The theft of secret data related to RSA's SecurID tokens used by 40 million employees to access sensitive networks likely started with a 13-word email, evidence uncovered through a researcher's dogged sleuthing suggests. “I forward this file to you for review,” the unsigned email, sent to four employees of RSA's parent company …
I think even I have received that one.
As the company is too small to have a recruitment plan at all, I wasn't fooled.
Makes you wonder
Whether Adobe are in it with the crooks.
nothing suspicious apart from excel crashing on launch? I'd report that immediately.
I flip a coin to decide if excel is going to crash this time...
Well then you must live the blessed life of
never having to open Excel files which have been emailed by clients.
Phishing would not work without being helped by incompetence
And RSA showed they really master it!
If I get it correctly, remote control software being installed by the doctored Excel file means lower-level employees were having admin rights on their PCs, No really, why do they pay those security architects for ?
SPF and public key crypto have been around for some time now and still an impressive string of very important companies were being penetrated like melting butter because they didn't bother to use them ?
"a small group of lower-level employees"
Of course, it wouldn't have been a senior level executive who opened it. Who else reviews annual recruitment plans, obviously the lower level workers.
You're employed at a computer security organisation, and you're not trained NOT TO OPEN ANY UNKNOWN emails? Fire the HR manager or whoever hired these folks.
And they're using Windows?
Flash and Excel on one system?
I mean Flash is purely for entertainment, while Excel is for demotivation. There is no usecase which requires both to be on one system. So why didn't they just use virtual systems. It would have made the exploit way more complicated.
Training delivery. Computer-based training applications may use Flash objects. Excel is on the low-level workers' PCs to enable them to build clunky hard-to-audit pseudo-databases, as every fule kno.
please click here for title
" “I forward this file to you for review,” the unsigned email,"
It was in the junk folder? unsigned? and they opened it?
They still work for the company?
Yes - they're still there
Management always floats to the top, casualties always come from the lower ranks. You really think a manager is going to fall on his sword for this?
@Elmur Phud & Garbo
Nice and cuddly guys you 2 are, wanting to fire the guilty. Makes me feel the warm fuzzies.
Not to mention, incompetent yourself. If your cunning security scheme for the company is to hope that somehow, no employee will ever open bogus emails, you're idiots. Three times over.
More to the point is the poster who questions why the PCs were unprotected enough that the malware had admin rights when running. Then how the malware remained undetected locally and the network subsequently detected no intrusions.
Perhaps, as another poster stated, if these computers were sensitive, why where they running Windows? And, packing Flash, a known attack vector?
Also to the point is why Excel is dumb enough to run Flash and why that kind of crap can't be easily filtered out of Excel's exec privileges. Look, I can't even open Excel without it warning me about my own macros. How much does one care about Excel macro warnings when it is dumb enough to repeatedly warn me about my own code?
What is the use case for Excel spreadsheets having embedded Flash? I suspect it is the same use case as Outlook emails running scripts up until a few years ago - M$ finds it extends the user experience and damn the security.
Solely blaming a silly end user for this epic fail should be the last thing a serious security person should do.
It's always the ape, isn't it?
Damn hominids, they are the weakest link.
Is this really an Advanced Persistent Threat <http://blogs.rsa.com/rivner/anatomy-of-an-attack/>?
If so, what's a Dumb Ongoing Relentless Knocking-at-the-door?
A passage from "Herbert West, Reanimator"?
Email as root
Again it has to be asked, why does an e-mail client need root access to a machine? Or why does excel need root access? Why does flash need root access? There is your problem right there.
"...Flash is executed by Excel..."
Why, why, why does Excel need to execute Flash?
You idiot, of course Excel needs Flash ... otherwise who would both to watch the presentations, or even both to open .xls files from the accountants. Management demand Flash be installed so that they can produce attractive Company Reports.
Some people! They just have no idea how companies are really run! You probably think I went to the Harvard Business School for the degree ... Dude, really!
...thanks to the "helpful feature" that is Microsoft's COM, any ActiveX plugin can be inserted into office documents. Of course, Microsoft doesn't care about how flawed and insecure COM is, especially as a feature in Office documents. But why have security when you can have buzzwords and lock-in?
Shame on EMC
The bigger question is why is a computer with access to secure information being used to access the internet. We develop software. We have a desktop and laptop on every desk. Separate networks, MAC filtering. Desktops are secure, laptops are not. Signs all over the place. Little red stickers on every case, display, keyboard, and USB hub to mitigate any confusion. Anyone who transgresses gets fined or fired. It's in everyone's employment contract including mine. And yes, I have fired employees for exposing IP.
When security is given the correct priority within an organization IP mysteriously becomes secure.
More to the point, why does anyone who is not customer facing require internet access in the first place?
So your network is totally secured?
"When security is given the correct priority within an organization IP mysteriously becomes secure."
You are 100% sure your network is totally secure? Then explain this:
"And yes, I have fired employees for exposing IP."
So it appears you live in a glass house and it has fallen more than once.
Do you want an empty El Reg comment section?
>> MAC filtering
Because MACs can't be faked, right ?
Retrieve from Spam
Hmm yes of course its not suspect!
No matter how much you tell them
Users are going to open email content they find intreaguing, that simple.
No amount of training/nagging is going to change that, after all there isnt anything really at stake for the user who opens this file is there, it IT who have to clean up the shitstorm
RSA uses Windows (fail), does not have enough in-depth security (fail), has never trained staff about basic security (fail). Or worse, a top manager opened that email. A manager of the kind that WANT to have admin access to everything, and is so dull and gullible that he is the perfect target for every phishing scam in the world. Either way, this is an EXTRA SUPER DUPER FAIL.
Crafted well enough?
"...crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file" ???
I wonder how much money these guys have lost to 409 scams and by ordering fake pills. After all, it seems that just about *any* spam is "crafted well enough" for these types.
"Hi, I'm a signature virus. Please copy and paste me to your sig file."
"Hi, I'm a signature virus. Please copy and paste me to your sig file."
ahh-ahh, saviour of the universe.
Because it was an .MSG outlook file, VirusTotal failed to extract the exploit?
What a shambles. They went to the trouble of finding the virus code and exploit, shared it with the anti-virus community, but since it was actually inside the email (which they could have opened and found the exploit code inside the Excel attachement), it went completly un-noticed?
This is one of the biggest failings of the AV industry - still entirely reliant on signature based recognision of dodgy files, dependant on the assumption people are prepared to send them the malware in the first place.
You can see why simple 0day exploit code and custom malware is both trivial to write, and trivial to avoid detection, with all the patching and AV in the world failing to protect you.
- IT bloke publishes comprehensive maps of CALL CENTRE menu HELL
- Analysis Who is the mystery sixth member of LulzSec?
- Comment Congress: It's not the Glass that's scary - It's the GOOGLE
- Analysis Hey, Teflon Ballmer. Look, isn't it time? You know, time to quit?
- Murdoch Facebook gloat: You're like my $580m, 'CRAPPY' MySpace