Citrix ShareFile security breach last week

#1
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
Citrix site now states that the break-in was from a "credential stuffing" attack, not a hack, not phishing:

"There has been a constant increase in internet-account credential (usernames and passwords) theft, and, since those same credentials are often used to access other accounts, we have seen a commensurate increase in credential stuffing attacks. To help our customers protect their data, we are requiring a password reset and will be incorporating a regularly-scheduled, password reset into our normal operating procedures. Users will need to reset their passwords when logging into ShareFile. We do not believe that this issue resulted from a compromise of our systems. We believe this is an important step to continue to help our customers use our solutions securely. For more information, please refer to our blog."

From Wiki: "Credential Stuffing attacks are made possible because many users will reuse the same password across many sites with one survey reporting that 81% of users have reused a password across 2 or more sites and 25% of users use the same password across a majority of their accounts[3]."

It's plausible that some of my clients reused their credentials from other sites.

It would seem that multi-factor authentication would have protected those accounts where people reused their credentials from other sites that had gotten hacked.

But in a true successful hack of a site, wouldn't the multi-factor code have gotten compromised also?

(Meanwhile, turning on two-factor authentication for my clients has broken upload alerts to them from ShareFile...)
 

#2
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
This is similar to when the IRS website was allegedly "hacked" -- they weren't hacked, the bad guys came in through the front door because they had the keys. A hack is a break-in at the system level, like breaking a window to enter the premises.

Yes, MFA can be compromised pretty easily too; this has been well-documented for years -- for example, using social engineering to get Apple to reset your phone security can allow a bad guy to receive the MFA code in your place. Better MFA involves possession of a specific device, not just knowledge of a texted or mailed code. For example, UltraTax requires MFA using a phone or tablet running a Thomson Reuters app, which has previously been registered to the user (in the case of UT, they require you to scan a QR code from your login screen to validate the app on your device).

UT also now provides a small card (similar to credit card size) which generates a random code to use, so that you don't have to own a smartphone or tablet. This is similar to devices I used in my job 25 years ago, but back then they were much thicker than a credit card, and battery life was more of an issue.

Oh -- and never use the same password for multiple accounts, and don't use Facebook or Google as a login service -- always create a direct, local account with each service.
 

#3
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
makbo wrote: This is similar to when the IRS website was allegedly "hacked" -- they weren't hacked, the bad guys came in through the front door because they had the keys. A hack is a break-in at the system level, like breaking a window to enter the premises.

Yes, MFA can be compromised pretty easily too; this has been well-documented for years -- for example, using social engineering to get Apple to reset your phone security can allow a bad guy to receive the MFA code in your place. Better MFA involves possession of a specific device, not just knowledge of a texted or mailed code. For example, UltraTax requires MFA using a phone or tablet running a Thomson Reuters app, which has previously been registered to the user (in the case of UT, they require you to scan a QR code from your login screen to validate the app on your device).

UT also now provides a small card (similar to credit card size) which generates a random code to use, so that you don't have to own a smartphone or tablet. This is similar to devices I used in my job 25 years ago, but back then they were much thicker than a credit card, and battery life was more of an issue.

Oh -- and never use the same password for multiple accounts, and don't use Facebook or Google as a login service -- always create a direct, local account with each service.


Are you currently using the UT issued card? How is it working out? Is the card account based so that it can be used for one UT account on multiple devices? In other words, if one preparer works on two separate computers, will one card suffice?

I am interested because Drake is rolling out MFA and wants users to use a third party app that will download codes to a cellphone. I think there are inherent risks in tying security to a device that gets used for multiple purposes and is commonly carried around. I get that the card can be carried around and stolen too, but maybe not as much as a phone.

If I had employees, I would be really uneasy knowing that they are essentially carrying around a cellphone which essentially allows access to client data. Who knows what they do with that phone when they are not working. After all, it's their phone. I would probably want to purchase a "work" cell phone for them that must be kept on site (locked up and secured while not in use) -- with no apps or usage other than accessing MFA apps. And that will add at least some operating costs.

There are several articles online discussing potential methods of overriding (for want of a better word) MFA that relies on an app downloaded to a cellphone. It could be that this will not be an acceptable standard for long. One article pointed out that Google Authenticator has not been updated in over a year. The author seems to think Google is working on another option.

https://smartphones.gadgethacks.com/new ... e-0186776/

For now, I think a card like what UT is using (or a FOB such as what is offered by Google Authenticator) is a better option, but I would like to hear from people who are currently using this method with their tax software.
 

#4
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
Citrix tech called me back after two calls to Citrix and over an hour wait each time.

However their techs are very good.

Showed me how to run a report that would show attempted break-ins on my clients. I say attempted because when he looked at the report (which incidentally didn't show what he hoped it would) it showed one attempt that lasted about two minutes. Interestingly it occurred a couple of months ago. No idea why turning on forced MFA resulted in bounced invites for a new client, but I noticed the client had an unusual Office 365 header in his email. Could be he has very aggressive anti-spam enabled. Not sure.
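The report the Citrix tech pulled is the defender's view of a credential stuffing attack: a burst of login attempts from one source against many different accounts, mostly failing, with the occasional success on an account whose owner reused a password. The example below is added here and is not ShareFile's report or any code from Citrix: it runs that detection over a constructed log in a made-up "ip= user= result=" format (the thread does not reproduce the real report layout), separates stuffing from single-account brute force by counting distinct usernames per source, and lists the accounts that succeeded from a flagged source, which are the ones a forced password reset should target first. The IP addresses are from the RFC 5737 documentation ranges and all usernames are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (NOT ShareFile's report format). 203.0.113.5 sprays one
# attempt each at many different accounts (credential stuffing); 198.51.100.7
# hammers a single account (brute force); 192.0.2.10 is a normal user.
SAMPLE_LOG = """\
2019-03-12T10:00:01Z ip=192.0.2.10 user=alice result=OK
2019-03-12T10:00:05Z ip=203.0.113.5 user=alice result=FAIL
2019-03-12T10:00:09Z ip=203.0.113.5 user=bob result=FAIL
2019-03-12T10:00:14Z ip=203.0.113.5 user=carol result=OK
2019-03-12T10:00:20Z ip=203.0.113.5 user=dave result=FAIL
2019-03-12T10:00:27Z ip=203.0.113.5 user=erin result=FAIL
2019-03-12T10:00:33Z ip=203.0.113.5 user=frank result=FAIL
2019-03-12T10:00:41Z ip=203.0.113.5 user=grace result=FAIL
2019-03-12T10:00:50Z ip=203.0.113.5 user=heidi result=FAIL
2019-03-12T10:05:00Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:05:03Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:05:07Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:05:12Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:05:18Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:05:25Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:30:00Z ip=192.0.2.10 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log text into (timestamp, ip, user, result) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within some sliding time window, try at least `min_users`
    DISTINCT accounts with a failure rate of at least `min_fail_ratio`. Distinct
    accounts is the signal that separates stuffing from single-account brute force.
    For each flagged IP the largest qualifying window is reported."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window's left edge
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(win) > prev["attempts"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                                   "failures": fails, "successes": len(win) - fails}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: the likely
    password re-users, whose credentials need a forced reset first."""
    return sorted({user for _, ip, user, result in events if ip in flagged and result == "OK"})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(events)
    for ip, stats in flagged.items():
        print(f"{ip}: {stats}")
    print("force password reset for:", accounts_to_reset(events, flagged))
```

The brute-force source is deliberately left unflagged here: it trips a different, simpler rule (repeated failures on one account), and lumping the two together hides the distinctive shape of stuffing, where each account is tried only once or twice with a password that already leaked elsewhere. Thresholds such as five distinct accounts in ten minutes are starting points to tune against a baseline of normal traffic, since a shared office NAT address can legitimately show several users.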
 

