Phishing email used in serious RSA attack surfaces

The theft of secret data related to RSA's SecurID tokens used by 40 million employees to access sensitive networks likely started with a 13-word email, evidence uncovered through a researcher's dogged sleuthing suggests. “I forward this file to you for review,” the unsigned email, sent to four employees of RSA's parent company …

COMMENTS

This topic is closed for new posts.
Silver badge
Happy

Oh well.

I think even I have received that one.

As the company is too small to have a recruitment plan at all, I wasn't fooled.

2
0
Alert

Makes you wonder

Whether Adobe are in it with the crooks.

0
5
WTF?

you mean...

nothing suspicious apart from excel crashing on launch? I'd report that immediately.

1
3
Windows

constantly reporting

I flip a coin to decide if excel is going to crash this time...

5
0
Silver badge

Well then you must live the blessed life of

never having to open Excel files which have been emailed by clients.

0
0
FAIL

Phishing would not work without being helped by incompetence

And RSA showed they really master it!

If I get it correctly, remote control software being installed by the doctored Excel file means lower-level employees had admin rights on their PCs. No really, what do they pay those security architects for?

SPF and public key crypto have been around for some time now, and still an impressive string of very important companies were being penetrated like melting butter because they didn't bother to use them?

1
0
Big Brother

"a small group of lower-level employees"

Of course, it wouldn't have been a senior level executive who opened it. Who else reviews annual recruitment plans, obviously the lower level workers.

3
0
WTF?

Job Description?

You're employed at a computer security organisation, and you're not trained NOT TO OPEN ANY UNKNOWN emails? Fire the HR manager or whoever hired these folks.

And they're using Windows?

3
0
Silver badge

Flash and Excel on one system?

I mean Flash is purely for entertainment, while Excel is for demotivation. There is no use case which requires both to be on one system. So why didn't they just use virtual systems? It would have made the exploit way more complicated.

3
2
Bronze badge
Linux

Use Case

Training delivery. Computer-based training applications may use Flash objects. Excel is on the low-level workers' PCs to enable them to build clunky hard-to-audit pseudo-databases, as every fule kno.

0
0
Silver badge
WTF?

please click here for title

"“I forward this file to you for review,” the unsigned email,"

It was in the junk folder? unsigned? and they opened it?

They still work for the company?

0
0
Silver badge
Happy

Yes - they're still there

Management always floats to the top, casualties always come from the lower ranks. You really think a manager is going to fall on his sword for this?

1
1
Bronze badge
FAIL

@Elmur Phud & Garbo

Nice and cuddly guys you 2 are, wanting to fire the guilty. Makes me feel the warm fuzzies.

Not to mention, incompetent yourself. If your cunning security scheme for the company is to hope that somehow, no employee will ever open bogus emails, you're idiots. Three times over.

More to the point is the poster who questions why the PCs were unprotected enough that the malware had admin rights when running. Then how the malware remained undetected locally and the network subsequently detected no intrusions.

Perhaps, as another poster stated, if these computers were sensitive, why were they running Windows? And packing Flash, a known attack vector?

Also to the point is why Excel is dumb enough to run Flash and why that kind of crap can't be easily filtered out of Excel's exec privileges. Look, I can't even open Excel without it warning me about my own macros. How much does one care about Excel macro warnings when it is dumb enough to repeatedly warn me about my own code?

What is the use case for Excel spreadsheets having embedded Flash? I suspect it is the same use case as Outlook emails running scripts up until a few years ago - M$ finds it extends the user experience and damn the security.

Solely blaming a silly end user for this epic fail should be the last thing a serious security person should do.

5
0
Terminator

It's always the ape, isn't it?

Damn hominids, they are the weakest link.

0
0

An APT?

Is this really an Advanced Persistent Threat <http://blogs.rsa.com/rivner/anatomy-of-an-attack/>?

If so, what's a Dumb Ongoing Relentless Knocking-at-the-door?

0
0
Silver badge
Alien

Well...

A passage from "Herbert West, Reanimator"?

0
0

Email as root

Again it has to be asked, why does an e-mail client need root access to a machine? Or why does Excel need root access? Why does Flash need root access? There is your problem right there.

3
1
FAIL

"...Flash is executed by Excel..."

Why, why, why does Excel need to execute Flash?

11
0
Silver badge
Devil

naturally

You idiot, of course Excel needs Flash ... otherwise who would bother to watch the presentations, or even bother to open .xls files from the accountants. Management demand Flash be installed so that they can produce attractive Company Reports.

Some people! They just have no idea how companies are really run! You probably think I went to the Harvard Business School for the degree ... Dude, really!

2
1
Devil

Sadly...

...thanks to the "helpful feature" that is Microsoft's COM, any ActiveX plugin can be inserted into office documents. Of course, Microsoft doesn't care about how flawed and insecure COM is, especially as a feature in Office documents. But why have security when you can have buzzwords and lock-in?

0
0

Shame on EMC

The bigger question is why is a computer with access to secure information being used to access the internet. We develop software. We have a desktop and laptop on every desk. Separate networks, MAC filtering. Desktops are secure, laptops are not. Signs all over the place. Little red stickers on every case, display, keyboard, and USB hub to mitigate any confusion. Anyone who transgresses gets fined or fired. It's in everyone's employment contract including mine. And yes, I have fired employees for exposing IP.

When security is given the correct priority within an organization IP mysteriously becomes secure.

4
0
Facepalm

Why?

More to the point, why does anyone who is not customer facing require internet access in the first place?

0
4
FAIL

@Jared Vanderbilt

So your network is totally secured?

"When security is given the correct priority within an organization IP mysteriously becomes secure."

You are 100% sure your network is totally secure? Then explain this:

"And yes, I have fired employees for exposing IP."

So it appears you live in a glass house and it has fallen more than once.

0
1
Silver badge
WTF?

Really!

Do you want an empty El Reg comment section?

0
0

Eh ?

>> MAC filtering

Because MACs can't be faked, right?

0
1
Bronze badge
Facepalm

Retrieve from Spam

Hmm, yes, of course it's not suspect!

0
0
Anonymous Coward

No matter how much you tell them

Users are going to open email content they find intriguing, that simple.

No amount of training/nagging is going to change that; after all, there isn't anything really at stake for the user who opens this file, is there? It's IT who have to clean up the shitstorm.

2
0
FAIL

Unbelievable

RSA uses Windows (fail), does not have enough in-depth security (fail), has never trained staff about basic security (fail). Or worse, a top manager opened that email. A manager of the kind that WANTS to have admin access to everything, and is so dull and gullible that he is the perfect target for every phishing scam in the world. Either way, this is an EXTRA SUPER DUPER FAIL.

2
0
Facepalm

Crafted well enough?

Waitaminute...

"...crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file" ???

I wonder how much money these guys have lost to 409 scams and by ordering fake pills. After all, it seems that just about *any* spam is "crafted well enough" for these types.

"Hi, I'm a signature virus. Please copy and paste me to your sig file."

2
0
Happy

Done.

"Hi, I'm a signature virus. Please copy and paste me to your sig file."

0
0
Silver badge

Flash

ahh-ahh, saviour of the universe.

1
0
FAIL

Because it was a .MSG Outlook file, VirusTotal failed to extract the exploit?

What a shambles. They went to the trouble of finding the virus code and exploit, shared it with the anti-virus community, but since it was actually inside the email (which they could have opened and found the exploit code inside the Excel attachment), it went completely unnoticed?

This is one of the biggest failings of the AV industry - still entirely reliant on signature-based recognition of dodgy files, dependent on the assumption people are prepared to send them the malware in the first place.

You can see why simple 0day exploit code and custom malware is both trivial to write, and trivial to avoid detection, with all the patching and AV in the world failing to protect you.

0
0