Quiet cryptologist Bill Duane's war with Beijing's best

In March 2011, a suspected-to-be-Beijing-backed hacking unit infiltrated security giant RSA, successfully subverted its SecurID product and hacked top American defence contractor Lockheed Martin. That attack left Bill Duane stressed and exhausted. Duane is a quiet cryptologist who co-developed the SecurID token. As the …

  1. Anonymous Coward
    Anonymous Coward

    Easy fix

    'Pass the hash' is a Microsoft thing, so don't use windows LAN management.

    As for worrying about "food on their tables and their kids going to school", have good social safety nets, then they'll still have food, schools and healthcare while they look for another job at a company that uses Linux.

    Man that was easy.

    1. RIBrsiq
      Trollface

      Re: Easy fix

      Yes, of course! Linux will solve all of humanity's problems!!

      It's so obvious, now that you point it out.

      1. Destroy All Monsters Silver badge
        Headmaster

        Re: Easy fix

        There is no NEED to point it out!

        Also:

        "The strongest thing that was driving me, I'm slightly embarrassed to say, wasn't the customers or the stock price, but was that if I failed my fellow employees would be out of work and that would affect food on their tables and their kids going to school."

        Capitalistic exploitation!!

        1. LDS Silver badge
          Joke

          Re: Easy fix

          Yes, but does he know how many Chinese are sent to a "reeducation camp" with their families if they fail an attack?

      2. HmmmYes Silver badge

        Re: Easy fix

        No it won't. But Linux will help.

        It's easy to run a stripped down version of a Linux system - the less software running, the less attack space.

        And it's easy to audit all files on a machine.

        Christ, you could recompile the system and use your own ELF ID if you must.

        1. TheVogon Silver badge

          Re: Easy fix

          "Its easy to run a stripped down version of a Linux system - less software running then the less attack space."

          It's even easier to run a stripped down version of Windows Server - it comes out of the box. It's called the "Server Core" version. Or "Nano" in the newer versions.

    2. Aodhhan Bronze badge

      Re: Easy fix

      It's true... half the people who post are below average intelligence.

      Sure, use Linux because as a penetration tester... I can say it's no more secure than Windows.

      This scenario has been played out many times in the networking labs at nearly every university with computer system theory degrees.

      Imagine if everyone in a company used Linux, Ubuntu, etc. on their desktop. In practice it's easier to get a foothold into a network if this is the case. Far more open source apps built without security in mind. Linux has no real effective whitelisting in place to alleviate this. This is just one attack vector. There are many.

      Keep spouting Linux is more secure. It shows where you are on the bell curve.

      1. Anonymous Coward
        Anonymous Coward

        @Aodhhan - Re: Easy fix

        Yeah, we're all penetration testers here. Small world, isn't it?

        1. Ian 55

          Re: @Aodhhan - Easy fix

          I keep trying to be a penetration tester, but the women keep saying 'no'...

          1. 9Rune5

            Re: @Aodhhan - Easy fix

            "but the women keep saying 'no'"

            I keep hearing good things about 'social engineering' as an effective attack vector.

            Also: Have you tried turning it off and on again?

  2. Gordon 10 Silver badge

    I'm more concerned

    By the fact that RSA have never admitted the full extent of the breach and just how compromised their tokens were during that period.

    They SHOULD have gone bust for the shameful way they handled it where protecting their company was more important than their customers,

    1. Overcharged Aussie

      Re: I'm more concerned

      I was in the audience at AusCERT 2016 and heard Bill's presentation. He did say that it did cost them a huge amount and reissued millions of tokens to end users where seed records were suspected of being compromised.

  3. Nifty

    Hope a book gets written on the story.

    1. Destroy All Monsters Silver badge

      Hell yeah. Hopefully not by a "Ghostwriter" à la Tsutomu Shimomura, leading to egotrip pulp fiction.

      It will go next to Cliff Stoll's if done right.

    2. kmac499

      "Hope a book gets written on the story."

      There is one: "The Cuckoo's Egg" by Cliff Stoll. A different era and technology maybe; it's about hunting East German hackers, but a great read.

      I've since seen Cliff Stoll on YouTube showing off his Klein bottles (well worth a look). If there was ever a Doc Emmett Brown in the flesh it's Cliff; nothing like the character I'd imagined as the sysadmin cum sleuth of the book.

    3. Rusty 1
      Thumb Up

      The full story/book

      Yes indeed.

      This has been added to my list of things to check every year whether they exist.

  4. HmmmYes Silver badge

    I'd like some more detail on this too.

    I found:

    http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?_r=0

    The lines:

    'In the attack on RSA, the attacker sent “phishing” e-mails with the subject line “2011 Recruitment Plan” to two small groups of employees over the course of two days. Unfortunately, one was interested enough to retrieve one of these messages from his or her junk mail and open the attached Excel file. The spreadsheet contained malware that used a previously unknown, or “zero-day,” flaw in Adobe’s Flash software to install a backdoor. RSA said that Adobe had since released a patch to fix that hole.'

    I'm truly boggled that a security company would have a network that is open to a dumb user opening a dodgy email and running Flash. I mean, FFS.

    Sure, have a network connected to the internet for your employees to watch cats on FB. But FFS don't connect the secret stuff to it FFS.

    1. Captain Badmouth

      "a previously unknown, or “zero-day,” flaw in Adobe’s Flash software"

      Gracious, have you ever heard of such a thing?

      1. oldcoder

        Re: "a previously unknown, or “zero-day,” flaw in Adobe’s Flash software"

        The real surprise is having a spreadsheet tool with access to flash...

        But then, it is Windows... everything has access to everything - even from China.

        1. TheVogon Silver badge

          Re: "a previously unknown, or “zero-day,” flaw in Adobe’s Flash software"

          "The real surprise is having a spreadsheet tool with access to flash..."

          Yes awful, nearly as bad having say a spreadsheet tool that uses Java?

  5. Amos1

    "excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

    From various reports of the incident: They allowed people to release emails from quarantine despite anyone with any sense knowing people are easily fooled. The From address clearly was not from EMC or RSA yet it was about an HR retention (salary) program. RSA, the "Security (revenue) Division of EMC" did not hire their first CISO until after the breach. They had an unsegmented network. They had poor egress controls. They did not have an effective DLP program.

    They were easy pickings, just like most of the corporate America run by old guys who are clueless about the 21st century risks.
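    The control gaps listed in the post above (users self-releasing mail from quarantine, an external From address on an HR-themed message, a spreadsheet carrying a Flash object) can be turned into a release check at the quarantine itself. This is added example code, not from the article, the commenters or RSA; the organisation domain, message fields and the two sample messages are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed stand-in for the organisation's own mail domains (hypothetical, not RSA's).
INTERNAL_DOMAINS = {"example-corp.com"}
# Subject themes an attacker borrows from HR; the 2011 lure subject was "2011 Recruitment Plan".
HR_THEME = re.compile(r"recruit|retention|salary|bonus|payroll", re.I)
OFFICE_EXT = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".ppt", ".pptx")

@dataclass
class QuarantinedMessage:
    sender: str                       # RFC 5322 From address, e.g. "hr@example-corp.com"
    display_name: str                 # From display name shown to the recipient
    subject: str
    attachments: List[str] = field(default_factory=list)
    embedded_objects: List[str] = field(default_factory=list)  # object types found in attachments

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()

def release_findings(msg: QuarantinedMessage) -> List[str]:
    """Reasons a quarantined message must not be self-released by its recipient."""
    findings = []
    external = sender_domain(msg.sender) not in INTERNAL_DOMAINS
    if external and HR_THEME.search(msg.subject):
        findings.append("external sender with internal HR-themed subject")
    if external and re.search(r"\b(hr|human resources)\b", msg.display_name, re.I):
        findings.append("display name claims HR but sending domain is external")
    office = [a for a in msg.attachments if a.lower().endswith(OFFICE_EXT)]
    if office and any(o.lower() == "flash" for o in msg.embedded_objects):
        findings.append("Office attachment embeds a Flash object")
    elif office and external:
        findings.append("Office attachment from external sender")
    return findings

def user_may_release(msg: QuarantinedMessage) -> bool:
    """Policy: self-release only when nothing fired; anything else goes to the SOC for review."""
    return not release_findings(msg)

# Constructed samples: a lure shaped like the 2011 one, and a benign internal payroll note.
LURE = QuarantinedMessage("hr-team@webmail-example.net", "HR Department",
                          "2011 Recruitment Plan", ["2011 Recruitment Plan.xls"], ["Flash"])
BENIGN = QuarantinedMessage("payroll@example-corp.com", "Payroll",
                            "Payslip schedule", ["schedule.xlsx"], [])

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.subject, "->", "self-release OK" if user_may_release(m) else release_findings(m))
```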

    1. Warm Braw Silver badge

      Re: "excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

      old guys who are clueless about the 21st century risks

      I'll take someone who's clueless and knows it above someone who thinks he knows it all.

      Unfortunately, experience shows that if you are a sufficiently valuable target you are ultimately going to lose against a well-resourced nation state. While this is no excuse for lax defences, it would seem like a good idea to have a viable response plan in place before the inevitable happens - stored in a safe on paper.

      1. Bloakey1

        Re: "excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

        <snip>

        "I'll take someone who's clueless and knows it above someone who thinks he knows it all."

        <snip>

        Ahhh, the old "Delusions of Adequacy". In my experience that is the most frightening of all scenarios and leads to all sorts of messes that get denied by the person doing it.

        1. Anonymous Coward
          Anonymous Coward

          Re: "excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

          "Delusions of Adequacy" - you've had contact with DevOps, haven't you!

        2. Lotaresco

          Re: "excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

          Hi Bloakey. I'm salting a few of your posts in the hope of making contact. The miscers have a duplicate forum on Facebook with fewer nutjobs than Usenet.

    2. DropBear Silver badge
      Trollface

      Re: "excelled in plundering highly-secure US firms." - Why is this in the RSA breach story?

      What do you mean clueless? It WAS secure! They did tell nobody the key was under the flower pot...!

  6. Anonymous Coward
    Anonymous Coward

    And most of the skills the Chinese use in such attacks are taught to them in UK universities; the Confucius Institute so popular with UK unis is part of the Chinese Gov't's extended reach operations, along with embedded academics who facilitate direct industrial and research espionage.

    When the Chinese Ambassador visits a research facility of any sort, at least part of their party, usually those described as secretarial support, will try to 'accidentally' wander off to see what else is being worked on. Far from being secretaries, they will be trained scientific and security staff tasked with gathering information on the nature of other projects and security. Where they find something interesting they cannot get enough information on, the security info enables future targeting for direct 'out of hours unauthorised visits', facilitated by either their embedded staff contacts or break-in and theft of information/samples. Though with most things computer based now, they will simply lift most information by hacking, excepting commercial operations within using stand-alone machines which need physical access; those they steal.

    With most universities any pretence of security beyond the protective security for the visitors goes out the window with such VIP visits, with VCs and other impotent (s.p.!) academics falling over themselves to ingratiate and facilitate in the hope of funding, or an overseas visiting chair in a Chinese university... Anonimouse for obvious reasons.

  7. Anonymous Coward
    Anonymous Coward

    My preferred epitaph

    ...virtually no online presence, no photos indexed by Google, no social media accounts, despite a tech sector career spanning more than 3 decades.

    1. Lotaresco

      Re: My preferred epitaph

      And the astonishing thing is that nobody cares.

Biting the hand that feeds IT © 1998–2019