> Citrix said in a later update on April 4 that the attack was likely a result of password spraying, which attackers use to breach accounts by brute-forcing from a list of commonly used passwords that aren’t protected with two-factor authentication.

How did Citrix not have 2FA in place?
I fully assume there are more hacks we don’t hear about than ones we do. Not only because of cover-ups, but it can’t be that hard to cover your tracks if you know what you are doing.
Security is hard. On the upside, every breach is a chance to learn for everyone else. I hope they release more details on how it happened.

Is there any blog or news that summarizes such post-mortem lessons? Could be a nice project to collect that.
Has anyone gotten that kind of call from the FBI and can shed light on how the process works? Would be fascinating for an outsider and provide a guide on what next steps look like for those poor souls that receive the call in the future.
If you'd like a full perspective of the Citrix hack, three security people from Detroit discussed it on a recent episode of their show, How they got hacked:

https://www.youtube.com/watch?v=fMgdrq0xMLk
If you have anything of value, I absolutely guarantee you that there are hackers in your network right now.

One thing that frustrates me more than anything else is people assuming that their corporate network is safe. Your firewall and your VPC or whatever is a speed bump at best. You have to assume that you have an attacker on the desk right next to you, because you will eventually.
You need a network sniffer and pattern recognition. Otherwise, basically you hope some of the unusual activities will affect IDS/IPS (or touch the internet). However, if it is a normal account you need some sort of intelligence to recognise and alert.

Not much software can do this.
> Citrix said in a later update on April 4 that the attack was likely a result of password spraying, which attackers use to breach accounts by brute-forcing from a list of commonly used passwords that aren’t protected with two-factor authentication.

Wow. This simply reinforces the fact that humans cannot, and should not, be trusted with actively maintaining security of a system especially if there could be significant economic consequences.

Would a password manager help in this? I don't know.

Probably a hardware token which controls all and any access to a system.

*Removed some ambiguous sentences.
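
Added example, not part of the thread and not Citrix's or any vendor's code: one way to recognise the password spraying described in the quoted Citrix update, which is also the kind of pattern recognition over otherwise normal logins that a comment above asks for. The log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-01-01T02:00:05 203.0.113.7 alice FAIL
2024-01-01T02:01:10 203.0.113.7 bob FAIL
2024-01-01T02:02:15 203.0.113.7 carol FAIL
2024-01-01T02:03:20 203.0.113.7 dave FAIL
2024-01-01T02:04:25 203.0.113.7 erin OK
2024-01-01T02:05:30 203.0.113.7 frank FAIL
2024-01-01T02:06:35 203.0.113.7 grace FAIL
2024-01-01T09:00:00 192.0.2.15 carol FAIL
2024-01-01T09:00:20 192.0.2.15 carol OK
2024-01-01T09:10:00 198.51.100.20 bob FAIL
2024-01-01T09:10:02 198.51.100.20 bob FAIL
2024-01-01T09:10:04 198.51.100.20 bob FAIL
"""

def parse(log):
    """Yield (timestamp, ip, account, succeeded) tuples from the assumed format."""
    for line in log.strip().splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag sources that fail against many accounts, a few tries each, in one window."""
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, evs in by_ip.items():
        start, targets = 0, set()
        for end, (ts, _, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1  # slide the window forward
            fails = Counter(a for _, _, a, ok in evs[start:end + 1] if not ok)
            # Many accounts, few guesses each: spraying. One account, many guesses: not.
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                targets.update(fails)
        if targets:
            # A success from a spraying source looks like a normal login in isolation.
            hits = {a for _, _, a, ok in evs if ok}
            findings[ip] = {"targets": targets, "compromised": hits}
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(ip, "sprayed", sorted(f["targets"]), "succeeded as", sorted(f["compromised"]))
```

A shared NAT or VPN egress address can trip the same rule, so a flagged source is a lead to review rather than a verdict.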