June 20th, 2016 – Citrix-owned GoToMyPC, a remote access service, has initiated a mass password reset, a move other online service providers have taken following recent large leaks of login credentials for MySpace, LinkedIn and others (see ‘Historical Mega Breaches’ Continue: Tumblr Hacked).
“Unfortunately, the GoToMyPC service has been targeted by a very sophisticated password attack,” according to a June 19 statement. “To protect you, the security team recommended that we reset all customer passwords immediately.”
GoToMyPC enables users to log in through a web service and remotely access another computer that has its application installed. As a result, a hacker who has valid credentials could completely access someone’s computer.
Online service providers generally do not take mass password resets lightly. Some companies do sophisticated monitoring of login attempts and lock accounts that appear to be specifically targeted. Mass password resets run the risk of aggravating users but may be necessary in an emergency.
Large data breaches at several large online services have put other services on edge. During May, more than 630 million credentials belonging to users of LinkedIn, MySpace, Fling, Vkontakte and Tumblr were released. The hacks of those services occurred several years ago, and it still is a mystery why the credentials were recently put up for sale on underground markets.
But because people frequently reuse credentials across websites, the releases have still posed a risk that other accounts could be taken over.
In a separate statement, Citrix said the “recent incident was a password reuse attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users.” No other Citrix products were affected, according to John Bennett, Citrix’s product line director.
In May, Reddit reset 100,000 passwords in reaction to the mega-breaches. Reddit said it had not been exploited but that there is little defense when people decide to reuse credentials.
One way to reduce the risk of having an account taken over due to the use of same credentials is two-factor authentication, which can, for example, involve entering a one-time passcode. GoToMyPC offers that security feature, but two-factor authentication has a notoriously low takeup: For example, less than 1 percent of Dropbox users have it enabled.
As a result of GoToMyPC’s decision to reset all of its users’ passwords, it appears the service now has several barriers in place that are designed to prevent account takeovers, including nested passwords.
To access another computer, a user logs into GoToMyPC’s website with an email address and a password. The service then asks for another password a user has created to access a specific machine and also for a unique access code for that computer. The unique access code is only stored on a person’s computer, and GoToMyPC doesn’t have it.
Still, all of this information could be vulnerable through password reuse, and email addresses are easy to obtain. Also, any computer that has malware installed would be vulnerable to account takeovers.
GoToMyPC also uses similar gates that other services employ, such as limiting the number of login attempts and requiring minimum eight-character passwords with numbers and letters. It also shuts down connections that have been inactive for a certain period of time.
Users should know quickly if someone else has accessed their computer. GoToMyPC shows a notice if a computer is being accessed remotely as well as when they last logged in.
GoToMyPC’s troubles mirror recent issues seen by TeamViewer, a German company that also develops remote access software (see TeamViewer Bolsters Security After Account Takeovers).
In early June, some TeamViewer users complained their accounts had been taken over. Once on a computer, attackers looked for other credentials stored in web browsers for PayPal, eBay and Amazon, then attempted to make fraudulent transactions.
Those who use remote access software should be aware of a few security tips. If a remote access program is no longer needed, it should be removed from a computer, says John Christly, CISO of Netsurion, a network security consultancy.
Passwords for such applications should be strong, unique and not used elsewhere. Also, access through remote applications by other vendors or partners should be thoroughly vetted.
“Remote capabilities should be reviewed at least annually to ensure that orphaned accounts do not remain,” Christly says.
Article found here.