RSA Says SecurID Hack Based On Phishing With Flash 0-Day
Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."
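Added illustration, not from the article or any commenter: a defensive check that looks for the Flash (SWF) container signatures inside an Office attachment, scanning a legacy OLE file as one blob and an OOXML file member by member. The sample attachment is constructed in the code; the member path and the SWF version/length values are made up.

```python
import io
import struct
import zipfile

# SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_PLAUSIBLE_SWF = 64 * 1024 * 1024  # reject absurd declared lengths

def find_swf_headers(data: bytes):
    """Return (offset, magic, version, declared_len) for every plausible SWF header in data.

    An SWF header is 3 signature bytes, 1 version byte, then a 4-byte little-endian
    length of the uncompressed file; the version/length checks weed out chance matches.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0 or idx + 8 > len(data):
                break
            version = data[idx + 3]
            declared_len = struct.unpack_from("<I", data, idx + 4)[0]
            if 1 <= version <= 50 and 8 <= declared_len <= MAX_PLAUSIBLE_SWF:
                hits.append((idx, magic.decode("ascii"), version, declared_len))
            start = idx + 1
    return sorted(hits)

def scan_office_attachment(data: bytes):
    """OOXML (.xlsx/.docx) is a zip, so scan each member; anything else
    (e.g. a legacy OLE .xls) is scanned as one blob.
    Returns (member_name, offset, magic, version, declared_len) tuples."""
    findings = []
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                findings.extend((name,) + hit for hit in find_swf_headers(zf.read(name)))
    else:
        findings.extend(("<file>",) + hit for hit in find_swf_headers(data))
    return findings

def build_sample_xlsx() -> bytes:
    """Constructed sample (not a real attachment): a minimal .xlsx-shaped zip whose
    embedded OLE object carries a zlib-compressed SWF header (version 10, 4096 bytes)."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 32 + fake_swf)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_office_attachment(build_sample_xlsx()):
        print("embedded SWF in %s at offset %d: %s v%d, %d bytes" % finding)
```

A hit is a reason to quarantine and inspect, not proof of malice: legitimate workbooks can embed Flash too, which is exactly why the embed-by-default behaviour is the risk.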
Or OCX (OLE, etc.) lets another wolf into the flock. Embed by default is broken, and, well, terrifying.
The Geek in Black
I know my BCD's (when I'm Sober)
.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to Microsoft for their mega-secure OLE, etc, etc
Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE, is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.
Set spam folder to auto-delete incoming.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
You can embed flash in excel files!? WHY WOULD YOU DO THAT
has the SecurID seeds database been compromised?
anything else you announce is fluff.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
NotSoSecurID
Is there a way to set up a server "A" that computes some function f(x) for values of x coming from a networked computer "B", and sends the result f(x) back to B, without any chance of any hacker getting hold of the code for f(x)? Some kind of special network that can only send x in one direction, f(x) in the other, and clearly never do anything else even if machine B gets compromised?
"BIATCH confirmed on Friday that the attack that compromised her high-value NoPrego product was essentially a small, targeted phushing campaign that included a payload of a malicious Flesh object embedded in a broken Trojan."
Don't fight for your country, if your country does not fight for you.
... would I have fallen for such a phishing attack? And the answer is - yes, quite probably
and I wonder, how would I protect against it? And I come up with very few practical ideas.
Anyone?
Why Jobs doesn't want that POS on iPhones or iPads!
Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
> Why Jobs doesn't want that POS on iPhones or iPads!
> Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
The only thing you got correct in your post is that this was a phishing attack.
> iOS is quite secure,
Which explains why the iOS is never jailbroken ever.
If they were to add a .nexls (non-executable, or something similar) file type, which companies needing a bit of security could use, that only had the stuff a normal spreadsheet has (values, borders, charts, formulas ...), and something similar for Word.
Of course, it would be hard to add new features to these versions and therefore sell updates, and competing products would be able to implement the standard pretty quickly.
> Including not being vulnerable to Flash exploits?
Not being able to run something is a curious criterion for invulnerability.
If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.
Mostly harmless.
... the Microsoft products used in it.
Anons need not reply. Questions end with a question mark.
> How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
Just because iPhone is a cool phone doesn't make it the best at everything.
You can hack an iPhone by visiting a webpage; it also got hacked on the 2nd day of pwn2own. iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.
Isn't flash mainly used as a toy or for entertainment? What work do you need flash for? Plus, you can always watch flash video on the iphone with an app.
So it comes down to games, and the iphone has 3d capability... so really who gives a shit about flash? I don't get it.
> iOS is quite secure,
> Which explains why the iOS is never jailbroken ever.
What system is invulnerable to the user itself? Once an iOS device is jailbroken, it's essentially a standard UNIX system. The security system that can be jailbroken is a significant security enhancement beyond any other consumer OS.
> Including not being vulnerable to Flash exploits?
> Not being able to run something is a curious criterion for invulnerability.
No, it's actually quite logically sound. You can't be infected by something you can't run.
> If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.
No need to go to extremes. Simply avoiding significant security risks, like Flash and ActiveX, is a good start.
> How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
> Just because iPhone is a cool phone doesn't make it the best at everything.
I wonder where you got the idea that anyone is claiming that it is.
> You can hack an iPhone by visiting a webpage,
Not anymore.
> it also got hacked the 2nd day of pwn2own.
Everything gets hacked at pwn2own.
> iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.
You would say that, but that doesn't make it true. Risk requires actual malicious code. Android is many orders of magnitude more risky than iOS, due to the simple fact that there has been plenty of malware for Android (some of which was distributed on the Android Market). The only iOS malware that has ever existed has been for jailbroken devices--which is to say, for devices whose security the user has deliberately compromised.
How you can think this is the sign of a "risky" OS is beyond me.
Remember, Google has had to use their remote "kill switch" on multiple occasions. The very same "kill switch" that everyone got all worked up over when it was presumed that Apple had it on iOS, but has never actually used.
I hate to bring it to you, but I was not serious.
Mostly harmless.
> iOS is quite secure,
> Which explains why the iOS is never jailbroken ever.
> What system is invulnerable to the user itself?
Node, you just answered your original question and now should understand the satirical post about using Apple products.
Stupid web developers who make flash only sites, and dumb managers who think flashy intros are required, nevermind that all flashy intro effects can be done in HTML5 nowadays.
AC because I modded.
You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?
Well, I suppose that's one way to recover from saying something that doesn't make any sense...
Care to clarify the actual purpose of your original reply?
Microsoft, Adobe, e-mail and stupid people. Seriously, internal security is just as important as external - too bad almost no large organization heeds these warnings; they continue to trust all their users and their computers as being safe and secure. My organization thinks that because you're on the internal network, you don't necessarily need encryption for passwords and the like; they actually call it the Secure Network, whereas the unencrypted wireless and the network that links up to external providers are the only insecure networks.
Custom electronics and digital signage for your business: www.evcircuits.com
Just for the hell of it: if you can't be infected by something you can't run, the logical consequence would be to never run anything.
But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and opening whatever attachment it comes with.)
Mostly harmless.
Sar-chasm: n: The gulf between a speaker of a sarcastic comment, and those who don't get it...
"City hall" in German is "Rathaus" Kinda explains a few things......
At my work we used to use the RSA token and a 4 number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
Now we have to use our RSA token and an 8 letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.
> You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?
One of the iOS jailbreaking methods was a pure drive-by just by visiting a web site. No user interaction. So you really can't claim that it is only about "users deliberately hacking their own device". Drive-by rooting and compromising just by visiting a web site, without the user knowing, clearly have implications beyond that.
You seem to forget that you can jailbreak your iPod by going to a webpage. That is insecure. --- See that period... I mean it. There are no ifs, ands or buts about the subject; it can be rooted by going to a web page, and that is NOT SECURE!
The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.
RSA's blog about this is sickening. They act like this is a new type of attack, comparing it to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this is that this is the first time it ever happened to RSA themselves (that they know of).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Nowadays anyone with a brain should know to stay clear of Microsoft's Windows operating system if they don't want to end up with a virus infested machine and security problems. This person clearly did not have Linux on their computer.
And this "event" does too.
In a week or so they will admit that "some seeds" were stolen, a week or two later, it will be a "significant number of seeds" and some more weeks later it will be "all seeds".
The real question is however this: Why the hell were the seeds accessible over the network? Are these people totally and utterly incompetent? Even the mere possibility of a seed database compromise over the net (and they have indirectly, but conclusively confirmed this, as it is the only part of the system that must remain secret) is proof of gross incompetence and mandates a move to a different vendor. Nothing RSA does henceforth can be trusted to be secure, as some important part of that company (my guess: management) does not get how security works.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
watch the RSA stock plummet, time to buy entrust!!!!!
> RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file." ..
Don't open email attachments on a Windows computer that is used to control your SecurID product ...
If the software that scans incoming email for threats flags a particular piece of email and puts it in your junk folder, why not have that be a permanent resting place. Once something is in junk, the user can only do a limited number of things:
1) View Sender, Receiver, Date, Subject
2) View message header as text
3) Delete item
The user then cannot move the item from the junk folder and there would be a variable length housekeeping delete that the administrator can set to one month or whatever.
Basically, once something is junk, it can't come back. Parts of it can be examined, but that's it. Enough of it can be examined so that if it is legit, the receiver can see what the problem is and the sender can send it in a different way.
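One way to model the junk-folder semantics proposed above, written as an added example (not any mail product's code): the only operations exposed are the three listed, release is refused outright, and an administrator-set retention period drives the housekeeping purge. The sample message, addresses and attachment name are constructed placeholders.

```python
import re
import email
import email.policy
from datetime import datetime, timedelta, timezone

class Quarantine:
    """One-way junk folder (assumed design modelling the proposal above): a message can be
    summarised, have its headers read, or be deleted; nothing returns the body or moves it out."""
    def __init__(self, retention_days: int = 30):
        self.retention = timedelta(days=retention_days)  # administrator-set housekeeping window
        self._items = {}  # message id -> (arrival time, raw message bytes)
        self._next_id = 1
    def add(self, raw: bytes, arrived: datetime) -> int:
        mid, self._next_id = self._next_id, self._next_id + 1
        self._items[mid] = (arrived, raw)
        return mid
    def view_summary(self, mid: int) -> dict:  # item 1: sender, receiver, date, subject only
        msg = email.message_from_bytes(self._items[mid][1], policy=email.policy.default)
        return {k: str(msg.get(k, "")) for k in ("From", "To", "Date", "Subject")}
    def view_headers(self, mid: int) -> str:  # item 2: top-level header block as text, body excluded
        return re.split(rb"\r?\n\r?\n", self._items[mid][1], maxsplit=1)[0].decode("ascii", "replace")
    def delete(self, mid: int) -> None:  # item 3: the only change a user may make
        del self._items[mid]
    def release(self, mid: int) -> None:  # moving a message out of junk is always refused
        raise PermissionError("junk is final for message %d; ask the sender to resend another way" % mid)
    def purge(self, now: datetime) -> int:  # housekeeping: drop everything past the retention period
        expired = [m for m, (t, _) in self._items.items() if now - t >= self.retention]
        for m in expired:
            del self._items[m]
        return len(expired)

# Constructed sample: a spam-flagged message carrying a spreadsheet attachment (placeholder names).
SAMPLE_RAW = (
    b"From: recruiter@example.invalid\r\nTo: hr@example.invalid\r\n"
    b"Date: Tue, 01 Mar 2011 09:00:00 +0000\r\nSubject: 2011 Recruitment plan\r\n"
    b"X-Spam-Flag: YES\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: application/vnd.ms-excel; name=\"plan.xls\"\r\n\r\n"
    b"(attachment bytes omitted)\r\n--b1--\r\n"
)
SAMPLE_ARRIVAL = datetime(2011, 3, 1, 9, 0, tzinfo=timezone.utc)

def run_scenario() -> dict:
    """Walk the sample through the folder and return what each step yielded."""
    q = Quarantine(retention_days=30)
    mid = q.add(SAMPLE_RAW, SAMPLE_ARRIVAL)
    out = {"subject": q.view_summary(mid)["Subject"], "headers": q.view_headers(mid)}
    try:
        q.release(mid)
        out["released"] = True
    except PermissionError:
        out["released"] = False  # the message stays in junk
    out["purged_day29"] = q.purge(SAMPLE_ARRIVAL + timedelta(days=29))
    out["purged_day30"] = q.purge(SAMPLE_ARRIVAL + timedelta(days=30))
    out["remaining"] = len(q._items)
    return out
```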
I mean, it's not like there are no known Linux exploits, but -- when you've got average users using windows for day-to-day work, it's just a matter of time....
Security by obscurity, but -- among other things -- the attacker would have to figure out that you're not using Windows.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
No, you can't.
What OS has never had remote exploits? iOS has had exactly one. And it was never turned into a malicious exploit. And it has long been patched. What other OS would you possibly label as being notably insecure for having had one remote exploit in five years, which has long since been patched? I assume this sort of scrutiny and aversion applies only to OS's from fruit-themed companies, since that's the only thing consistent on this topic around here.
After all, there have been multiple remote exploits for Android.
> Just for the hell of it: if you can't be infected by something you can't run, the logical consequence would be to never run anything.
That's not the logical consequence. That's an absurd consequence. There's nothing inherent in my statement that suggests taking absurd measures. Security isn't binary. You cull the severe risks, and manage the lesser ones.
I did misinterpret your original reply, though. When you said you weren't being serious, I thought you were referring to your argument as a whole (which I got quite clearly, you were trying to dismiss my claim that iOS is more secure for not running Flash by pretending it must be taken to its most absurd extreme). You are correct that your absurd logic shouldn't be taken as serious, however that still leaves me wondering why make the statement in the first place?
> But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and opening whatever attachment it comes with.)
Sure, because that worked out so well, didn't it? It's far too easy to accidentally or unwittingly run an attachment. Better to do away with something like Flash in the first place. It's of dubious value on something like a phone or a tablet. It's not like we're talking about eschewing an established, modern, popular OS for an archaic OS that no one uses or develops for. Just not using an optional web plug-in that is notorious for security issues.
Presently, Flash is highly irrelevant on mobile devices. Why take on the unnecessary risk?
So I look at the file, and it's an excel file that implies a list of recruits. What part of an organization is tied completely to the Microsoft suite? (hint, they only communicate through email using attached .DOC files) Which part of the organization is concerned with "recruiting?" Which part of the organization is despised as being filled with overpaid idiots?
RSA was brought down by their Human Resources Department. Someone retrieved an email from their junk box, from someone they didn't even know, and RAN AN ATTACHMENT AND PROBABLY HAD TO IGNORE A WARNING MESSAGE TO TURN ON ACTIVE CONTENT. They probably had admin rights on their machine because admin rights are considered a privilege of rank rather than of strict necessity, which Human Resources implicitly allows.
Anybody on LinkedIn? See if there are any recent departures from RSA from HR.
Your tense is wrong. You *could* jailbreak it by going to a web page, but that is no longer possible. Now, you need to drop your device into DFU mode and jailbreak it via USB.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
ITT: node 3 getting trolled hard.
As others have observed, there was nothing particularly sophisticated in this attack – it is pretty much standard stuff that I see almost on a day-to-day basis.
The key here is that taking control of those "low profile target" users (which could have been avoided in this specific case using good security policies) should never allow further escalation to the keys of the kingdom. That in itself is very troubling for a company like RSA, which should have much tighter security. Bragging about this being such an incredibly smart attack is also worrying - are they living in a cave?
The next step is now full disclosure about what has actually been compromised. No more corporate PR, just the straight facts. And frankly apart from the seed database I don't know what could really be of real interest.
-1 troll
Err... how did parent get modded "offtopic"? It's precisely ON topic in terms of a reply; a vulnerability that allows a jailbreak is no less a vulnerability that allows an exploit. They're both an "own the system" gambit.
This isn't a remote exploit. It's a Flash file that was embedded in an Excel file that was emailed and opened on a local system.
> You can hack an iPhone by visiting a webpage,
> Not anymore.
Same is true of the Flash vuln -- it was patched by Adobe on March 21.