<b>⌨ A Breach, or Just a Forced Password Reset? ⌨</b>
Software giant Citrix Systems recently forced a password reset for many users of its ShareFile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many ShareFile users interpreted this as a breach at Citrix and/or ShareFile, but the company maintains that’s not the case. Here’s a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.
The notice sent to ShareFile users looked like this:
[Image: the password-reset notice Citrix sent to ShareFile users]
Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn’t understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.
I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.
A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by supported authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).
More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using multi-factor authentication. To wit:
“This is not in response to a breach of Citrix products or services,” wrote spokesperson Jamie Buranich. “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attackers’ additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls [emphasis added]. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”
The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
NIST explains its rationale for steering organizations away from regular forced password resets thusly:
“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”
“But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
In short, NIST says it makes…
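The NIST passage above is about a concrete failure mode: after a forced reset, users pick "Summer2019!" to replace "Summer2018!", and an attacker holding the old password tries exactly those rewrites first. The following is an added example written for this page (not code from Citrix, ShareFile, KrebsOnSecurity or the NIST document) showing what a verifier can do about it during an event-based reset: enumerate the common transformations of the compromised password, compare letter skeletons so that "$umm3r19" is also caught, and reject anything on a breached list. The transformation list, the leet map and the breached-password set are assumptions constructed for the example.

```python
from __future__ import annotations

import re

# Reverse leet-speak map. The set of substitutions is an assumption made for
# this example; extend it to match what your cracking dictionaries cover.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a breached-password corpus (lower-cased). Not real
# data from the article; in production this is a local copy of a leak set.
BREACHED = {"password1", "summer2018!", "qwerty123", "welcome1"}


def _neighbors(pw: str) -> set[str]:
    """Single-step rewrites an attacker tries first on a known old password:
    bump an embedded number, add or drop a trailing digit/symbol, flip the
    case of the first letter. Mirrors NIST's "increasing a number" example."""
    out: set[str] = set()
    for m in re.finditer(r"\d+", pw):
        n, width = int(m.group()), len(m.group())
        for delta in (-2, -1, 1, 2):
            if n + delta >= 0:
                out.add(pw[:m.start()] + str(n + delta).zfill(width) + pw[m.end():])
    for suffix in "0123456789!@#$.":
        out.add(pw + suffix)
    stripped = pw.rstrip("0123456789!@#$.")
    if stripped and stripped != pw:
        out.add(stripped)
        for suffix in "!@#$.":
            out.add(stripped + suffix)
    if pw:
        out.add(pw[0].swapcase() + pw[1:])
    out.discard(pw)
    return out


def _skeletons(pw: str) -> set[str]:
    """Letters-only, lower-cased skeletons of pw, computed both with and
    without reversing leet substitutions (digit-to-letter mapping is
    ambiguous: "19" may be a year rather than "i9")."""
    lowered = pw.lower()
    out: set[str] = set()
    for variant in (lowered, lowered.translate(UNLEET)):
        letters = re.sub(r"[^a-z]", "", variant)
        if len(letters) >= 3:      # ignore all-digit skeletons
            out.add(letters)
    return out


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old`, one rewrite away from it, or shares its
    letter skeleton: the candidates an attacker holding `old` tries first."""
    if new == old or new in _neighbors(old):
        return True
    return bool(_skeletons(old) & _skeletons(new))


def evaluate_new_password(old: str, new: str, breached: set[str] = BREACHED) -> str:
    """Verifier-side decision during an event-based (compromise-driven) reset.
    Returns 'reused', 'too_short', 'trivial_rotation', 'breached' or 'ok'."""
    if new == old:
        return "reused"
    if len(new) < 8:               # SP 800-63B floor for user-chosen secrets
        return "too_short"
    if is_trivial_rotation(old, new):
        return "trivial_rotation"
    if new.lower() in breached:
        return "breached"
    return "ok"


if __name__ == "__main__":
    old = "Summer2018!"           # constructed: the compromised old password
    for candidate in ("Summer2019!", "$umm3r2018!", "Summer19",
                      "Welcome1", "correct horse battery staple"):
        print(f"{candidate!r:32} -> {evaluate_new_password(old, candidate)}")
```

The check is only meaningful when the verifier still has the old password in cleartext, which it does for exactly one moment: the reset flow itself, where the user proves the old secret before choosing the new one. It cannot be applied retroactively to a hashed database, which is one more reason to reserve resets for evidence of compromise rather than the calendar.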
<b>Backdoors Up 44%, Ransomware Up 43% from 2017</b>
via Dark Reading
Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk.
<b>Google Chrome 71 Touts 43 Fixes, Fights Ad Abuse</b>
via Threatpost
The browser comes with a new set of protections to block pop-ups that could lead to 'abusive experiences.'
<b>Could adult content ban spell the end for Tumblr?</b>
via Naked Security
#TumblrIsDead? Tumblr is banning adult content in an effort to be safer, better, “more positive,” and less (female) nipple-ish.
<b>Those are NOT your grandchildren! FTC warns of new scam</b>
via Naked Security
Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the FTC warns.
<b>Kubernetes cloud computing bug could rain data for attackers</b>
via Naked Security
Kubernetes, a tool that powers much modern cloud-native infrastructure, just got its first big security bug - and it’s a mammoth one.
<b>Quora.com admits data breach affecting 100 million accounts</b>
via Naked Security
Hackers have compromised data from the accounts of 100 million users of question and answer site Quora.com.
<b>6 Ways to Strengthen Your GDPR Compliance Efforts</b>
via Dark Reading
Companies have some mistaken notions about how to comply with the new data protection and privacy regulation - and that could cost them.
<b>3 ways to kick-start your organization's cybersecurity training</b>
via TechRepublic
Only 45% of organizations offer mandatory cybersecurity training, according to a Mimecast report. Here's how to boost your employees' security education.
<b>70% of businesses using bots to boost efficiency, only 5% govern their access to data</b>
via TechRepublic
As software bots spread throughout the enterprise, business leaders must control their access to sensitive information, according to a SailPoint report.
<b>Adobe Patches Zero-Day Vulnerability in Flash Player</b>
via Threatpost
The vulnerability could lead to arbitrary code execution.
<b>5 ways to avoid cyberattacks during holiday travel</b>
via TechRepublic
Whether traveling for business or the holidays this month, follow these tips from Matrix Integration to keep your devices safe.
<b>The Case for a Human Security Officer</b>
via Dark Reading
Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.
<b>Kubernetes Flaw is a “Huge Deal,” Lays Open Cloud Deployments</b>
via Threatpost
Hackers can steal data, sabotage cloud deployments and more.
<b>Adobe Flash Zero-Day Leveraged Via Office Docs in Campaign</b>
via Threatpost
Adobe issued a patch for the zero-day on Wednesday.
<b>Windows 10 Security Questions Prove Easy for Attackers to Exploit</b>
via Dark Reading
New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.
<b>Republican Committee Email Hacked During Midterms</b>
via Dark Reading
The National Republican Congressional Committee detected the compromise of four staffers' email accounts in April.
<b>Symantec develops neural network to thwart cyberattack-induced blackouts</b>
via TechRepublic
The company is rolling out a device that scans for malware on USB devices to block attacks on IoT and operational technology environments.
<b>Former Estonian Foreign Minister Urges Cooperation in Cyberattack Attribution, Policy</b>
via Dark Reading
Nations must band together to face nation-state cyberattack threats, said Marina Kaljurand.
<b>Google Cloud Security Command Center Now in Beta</b>
via Dark Reading
The beta release of Google Cloud SCC will include broader coverage across the cloud platform and more granular access controls, among other features.
<b>ATTENTION! New - CVE-2017-1622</b>
via National Vulnerability Database
IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-Force ID: 133120.
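The NVD entry names the weakness class (improper certificate validation leading to MITM spoofing) without showing what it looks like in code. As an added example written for this page in Python (IBM QRadar is not a Python product and this is not its code), here is the client-side misconfiguration that produces that class beside the hardened form, plus a small audit function that flags a context which would accept a spoofed peer. The optional `cafile` argument and the `TLSv1_2` floor are choices made for the example.

```python
from __future__ import annotations

import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons a client SSLContext would let a man-in-the-middle
    present a certificate for a spoofed peer; an empty list means the chain
    is verified against a trust store and the hostname is checked."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate (or none) is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for a different name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.0/1.1")
    return findings


def insecure_context() -> ssl.SSLContext:
    """The 'does not validate, or incorrectly validates, a certificate' pattern:
    the handshake succeeds for whoever answers on the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """Chain verification plus hostname matching, pinned to an explicit CA
    bundle when one is supplied (e.g. an internal PKI), else the system store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

Pass the hardened context to whatever opens the socket, for example `http.client.HTTPSConnection(host, context=hardened_context())`; the audit function is the kind of check to run in a unit test over every context a service constructs, since the two-line "disable verification to make the error go away" fix is easy to ship and invisible at runtime.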