RSA has provided more information on the high-profile attack against systems behind the EMC division's flagship SecurID two factor authentication product. The security firm, criticised for its refusal to discuss the hack – aside from warning that the security of SecurID might be reduced – broke its silence to provide a fair …
lmao some employee re-training will be going on, I imagine.
I don't think the employee can be entirely to blame here.
Unless the company has a well-defined protocol for communication, how is an employee to know whether an email purporting to be from firstname.lastname@example.org is genuine or not?
Additionally, as the attachment contained a zero day exploit for a third-party app, I'm guessing that the email antivirus and system antivirus did not pick anything up.
These guys have a root cert in every browser
Apparently signed email is Just Too Hard even for them.
Also, flash in excel? WTF mate?!? You'd think they'd learned after VBA, but evidently not.
When your business is security, even to the lowest person in the company, best security practices should be practiced by everyone.
How do you know the mail wasn't from HR? First hint is that it's in your junk mail. That requires closer inspection of the message. Like looking at the headers to see that the message didn't originate from an RSA server. The from address can be forged, but the initiating server header can't be. Moreover, the company should have a better means of distributing files, for just the reason that MS Office docs are notorious for security holes that have the potential to compromise your network. Network shares ought to be the standard and expected means of sharing documents within the company.
Next up, it's RSA, they own the certs. Every stinking email account in the company, including the janitor's, should come with an authentication signature. There are no acceptable excuses when you ARE the top level security company.
Aaargh - Adobe, defined as "house made of mud and shit"
forgive the maniacal ranting - but HTF does an excel file, opened with presumably macros switched off, allow a flash file to execute?
Who said spreadsheets would look too "last year" if they didn't contain video?
its pure madness gone mad!!!
But there are plenty of companies that need it turned on...
Where I work, we have to turn it on to do our timesheets, or we won't get paid.
I get a thumbs down because I work for a company with a shitty timesheet system?
@AC 04-Apr-2011 11:15GMT: True, but frankly
the inmates have been running the asylum on that count for a good 10 years now.
Now tell us if SecurID is still secure, and what the hell you're doing about it if it isn't.
"you wouldn't consider these users particularly high profile or high value targets"
FFS! Of course not you prat! Never heard the phrase, "the weakest link"? You never, ever attack the castle by the front door, you sneak in, going up through the poop-shute or in washer woman's cart!
Or get everyone to watch the big wooden horse you left outside
While you sneak in the back door.
The one with the copy of Eric in the pocket.
It has to be said ...
Have fun storming the castle!
No answer either means:
1) SecureID is no longer secure
2) We don't know what they took so unsure if SecureID is no longer secure.
RSA is very likely to be involved in some classified projects for the US Gov't, and if something like that was taken, silence might be their only choice.
Now, let's speculate - what these projects a... Arrrgh, let me go, you've got no right to break into my house like that...
Not to bang on about this
Almost every high profile, targeted hack attempt these days involves a zero day exploit of an Adobe product.
Now, part of this must be its ubiquitous presence on a desktop machine, but some large proportion of the blame must be laid at Adobe's door.
You won't mind listing those high profile targeted attacks which all exploited a zero-day Adobe hack then?
To get you started, some which didn't involve Adobe;
Comodo's SSL cert hack
Who's door should the failure be laid at?
RSA the company must accept full responsibility for this breach. Their policies and systems failed to prevent it.
Start from the premise that all software is buggy, that from a security perspective (the number one perspective for a company like RSA) things are going to get through despite everybody's best endeavours.
If you have data you really, really don't want to be stolen the solution is simple. Physically isolate it from the company network. What's worse - some inconvenience in operating, or a complete and public trashing of a business model?
If systems need to be linked to facilitate day-to-day business then there are physical and logical measures that can be taken. Here's two: physically isolate the hardware holding sensitive information and provide only one network connection. Through a dedicated firewall (or two, or three). That only allows traffic when certain authorised users are logged in and actively using systems that need the data. Make it as hard as possible for traffic to access the server from just anywhere. Heck, install software to exchange data over serial links instead of a normal network, that'll slow a trojan down somewhat.
If RSA's business model has been trashed, it's because they did not properly risk assess. They should have started by saying "OK what happens when (not if) a virus gets established and we're not aware of it?" and build their data security from that point.
Security analysis fail. If I was deploying RSA 2-factor authentication I would now be running on the assumption that it is broken. I imagine RSA are frantically trying to find a way to quickly adapt their architecture to nullify the data breach, and then they will come clean. Too late... trust takes time to build and a moment to destroy.
I'm with Kipling on this one.
The sins that you do by two and two, you shall pay for one by one.
RSA deserves a complete roasting for their failure, but that doesn't excuse Adobe who likewise deserve full roasting. I might make RSA's fire coal and Adobe grilling brickets, but neither company would enjoy it.
So your plan to mitigate against these kind of attacks is to put a firewall in? Or if that doesn't work, two or three firewalls? If that doesn't work, use a serial link?
Glad you're here, that's our internets all secure again...
"Advanced Persistent Threats"
I can picture it now: "APTs, you got them?" "Oh yeah baby, we're all over it."
It's a bit of a lie though. Like a good buzzword, it distorts reality. Here's how:
Advanced implies it would've been really hard to stop it, it's so advanced, so you can be excused. But maybe a security company should be able to stand up to that, no?
Persistent implies it's on-going and even harder to stop. Though cynics would say it means you're being robbed blind with your eyes open. Shame on you. But who listens to cynics anyway?
Threat implies all is not hopeless, you're not really been breached yet, it's fixable. But that's not what happened. Using another industry term, they got PWNED, and data was copied. Then it's not really a threat any longer. It's a successful breach. The crown jewels likely got sold on the black market. If you're a security company, you lost credibility. It's done. You've been had. It's all over but the shouting.
On that tangent, note what RSA doesn't call their attacker(s), but dear John does. A hack is a hack, it seems. Nice to hear what went down but we still don't know just what was compromised and what wasn't, and therefore we still must assume the token thing to be compromised.
@"Advanced Persistent Threats"
Sorry mate, you got it the wrong way round: Now all of RSA's customers have "Advanced Persistent Threats" from the folk who can break the 2-factor thing and are smart enough to get the other(s) factors like passwords via a nice trojan or two.
But really, the scenario is one of a piss-poor system for a security company. How come the windows boxes of those targeted by the outside world were even allowed through to the servers?
Why was ftp not spotted by some intrusion monitoring system?
And as already mentioned, why was something SO IMPORTANT even connected to "The Internet", and if really essential that it was, why not via several dedicated screwed-down-real-tight firewalls?
Of course, let us not forget Adobe's piss-poor security and MS' "lets embed everything" for making this so much easier to begin. Stealth bomber? More like lubed orifice.
Just to correct...
From looking in more detail, it appeared they used RSA's own ftp server, hence the lack of spotting the traffic as unusual.
So it appears there is some need to cover this area of data leakage: maybe a two step process for allowing data on ftp server, and some other person to authorise it through the firewall/intrusion detection system?
Have you noticed just what and who you're telling having it wrong?
RSA themselves say they're facing these "ATPs", using the term to say others like google had also been hit and to give a nice underdog spin to their predicament. I was merely dissecting the buzzword to show just what word games RSA is playing to try and extricate themselves from this right mess.
You do have a point talking technical detail, but I was leaving that to my fellow commentards. Simply noting that they are a security company, a big name, high profile one at that, that their shop has apparently entirely failed at this layered defense in depth thing and haven't so much as internally having seamlessly integrated crypto, and in fact are running easily abused office software with third party plugins enabled that have no business in there whatsoever, should tell you something about them and perhaps the general state of the industry as well.
Apparently they just sell canned widgets in security sauce. Now that they've been breached the sauce has gone stale. Well isn't that just too bad.
Can someone enlighten me?
We are told it was an advanced persistant threat, but:
1. I'm guessing the installed trojan/malware needed to open a line of communication to the outside world for the hacker to get inside the network. How are the port/protocol combinations and endpoints not checked and validated. I certainly cannot connect to any old host or port from my place of work and we certainly don't sell two-factor security.
2. As well as being able to elevate privileges and access staging and target servers - just how long did these people have access for and did they also have inside help? - they could also FTP the shit back out. It's great to see no checking whatsoever there! I thought these days companies that took their data seriously permitted FTP access only to certain endpoints for certain users? Sounds like they got hold of the keys to the city and made merry.
Should change their corporate tag-line to "Great two-factor security, shithouse internal though"
Oh come on, if ftp wasn't there, they could have tunnelled their data stream via multitude of protocols, including dns. This should have been detected by an IDS with anomaly detection, if proper firewall wasn't an option.
Which was my point, if they can't be arsed with basic simple measures then you have to assume that the hackers had the keys to the city and did whatever they damn well pleased. I'm always amazed at the lack of security in companies that specialise in it.
Disclaimer: Im not a BOFH
I think the thing that most worries me about this, weas the part that said that after compromising the low level attacks they were in your words "Once inside the network, the attacker carried out privilege elevation attacks to gain access to higher value administrator accounts.".
How was this not picked up by their IT department? Surely that should be one of the main things you watch for?
Letting them in through the lower access accounts is one thing, but then letting them get away unnoticed with increasing their access to the admin accounts is another keetle of fish entirely! Poor work...
What software do you use to check for that happening then? Out of curiosity?
Like i said im not a software person
but i would assume that you could automate it so that when a person's account goes up in access rights an email is automatically sent to the IT dept.
If that sort of system isnt available, that seems like a pretty big gaping security hole to me!
Best leave the commenting until you know something about the things you're commenting on. If you don't know what is or isn't possible, probably best not tell those who do how they should be doing their job.
From Bad to Worse ....... and the Beauty of IT is, Everyone knows No One knows.*
Does all of that info not make it sound like a SMARTer Conficker sortie ........ which is probably virtually betatesting one of those financial WMD which collapse systems in a flash and which probably also has now embedded and armed a whole selection of them to trigger even greater revolutionary events in areas and sections of society, which consider and think of themselves as being immune and protected from the consequence of their actions, which has always been a sad and mad delusion which has always conquered empires with their rotting from within, surrounded by crazed and powerful enemies without.
Whenever the thief is within and takes nothing, does they have everything they need and the keys to return at any time in the future, if they need to, for once in undiscovered behind compromised security protocols, who is to say that they would need to leave, whenever they can stay and relax and learn more about everything they are fed.
* That makes it an extremely valuable and powerful weapon and/or tool, fully dependent upon one's own moral disposition and cerebral intent. In actual fact, would it be priceless, given the losses that can be inflicted on markets with simple meltdowns/snippets of rogue renegade code injected and/or activated into programs.
got the message
Google got the message -- Windows is banned.
Your turn, RSA.
Only half a post?
You forgot the second half of your post:
.... oh, RSA banned too.
Yet another Flash Attack..
Again why does Apple be critiqued for not allowing this P.O.S on its iPad and IPhone!
Content to facilitate self-abuse.
Jobs. Proved Right ?
Now to understand his issue with Blu-Ray ("a whole lot of hurt" I believe is the phrase he used).
A lot of attacks are browser based too. Ban browsers!
Down with this sort of thing!
yet another incident with Layer 8 as the issue. With some help from Adobe of course.
"akin to a bank saying that robbers got in through the vault and made off with something without saying what was taken"
More akin to them breaking in and copying something but leaving the original undisturbed.. and the bank having to choose between admitting it does not know exactly what was copied, or having to say everything in there could have been copied.
As serious as this is (I use these things) it makes me grin too at the thought of these highly paid, highly manipulative corporate PR types up a certain creek without propulsion here; damned either way..
I'd love to know what is being said behind the backs of the press; directly to their corporate clients.
"I'd love to know what is being said behind the backs of the press; directly to their corporate clients."
Nothing. At least not to this corporate client.
I had a 20 minute conversation last week with RSA directly, and asked a simple question: What was taken? They refuse to answer, pretty much said they probably never will tell me, and then spout on about how they're still so confident in SecurID that they've made the decision to keep using it internally, to not deploy new tokens. Well bloody good for them. They have all the information they need to make that decision. How about allowing me the same informed choice?
Dittos. I'm not in the security branch at my govt office,
but I talk to people who are. They tell me RSA ain't telling them nutting either.
Privilege Escalation Attacks
The only zero day exploit mentioned, was the one to get the attackers through the front door.
After this there were privilege escalation attacks on systems or applications.
Were these systems / apps unpatched, default passwords and accounts left unchanged or were there internal web apps that were not security tested??
Give us more RSA. Your blog post on this is now giving a 500 server error....my god they're back for more!!
My favorite part: "The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder".
In other words: "We suspected the package might contain a bomb, but Phil thought the bow on it looked really nice so he unwrapped it".
maybe not so stupid
A bomb left outside a US government office building in Detroit was brought inside by a security guard and sat in the lost-and-found for two weeks before someone decided to X-ray it. All guards in the building are now being re-trained as to the meaning of "Treat all unattended packages as highly suspicious."
Pretty shit bomb though, to be fair. Given it's one job is to explode and it couldn't even manage that.
"Treat all unattended packages as highly suspicious."
You mean *even* the ones marked "Very large double chocolate cake from a shy well wisher" ?
Say it's not so!
Re: Deliberately Stupid
In many companies genuine email from HR is deliberately filtered in to the spam bin, as it's useless, patronising and time wasting crap!
Silence facilitates investigation
1) How did they know which servers etc to go to to get the data? Inside job or pissed off ex-employee, or sting.
2) They know exactly what was copied, and that if used identifies the culprits or more likely the buyers of the info.
3) Or they are a bunch of tools whose business is completely f&%*ed
PR skillz not getting much better
So *finally* they have explained *how* it was done.
No mention of what's (if anything) going to happen to the employee or even *if* they broke any company rules in doing what they did.
No *absolute* assurance that what has been taken will not affect securID (which I would suggest should have been a *key* feature of their network design, given it's, you know *quite* important to their company maintaining its business)
Nothing which sounds *remotely* reassuring to the customers who *buy* their products.
I'm not sure *whose* #2 in the security business but their chances of becoming #1 just got a whole lot better.
*Still* poor response.