Global Secure Systems (GSS) penetration testers have found a spreadsheet that held the domain admin passwords for every server at a financial services company, plus quotations, methodologies, terms of business and reports from a number of the firm's competitors.
Robin Hollington, director of consulting for GSS, which uncovered the lapse, said the unencrypted information had been contained in a folder, but had been protected using access rules.
"Using the access rules we had acquired at the time, we were able to read the information, including passwords, which gave us system administrator access to every server (several hundred) in the organisation," said Hollington. "That level of access not only gave us complete control of their systems, but we could have deleted any audit trail we might have left."
Citrix users were still leaving their companies open to data breaches, six months after GSS had reported that poor implementations of the thin-client system left holes in the security that surrounded it, said Hollington.
In other cases, GSS had found a company's complete disaster recovery plan, records of all the broken locks and windows on a housing estate, and directors' emails containing details of planned site closures. In one case, GSS was able to write and run a Java port scanning tool, which led to the discovery of the entire network disaster recovery configuration and admin passwords.
Hollington said this was not an issue with Citrix itself, or the applications, but mainly with configuration errors. "Too many people install Citrix without comprehensive knowledge of the design and management of the Citrix environment, and careful consideration of how to mitigate risk," he said.
"Rule one is to implement Citrix's own guidance about how to lock down a system - read the manual, please. Rule two is to be meticulous in how you define and provide access to information. Switching to role-based access is a step in the right direction."
He said GSS had performed about 50 penetration tests, around 20 with financial services companies, and had found:
• 100% of the Citrix deployments tested were vulnerable to arbitrary code execution.
• Sensitive information was exposed in every test.
• Many of the deployments breached the Data Protection Act.
• Standard security procedures had not been applied to most deployments.
Breaches are now faster, said Hollington. Last year a breach took 15 seconds; now it takes less than 10. "Even in the most locked-down environment GSS ever encountered, we discovered five high-risk vulnerabilities," he added. These resulted from small errors made in configurations.
Hollington said GSS had reported its findings to Citrix.