RSA Says SecurID Hack Based On Phishing With Flash 0-Day

Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."

12 of 153 comments

  1. And ActiveX by EnigmaticSource · · Score: 4, Insightful

    Or OCX (OLE, etc.) lets another wolf into the flock. Embed-by-default is broken, and, well, terrifying.

    --
    The Geek in Black
    I know my BCD's (when I'm Sober)
  2. Wait wait hold up by atari2600a · · Score: 5, Interesting

    You can embed flash in excel files!? WHY WOULD YOU DO THAT

    1. Re:Wait wait hold up by Joce640k · · Score: 5, Funny

      You don't put background music in the spreadsheets you email to people? Weird. Numbers are so boring without some Slipknot playing.

      --
      No sig today...
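The summary and the exchange above describe the delivery vehicle: a Flash (SWF) object embedded in an Excel file. As an added example, not from the article, from RSA, or from any commenter, the following Python script is a defender's triage check that looks for embedded SWF headers inside an office document. It scans the raw bytes of a legacy OLE2 (.xls) container and, for an OOXML (.xlsx) zip container, each member, applying the SWF header sanity checks (FWS/CWS/ZWS signature, a plausible version byte, a plausible length field) so that ordinary text containing "FWS" does not trigger. The two sample documents are constructed inline and only mimic the containers' magic bytes; the member path, the version and length thresholds, and the report field names are assumptions of this example.

```python
import io
import struct
import zipfile

# Real container signatures.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .xlsx/.docx container

# SWF header: 3-byte signature, 1-byte Flash version, 4-byte little-endian length.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_PLAUSIBLE_VERSION = 50   # assumption: Flash Player versions stayed well below this
MIN_SWF_LENGTH = 21          # assumption: header plus minimal frame info; smaller is noise


def scan_bytes(data, source="<bytes>"):
    """Return every plausible SWF header found anywhere in `data`."""
    hits = []
    for magic, compression in SWF_SIGNATURES.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            header = data[off:off + 8]
            if len(header) < 8:
                continue
            version = header[3]
            length = struct.unpack("<I", header[4:8])[0]
            # Reject text that merely happens to contain the three signature letters.
            if not 1 <= version <= MAX_PLAUSIBLE_VERSION or length < MIN_SWF_LENGTH:
                continue
            # For an uncompressed SWF the length field is the whole file size,
            # so it cannot exceed the bytes that remain in the container.
            if compression == "none" and length > len(data) - off:
                continue
            hits.append({"source": source, "offset": off, "compression": compression,
                         "version": version, "length": length})
    return sorted(hits, key=lambda h: (h["source"], h["offset"]))


def scan_document(data):
    """Classify the container and scan it (or each zip member) for SWF headers."""
    if data.startswith(ZIP_MAGIC):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits.extend(scan_bytes(zf.read(name), name))
        return {"container": "ooxml-zip", "hits": hits}
    container = "ole2" if data.startswith(OLE2_MAGIC) else "unknown"
    return {"container": container, "hits": scan_bytes(data)}


def build_sample_xls():
    """Constructed stand-in for a legacy .xls: OLE2 magic, filler, one embedded
    uncompressed SWF header, and a text decoy ("FWS Reports") that must not match."""
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56   # 64 bytes total
    return OLE2_MAGIC + b"\x00" * 100 + b"Sheet1" + swf + b"FWS Reports" + b"\x00" * 20


def build_sample_xlsx():
    """Constructed stand-in for an .xlsx: a zip with a workbook part and an
    embedding part (assumed path) carrying a zlib-compressed SWF header."""
    swf = b"CWS" + bytes([9]) + struct.pack("<I", 5000) + b"x\x9c" + b"\x00" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("sample.xls", build_sample_xls()), ("sample.xlsx", build_sample_xlsx())):
        report = scan_document(doc)
        print(name, report["container"], "embedded SWF headers:", len(report["hits"]))
        for hit in report["hits"]:
            print("  ", hit)
```

Run it as a script to see both constructed samples flagged; for a real mailbox or file share you would feed it the bytes of each incoming attachment and treat any hit as a reason to quarantine the file for analysis rather than deliver it. The uncompressed-length check matters: a signature alone matches ordinary prose, while the length and version constraints cut the false positives to almost nothing.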
  3. Simple question: securid seeds? by rtfa-troll · · Score: 5, Interesting
    Dear RSA, speaking as a customer, we need a simple answer to the question:

    Has the SecurID seed database been compromised?

    Anything else you announce is fluff.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    1. Re:Simple question: securid seeds? by 93+Escort+Wagon · · Score: 5, Informative

      Dear RSA, speaking as a customer, we need a simple answer to the question:

      Has the SecurID seed database been compromised?

      Anything else you announce is fluff.

      We use a LOT of SecurID tokens at our university, and the group that manages them has been way too quiet since this happened. But today they sent an email out - no mention of the RSA breach, just that they have decided to "retire the SecurID tokens early to save money" and are replacing them with a different product.

      So I'm guessing they think the seeds database has been compromised.

      --
      #DeleteChrome
    2. Re:Simple question: securid seeds? by rtfa-troll · · Score: 5, Interesting

      And just to amplify this with a bit of Wikipedia manipulation: have a look at this edit, which comes from 128-221-197-57.emc.com (EMC is RSA's parent company), which I found via this article, which also includes an RSA letter that they are supposedly sending out to customers.

      Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  4. Re:And I think to myself... by antifoidulus · · Score: 4, Insightful

    Um, not opening Excel or Flash files on computers that access the database would be a start. Furthermore, sandboxing, and lots of it. Not running the most insecure OS on the planet would help too. The people at RSA really should have known better.

  5. Re:And I think to myself... by Anonymous Coward · · Score: 4, Funny

    Not running the most insecure OS on the planet would help too.

    Where in the article do they say that OS X is being used?

  6. Re:Thanks again ADOBE by gnasher719 · · Score: 4, Insightful

    Sad part is trying to live without Flush [sic] and MS is darned near impossible.

    100 million iPhone users and 20 million iPad users disagree.

  7. Re:Thanks again ADOBE by trifish · · Score: 5, Insightful

    .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to Microsoft for their mega-secure OLE, etc., etc.

    Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE, is PDF... They should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

    You're kidding, right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being one kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the surprise here) -- drumroll -- Linux has 0-day exploits too.

  8. THIS one barely counts as social engineering by Sloppy · · Score: 4, Insightful

    The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS Excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

    RSA's blog about this is sickening. They act like this is a new type of attack, comparing it to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this is that this is the first time it ever happened to RSA themselves (that they know of).

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  9. Re:Thanks again ADOBE by limaxray · · Score: 4, Insightful

    I think the difference is that we hear about 0-day exploits in Adobe software on a much more regular basis than in Linux or its associated software stack. It feels like Adobe announces another PDF or Flash vulnerability every month and that they have a complete disregard for secure practices.

    That, combined with the fact that they still don't have a stable 64-bit release of Flash for any OS, makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.

    Oh, and in the Linux world, we use tools like SELinux or AppArmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.