RSA Says SecurID Hack Based On Phishing With Flash 0-Day
Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."
Or OCX (OLE, etc.) lets another wolf into the flock. Embed-by-default is broken and, well, terrifying.
The Geek in Black
I know my BCD's (when I'm Sober)
.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc
Sad part is that trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE, is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.
Set spam folder to auto-delete incoming.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
You can embed flash in excel files!? WHY WOULD YOU DO THAT
has the securid seeds database been compromised?
anything else you announce is fluff.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
"BIATCH confirmed on Friday that the attack that compromised her high-value NoPrego product was essentially a small, targeted phushing campaign that included a payload of a malicious Flesh object embedded in a broken Trojan."
Don't fight for your country, if your country does not fight for you.
... would I have fallen for such a phishing attack? And the answer is - yes, quite probably
and I wonder, how would I protect against it? And I come up with very few practical ideas.
Anyone?
Why Jobs doesn't want that POS on iPhones or iPads!
Easily turned around. Considering it was a phishing-based attack, you could just as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
The only thing you got correct in your post is that this was a phishing attack.
If they were to add a .nexls (non-executable, or something similar) file type that companies needing a bit of security could use, one that only had the stuff a normal spreadsheet has: values, borders, charts, formulas... (and something similar for Word).
Of course it would be hard to add new features to these versions and therefore sell updates, and competing products would be able to implement the standard pretty quickly.
Including not being vulnerable to Flash exploits?
Not being able to run something is a curious criterion for invulnerability.
If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.
Mostly harmless.
iOS is quite secure,
Which explains why the iOS is never jailbroken ever.
What system is invulnerable to the user itself? Once an iOS device is jailbroken, it's essentially a standard UNIX system. The security system that can be jailbroken is a significant security enhancement beyond any other consumer OS.
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
Just because iPhone is a cool phone doesn't make it the best at everything.
I wonder where you got the idea that anyone is claiming that it is.
You can hack an iPhone by visiting a webpage,
Not anymore.
it also got hacked the 2nd day of pwn2own.
Everything gets hacked at pwn2own.
iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.
You would say that, but that doesn't make it true. Risk requires actual malicious code. Android is many orders of magnitude more risky than iOS, due to the simple fact that there has been plenty of malware for Android (some of which was distributed on the Android Market). The only iOS malware that has ever existed has been for jailbroken devices--which is to say, for devices whose security the user has deliberately compromised.
How you can think this is the sign of a "risky" OS is beyond me.
Remember, Google has had to use their remote "kill switch" on multiple occasions. The very same "kill switch" that everyone got all worked up over when it was presumed that Apple had it on iOS, but has never actually used.
I hate to bring it to you, but I was not serious.
You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?
Microsoft, Adobe, e-mail and stupid people. Seriously, internal security is just as important as external - too bad almost no large organization heeds these warnings; they continue to trust all their users and their computers as being safe and secure. My organization thinks that because you're on the internal network, you don't necessarily need encryption for passwords and the like; they actually call it the Secure Network, whereas the unencrypted wireless and the network that links up to external providers are the only "insecure" networks.
Just for the hell of it: if you can't be infected by something you can't run, the logical consequence would be to never run anything.
But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and opening whatever attachment it comes with.)
Sar-chasm: n: The gulf between a speaker of a sarcastic comment, and those who don't get it...
"City hall" in German is "Rathaus" Kinda explains a few things......
At my work we used to use the RSA token and a 4 number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
Now we have to use our RSA token and an 8 letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.
Yes.
It's called sneakernet.
The "x" comes from computer "B", which is shown on a display. A human operator types "x" into server "A", which has no network connection at all. Server "A" then displays f(x), which the human operator types into a different keyboard connected to computer "B".
In order for this to work truly securely, though, several things have to be true:
- The operator has to have no chance to enter incorrect information by accident, or enter the information in the wrong place. That means this cannot be a general purpose computer, or the operator cannot have access to anything other than the input field for the data. Preferably both.
- The operator has to be completely trusted, otherwise incorrect information could be coded into what should be the f(x) result, by the operator typing in f2(source_code_for_f(x)) instead. This means, basically, the operator has to be you.
- something else I haven't thought of yet, in this idle intellectual exercise.
So, yes, it can be done. But it's certainly not practical.
Someone might suggest having computer "C" in between, which monitors network traffic and only allows x to flow one way, and f(x) to flow the other. But there are problems with this:
- what if computer "C" gets compromised? It could be modified to allow other data to flow from server "A" to computer "B".
- how does computer "C" know that f(x) is _actually_ f(x)? Could it be other data disguised to look like f(x)? The only method guaranteed to work is for computer "C" to know the source for f(), by which it could compare its own f(x) result to that flowing over the network from A to B. If they match, let it pass. This, however, obviously makes hiding the source of f(x) that much more difficult, since it can now be compromised on two different computers, rather than one.
This is why 100% security is impossible. Not because we don't want it, but because there will always be another way to get in, regardless of what has been locked down.
Wouldn't work. If the hacker can gain control of B, the hacker has the ability to generate enough points of data for x and f(x) to figure out what the function is.
The way RSA does it is better. B doesn't send X, it sends a User ID, which is static. A then looks up in a secure hash what salt User ID corresponds to, and uses that along with system time to figure out what X is, so that it can return f(x) to B. (in other words, to figure out what your secure token is displaying) It's a much more secure way of doing things than what you propose... as long as f(x) remains secure, and as long as the hash table for user ID to key ID remains secure. (especially considering that the "salt" could be anything, from an offset to a transformation to a separate equation to run f(x) through before returning the result)
The big kerfuffle going on with the RSA hack is that RSA is not being forthcoming as to whether or not the hash tables have been compromised. If they have, then f(x) can be easily compromised and everybody who uses an RSA key fob needs to either get a new key fob or switch to a different method of securing things. Particularly important when you consider the implications of who uses an RSA key fob to secure things: I work for Ma Bell, and one of the systems I can access in conjunction with my RSA key is the DMS (https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Multiplex_System for those who don't recognize the acronym). Think of the damage that could be caused if the wrong people got access to that system: they could crash the PSTN. (Fortunately there is multi-layer security that I'm not really able to discuss, so that kind of breach is extremely unlikely... but this is a very serious breach of security just the same.)
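The server-side flow described in the comment above (static user ID in, seed looked up, code recomputed from the seed and the clock, PIN checked, lockout after three failures), as an added example that is not from this thread or from RSA. SecurID's real f(x) is proprietary, so this uses the public RFC 6238 TOTP construction as a stand-in; the seed table, PIN and user name are constructed sample data.

```python
import hmac
import hashlib
import struct
import time

# Constructed sample data, not real SecurID material. SEEDS is the server-side
# table mapping a user ID to that token's seed: the part of the system that must
# stay secret, because anyone holding it can recompute every token's output.
SEEDS = {"alice": b"12345678901234567890"}   # RFC 4226/6238 test seed
PINS = {"alice": "4711"}                      # user-chosen PIN, the second factor
STEP = 60                                     # seconds per token code
DIGITS = 6
MAX_FAILURES = 3                              # lockout threshold from the thread


def token_code(seed: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """f(seed, time): RFC 6238 TOTP standing in for the proprietary SecurID function.
    HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Authenticator:
    """Server 'A' from the comment: given a static user ID, look up the seed,
    recompute the expected code for the current window and compare."""

    def __init__(self, seeds, pins, max_failures=MAX_FAILURES):
        self.seeds, self.pins = seeds, pins
        self.max_failures = max_failures
        self.failures = {}

    def verify(self, user: str, pin: str, code: str, now=None, skew: int = 1) -> str:
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        now = int(time.time()) if now is None else now
        seed = self.seeds.get(user, b"")
        pin_ok = hmac.compare_digest(pin, self.pins.get(user, ""))
        # Accept adjacent windows to tolerate clock drift between token and server.
        code_ok = any(hmac.compare_digest(code, token_code(seed, now + k * STEP))
                      for k in range(-skew, skew + 1))
        if pin_ok and code_ok:
            self.failures[user] = 0
            return "ok"
        # Every failure counts the same, so the reply never reveals which factor was wrong.
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"
```

With the seed in hand, `token_code` alone reproduces what the fob displays, which is exactly why the thread treats a seed-database compromise as fatal and why the PIN and lockout are what is left standing.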
The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.
RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
And this "event" does too.
In a week or so they will admit that "some seeds" were stolen, a week or two later, it will be a "significant number of seeds" and some more weeks later it will be "all seeds".
The real question is however this: Why the hell were the seeds accessible over the network? Are these people totally and utterly incompetent? Even the mere possibility of a seed database compromise over the net (and they have indirectly, but conclusively confirmed this, as it is the only part of the system that must remain secret) is proof of gross incompetence and mandates a move to a different vendor. Nothing RSA does henceforth can be trusted to be secure, as some important part of that company (my guess: management) does not get how security works.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
> RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.
Don't open email attachments on a Windows computer that is used to control your SecurID product ...
I mean, it's not like there are no known Linux exploits, but -- when you've got average users using windows for day-to-day work, it's just a matter of time....
Security by obscurity, but -- among other things -- the attacker would have to figure out that you're not using Windows.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
No, you can't.
What OS has never had remote exploits? iOS has had exactly one. And it was never turned into a malicious exploit. And it has long been patched. What other OS would you possibly label as being notably insecure for having had one remote exploit in five years, which has long since been patched? I assume this sort of scrutiny and aversion applies only to OSes from fruit-themed companies, since that's the only thing consistent on this topic around here.
After all, there have been multiple remote exploits for Android.
Just for the hell of it: if you can't be infected by something you can't run, the logical consequence would be to never run anything.
That's not the logical consequence. That's an absurd consequence. There's nothing inherent in my statement that suggests taking absurd measures. Security isn't binary. You cull the severe risks, and manage the lesser ones.
I did misinterpret your original reply, though. When you said you weren't being serious, I thought you were referring to your argument as a whole (which I got quite clearly, you were trying to dismiss my claim that iOS is more secure for not running Flash by pretending it must be taken to its most absurd extreme). You are correct that your absurd logic shouldn't be taken as serious, however that still leaves me wondering why make the statement in the first place?
But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and opening whatever attachment it comes with.)
Sure, because that worked out so well, didn't it? It's far too easy to accidentally or unwittingly run an attachment. Better to do away with something like Flash in the first place. It's of dubious value on something like a phone or a tablet. It's not like we're talking about eschewing an established, modern, popular OS for an archaic OS that no one uses or develops for. Just not using an optional web plug-in that is notorious for security issues.
Presently, Flash is highly irrelevant on mobile devices. Why take on the unnecessary risk?
Your tense is wrong. You *could* jailbreak it by going to a web page, but that is no longer possible. Now, you need to drop your device into DFU mode and jailbreak it via USB.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
ITT: node 3 getting trolled hard.
Err... how did parent get modded "offtopic"? It's precisely ON topic in terms of a reply; a vulnerability that allows a jailbreak is no less a vulnerability that allows an exploit. They're both an "own the system" gambit.
This isn't a remote exploit. It's a Flash file that was embedded in an Excel file that was emailed and opened on a local system.
You can hack an iPhone by visiting a webpage,
Not anymore.
Same is true of the Flash vuln -- it was patched by Adobe on March 21.