There are two approaches for remotely controlling a computer, calling out and dialing in.
RealVNC and Microsoft's Remote Desktop are examples of the dialing in approach. When the server side of RealVNC is installed on a computer, it waits for an incoming connection. If the computer is behind a firewall, a hole needs to be punched in the firewall to allow this incoming connection.
People who don't want to deal with firewalls and port forwarding, can choose software, such as GoToMyPC that, like ET, phones home. This takes advantage of the fact that firewalls, as a rule, let anything out.
When the server side of GoToMyPC software is installed on a computer, it phones home to Citrix and maintains that connection at all times. A GoToMyPC customer, seeking to remotely control a computer, contacts Citrix, the company behind GoToMyPC. Citrix serves as a man in the middle and makes the connection between the two computers.
As such, there is a lot of trust involved. GoToMyPC customers have to assume that Citrix employees can get into their computers at any time. Unlike RealVNC, Citrix knows, at all times, which computers can be remotely controlled, where they are, and the passwords.
Given this, you would think Citrix would be on its best behavior at all times. When security issues come up, you would expect the company to deal with them quickly and in an above-board manner, much like LastPass did last year or TeamViewer more recently. Their business depends on trust.
I have been a GoToMyPC customer for years, but their actions the last few days have caused me to lose trust in the company.
SSHHH, THERE'S A PROBLEM
For one thing, I found out about this security incident by accident, while scanning the tech news last weekend. Instead of emailing its customers, Citrix posted a note on its website. Many Citrix customers, I'm sure, did not see the note when it was posted.
Remotely controlling a computer, at least from a Windows machine, can be done via a desktop shortcut, bypassing the GoToMyPC website. This is what I do, as it's faster. Thus, I go months on end without ever looking at the GoToMyPC site, and I'm probably not the only customer who works this way.
And, what Citrix did say, at least at first, wasn't much.
This was a common gripe running through all the articles I read initially. Graham Cluley wrote "It's also a pity that the details are a little sketchy." Mark Wilson of BetaNews said "details are a little thin on the ground at the moment" and Catalin Cimpanu noted that "The company didn't provide any other details."
David Murphy, writing in PC Magazine put it best:
... it's unclear just how many users were potentially affected ... Citrix also hasn't indicated just how, exactly, attackers got their hands on these stolen passwords. It's also unclear whether password were even stolen, or whether the attackers are simply logging into GoToMYPC accounts en masse with stolen credentials from another attack.
That was Sunday. By Monday, Brian Krebs had more details. But his report, Citing Attack, GoToMyPC Resets All Passwords, was wrong. As noted earlier, I am a GoToMyPC customer and on Monday, June 20th, when Krebs wrote that, passwords had not been changed. Krebs had not verified what Citrix told him, and the person he spoke with was ill-informed.
By Monday, Citrix was telling everyone that GoToMyPC users had to change their password, despite its not being true. Their incident report said "Effective immediately, you will be required to reset your GoToMYPC password before you can login again."
Everyone took this at face value without confirming it. At PC World, Nick Mediati wrote "Before you next use GoToMyPC, you’ll have to reset your password." At Fortune, Barb Darrow wrote that Citrix "had proactively reset all customer passwords."
I was able to use three different GoToMyPC accounts that day without changing any passwords. The forced password change happened the next day, Tuesday the 21st, but all passwords did not have to change.
A couple accounts where I had changed the password on Monday worked fine on Tuesday. But other accounts, where the password had not been changed in years, were forced to pick a new password.
The password reset procedure also left something to be desired.
It starts off with entering the email address of a GoToMyPC customer on a Forgot Password page. Citrix then emails a link which, when clicked, lets their customer chose a new password. But, they did not require the customer to enter the old password which would have been more secure. Rather than do something specific for this problem, they opted to use their existing forgotten password procedure.
The emails from Citrix were also a problem, multiple email systems classified them as spam. I spent too much time fighting with this as I had to disable spam filtering on multiple accounts just to receive the password reset emails. Emails flagged as spam is a solvable problem, but apparently not for Citrix.
HACKED OR NOT
Citrix says both that they were hacked, and, that they were not hacked.
One of their early status reports said "Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack."
But a later report says "Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users." Translation: they were not attacked any more than Twitter or TeamViewer were recently.
Citrix is also inconsistent about the password change.
Early on, their message was that customers have to reset their passwords "if you are having trouble logging in to your account". This wording has not changed. But, many of their status reports and articles in the press cite the password change as mandatory for all customers.
Citrix is in the process of spinning off their GoTo products into a separate company. Along with that, the company was reported to get rid of 1,000 employees. You have to wonder what effect this has had on them.
Reporting by the tech press was disappointing. Perhaps typical, but disappointing nonetheless.
A common thread running through all the published articles that I read was that of a GoToMyPC password. A CNET article, for example, says "The remote PC service is requiring all users to change their passwords following a recent hack". Brian Krebs wrote that Citrix "is forcing all users to change their passwords..."
The problem? GoToMyPC does not have "a" password, it has two.
A GoToMyPC account requires the usual userid/password and Citrix uses an email address as the userid. But logging in to a GoToMyPC account, in and of itself, does not let you remotely control anything. To actually control a remote computer requires a second password, one tied to the remote machine. Officially, Citrix calls this second password an "access code".
It seems that every person covering the story has never actually used the service. If they had, they would know how useless a single GoToMyPC password is.
For the record, Citrix only forced their customers to change the first password, not the second one. And the boiler plate password rules that they suggest people use, do not apply to the second password/access code.
And how about some skepticism from the press?
Certainly anyone who follows technology would have noticed that the claim to have been targeted by a "very sophisticated" attack is par for the course. Every company is targeted by sophisticated hackers. No one ever admits that an amateur caused their problems.
Being the victim of a sophisticated attack is just as mandatory as the other claim from Citrix that they take "the safety and security of its customers very seriously..."
Since this effected me, I read a lot of articles on the subject. By and large, they did nothing but re-publish what Citrix said. Not much value was added by anyone. Perhaps this is the real price of "free" news online. Much of it is regurgitated press releases.
An article at Fortune stood out however. In an attempt to provide some context it noted that "GoToMyPC competes with remote access offerings like ... VMware Workstation." Ouch.
Taking a step back, this incident raises the question of the safest approach for remote control, dial-in or calling out. Sure, leaving a TCP/IP port open is dangerous, but it can be mitigated in a number of ways with RealVNC
- use a non-standard port number
- limit the number of wrong passwords that can be entered
- use a long password that is not used anywhere else for anything
- limit the source IP address and/or network
What mitigation can we take against a company like Citrix that acts as a middleman for remote control sessions? I can't think of any.
Plus, the RealVNC viewer can run on a Chromebook (no Android required) and RealVNC is cheaper than GoToMyPC.
Finally, a unrelated gripe about GoToMyPC.
Techies often use remote control for software maintenance that requires a reboot. Both RealVNC and TeamViewer can hold the connection, wait for the remote computer to restart and then re-establish communications. GoToMyPC just disconnects. Period.