I am planning to be very quick and brief with this post and to try to clarify some misconceptions regarding some of our latest posts and projects on GNUCITIZEN.
The first general misconception is regarding the CITRIX posts. Let’s start with
Then Adrian and I published a post (
I would like to draw your attention to some of the details published regarding this vulnerability. First of all, it is remote. Second of all, attackers can completely hijack the victim, including but not limited to their INTERNET TRAFFIC, their VOIP calls, their BANK ACCOUNTS, their SOCIAL PROFILES, and of course, they can purchase goods on behalf of the victim, perform IDENTITY THEFT stunts, etc, etc, etc. The attack is a combination of Cross-site scripting, Cross-site request forgery and Authentication Bypass vulnerabilities. This means that no matter how strong your password is, you are still vulnerable. Period!
Next, two follow up posts were published on some rather concerning CITRIX and Microsoft Terminal Services issues. The first one, titled
The second post, 0day: Hacking secured CITRIX from outside, expands on the previous one and provides some details on how easy it is to penetrate CITRIX by simply tricking an unaware user into visiting a malicious website. In this case, the victim does not have to authenticate or perform any interaction. The attack is automatic, transparent and quite dangerous.
Last but not least, I would like to bring some light on what I meant when I said that
Security in depth does not exist. IT security is not only about keeping the perimeter safe. There is a lot more to it than that. Sometimes it is so hard to get the security right that attacks are simply inevitable. Sometimes systems are set up in such an impossible way that it is extremely hard and very expensive to set them up the right way. This happens all the time. Security in depth is hard to implement. You may think that you have implemented it the right way, but as they say:
a system is as secure as its weakest link. Luckily, we have a Black PR/Crisis PR consultant on board here at GNUCITIZEN to explain to us how to handle the security problem the right way.