GoToMyPC hacked – expert comments

Following the news that remote access service GoToMyPC is the latest company to fall victim to a ‘sophisticated password attack’, @DFMag received the following comments from industry experts:

Lisa Baergen, director, NuData Security:

“I sound like a broken record; but here we are again, news of yet another hack attack hits the wire. It’s only been a couple of weeks since TeamViewer user accounts were hijacked, and now GoToMyPC is hit by a very sophisticated password attack. No matter how long it takes to come out, the bottom line is that organisations have to stop thinking “what IF” and accept it should be seen as “WHEN” we get hit…

Although usernames and passwords can be changed, as is being asked here by Citrix, victims of a breach need to understand that every bit of information exposed is important and is building out solid packages of identity information on the Dark Web. Fraudsters are creating, selling and buying more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, fraudsters can ultimately do more damage and permeate a lot of these “temporary” point solutions and step-up authentication solutions a lot of organisations are putting up.

For example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. Where credit card fraud was all the rage a couple of years ago, it is account takeover and new account fraud that is on the dramatic rise. In our own database of billions of behavioural events annually, we’re seeing generally a 10% month-over-month increase in new account fraud.

Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and know and trust it is not the hacker using all of our identity information online. User behaviour analytics can provide victims of this, and other breaches, with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to consumers. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the IDENTITY of the user behind the device.”

David Gibson, VP of strategy and market development, Varonis:

“The GoToMyPC attack illustrates that data breaches should be considered a real and inevitable possibility – even for the most secure environments. Organisations need to get the basics right when it comes to securing their most valuable data, and disposing of information that is no longer necessary to the business. In this GoToMyPC attack, good corporate citizenship and a fast response enabled everyone to remain relatively safe – as long as everyone remembers to change their passwords. Folks are probably used to that by now, but they may not be following best practices for password hygiene.

For example, ‘dadada’! Even Mark Zuckerberg had a reminder earlier this month that you shouldn’t use the same password on multiple sites. From what we know, hackers worked from a list of cracked accounts that came from a 2012 breach at LinkedIn, and then reportedly got into his Twitter, Instagram and Pinterest accounts utilising the same password.

People are bad at coming up with their own passwords. We’re all guilty! For convenience, we make them obvious or short or both, and use them more than once. Hackers are good and getting better all the time at breaking them, either through brute-force guessing or dictionary-style attacks if the hackers have access to the password hash.

The ‘correct horse battery staple’ method is a memory trick where each letter of the password represents a word in a story. You can read more about that here.”
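The password-hygiene points in the comment above (short or obvious passwords, passwords already in a breach dump, and the same password reused across sites) can be turned into a small self-check. The following is an added illustration written for this page, not code from the article, from Varonis or from GoToMyPC. The wordlist, the "breached passwords" set and the 60-bit threshold are all constructed assumptions; a real deployment would use a large wordlist (several thousand words) and a full breach-corpus lookup.

```python
import math
import secrets

# Constructed sample wordlist (assumption). A real passphrase generator should use
# a list of several thousand words so that each word contributes ~12-13 bits.
WORDLIST = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple",
    "copper", "falcon", "velvet", "harbor", "lantern", "meadow", "quartz", "tundra",
]

# Constructed stand-in for a list of passwords seen in public breach dumps (assumption);
# 'dadada' is the example the comment above refers to.
BREACHED_PASSWORDS = {"dadada", "123456", "password", "qwerty", "letmein"}


def generate_passphrase(words=WORDLIST, n_words=4, separator=" "):
    """Pick n_words uniformly at random with a CSPRNG (secrets, not random)."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of a randomly chosen passphrase: n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(password):
    """Upper-bound entropy estimate from the character classes present.
    Human-chosen passwords are far weaker than this; dictionary attacks exploit that."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def assess_password(password, breached=BREACHED_PASSWORDS, min_bits=60, min_len=12):
    """Return a dict describing why a password is weak; 'acceptable' is True only
    when no problem was found. Thresholds are assumptions chosen for illustration."""
    problems = []
    if password.lower() in breached:
        problems.append("appears in a known breach list")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    bits = password_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated {bits:.0f} bits of entropy is below {min_bits}")
    return {"entropy_bits": bits, "problems": problems, "acceptable": not problems}


def find_reused(credentials):
    """Given {site: password}, return sorted groups of sites sharing one password.
    This is the pattern behind the LinkedIn -> Twitter/Instagram/Pinterest case above."""
    by_password = {}
    for site, pw in credentials.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    print(assess_password("dadada"))
    print(assess_password(generate_passphrase(n_words=5)))
    print("4 words from a 7776-word list:",
          round(passphrase_entropy_bits(7776, 4), 1), "bits")
    print(find_reused({"linkedin": "dadada", "twitter": "dadada", "bank": "Tq9!rv"}))
```

The entropy estimate is deliberately an upper bound: it tells you how hard a password would be to brute-force if it had been chosen at random, which human-picked passwords never are. The breach-list and reuse checks are the ones that actually catch the failure mode described in the comment, and they are cheap to run at password-change time.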
