Citing Attack, GoToMyPC Resets All Passwords (krebsonsecurity.com)
Security reporter Brian Krebs writes: GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites. Owned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.
Rename Company To JackMyPC (Score:3)
Re: (Score:2)
Heh. My actual thought after going to their website ("I wonder if it's really cheap"): Whoa! $144 per year for that? No way!
I guess my cheap-butt ways saved me yet again from a hack worse than death. Or not.
Re: (Score:1)
Re: Rename Company To JackMyPC (Score:1)
Remote Desktop for home users is completely different. It's not for tech support, you can't see what the other guy is doing because they are logged into a different account. And if they log into your account you get logged off. Also it doesn't have the simple random ID/PW login. You have to make an account or give out your password, which is much worse than losing your recycled PW from a 3rd party breach.
Sure Remote Desktop can be used securely, but the average user has no clue. These services thrive on the
Re: (Score:3)
Ask Microsoft/Apple. I mean, Linux is free, why should anyone use Windows or macOS? Hell, why do people pay RedHat billions of dollars a year for Linux? It's all free, after all.
The answer is, the commercial tools have
Re: (Score:2)
Heh. My actual thought after going to their website ("I wonder if it's really cheap"): Whoa! $144 per year for that? No way!
Hey! Good hacks don't come cheap, ya freeloader!
Password Managers, people (Score:2)
Re: (Score:3)
Serious question: How's that work for you when you regularly use six different computers?
Re: (Score:2, Informative)
Not quite six, but KeePass2 and Dropbox works pretty well for home and work.
Dropbox and security? (Score:4)
Able to download the files of others by knowing the filename and hash - that was Dropbox when people used this bug as an alternative to bittorrent for a while.
Able to login to other people's accounts without a password - Dropbox was wide open one day with that massive fuckup.
Using the interface to revoke other people's access to your files, getting told that it had worked, then those other people found they could still get the files - Dropbox again.
And that's just the stuff that has had dedicated articles about it on Slashdot.
If you don't want your worst enemy, a potential thief, or your mother to see something then don't put it on Dropbox.
Re: Password Managers, people (Score:1)
Re: (Score:2)
My encrypted password DB is in my Google drive so I can access it from my computer or directly from an app on my phone when I'm not in front of my PC but need a password. This requires wifi or a data connection but otherwise it's been working great so far.
I did this using KeePass and a Google drive plugin, but there are other plugins available as well.
Re: (Score:2)
This improves TeamViewer credibility/Need FIDO? (Score:1)
When TeamViewer users [slashdot.org] were impacted, the initial reaction was that TeamViewer itself had been hacked. They responded with the claim that users' reuse of passwords was to blame and TeamViewer security had not been breached. The fact that an independent remote access software company is exhibiting the same issues seems to indicate that TeamViewer was probably correct that user behavior regarding poor handling of passwords is to blame.
While both TeamViewer and Citrix seem to now be pushing two-factor authentication
Re: (Score:2)
GoToMyPC was first released in 1998.
TeamViewer was first released sometime around 2005.
Since then there have been a number of proposed common first-level login standards (OpenID, SAML..) along with second-factor ones (Symantec VIP, U2F...). Phone-based authentication seems to be popular at the moment.
How are companies supposed to figure out if the standard they choose will last? Companies have embraced various standards, only to abandon them a year or two later.
In short: the current state of things is a mes
Re: (Score:2)
SSH was first released in 1995.
Re: (Score:2)
SSH is now 21 years old.
Back in 1994, Telnet (released in 1969) was 25 years old.
Can you guarantee that SSH will still be around in 5 years?
What are you trying to say? (Score:2)
There are plenty of old systems in use. In five years there will still be a lot of current systems in use so it's a given that SSH will still around even if something much better is available.
Re: (Score:2)
Sightation needed.
I think there needs to be a public database (Score:2)
Full of exposed user information. Once the cat is out of the bad it's out of the bag and it needs to be acknowledged. You should be able to look up yourself and all your past exposed passwords so that you can never ever use them again. In fact you should be able to add to the list yourself.
Re: I think there needs to be a public database (Score:1)
"Once the cat is out of the bad it's out of the bag and it needs to be acknowledged."
I've never heard this phrase before and it's very confusing.
There is that haveibeenpwned website. It doesn't list passwords and I think that's a good thing. It just says if your email address was included in a leak, if what was leaked included passwords then that would be your clue.
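The two posts above disagree about whether an exposed-password lookup should list the passwords themselves. The check can be done without either side revealing the password: the client hashes locally and sends only a short hash prefix, and the lookup service returns every hash suffix it holds under that prefix, so the service never learns which password was asked about. The following is an added example, not code from the thread or from Have I Been Pwned; it models the k-anonymity range lookup that the Pwned Passwords service uses (SHA-1, 5-hex-character prefix) with both sides in one process and a small constructed breach corpus whose passwords and counts are sample values, not real leak data.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (sample values, not real leaked data). A real
# breached-password list would hold only the SHA-1 hashes and counts, never
# the plaintexts; they appear here only so the example can build its index.
LEAKED_PASSWORDS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 236_000,
    "qwerty": 3_946_737,
}

PREFIX_LEN = 5  # hex characters sent to the service; 35 stay on the client


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the corpus format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Service side: map 5-hex-char prefix -> {hash suffix: breach count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix: str):
    """Service side: return every (suffix, count) under the prefix.

    Only the prefix arrives, so the service cannot tell which of the
    16^35 possible hashes under it the client is actually checking.
    """
    return dict(index.get(prefix.upper(), {}))


def check_password(password: str, index) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.

    Returns the number of times the password appeared in the corpus,
    or 0 if it was not found; the full hash never leaves this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0)


INDEX = build_range_index(LEAKED_PASSWORDS)

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        seen = check_password(pw, INDEX)
        verdict = f"seen {seen} times, do not reuse" if seen else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

The design choice that matters is the split: the service stores and returns only hash suffixes, so the lookup works as a reuse check without becoming the public list of plaintext passwords the earlier post asked for. Widening the prefix would shrink each response but also shrink the anonymity set the client hides in.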
Err, correction to the headlines (Score:3)
Owned by Santa Clara, Calif. based networking giant Citrix
Err, Citrix is based in Ft. Lauderdale, and with the recent layoffs in Santa Clara, it has become clearer Citrix is circling its wagons back to South Florida (for better or worse, time will tell).