code was taken. They say corporate network, I have no idea if that includes development stuff or not.
Security is a hot topic these days but for the foreseeable future it will continue to be a losing battle for just about everyone (especially with state actors, APTs etc), not a game I'd like to play.
Security people are often coming across hoards of data from other firms on the dark web while tracking down their own client's lost data. They then report the intrusion to the FBI and to the company that this data comes from -- companies like Resecurity have friendly contacts within the FBI and in many corporate security departments for exactly that purpose. It's a fairly insular business where most of the major players know each other, share lattes and/or beers with each other on a regular basis at various conferences, etc., and most of the major players both in the independent consultancies and in the major corporations know each other.
The sensitive data is presumably only in Iran.
So the first step would be to cut all communications links to Iran, so no copies of the data can be sent out of the region.
Then conduct a house-to-house search of the entire country. Of course, that will require inactivating the existing regime. But the United States has adequate tools to carry out that job.
After all, it's not as if we were dealing with Russia or the People's Republic of China.
So I fail to see the problem.
I do recognize that regime change in Iran would present practical challenges. But since Iran is not a democracy, I don't see that taking down the country the way the police would take down the home of a suspected hacker poses a moral issue.
The government of Iran has conspired to commit a breach of U.S. law on U.S. soil. Information which should not get into the wrong hands has gotten into the wrong hands. Correcting that would help send a message that might help to prevent it from happening again.
But since Iran is not a democracy, I don't see that taking down the country the way the police would take down the home of a suspected hacker poses a moral issue.
The US is not a democracy either, barely a plutocracy. So should other countries promote a regime change in the US?
"You have zero privacy anyway," Scott McNealy told a group of reporters and analysts Monday night at an event to launch his company's new Jini technology.
"Get over it." Wired Magazine.
****
At the time, it seemed that the industry might pay attention and DO SOMETHING ABOUT THE THREAT. Clearly not!
So? The United States and Britain are both nations with free elections, a free press, and the rule of law. Of course they have to have intelligence agencies to defend themselves against tyrannies like Hitler's Germany or Stalin's Russia. It's when tyrants use their spies to commit acts of aggression that it's wrong.
What will be very interesting to see is what happens with Citrix Cloud. Presumably with full access to the corporate network, there have been a bunch of secrets uncovered, including methods for accessing customer environments. Citrix has been trying extremely hard to get customers subscribing to its software and taking the next step and hosting the control plane in Citrix Cloud. I doubt this is even going to register with decision makers, but techies might think twice.
There's no shortage of juicy targets...finding a zero day to access customers' environments would be a big win. Basically every hospital runs every Citrix product they ever released, and those Windows applications that XenApp/XenDesktop deliver tend to be line-of-business stuff where all the money and transactions are kept.
Fighting against security issues is a losing battle. No one cares because it costs more money and makes everything more inconvenient. But, I guarantee the CEO of most companies has the password "12345" both on his luggage and his corporate AD account. I've worked in places where we have to carve out password policy exceptions for executives because they just don't care. It would take something like credit card processing being down for a month or Facebook being offline for a week to get normal people to sit up and notice this in the current environment.
Monday morning of 3rd December, all users of Citrix ShareFile, including clients of users, (e.g. every client of an accountancy firm that uses ShareFile to send secured emails to their clients) were unable to log in to ShareFile. Some of these users use ShareFile as their 'cloud network drive' (sigh), some just for sending secure emails, or rightsignature documents.
After a while it became apparent that Citrix had forced a password reset for all accounts.
Explanations from Citrix were at first missing altogether, and then those that did come were conflicting.
My own opinion was that a data breach had happened and Citrix were not being open about it.
https://www.reddit.com/r/Citrix/comments/a2qs6p/sharefile_password_resets/
https://www.reddit.com/r/sysadmin/comments/a2ozk3/was_sharefile_citrix_compromised/
Remote-desktop giant hacked using remote-desktop software and had to wait for the FBI to tell them about it. Why is it that these cyber criminals are only ever from one of China/Iran/North Korea ..
I can believe China has the technical capabilities. Iran and North Korea, not so much* - but feel free to enlighten me. Except they're conveniently Anti-American and not big enough to be a threat in other ways.
* It seems more likely that they're weak enough on CyberSecurity to allow them to be used frequently for false-flag operations.
And this is why some of us continue to adopt a "luddite" approach to embracing the wonders of The Cloud - as convenient as it can be to just stick stuff online and access it from wherever, sometimes it's just better to keep things local and do away with a) the need to have a reliable connection to the cloud service in order to get to your stuff and b) the need to rely on someone else's security policies to keep your own stuff safe.
The term, "corporate network", used to mean a portion of the corporate network that doesn't include distribution, together with the "weak passwords" comment, makes me think it's only fancy offices that were affected.
Full of business types who see network security strictly as a revenue stream.
Such a situation wouldn't surprise me enough even to be disillusioned.
>How can they tell it's this group?
Well, given the volume of data suspect the relevant agency knew about the attack some while back. They then been 'monitoring' communications to learn about tactics and targets and having determined the group are based in Iran and thus beyond reach, have decided to inform people...
There was one, vWorkspace. Originally by Provision Networks, bought by Quest, in turn bought by Dell. Once Dell bought EMC and a stake in VMware, they killed it as it competed (too well) with VMware Horizon.
Shame as it was a decent product. Really easy to manage. It was also the first product that basically treated VDI as a single user terminal server and managed them both in exactly the same way. Citrix had two products for VDI and RDS, while VMware just ignored RDS and tried to convince everyone that VDI was perfect for all scenarios. They have since both copied the vWorkspace approach.
Password spraying is soaring these last months. Yesterday we received 243 attempts. Today we have already suffered 206. All coming from hacked systems using different offending IPs. All of them are now in our Offending IPs list. We do believe effective online security begins with the best perimeter security.
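Added example, not part of the comment above: detection logic for the pattern the commenter describes, where a spray touches many accounts a handful of times each from a set of distributed source IPs, which per-account lockout thresholds never trip. The log format and the sample lines are constructed for this example (they do not come from any real system), and the window size and thresholds are assumptions to tune per environment. The alert carries the source IPs seen in the flagged window, which is the list a perimeter block would be fed from.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). One spray window at 08:00
# hits eight accounts once each from three sources; a single user failing twice
# at 09:30 is ordinary behaviour and must not be flagged.
SAMPLE_LOG = """\
2019-03-09T08:00:01Z FAIL user=alice src=203.0.113.10
2019-03-09T08:00:03Z FAIL user=bob src=203.0.113.10
2019-03-09T08:00:05Z FAIL user=carol src=198.51.100.7
2019-03-09T08:00:07Z FAIL user=dave src=203.0.113.10
2019-03-09T08:00:09Z FAIL user=erin src=198.51.100.7
2019-03-09T08:00:11Z FAIL user=frank src=192.0.2.44
2019-03-09T08:00:13Z OK   user=alice src=10.0.0.5
2019-03-09T08:00:15Z FAIL user=grace src=192.0.2.44
2019-03-09T08:00:17Z FAIL user=heidi src=203.0.113.10
2019-03-09T09:30:00Z FAIL user=alice src=10.0.0.5
2019-03-09T09:30:05Z FAIL user=alice src=10.0.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window (windows aligned to midnight)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    n = (ts - midnight) // window
    return midnight + n * window


def detect_spray(log_text: str, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per window that looks like a spray: many distinct accounts
    failing, but no single account failing more than max_per_user times."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            buckets[window_start(ev["ts"], window)].append(ev)

    alerts = []
    for start in sorted(buckets):
        events = buckets[start]
        per_user = defaultdict(int)
        for ev in events:
            per_user[ev["user"]] += 1
        # Brute force = few users, many failures each; spray = many users, few each.
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({
                "window_start": start,
                "distinct_users": len(per_user),
                "sources": sorted({ev["src"] for ev in events}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(f"{alert['window_start'].isoformat()} spray across {alert['distinct_users']} "
              f"accounts from {', '.join(alert['sources'])}")
```

The breadth-over-depth rule is the whole point: a per-account lockout of five failures would never fire here, since no account fails more than once, so the counter has to be kept per window across all accounts rather than per user.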
It kind of sucks to have this happen when you are trying to position your company as a security company. How did this breach not get detected by the wonderful Citrix Analytics? So much for the Citrix Secure Gateway. If employee accounts were hacked then the hackers got access to admin accounts for Citrix Cloud and could have then accessed customer data. How embarrassing that Citrix had to be informed by the FBI that they had a breach.