Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA Says SecurID Hack Based On Phishing With Flash 0-Day

Posted by timothy on from the not-straight-but-chaser dept.

Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."

153 comments

  1. And then people wonder by Anonymous Coward · · Score: -1

    Why jobs doesn't want that POS on Iphones or Ipads!

    1. Re:And then people wonder by rainmouse · · Score: 1, Insightful

      Why jobs doesn't want that POS on Iphones or Ipads!

      Easily turned around. Considering it was phishing based attack, you could quite as easily say its no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.

    2. Re:And then people wonder by node+3 · · Score: 3, Insightful

      Why jobs doesn't want that POS on Iphones or Ipads!

      Easily turned around. Considering it was phishing based attack, you could quite as easily say its no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.

      How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

      The only thing you got correct in your post is that this was a phishing attack.

    3. Re:And then people wonder by Anonymous Coward · · Score: 0, Offtopic

      iOS is quite secure,

      Which explains why the iOS is never jailbroken ever.

    4. Re:And then people wonder by andrea.sartori · · Score: 2

      Including not being vulnerable to Flash exploits?
      Not being able to run something is a curious criterion for invulnerability.
      If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.

      --
      Mostly harmless.
    5. Re:And then people wonder by emj · · Score: 0

      How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

      Just because iPhone is a cool phone doesn't make it the best at everything.

      You can hack an iPhone by visiting a webpage, it also got hacked the 2nd day of pwn2own. iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.

    6. Re:And then people wonder by Anonymous Coward · · Score: 0

      Isn't flash mainly used as a toy or for entertainment? What work do you need flash for? Plus, you can always watch flash video on the iphone with an app.

      So it comes down to games, and the iphone has 3d capability... so really who gives a shit about flash? I don't get it.

    7. Re:And then people wonder by node+3 · · Score: 1

      iOS is quite secure,

      Which explains why the iOS is never jailbroken ever.

      What system is invulnerable to the user itself? Once an iOS device is jailbroken, it's essentially a standard UNIX system. The security system that can be jailbroken is a significant security enhancement beyond any other consumer OS.

    8. Re:And then people wonder by node+3 · · Score: 0

      Including not being vulnerable to Flash exploits?

      Not being able to run something is a curious criterion for invulnerability.

      No, it's actually quite logically sound. You can't be infected by something you can't run.

      If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.

      No need to go to extremes. Simply avoiding significant security risks, like Flash and ActiveX, is a good start.

    9. Re:And then people wonder by node+3 · · Score: 1, Troll

      How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

      Just because iPhone is a cool phone doesn't make it the best at everything.

      I wonder where you got the idea that anyone is claiming that it is.

      You can hack an iPhone by visiting a webpage,

      Not anymore.

      it also got hacked the 2nd day of pwn2own.

      Everything gets hacked at pwn2own.

      iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.

      You would say that, but that doesn't make it true. Risk requires actual malicious code. Android is many orders of magnitude more risky than iOS, due to the simple fact that there has been plenty of malware for Android (some of which distributed on the Android Market). The only iOS malware that has ever existed has been for jailbroken devices--which is to say, for devices which the user has deliberately compromised the security of their device.

      How you can think this is the sign of a "risky" OS is beyond me.

      Remember, Google has had to use their remote "kill switch" on multiple occasions. The very same "kill switch" that everyone got all worked up over when it was presumed that Apple had it on iOS, but has never actually used.

    10. Re:And then people wonder by andrea.sartori · · Score: 1

      I hate to bring it to you, but I was not serious.

      --
      Mostly harmless.
    11. Re:And then people wonder by jhoegl · · Score: 0

      iOS is quite secure,

      Which explains why the iOS is never jailbroken ever.

      What system is invulnerable to the user itself?

      Node, you just answered your original question and now should understand the satirical post about using Apple products.

    12. Re:And then people wonder by Anonymous Coward · · Score: 0

      Stupid web developers who make flash only sites, and dumb managers who think flashy intros are required, nevermind that all flashy intro effects can be done in HTML5 nowadays.

      AC because I modded.

    13. Re:And then people wonder by node+3 · · Score: 1

      You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?

    14. Re:And then people wonder by node+3 · · Score: 0

      Well, I suppose that's one way to recover from saying something that doesn't make any sense...

      Care to clarify the actual purpose of your original reply?

    15. Re:And then people wonder by andrea.sartori · · Score: 1

      Just for the hell of it: if You can't be infected by something you can't run, the logical consequence would be to never run anything.
      But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and open whatever attachment it comes with.)

      --
      Mostly harmless.
    16. Re:And then people wonder by cbiltcliffe · · Score: 1

      Sar-chasm: n: The gulf between a speaker of a sarcastic comment, and those who don't get it...

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    17. Re:And then people wonder by Anonymous Coward · · Score: 0

      You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?

      One of the iOS jailbreaking methods was a pure drive-by just by visiting a web site. No user interaction. So you really can't claim that is only about "users deliberately hacking their own device". Drive-by rooting and compromising just by visiting a web site, without user knowing, clearly have implications beyond that.

    18. Re:And then people wonder by Anonymous Coward · · Score: 0

      You seem to forget that you can jailbreak your ipod by going to a webpage. That is insecure. --- See that period... I mean it. There is no ifs and or buts about the subject, it can be rooted by going to a web page, that is NOT SECURE!

    19. Re:And then people wonder by node+3 · · Score: 1

      No, you can't.

    20. Re:And then people wonder by node+3 · · Score: 1

      What OS has never had remote exploits? iOS has had exactly one. And it was never turned into a malicious exploit. And it has long been patched. What other OS would you possibly label as being notably insecure for having had one remote exploit in five years, which has long since been patched? I assume this sort of scrutiny and aversion applies only to OS's from fruit-themed companies, since that's the only thing consistent on this topic around here.

      After all, there have been multiple remote exploits for Android.

    21. Re:And then people wonder by node+3 · · Score: 1

      Just for the hell of it: if You can't be infected by something you can't run, the logical consequence would be to never run anything.

      That's not the logical consequence. That's an absurd consequence. There's nothing inherent in my statement that suggests taking absurd measures. Security isn't binary. You cull the severe risks, and manage the lesser ones.

      I did misinterpret your original reply, though. When you said you weren't being serious, I thought you were referring to your argument as a whole (which I got quite clearly, you were trying to dismiss my claim that iOS is more secure for not running Flash by pretending it must be taken to its most absurd extreme). You are correct that your absurd logic shouldn't be taken as serious, however that still leaves me wondering why make the statement in the first place?

      But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and open whatever attachment it comes with.)

      Sure, because that worked out so well, didn't it? It's far too easy to accidentally or unwittingly run an attachment. Better to do away with something like Flash in the first place. It's of dubious value on something like a phone or a tablet. It's not like we're talking about eschewing an established, modern, popular OS for an archaic OS that no one uses or develops for. Just not using an optional web plug-in that is notorious for security issues.

      Presently, Flash is highly irrelevant on mobile devices. Why take on the unnecessary risk?

    22. Re:And then people wonder by e4g4 · · Score: 1

      Your tense is wrong. You *could* jailbreak it by going to a web page, but that is no longer possible. Now, you need to drop your device into DFU mode and jailbreak it via USB.

      --
      The secret to creativity is knowing how to hide your sources. - Albert Einstein
    23. Re:And then people wonder by mug+funky · · Score: 1

      ITT: node 3 getting trolled hard.

    24. Re:And then people wonder by Anonymous Coward · · Score: 0

      -1 troll

    25. Re:And then people wonder by mad.frog · · Score: 1

      Err... how did parent get modded "offtopic"? It's precisely ON topic in terms of a reply; a vulnerability that allows a jailbreak is no less a vulnerability that allows an exploit. They're both an "own the system" gambit.

    26. Re:And then people wonder by mad.frog · · Score: 1

      This isn't a remote exploit. It's a Flash file that was embedded in an Excel file that was emailed and opened on a local system.

    27. Re:And then people wonder by mad.frog · · Score: 1

      You can hack an iPhone by visiting a webpage,

      Not anymore.

      Same is true of the Flash vuln -- it was patched by Adobe on March 21.

  2. And ActiveX by EnigmaticSource · · Score: 4, Insightful

    Or OCX (OLE, etc) lets another wolf into the flock. Embed by default is broken, and well terrifying.

    --
    The Geek in Black
    I know my BCD's (when I'm Sober)
    1. Re:And ActiveX by LO0G · · Score: 3, Informative

      Ok, this gets on my nerves. ActiveX is a plugin framework. It is *exactly* the same as Mozilla's XPCOM. Both XPCOM and ActiveX carry the exact same set of vulnerabilities. There are only two differences between ActiveX controls and NPAPI plugins:
      1) NPAPI plugins are typically only hosted on mozilla.com. ActiveX controls can be hosted on any site.
      2) ActiveX controls are required to be digitally signed. NPAPI plugins aren't.

      The Wikipedia page on NPAPI does a good job of describing the similarities.

      So don't blame ActiveX - blame the plugins. This attack could have been mounted against Firefox (after all it used a *flash* vulnerability and last I heard, flash was available for firefox).

    2. Re:And ActiveX by trifish · · Score: 1

      You're fixing the thing at the wrong level. Try the element sitting behind the keyboard.

      (Hint: No matter how hardened your OS/browser is, there will always be unpatched security issues in them, and therefore 0-day exploits -- and yes, even in bare sans-Flash Linux or Firefox. The common element, the thing that always works for the attacker, is social-engineering, like in this case.)

    3. Re:And ActiveX by EnigmaticSource · · Score: 1

      I wasn't trashing ActiveX per se; but rather the idea the label represents, binary embedding in (an expected) document; or binary embedding period. I hope most people read that I dislike the idea, not the brand name.

      --
      The Geek in Black
      I know my BCD's (when I'm Sober)
    4. Re:And ActiveX by LO0G · · Score: 1

      That's fair 'nuf and makes a lot of sense.

      Actually *any* architecture that runs plugins with full trust is fundimentally broken. This means ActiveX, NPAPI/XPCOM, Mozilla's XUL extensions (JS running with full trust that can interact with the DOM == scary). At least IE runs plugins in its sandbox (as does Chrome for some plugins like Flash).

    5. Re:And ActiveX by Anonymous Coward · · Score: 0

      You miss a huge point people don't use plug-ins/XPCOM like they do ActiveX. That is what makes it dangerous. ActiveX gives basically any website the ability to install dangerous applications easily. Plug-ins aren't used in that way. I have never seen a XPCOM/plug-in required for any site in which Firefox was supported. ActiveX has been used in the past to do really simple stuff. Stupidly users were fooled into accepting it because of a lack of security. ebay, snapfish, shutterfly, and others all depended on such ActiveX components and with each site you had to trust that the ActiveX component was safe. If a plug-in existed to do file uploads then we would see a single plug-in. Not one for each site most likely. What has changed is now everybody is using flash for file-uploads and it is cross platform. While flash is potentially dangerous too because of security vulnerability it is allot less dangerous. Flash doesn't give access to the whole system under normal circumstances.

    6. Re:And ActiveX by LO0G · · Score: 1

      Funny - most of the sites I visit require an NPAPI plugin to work.

      That's because most of the sites I use require flash. And guess what: Flash is an NPAPI plugin.

    7. Re:And ActiveX by sjames · · Score: 1

      Not exactly the same. The differences are the key. Look at Security.

      Another difference for the NPAPI is that implementations (prior to Mozilla Firefox, see below) did not automatically download or install missing plugins. A missing plugin caused the browser to display a jigsaw piece representing the plugin. If the user clicked on that they were directed to Netscape's plugin finder service where they could manually download and install the plugin for themselves. While this is inconvenient to the user, it is also an important security measure since it prevented the content using the browser as a vector for malware.

      and

      Mozilla Firefox attempts to present a middle ground. If a plugin is missing, it will notify the user that the plugin is missing and initiate a secure connection to a plugin finder service hosted on mozilla.org. The user can permit Firefox to download and install the plugin. This model prevents content specifying where a plugin should be downloaded from – the plugin finder service does. This enables Firefox to present a fairly seamless installation mechanism but limit the service to trusted and compatible plugins from reliable sources. This model implicitly trusts the plugin finder service to return "good" plugins, increasing the security required on the host site.

      The devil is in the details as usual.

      That's all moot here since it was a flash object embedded into an Excel spreadsheet sent as an email attachment that did the damage.

    8. Re:And ActiveX by LO0G · · Score: 1

      I 100% agree with the analysis in the Security section (that's actually why I included the wikipedia link).

      However the core threats between NPAPI/XPCOM and ActiveX are identical. The two mechanism have different mitigation schemes (FF redirects the user to a secure download location that presumably holds up-to-date versions of the plugins, IE requires that all plugins be digitally signed, checks a CRL and has a blacklist of known bad plugins (and a phoenix list to redirect to a known good plugin)).

      Given that IE requires that all ActiveX controls be digitally signed, the only real risk associated with a sites ability to host an activex control required for the site is that a site might host a known vulnerable version of someone else's control. But in order for that to be effective, the control must not be on the blacklist or the phoenix list AND the user must acknowledge a prompt that warns them that loading the plugin could compromise their computer AND the user must acknowledge a UAC elevation prompt (most of the time).

      The only thing that FF's security model brings to the table (and it's a HUGE difference in FF's favor) is that Mozilla can remove the known vulnerable versions of the plugins from their site (since they control the default location of plugins).

      Ironically ActiveX controls are more vulnerable because they're *more* open than NPAPI plugins :). Anyone who can get a code signing certificate can write and deploy an ActiveX plugin. But the developer of an NPAPI plugin needs to convince Mozilla to host their plugin on their download site,

      By many definitions, that makes ActiveX plugins more open than NPAPI plugins. Go figure that one out.

      And of course it's always important to remember that if the seeing the dancing pigs requires that the user install a plugin, they will install the plugin. There's nothing that can stop them.

  3. Thanks again ADOBE by Anonymous Coward · · Score: 3, Insightful

    .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

    Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

    1. Re:Thanks again ADOBE by gnasher719 · · Score: 4, Insightful

      Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

      100 million iPhone users and 20 million iPad users disagree.

    2. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      Because all those users do not also own a laptop, right?

    3. Re:Thanks again ADOBE by trifish · · Score: 5, Insightful

      .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

      Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

      You're kidding right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being the kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the suprrise here) -- drumrolls -- Linux has 0-day exploits too.

    4. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      Erm, to my knowledge, Linux hasn't had a remotely exploitable 0-day exploit for a few years.

    5. Re:Thanks again ADOBE by Anonymous Coward · · Score: -1

      What do toys have to do with that? That's not even the same category.

    6. Re:Thanks again ADOBE by Raghu13 · · Score: 1

      It is always a question of degree of suspectibility. Comparing Flash/Excel combo with others is a joke and speaks tons about people doing the comparison. Also, another one being PDF. Calling them secure is a joke. One has to be suicidal/kamikaze type in Linux to achieve to get pwned like this. The security in linux is not based on a single point of failure, you will have to often exploit multiple exploits simultaneously to achieve a complete trojan-like remote control of the system, otherwise you will end atmost causing a DoS. Well, as mentioned earlier I cannot speak about people running internet explorer/notepad under WINE in linux ..

    7. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      Erm, to my knowledge, Linux hasn't had a remotely exploitable 0-day exploit for a few years.

      Dream on. Or don't, but provide a citation for this obvious nonsense.

    8. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      That's for one device that doesn't exactly matter or have any real use. On the desktop, however, currently it is impossible as so many corporate websites require it.

    9. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

      100 million iPhone users and 20 million iPad users disagree.

      They get by by having site owners bend over backwards for them and create apps for them. Half the websites I can use without flash on my iPhone won't work without flash on my laptop unless I purposely use a horribly limited mobile version or someone reverse-engineers the app.

    10. Re:Thanks again ADOBE by HangingChad · · Score: 1

      >Or don't, but provide a citation for this obvious nonsense.

      Where's yours? Show your list of Linux zero day exploits. Just declaring they're out there doesn't conjure them. And make sure that they're automated with super user privileges.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    11. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      neither of you provided a source, so your both idiots.

    12. Re:Thanks again ADOBE by Anonymous Coward · · Score: 1

      You're saying that (a significant fraction of) all those millions use their iPad/iPod as their only computing device. Doubtful.

    13. Re:Thanks again ADOBE by hey! · · Score: 1

      Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

      100 million iPhone users and 20 million iPad users disagree.

      ** Lightbulb Illuminates ***

      Great Scott! They're all zombies! It's a giant army of undead customers animated with Steve Jobs' unholy juju! Aaargh!

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    14. Re:Thanks again ADOBE by Sloppy · · Score: 1

      This is all Microsoft. It never would have worked, if Excel spreadsheets were actually "documents" (as we think of that word) rather than executable programs. It is fucking insane that people email that kind of thing around. If someone emails you an Excel spreadsheet, you should consider that equivalent to someone emailing you a program with the subject line, "Here, run this. I want your computer."

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    15. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

      Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

      You're kidding right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being the kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the suprrise here) -- drumrolls -- Linux has 0-day exploits too.

      Logic fail.

      What you just did is the equivalent of saying Ted Bundy wasn't guilty of mass murder because someone else got into a car accident that killed someone.

      Yeah, coders on all platforms make mistakes. BFD. There's no INTENT there to cause harm.

      But it's INTENT when Microsoft deliberately creates insecure protocols and then uses its monopoly status to shove them down our throats. Unless you think Microsoft's developers and architects are so fucking stupid they don't know that what they're doing is insecure.....

    16. Re:Thanks again ADOBE by limaxray · · Score: 4, Insightful

      I think the difference is that we hear about 0-day exploits in Adobe software on a much more regular basis than in Linux or its associated software stack. It feels like Adobe announces another PDF or Flash vulnerability every month and that they have a complete disregard for secure practices.

      Combined with the fact that they still don't have a stable 64-bit release of Flash for any OS makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.

      Oh, and in the Linux world, we use tools like SELinux or Apparmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.

    17. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      What does this have to do with Linux again? In any event, you screwed up your punchline. What you meant to say was:

      "drumrolls -- End users are gullible."

    18. Re:Thanks again ADOBE by ildon · · Score: 1

      You mean the 80 million iPhone and 16 million iPad users that also have a Windows PC, laptop, and/or netbook?

    19. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

      100 million iPhone users and 20 million iPad users disagree.

      But I suspect a large portion of those people use some sort of computer with either Flash/MS.

    20. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      Use IE7Pro to block flash. Then you only have to turn it on when you really want it. (rare)

    21. Re:Thanks again ADOBE by Builder · · Score: 1

      *you're

      Doh!

    22. Re:Thanks again ADOBE by grkvlt · · Score: 1

      You can't show a list of zero day exploits, by definition.

      Zero day exploits are exploits for vulnerabilities that have been public knowledge for, wait for it, zero days. In other words, a '0day' is a piece of exploit code or vulnerabilty information that has not been diclosed. So, it is impossible to list the number of Linux, or any other operating system, zero day exploits in the wild.

      The important metrics for risk analysis of a particular system are:
      1. The number of disclosed vulnerabilities $V_d$
      2. The number of those that have mitigating patches available $V_p$
      3. The number of said patches that are actually deployed on the system of interest $P$
      4. The total number of vulnerabilities on that class of system $V_t$

      These numbers are related as follows, with the actual values left as an exercise for the risk analyst:
      $V_t > V_d > V_p > P$

      However, this relationship implies that every real system, consisting of some type of operating system with installed application software, has a non-zero attack surface.

      Based on the number of publicly known exploits, both patched and unpatched, there must be a non-zero number number of '0day' vulnerabilities in existance, which will be in use by black-hat hackers, penetration testers and national security or intelligence agencies. This number $V_0$ is simply $V_t - V_d$ and attempts have been made to estimate this based on trends in public disclosures of vulnerabilities [1].

      [1] Exposing Vendors (In)security Performance

      grkvlt.

      --
      -- andrew international ? consonants : http://grkvlt.blogspot.com/
    23. Re:Thanks again ADOBE by Linuxmonger · · Score: 1

      But, and this is a huge but, Linux also has zero day fixes.

    24. Re:Thanks again ADOBE by Anonymous Coward · · Score: 0

      100 million iPhone users and 20 million iPad users disagree.

      I know several iThing owners (myself included) that really wish Flash worked on said thing.

  4. Note to self: by MyFirstNameIsPaul · · Score: 1

    Set spam folder to auto-delete incoming.

    --

    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  5. Wait wait hold up by atari2600a · · Score: 5, Interesting

    You can embed flash in excel files!? WHY WOULD YOU DO THAT

    1. Re:Wait wait hold up by Joce640k · · Score: 5, Funny

      You don't put background music in the spreadsheets you email to people? Weird. Numbers are so boring without some Slipknot playing.

      --
      No sig today...
    2. Re:Wait wait hold up by Anonymous Coward · · Score: 1

      to give people infections?

    3. Re:Wait wait hold up by Anonymous Coward · · Score: 0

      because you'd want to force them to watch adverts when they open the spreadsheet ;-)

    4. Re:Wait wait hold up by DNS-and-BIND · · Score: 1

      1. It looks good as a bullet point on a presentation explaining how this quarter's development is coming along.
      2. Some manager probably got a bonus for innovation for implementing the feature.
      3. You should use Microsoft products as much as possible. Not being able to embed flash into an Excel file might, someday, make someone not use Excel. This would be bad.
      4. Because it's technically possible. Why do web browsers store a list of every website you ever visited? Same reason, it's technically possible and easy to implement.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:Wait wait hold up by Anonymous Coward · · Score: 0

      2. Some manager probably got a bonus for innovation for having someone else implement the feature.

    6. Re:Wait wait hold up by cigawoot · · Score: 2

      Excel Embeds: Turning Excel files into MySpace pages one sheet at a time.

    7. Re:Wait wait hold up by Bengie · · Score: 1

      The real question is "why would you open an Excel file from an unknown sender?"

    8. Re:Wait wait hold up by mevets · · Score: 1

      I think the real question is "why do you have to be afraid to open a spreadsheet?".

      I know FLASH is just the easiest way to get in - but does excel really need a way to run arbitrary code?

    9. Re:Wait wait hold up by Anonymous Coward · · Score: 1

      There are business analysts who write Excel spreadsheets with a macro that refreshes part of the sheet from an ODBC connection. Once upon a time I used such a thing as a rapid-prototype that I later developed into a Java/Tomcat/JFreeChart web application. Look at it this way: spreadsheets are a fancy extension to a calculator. A programmable calculator can run arbitrary code ... but usually does not have an Internet connection and access to all your notes and other spreadsheets on a local filesystem.

      I believe Excel does have a "disable macros" option that pops up when you open a new file for the first time. I can't say whether it's 100% effective, as I do not have access to the Excel source code.

    10. Re:Wait wait hold up by jjohnson · · Score: 1

      ... after retrieving it from the spam folder, no less.

      "Goddammit, there's gotta be pics of Anna Kournikova one of these times..."

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    11. Re:Wait wait hold up by Undead+Waffle · · Score: 2

      Well I've seen it used for flash games whose websites are normally blocked...

    12. Re:Wait wait hold up by Anonymous Coward · · Score: 0

      There is one person where I work that ONLY knows how to send people stuff if it's embedded in a .xls. They'll CREATE an image, embed it in the table, taking the time to make sure the table structure isn't broken too badly, and then arbitrarily select nearby cells to write notes about the various parts of an image in. The day I bring a shotgun to work, that dude is the first to go.

    13. Re:Wait wait hold up by Charliemopps · · Score: 1

      Work for a company that doesn't allow you to have a compiler for a while and you'll understand. Embedded software in office documents is pretty much how I made it into a "real" job. When a managers options are: Hire 3 temps OR Have your programming department quote you a $30k project that will take 6 months and run over budget OR have that smart guy over there spend half an hour writing a script in an excel file... your choice is kind of made for you.

    14. Re:Wait wait hold up by WorBlux · · Score: 1

      I wonder, does interpreted python break the no complier rule?

    15. Re:Wait wait hold up by Anonymous Coward · · Score: 0

      Who the fucking hell are Slipknot?

  6. Simple question: securid seeds? by rtfa-troll · · Score: 5, Interesting
    Dear RSA; speaking as a customer; we need a simple answer to the question:

    has the securid seeds database been compromised?

    anything else you announce is fluff.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    1. Re:Simple question: securid seeds? by 93+Escort+Wagon · · Score: 5, Informative

      Dear RSA; speaking as a customer; we need a simple answer to the question:

      has the securid seeds database been compromised?

      anything else you announce is fluff.

      We use a LOT of SecurID tokens at our university, and the group that manages them has been way too quiet since this happened. But today they sent an email out - no mention of the RSA breach, just that they have decided to "retire the SecurID tokens early to save money" and are replacing them with a different product.

      So I'm guessing they think the seeds database has been compromised.

      --
      #DeleteChrome
    2. Re:Simple question: securid seeds? by rtfa-troll · · Score: 2

      Yes; fun fun fun. It's good the way they let a mafia of MSCE certified IT administrators pretend they didn't screw up by choosing SecurID and letting them keep the seed info whilst their real customers, the people who have their systems and data secured with SecurID, don't know squat about what's going on.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Simple question: securid seeds? by rtfa-troll · · Score: 5, Interesting

      And just to amplify this with a bit of Wikipedia manipulation; have a look at this edit which comes from 128-221-197-57.emc.com, Where EMC is RSA's parent company, which I found from this article which also includes an RSA letter which they are supposedly sending out to customers.

      Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:Simple question: securid seeds? by Anonymous Coward · · Score: 0

      So I'm guessing they think the seeds database has been compromised.

      That doesn't mean anything. Maybe they wanted to move away from SecurID for some time. Now that there are rumours and whatnot they may simply have another argument to go ahead. Uncertainty and speculations are a powerful argument when it comes to business decisions.

      I worked for a large corporation that banned Blackberry devices for executives and production systems because of the rumours and speculations that foreign intelligence services might have access to their data since BB routed via a foreign country. They had no evidence or official statements, though. Rumours were enough not to touch BB.

      That's why MS occasionally swings the FUD club: because it works.

    5. Re:Simple question: securid seeds? by AftanGustur · · Score: 1
      The short answer is "The attackers almost certainly stole enough information to compromise the token authentication"

      Those in-the-known, i.e. government agencies, have or are adding 3-factor authentication. That is.. In addition to the RSA token and a passcode, they are adding a second passcode, most often the user's intranet password (Windows Domain).

      So until they tell me the truth, I will draw my own conclusions from what I know.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    6. Re:Simple question: securid seeds? by wkk2 · · Score: 2

      I think real question is why doesn't the customer initialize the token. There are lots of interface options to initialize a small token: I2C, USB, even IR.

    7. Re:Simple question: securid seeds? by Anonymous Coward · · Score: 0

      See? Why isn't stuff like this on the front page?

    8. Re:Simple question: securid seeds? by hey! · · Score: 3, Insightful

      Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.

      This is going to cost RSA a lot more than sales of its SecureID product. People buy this product, not because they have analyzed the system and decided it is architecturally secure; they bought it because they trusted RSA. RSA was founded by the most illustrious minds in the field. I was looking at some RSA job postings recently, and they don't appear to hire anybody who doesn't have a PhD. RSA is supposed to be the company that knows how to do things right. That means they knowingly produced a system that violated stuff you learn in Chapter 1 of a basic crypto text, and then induced customers to rely on that system for security.

      RSA reputation, meet porcelain bowl.

      I want to be clear I'm not criticizing RSA for the security breach. I'm criticizing them for inducing customers to rely on a system that becomes irreparably untrustworthy after a single event that was bound to happen sooner or later.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    9. Re:Simple question: securid seeds? by Anonymous Coward · · Score: 0

      "Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au]:"

      It looks to me like they are desperately trying to avoid the costs of a recall for all compromised tokens.
      Ultimately, I think this avoidance will cost them more in the long run.

    10. Re:Simple question: securid seeds? by Joce640k · · Score: 1

      If I was writing a trojan to hack RSA I wouldn't send the CEO an email saying exactly what was compromised.

      In fact I'd try to leave as few traces and as many doubts as possible.

      --
      No sig today...
    11. Re:Simple question: securid seeds? by Anonymous Coward · · Score: 0

      While it is apparent the fundamental security of SecureID has been compromised (the seeds stolen), it is unfortunate that this question hasn't been answered, except only to government and other high-profile customers.

      Worse, beyond all the fluff it is clear that RSA is trying to spin this spear-fishing attack into a great APT story, which will spin and work with their acquisition of Netwitness. While this is obviously fatal to RSA and SecurID, they are busy trying to figure out how to exploit this situation to help them make customers think the Netwitness acquisition is smart and hopefully sell more. Regardless of the spin, RSA has been a long time customer of Netwitness that failed them, and have delayed the announcement to spin things. It will be unfortunate that even if the general public buys into the APT story and the Netwitness acquisition, it isn't going to make up all the lost money.

    12. Re:Simple question: securid seeds? by Culture20 · · Score: 1

      Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.

      The token system isn't anything like DRM in Sony playstations. Each token is unique, and the only way to break the system was the access RSA's database. The system still works though, because RSA doesn't keep a database of which "something you have" goes with which "something you know". It can be narrowed down per company, but there's still a lot of guesswork and lockouts involved.

    13. Re:Simple question: securid seeds? by jd · · Score: 2

      The first of the removed paragraphs could be considered "original research" (banned on Wikipedia). I'm of the opinion that linear deductions are not research, but automatically follow. However, I've had a few entries edited out as "original research" myself and know that Wikipedia takes the rule extremely seriously even if it is to the point of absurdity.

      The rest of the paragraphs are more inflamatory/op-ed and don't belong in an encyclopedia setting. They may be technically correct (only RSA knows) but they are most certainly not neutral POV and not useful in understanding the event.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    14. Re:Simple question: securid seeds? by hey! · · Score: 1

      Never said it was like DRM. The point is: they lost the secret, and the *system* is irretrievably compromised. It doesn't matter where the secret was stored, it was still baked in.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    15. Re:Simple question: securid seeds? by jd · · Score: 1

      The underlying problem, though, is that you can never know if something is secret, you can only know if something is not secret. Thus, you have a paradox - the only way to know if something was secret is to share it and see if anyone else already knew.

      As such, any system based on secrets of any kind whatsoever is inherently flawed because it is dependent on an assumption that is provably unprovable.

      This is why you will see the phrase "security through obscurity is no security at all".

      The catch is that published crypto systems rely on a problem being irreducably hard (exponential or hyperexponential difficulty). There are very few hard problems for which there is a non-existance proof of a solution simpler than the best solution hitherto known. This means that opponents could be keeping secret a solution to the problem you do not possess. However, they too are subject to the secrets paradox and therefore their ability to crack the cypher in better-than-expected time may be known to others besides themselves.

      (This has been used in wartime, when Allies and the Axis powers deliberately sent messages in encrypted forms that they knew the other side could break in order to confuse them.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    16. Re:Simple question: securid seeds? by rtfa-troll · · Score: 1

      The edit was incorrect in any case. There are pretty clear Wikipedia policies limiting editing of your right to edit articles about yourself. The edit didn't clearly state who it was from. The editor should have copied the text to the talk page for discussion. There were facts which have been referred to elsewhere on news sites (e.g. the existence of an RSA letter to customers) which were simply deleted. Most importantly, all of the speculation referred to in the edit does exist in widely known sources. At most adding a "citation needed" tag of some sort would be the right thing to do. The best thing would be to link to the correct sources and rewrite to state exactly what they say.

      There's a more important thing here though. The edit came from EMC. As a company EMC knows the current state of the investigation. If they know that the secrets have been stolen then the edit was disingenuous. If they know that the secrets have not been stolen then they could also say so. If they refuse to answer that then they shouldn't be messing around manipulating alternative media. If it was a rogue employee who doesn't know the status of the investigation made the edit they should also say so. They can only expect to have correct coverage to the extent

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  7. Now Introducing by AnonymmousCoward · · Score: 0

    NotSoSecurID

  8. How to secure a computation server by Anonymous Coward · · Score: 0

    Is there a way to set up a server "A" that computes some function f(x) for values of x coming from a networked computer "B", and sends the result f(x) back to B, without any chance of any hacker getting hold of the code for f(x)? Some kind of special network that can only send x in one direction, f(x) in the other, and clearly never do anything else even if machine B gets compromised?

    1. Re:How to secure a computation server by cbiltcliffe · · Score: 1

      Yes.
      It's called sneakernet.

      The "x" comes from computer "B", which is shown on a display. A human operator types "x" into server "A", which has no network connection at all. Server "A" then displays f(x), which the human operator types into a different keyboard connected to computer "B".

      In order for this to work truly securely, though, several things have to be true:

      - The operator has to have no chance to enter incorrect information by accident, or enter the information in the wrong place. That means this cannot be a general purpose computer, or the operator cannot have access to anything other than the input field for the data. Preferably both.
      - The operator has to be completely trusted, otherwise incorrect information could be coded into what should be the f(x) result, by the operator typing in f2(source_code_for_f(x)) instead. This means, basically, the operator has to be you.
      - something else I haven't thought of yet, in this idle intellectual exercise.

      So, yes, it can be done. But it's certainly not practical.

      Someone might suggest having computer "C" in between, which monitors network traffic and only allows x to flow one way, and f(x) to flow the other. But there are problems with this:

      - what if computer "C" gets compromised? It could be modified to allow other data to flow from server "A" to computer "B".
      - how does computer "C" know that f(x) is _actually_ f(x)? Could it be other data disguised to look like f(x)? The only method guaranteed to work is for computer "C" to know the source for f(), by which it could compare its own f(x) result to that flowing over the network from A to B. If they match, let it pass. This, however, obviously makes hiding the source of f(x) that much more difficult, since it can now be compromised on two different computers, rather than one.

      This is why 100% security is impossible. Not because we don't want it, but because there will always be another way to get in, regardless of what has been locked down.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re:How to secure a computation server by realityimpaired · · Score: 1

      Wouldn't work. If the hacker can gain control of B, the hacker has the ability to generate enough points of data for x and f(x) to figure out what the function is.

      The way RSA does it is better. B doesn't send X, it sends a User ID, which is static. A then looks up in a secure hash what salt User ID corresponds to, and uses that along with system time to figure out what X is, so that it can return f(x) to B. (in other words, to figure out what your secure token is displaying) It's a much more secure way of doing things than what you propose... as long as f(x) remains secure, and as long as the hash table for user ID to key ID remains secure. (especially considering that the "salt" could be anything, from an offset to a transformation to a separate equation to run f(x) through before returning the result)

      The big kerfluffle going on with the RSA hack is that RSA is not being forthcoming as to whether or not the hash tables have been compromised. If they have, then f(x) can be easily compromised and everybody who uses an RSA key fob needs to either get a new key fob, or switch to a different method of securing things. Particularly important when you consider the implications of who uses an RSA key fob to secure things: I work for Ma Bell, and one of the systems I can access in conjunction with my RSA key is the DMS. (https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Multiplex_System for those who don't recognize the acronym). Think of the damage that could be caused if the wrong people got access to that system: they could crash the PSTN. (fortunately there is multi-layer security that I'm not really able to discuss, so that kind of breach is extremely unlikely... but this is a very serious breach of security just the same).

  9. Sounds like my girlfriend by houghi · · Score: 3, Funny

    "BIATCH confirmed on Friday that the attack that compromised her high-value NoPrego product was essentially a small, targeted phushing campaign that included a payload of a malicious Flesh object embedded in a broken Trojan."

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Sounds like my girlfriend by burni2 · · Score: 2

      Good Lord, do you mean she is pregnant !? You should buy better condoms, so the Trojan doesn't break.

      btw. she is ;)

    2. Re:Sounds like my girlfriend by Scott+Scott · · Score: 1

      Jerry! Jerry!

    3. Re:Sounds like my girlfriend by houghi · · Score: 1

      You think I have a girlfriend? You must be new her.

      --
      Don't fight for your country, if your country does not fight for you.
  10. And I think to myself... by Angostura · · Score: 1

    ... would I have fallen for such a phishing attack? And the answer is - yes, quite probably

    and I wonder, how would I protect against it? And I come up with very few practical ideas.

    Anyone?

    1. Re:And I think to myself... by antifoidulus · · Score: 4, Insightful

      Um, not opening Excel or Flash files on computers that access the database would be a start. Furthermore sanboxing, and lots of it. Not running the most insecure OS on the planet would help too. The people at RSA really should have known better.

      --
      Monstar L
    2. Re:And I think to myself... by maxwell+demon · · Score: 1

      Well, if it ends up in your junk folder, you simply should ask yourself why it went there. And take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.

      Of course if they have a collaborator inside the company network (or maybe can send the mail from another compromised company computer) that precaution measure probably won't help.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:And I think to myself... by Anonymous Coward · · Score: 0

      Not running the most insecure OS on the planet

      I am sure they already upgraded from Windows 95.

    4. Re:And I think to myself... by hey · · Score: 1

      Avoid Excel?

    5. Re:And I think to myself... by Scott+Scott · · Score: 2

      Don't open anything flagged as spam until you've read the full headers?
      Don't use Excel as your first option when reading e-mail attachments?
      Run off of a read-only file system?
      Convert every excel file to CSV before opening?
      View using Google Docs or one of its clones? (Not that I advocate using Google's tools in general...)
      Open nonessentials on a different computer with restrictive security settings? Don't use Windows?

      The possibilities are endless.

      Realistically, it's not possible to stop an attacker who's willing to invest serious time and approach in a smart manner. It is, however, possible to avoid being the person in the organization who lets them in. Someone will fall for it, given enough time and a large enough company, and once they have access they won't be interested in tricking you anymore.

    6. Re:And I think to myself... by maxwell+demon · · Score: 2

      Not running the most insecure OS on the planet would help too.

      Usually as employee you cannot decide that.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    7. Re:And I think to myself... by maxwell+demon · · Score: 1

      View using Google Docs or one of its clones?

      Yeah, your employer will love it if you open internal company documents (and the document posed as internal company document) through a server of another company ...
      </sarcasm>

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:And I think to myself... by rtfa-troll · · Score: 1

      Don't keep your database of nuclear launch codes on your gaming PC. Use a non networked computer instead.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    9. Re:And I think to myself... by Anonymous Coward · · Score: 4, Funny

      Not running the most insecure OS on the planet would help too.

      Where in the article they say that OSX is being used?

    10. Re:And I think to myself... by MichaelSmith · · Score: 1

      Um, not opening Excel or Flash files on computers that access the database

      What if the "database" is an Excel file?

      --
      http://michaelsmith.id.au
    11. Re:And I think to myself... by JaredOfEuropa · · Score: 1

      If I read the article right, it wasn't as simple as that. The people who opened the phising email were regular employees with little or no access to valuable data. The hackers used these accounts as a springboard to get to the employees who do have access to the good stuff. Once you control a few accounts, phishing suddenly becomes real easy... Using something other than Windows doesn't really help anymore at that point.

      I do agree with sandboxing: many companies still take a "walled garden" approach to security: they wall off the perimeter and trust everyone who is inside. Even super sensitive data is often protected only by a second walled garden inside the first one, failing to address the issue of compromised trusted accounts.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    12. Re:And I think to myself... by MichaelSmith · · Score: 1

      take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.

      I noticed a couple of things about windows: users inside the company compulsively send attachments to the point where people open them without thinking. Outlook adds external users to its address book, then hides domain name information when it displays that user. It can be hard to tell what is internal mail and what is not.

      --
      http://michaelsmith.id.au
    13. Re:And I think to myself... by Anonymous Coward · · Score: 2, Interesting

      They haven't stated how the hackers progressed from the low value employee workstations to higher value systems...

      Although this is just a guess, based on my experience of other organisations they typically use active directory to manage everything from low level employee workstations, to high value servers... Elevating yourself from a low value workstation to domain admin using tools such as incognito, lsadump or hash passing is relatively easy and from there you have a very good chance of getting access to crucial systems...
      Even in companies which try to separate critical functions away from general office stuff (which i would assume RSA did) if you take over the sysadmin workstations (which usually are linked to the active directory domain) then you can start keylogging or hijacking their existing sessions and getting into other stuff. Some companies also have central databases containing passwords protected by something as weak as active directory!

    14. Re:And I think to myself... by Scott+Scott · · Score: 1

      I don't recall any indication of or basis for a reasonable inference that the Excel file was posed as an internal document. All the article said was that it was intriguing enough for someone to pull it out of the spam folder. General practice in internal IT and network administration is to whitelist internal emails and toss anything suspicious into spam, if not blacklist it entirely.

      Again, I'm not a fan of using Google Docs, but I'd much rather let their servers clobber a zero-day than let it in through the front door. I see emails I occasionally think are intriguing, too; that doesn't mean they're from Bob in marketing or that I should open their attachments using the very applications they are designed to target.

    15. Re:And I think to myself... by Angostura · · Score: 1

      How about opening an Excel file on a computer that can access a computer that can access a computer that can access the database?

    16. Re:And I think to myself... by Angostura · · Score: 1

      I am reminded of a line from the comedy series "Twenty Twelve". "Is it just me, or is the common thread running though these possibilities that they aren't actually possibilities?"

      "Sorry boss, can you pop that spreadsheet onto a floppy for me, so that I can open it on a quarantine machine".

    17. Re:And I think to myself... by Scott+Scott · · Score: 1

      Let's have a look at the simplest. How exactly is not dragging suspicious emails out of your spam folder and opening their attachments an impossible option?

    18. Re:And I think to myself... by IBitOBear · · Score: 1

      Friends don't ask Friends to "open" programs that pretend to be documents, that are run by interpreters that pretend to be office productivity applications, that have full access with administrative privileges, let alone on machines that have any data that anybody actually cares about...

      Microsoft... Where do you think your data _didn't_ go _today_?

      --
      Innocent people shouldn't be forced to pay for inferior software development.
      --"Code Complete" Microsoft Press
    19. Re:And I think to myself... by Anonymous Coward · · Score: 0

      It was flash that had the exploit, not Excel. So what if google docs displays the flash content for you unaltered; you're still screwed. Not exactly a solution.

    20. Re:And I think to myself... by Rich0 · · Score: 3, Insightful

      Corporate IT security is like a slot machine that costs 25 cents to play, with a payout schedule that pays $1 on average, but one out of every 1M pulls you lose $10M.

      The IT manager who ultra-secures their systems gets tons of complaints, and the company becomes less nimble than their competition who don't bother to secure (there is a real cost when you make it harder for your employees to communicate and work together).

      So, if you're an IT manager who promotes strong security you quickly lose your job to somebody who doesn't.

      Then every once in a while one of these insecure managers pulls the lever and loses the company a lot of money. The manager is blamed for lax security and fired. The replacement will start out being more secure, and once the spotlight is off they'll go back to doing exactly what their predecessor did, and they'll get bonuses because there isn't a repeat of the huge loss and things are just as efficient as before. That must mean he is doing his job right, right?

      I've been finding that successful executives these days really are just lucky. They enact risky policies that have short term gains, pocket bonuses from these gains, and try to move on before it comes back to hurt them. Many get terminated, but those who don't shoot way up the ladder. What passes for due diligence at the CxO level isn't about preventing problems, but instead punishing whoever was left standing without a chair when the music stopped.

    21. Re:And I think to myself... by cbiltcliffe · · Score: 1

      What if the "database" is an Excel file?

      Then RSA needs to be nuked from orbit, as it's the only way to be sure....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    22. Re:And I think to myself... by Anonymous Coward · · Score: -1

      Stop pretending that poorly implemented patented security buzzwords are better security than the good, well written code (and a fair amount of it open-source) that makes up OS X. I'm not saying that it's secure by any means, but it's a darn sight more than Windows. (Pwn2Own doesn't count before you mention it - what would you prefer: a $2000 macbook or a $1000 PC?)

    23. Re:And I think to myself... by joebagodonuts · · Score: 1

      And I'm sure the people at RSA are doing the same thing that every other large institution/business is doing: Cutting costs. Those imaginary people at RSA you speak of cost money to train and retain. This was bound to happen, as soon as the primary focus switched from providing secure products to maximizing profits. I'm imagining a scenario like this:

      Executive 1: Q2 close is coming up. Are we going to make our numbers?
      Accountant 1: No sir, it doesn't look like it
      Executive 1: Let's cut costs. Lay off some folks, freeze pay increases. I want my bonus.

      Time goes by...

      Executive 1: Q2 close is coming up. Are we going to make our numbers?
      Accountant 1: No sir. Our most popular product was compromised.
      Executive 1: Goddamn employees. It's their fault!

      I don't mean to bash money-making. I'm a fan. A bit of balance would be nice. Companies don't require to report "record-making profits" every quarter.

      Cheap > Quality. Thank you WalMart and Microsoft

      --
      "Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
    24. Re:And I think to myself... by Anonymous Coward · · Score: -1

      This is why people should not talk abown pwn2own, it confuses the terminally stupid.

    25. Re:And I think to myself... by noctrl · · Score: 1

      I noticed a couple of things about windows: users inside the company compulsively send attachments to the point where people open them without thinking. Outlook adds external users to its address book, then hides domain name information when it displays that user. It can be hard to tell what is internal mail and what is not.

      Sad, isnt it?
      I wonder where this fetish for Outlook come from.
      I call it OutOfLuck, because you really are.
      It is one of the things that make stupid users more stupid...

    26. Re:And I think to myself... by Anonymous Coward · · Score: 0

      Yeah, you would think that they would keep the super secure seed database on a closed loop network that did not have access to the outside world. It sounds like the seed database is in MS Access on some guys computer.

    27. Re:And I think to myself... by StayFrosty · · Score: 1

      Microsoft... Where do you think your data _didn't_ go _today_?

      You are really dating yourself there.
       
      Dammit, I just dated myself by getting the reference.

      --
      "Frequently wrong, never in doubt."
    28. Re:And I think to myself... by Anonymous Coward · · Score: 0

      I remember when Excel was used as a spreadsheet, not as a vehicle for embedding crap or a crappy excuse for a database. I really hate feature creep in software, this is one reason why.

    29. Re:And I think to myself... by Scott+Scott · · Score: 1

      Google Docs does not support Flash content. That's kind of the point.

    30. Re:And I think to myself... by IBitOBear · · Score: 1

      Well... no one else will date me...

      8-)

      --
      Innocent people shouldn't be forced to pay for inferior software development.
      --"Code Complete" Microsoft Press
  11. Jezus, some people! by Anonymous Coward · · Score: -1

    Because you can and it makes you kewl!

    It's like how /. fucked this site up with JavaShit up the ying-yang because the dumbasses thought that would spiff it up to compete with dogg. All it did for me is make me come here far less often.

    Cheers,
    A Bof

  12. You would think that Microsoft could stop this by nzac · · Score: 1

    If they were to add a .nexls (non executables or something similar) file type that companies needing a bit of security could use that only had stuff a normal spread sheet has values, borders, charts, formulas ... (and something similar for word).
    Of course it would be hard to add new features to these versions and therefore sell updates and completing products would be able implement the standard pretty quickly.

    1. Re:You would think that Microsoft could stop this by Anonymous Coward · · Score: 1

      um, that's what an xlsx file is: no macros. xlsm files have macros. Unfortunately, the older xls files are both.

  13. System security is only as strong as... by Gravis+Zero · · Score: 0

    ... the Microsoft products used in it.

    --
    Anons need not reply. Questions end with a question mark.
  14. The epitome of a good attack by guruevi · · Score: 1

    Microsoft, Adobe, e-mail and stupid people. Seriously, the internal security is just as important as external - too bad almost no large organization heeds these warnings and continues to trust all their users and their computers as being safe and secure. My organization thinks because you're on the internal network, you don't need encryption necessarily for passwords and the like, they actually call it the Secure Network whereas the unencrypted wireless and the network that links up to external providers are the only insecure network.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  15. Ditto by Kludge · · Score: 3, Interesting

    At my work we used to use the RSA token and a 4 number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
    Now we have to use our RSA token and an 8 letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
    They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.

    1. Re:Ditto by Anonymous Coward · · Score: 1

      In this case, never changes is actually better.
      The idea in '2 factor' authentication is you should use 'something you have' and 'something you know'. This way your wallet or keychain alone isn't enough to get in, spying on one login session isn't enough to get in, you need to combine multiple security breaches together to break the security.
      If you change the 'something you know' often, then people write it down, it goes in your wallet, and the 2 factor authentication is now 'something you have' coupled with 'something else you also have', and stealing the contents of your pocket is now enough to break the security on its own.

  16. THIS one barely counts as social engineering by Sloppy · · Score: 4, Insightful

    The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

    RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:THIS one barely counts as social engineering by LordLimecat · · Score: 1

      The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

      You might as well argue that folks need to go back to the days of paper filing and abandon computers because viruses exist. How do you suppose an office will collaborate if none of the computers with network access can open network hosted documents? How are the computers with the word processor supposed to access those documents? How are they supposed to mail out the finished proposal?

      Just because there are attacks that can be mounted, doesnt mean there arent countermeasures. GPOs that disable embedding and macros; software restriction policies; setting appropriate permissions (including deny execute-- which IS distinct from the "read" permission necessary to open a document, so no, its NOT like chmod a+x) on network shares; and for those truly sensitive computers, disabling or preventing the installation of browser plugins.

      Guess what-- without browser plugins on the machines with said high-level access, this would not have occurred. How often do we see 0-days for Chrome, or Firefox, or even IE8/9? Compare that to the number we see for combined java, flash, acrobat, and quicktime; now you understand how overreactive and knee-jerk your post is.

  17. He/she was using a Microsoft's Windows OS... by Anonymous Coward · · Score: 0

    Nowadays anyone with a brain should know to stay clear of Microsoft's Windows operating system if they don't want to end up with a virus infested machine and security problems. This person clearly did not have Linux on their computer.

  18. RSA "information" policy reminds me of TEPCO. by gweihir · · Score: 1

    And this "event" does too.

    In a week or so they will admit that "some seeds" were stolen, a week or two later, it will be a "significant number of seeds" and some more weeks later it will be "all seeds".

    The real question is however this: Why the hell were the seeds accessible over the network? Are these people totally and utterly incompetent? Even the mere possibility of a seed database compromise over the net (and they have indirectly, but conclusively confirmed this, as it is the only part of the system that must remain secret) is proof of gross incompetence and mandates a move to a different vendor. Nothing RSA does henceforth can be trusted to be secure, as some important part of that company (my guess: management) does not get how security works.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. mahahhaaah by Anonymous Coward · · Score: 0

    watch the RSA stock plummet, time to buy entrust!!!!!

  20. and the solution is .. by doperative · · Score: 1

    > RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file." ..

    Don't open email attachments on a Windows computer that is used to control your SecurID product ...

    1. Re:and the solution is .. by darkonc · · Score: 1

      The users attacked weren't the final targets.. It was probably something like a receptionist or other non-technical staff that was used as the shoe-horn to get into the system. RTFA

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  21. Time to change the behavior of junk mail folders by Anonymous Coward · · Score: 0

    If the software that scans incoming email for threats flags a particular piece of email and puts it in your junk folder, why not have that be a permanent resting place. Once something is in junk, the use can only do a limited number of things: 1) View Sender, Receiver, Date, Subject 2) View message header as text 3) Delete item

    The user then cannot move the item from the junk folder and there would be a variable length housekeeping delete that the administrator can set to one month or whatever.

    Basically, once something is junk, it can't come back. Parts of it can be examined, but that's it. Enough of it can be examined so that if it is legit, the receiver can see what the problem is and the sender can send it in a different way.

  22. RSA is using WIndows for the Desktop??!!! by darkonc · · Score: 1
    I thought they were a security company!

    I mean, it's not like there are no known Linux exploits, but -- when you've got average users using windows for day-to-day work, it's just a matter of time....

    Security by obscurity, but -- among other things -- the attacker would, have to figure out that you're not using Windows.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  23. HUMAN RESOURCES, SCOURGE OF COMPANIES by Anonymous Coward · · Score: 0

    So I look at the file, and it's an excel file that implies a list of recruits. What part of an organization is tied completely to the Microsoft suite? (hint, they only communicate through email using attached .DOC files) Which part of the organization is concerned with "recruiting?" Which part of the organization is despised as being filled with overpaid idiots?

    RSA was brought down by their Human Resources Department. Someone retrieved an email from their junk box, from someone they didn't even know, and RAN AN ATTACHMENT AND PROBABLY HAD TO IGNORE A WARNING MESSAGE TO TURN ON ACTIVE CONTENT. They probably had admin rights on their machine because admin rights are considered a privilege of rank rather than of strict necessity, which Human Resources implicitly allows.

    Anybody on LinkedIn? See if there are any recent departures from RSA from HR.

  24. Nothing new here by Anonymous Coward · · Score: 0

    As others have observed there was nothing particularly sophisticated in this attack – it is pretty much standard stuff that I almost see on a day to day basis.

    The key here is that taking control of those “low profile target” users (which could have been avoided in this specific case using good security policies) should never allow further escalation to the keys of the kingdom That in itself is very troubling for a company like RSA which should have much tighter security. Braging about this being such an incredibly smart attack is also worrying - are they living in a cave ?

    The next step is now full disclosure about what has actually been compromised. No more corporate PR, just the straight facts. And frankly apart from the seed database I don't know what could really be of real interest.