Slashdot Mirror


RSA Says SecurID Hack Based On Phishing With Flash 0-Day

Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."

29 of 153 comments

  1. And ActiveX by EnigmaticSource · · Score: 4, Insightful

    Or OCX (OLE, etc) lets another wolf into the flock. Embed by default is broken, and, well, terrifying.

    --
    The Geek in Black
    I know my BCD's (when I'm Sober)
    1. Re:And ActiveX by LO0G · · Score: 3, Informative

      Ok, this gets on my nerves. ActiveX is a plugin framework. It is *exactly* the same as Mozilla's XPCOM. Both XPCOM and ActiveX carry the exact same set of vulnerabilities. There are only two differences between ActiveX controls and NPAPI plugins:
      1) NPAPI plugins are typically only hosted on mozilla.com. ActiveX controls can be hosted on any site.
      2) ActiveX controls are required to be digitally signed. NPAPI plugins aren't.

      The Wikipedia page on NPAPI does a good job of describing the similarities.

      So don't blame ActiveX - blame the plugins. This attack could have been mounted against Firefox (after all it used a *Flash* vulnerability and last I heard, Flash was available for Firefox).

  2. Thanks again ADOBE by Anonymous Coward · · Score: 3, Insightful

    .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

    Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

    1. Re:Thanks again ADOBE by gnasher719 · · Score: 4, Insightful

      Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

      100 million iPhone users and 20 million iPad users disagree.

    2. Re:Thanks again ADOBE by trifish · · Score: 5, Insightful

      .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

      Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

      You're kidding right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being the kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the surprise here) -- drumrolls -- Linux has 0-day exploits too.

    3. Re:Thanks again ADOBE by limaxray · · Score: 4, Insightful

      I think the difference is that we hear about 0-day exploits in Adobe software on a much more regular basis than in Linux or its associated software stack. It feels like Adobe announces another PDF or Flash vulnerability every month and that they have a complete disregard for secure practices.

      Combined with the fact that they still don't have a stable 64-bit release of Flash for any OS makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.

      Oh, and in the Linux world, we use tools like SELinux or AppArmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.

  3. Wait wait hold up by atari2600a · · Score: 5, Interesting

    You can embed flash in excel files!? WHY WOULD YOU DO THAT

    1. Re:Wait wait hold up by Joce640k · · Score: 5, Funny

      You don't put background music in the spreadsheets you email to people? Weird. Numbers are so boring without some Slipknot playing.

      --
      No sig today...
    2. Re:Wait wait hold up by cigawoot · · Score: 2

      Excel Embeds: Turning Excel files into MySpace pages one sheet at a time.

    3. Re:Wait wait hold up by Undead+Waffle · · Score: 2

      Well I've seen it used for flash games whose websites are normally blocked...

  4. Simple question: securid seeds? by rtfa-troll · · Score: 5, Interesting
    Dear RSA; speaking as a customer; we need a simple answer to the question:

    has the securid seeds database been compromised?

    anything else you announce is fluff.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    1. Re:Simple question: securid seeds? by 93+Escort+Wagon · · Score: 5, Informative

      Dear RSA; speaking as a customer; we need a simple answer to the question:

      has the securid seeds database been compromised?

      anything else you announce is fluff.

      We use a LOT of SecurID tokens at our university, and the group that manages them has been way too quiet since this happened. But today they sent an email out - no mention of the RSA breach, just that they have decided to "retire the SecurID tokens early to save money" and are replacing them with a different product.

      So I'm guessing they think the seeds database has been compromised.

      --
      #DeleteChrome
    2. Re:Simple question: securid seeds? by rtfa-troll · · Score: 2

      Yes; fun fun fun. It's good the way they let a mafia of MSCE certified IT administrators pretend they didn't screw up by choosing SecurID and letting them keep the seed info whilst their real customers, the people who have their systems and data secured with SecurID, don't know squat about what's going on.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Simple question: securid seeds? by rtfa-troll · · Score: 5, Interesting

      And just to amplify this with a bit of Wikipedia manipulation; have a look at this edit which comes from 128-221-197-57.emc.com, where EMC is RSA's parent company, which I found from this article which also includes an RSA letter which they are supposedly sending out to customers.

      Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:Simple question: securid seeds? by wkk2 · · Score: 2

      I think the real question is why doesn't the customer initialize the token. There are lots of interface options to initialize a small token: I2C, USB, even IR.

    5. Re:Simple question: securid seeds? by hey! · · Score: 3, Insightful

      Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.

      This is going to cost RSA a lot more than sales of its SecurID product. People buy this product, not because they have analyzed the system and decided it is architecturally secure; they bought it because they trusted RSA. RSA was founded by the most illustrious minds in the field. I was looking at some RSA job postings recently, and they don't appear to hire anybody who doesn't have a PhD. RSA is supposed to be the company that knows how to do things right. That means they knowingly produced a system that violated stuff you learn in Chapter 1 of a basic crypto text, and then induced customers to rely on that system for security.

      RSA reputation, meet porcelain bowl.

      I want to be clear I'm not criticizing RSA for the security breach. I'm criticizing them for inducing customers to rely on a system that becomes irreparably untrustworthy after a single event that was bound to happen sooner or later.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:Simple question: securid seeds? by jd · · Score: 2

      The first of the removed paragraphs could be considered "original research" (banned on Wikipedia). I'm of the opinion that linear deductions are not research, but automatically follow. However, I've had a few entries edited out as "original research" myself and know that Wikipedia takes the rule extremely seriously even if it is to the point of absurdity.

      The rest of the paragraphs are more inflammatory/op-ed and don't belong in an encyclopedia setting. They may be technically correct (only RSA knows) but they are most certainly not neutral POV and not useful in understanding the event.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Sounds like my girlfriend by houghi · · Score: 3, Funny

    "BIATCH confirmed on Friday that the attack that compromised her high-value NoPrego product was essentially a small, targeted phushing campaign that included a payload of a malicious Flesh object embedded in a broken Trojan."

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Sounds like my girlfriend by burni2 · · Score: 2

      Good Lord, do you mean she is pregnant !? You should buy better condoms, so the Trojan doesn't break.

      btw. she is ;)

  6. Re:And I think to myself... by antifoidulus · · Score: 4, Insightful

    Um, not opening Excel or Flash files on computers that access the database would be a start. Furthermore sandboxing, and lots of it. Not running the most insecure OS on the planet would help too. The people at RSA really should have known better.

  7. Re:And then people wonder by node+3 · · Score: 3, Insightful

    Why jobs doesn't want that POS on Iphones or Ipads!

    Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.

    How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

    The only thing you got correct in your post is that this was a phishing attack.

  8. Re:And I think to myself... by Scott+Scott · · Score: 2

    Don't open anything flagged as spam until you've read the full headers?
    Don't use Excel as your first option when reading e-mail attachments?
    Run off of a read-only file system?
    Convert every excel file to CSV before opening?
    View using Google Docs or one of its clones? (Not that I advocate using Google's tools in general...)
    Open nonessentials on a different computer with restrictive security settings? Don't use Windows?

    The possibilities are endless.

    Realistically, it's not possible to stop an attacker who's willing to invest serious time and approach in a smart manner. It is, however, possible to avoid being the person in the organization who lets them in. Someone will fall for it, given enough time and a large enough company, and once they have access they won't be interested in tricking you anymore.
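The "look before you open" items in the list above can be partly automated. The following Python scanner is an added example, not code from Slashdot or from any commenter: it classifies an Office attachment and lists the package parts that carry embedded OLE or ActiveX objects, flagging OLE2 and Flash signatures inside them. The workbook it scans is constructed inside the script. The scanner covers only the zip-based OOXML container; a legacy binary .xls is itself an OLE2 compound file, so it is only classified here, not parsed (a library such as oletools would be needed for that). Part paths, content types and file signatures are the standard ones; everything else is made up for the example.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header (also legacy .xls/.doc)
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")              # uncompressed / zlib / LZMA Flash headers
# Package locations where Office keeps embedded objects and ActiveX controls.
EMBED_PREFIXES = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/",
                  "xl/activeX/", "word/activeX/", "ppt/activeX/")
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"

# Constructed [Content_Types].xml for a minimal workbook; %s is replaced below.
CONTENT_TYPES_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'%s'
    b'<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    b'</Types>'
)
OLE_DEFAULT = b'<Default Extension="bin" ContentType="' + OLE_CONTENT_TYPE.encode() + b'"/>'


def build_sample_xlsx(with_embedding: bool) -> bytes:
    """Constructed minimal OOXML workbook, optionally with an OLE-wrapped SWF-like blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    CONTENT_TYPES_XML % (OLE_DEFAULT if with_embedding else b""))
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_embedding:
            # Constructed blob: OLE2 header, filler, then a Flash signature where the
            # SWF stream of a real embedded object would sit. Not a real object.
            zf.writestr("xl/embeddings/oleObject1.bin",
                        OLE2_MAGIC + b"\0" * 504 + b"FWS\x0a" + b"\0" * 32)
    return buf.getvalue()


def scan_attachment(data: bytes) -> dict:
    """Classify an Office attachment and list parts that carry embedded objects.

    Returns {"format": ..., "findings": [...]}. An empty findings list for an
    "ooxml" file means no embedded object or ActiveX part was seen.
    """
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .xls/.doc: a compound file, not a zip. Enumerating its streams
        # needs an OLE2 parser (e.g. oletools), which this example does not include.
        return {"format": "ole2-compound",
                "findings": ["legacy binary container: needs OLE2 stream parsing"]}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"format": "unknown", "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if OLE_CONTENT_TYPE in ctypes:
            findings.append("[Content_Types].xml: declares an oleObject content type")
        for name in zf.namelist():
            if not name.startswith(EMBED_PREFIXES):
                continue
            blob = zf.read(name)
            reasons = []
            if blob.startswith(OLE2_MAGIC):
                reasons.append("OLE2 container")
            for magic in SWF_MAGICS:
                # Coarse indicator: a 3-byte signature can occur by chance in other data.
                if magic in blob:
                    reasons.append("Flash (%s) signature inside" % magic.decode())
            findings.append("%s: %s" % (name, ", ".join(reasons) or "embedded part"))
    return {"format": "ooxml", "findings": findings}


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_xlsx(False)),
                          ("with embedding", build_sample_xlsx(True)),
                          ("legacy xls-like", OLE2_MAGIC + b"\0" * 64)):
        print(label, scan_attachment(sample))
```

A mail gateway or endpoint script would call `scan_attachment` on each Office attachment and quarantine anything whose findings are non-empty, or whose format is `ole2-compound`, for a fuller inspection; the constructed workbook with the embedding is reported twice, once from the content-types manifest and once from the embedded part itself.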

  9. Re:And I think to myself... by maxwell+demon · · Score: 2

    Not running the most insecure OS on the planet would help too.

    Usually, as an employee, you cannot decide that.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  10. Re:And I think to myself... by Anonymous Coward · · Score: 4, Funny

    Not running the most insecure OS on the planet would help too.

    Where in the article do they say that OSX is being used?

  11. Re:And I think to myself... by Anonymous Coward · · Score: 2, Interesting

    They haven't stated how the hackers progressed from the low value employee workstations to higher value systems...

    Although this is just a guess, based on my experience of other organisations they typically use active directory to manage everything from low level employee workstations, to high value servers... Elevating yourself from a low value workstation to domain admin using tools such as incognito, lsadump or hash passing is relatively easy and from there you have a very good chance of getting access to crucial systems...
    Even in companies which try to separate critical functions away from general office stuff (which I would assume RSA did) if you take over the sysadmin workstations (which usually are linked to the active directory domain) then you can start keylogging or hijacking their existing sessions and getting into other stuff. Some companies also have central databases containing passwords protected by something as weak as active directory!

  12. Re:And then people wonder by andrea.sartori · · Score: 2

    Including not being vulnerable to Flash exploits?
    Not being able to run something is a curious criterion for invulnerability.
    If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.

    --
    Mostly harmless.
  13. Re:And I think to myself... by Rich0 · · Score: 3, Insightful

    Corporate IT security is like a slot machine that costs 25 cents to play, with a payout schedule that pays $1 on average, but one out of every 1M pulls you lose $10M.

    The IT manager who ultra-secures their systems gets tons of complaints, and the company becomes less nimble than their competition who don't bother to secure (there is a real cost when you make it harder for your employees to communicate and work together).

    So, if you're an IT manager who promotes strong security you quickly lose your job to somebody who doesn't.

    Then every once in a while one of these insecure managers pulls the lever and loses the company a lot of money. The manager is blamed for lax security and fired. The replacement will start out being more secure, and once the spotlight is off they'll go back to doing exactly what their predecessor did, and they'll get bonuses because there isn't a repeat of the huge loss and things are just as efficient as before. That must mean he is doing his job right, right?

    I've been finding that successful executives these days really are just lucky. They enact risky policies that have short term gains, pocket bonuses from these gains, and try to move on before it comes back to hurt them. Many get terminated, but those who don't shoot way up the ladder. What passes for due diligence at the CxO level isn't about preventing problems, but instead punishing whoever was left standing without a chair when the music stopped.

  14. Ditto by Kludge · · Score: 3, Interesting

    At my work we used to use the RSA token and a 4-number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
    Now we have to use our RSA token and an 8-letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
    They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.
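The observation above, together with hey!'s point earlier in the thread that the whole scheme rests on a secret baked into the product, can be made concrete with a small model. The following Python script is an added example, not RSA's code or anything from the thread: it uses an HMAC-based one-time code (the RFC 4226 truncation) as a stand-in for the token output, since the real SecurID algorithm is proprietary and not shown; it models a server account with PIN, code and lockout; and it computes the chance that an online guesser gets in before lockout, with and without the seed in the attacker's hands. The seed and PINs are constructed; the policies plugged in are the two the post describes, read as a 4-digit PIN with 5 attempts versus an 8-character letter/number PIN with 3 attempts, assuming uniformly chosen PINs (real user-chosen PINs are weaker than uniform, so these are optimistic figures).

```python
import hashlib
import hmac
import struct


def otp_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code with RFC 4226 dynamic truncation.

    Stand-in for the token's display value; this is NOT RSA's proprietary algorithm.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def pin_hash(pin: str) -> str:
    """Hashed PIN as the server would store it (plain SHA-256 for the example only)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def verify(seed: bytes, counter: int, stored_pin_hash: str, pin: str, code: str) -> bool:
    """Server-side check: both the PIN and the code must match (constant-time compares)."""
    pin_ok = hmac.compare_digest(pin_hash(pin), stored_pin_hash)
    code_ok = hmac.compare_digest(otp_code(seed, counter), code)
    return pin_ok and code_ok


class Account:
    """Account with a failed-attempt counter and lockout, as the post describes."""

    def __init__(self, seed: bytes, pin: str, max_failures: int):
        self.seed = seed
        self.stored_pin_hash = pin_hash(pin)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, counter: int, pin: str, code: str) -> bool:
        if self.locked:
            return False
        ok = verify(self.seed, counter, self.stored_pin_hash, pin, code)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return ok


def lucky_login_probability(pin_alphabet: int, pin_length: int, max_failures: int,
                            seed_compromised: bool, code_digits: int = 6) -> float:
    """Chance an online guesser succeeds within one lockout budget, for a uniform PIN.

    With the seed compromised the attacker computes the code and only the PIN is
    left to guess; otherwise the PIN and the code must both be guessed together.
    """
    keyspace = pin_alphabet ** pin_length
    if not seed_compromised:
        keyspace *= 10 ** code_digits
    return min(1.0, max_failures / keyspace)


if __name__ == "__main__":
    seed = b"constructed-seed-not-a-real-one"
    acct = Account(seed, "1234", max_failures=5)
    print("legit login:", acct.login(1, "1234", otp_code(seed, 1)))
    # Old policy: 4-digit PIN, 5 attempts.  New policy: 8 letters/digits, 3 attempts.
    for label, alphabet, length, attempts in (("old policy", 10, 4, 5),
                                              ("new policy", 36, 8, 3)):
        for compromised in (False, True):
            p = lucky_login_probability(alphabet, length, attempts, compromised)
            print("%s, seed compromised=%s: %.3g" % (label, compromised, p))
```

With the seed secret, both policies leave a guesser far below one in a billion per lockout window; with the seed compromised, the old policy drops to one in 2,000 while the new one stays around one in 10^12, which is exactly the shift in reliance from token output to PIN that the post notices. Rotating tokens (new seeds) restores the second factor; tightening the PIN policy only makes the remaining single factor harder to guess.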

  15. THIS one barely counts as social engineering by Sloppy · · Score: 4, Insightful

    The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS Excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

    RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.