Was This the Phishing E-mail That Took Down RSA?
alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."
is one careless user. How many secretaries, finance weenies, inside sales or middle managers at RSA actually are part of that "most respected computer security" knowledge at the company? I'm guessing they have a lot of people who know nothing about security, much like every other company.
And as such, we need to start expecting people to have basic computer literacy skills so they do not fall prey to such schemes. How many thousands upon thousands of times does it have to happen before people learn?
Keep your systems separate. If you have important keys and they don't need to be on a network when they aren't in use, don't put them on a network. Don't give people more privileges than they need to do their jobs. That does have the secondary issue that if you go too far in that direction then people will try to get around your security measures and might open up holes in the process, and they won't take security as seriously. So you need to balance that. Also, never open attachments when you don't know who they are from. This is a really basic point that should be driven into people. And look at the extension of the file; if it looks suspicious, don't open it. These are basic points. It is embarrassing that RSA of all companies would apparently have such basic security problems. But it does help drive home a point: if they can be vulnerable to simple phishing and bad attachments, so can everyone.
Looking closer, Hirvonen found that the file seemed to match RSA's description in possibly every way.
I assumed this was a poorly translated phishing article and immediately closed my browser window and reinstalled Windows.
"Sacrifice for the good of The State" - The State
"That's a pretty embarrassing example for RSA," he said. "It tells you that in any reasonably sized company, including a security company, there's someone who will do something really dumb."
The world's second oldest profession has been exploiting that weakness forever. The key to information is not to compromise the leaders; you get in via the support staff. They're not thinking security. It's amazing what a simple phone call can net in terms of information, even if you are up front with what you are looking for and why you want it. The internet just makes it easier to reach them and provides new tools to extract information.
I'm a consultant - I convert gibberish into cash-flow.
IMO, the most cunning instance of social engineering leading to this break in was convincing a security company to use insecure software, like Excel, Windows, and Flash.
Have gnu, will travel.
End users aren't always that stupid, but some of them are, and the others can be distracted and not really pay attention and accidentally open something they otherwise wouldn't have. This is why it's vital to have automated spam and virus detection on the backend. A few weeks ago I noticed Exchange catching and cleaning up viruses that were coming from the computer of a manager of one of our client companies - the person in charge of the whole darn operation had managed to get her PC infected. Exchange caught the viruses before they were sent off to other PCs in the network, but we had to completely wipe down that person's computer to get rid of it for good. All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.
Occasionally living proof of the Ballmer peak.
How do you own someone with an XLS file nowadays?!
(I'm assuming, "How dangerous can it be? It's not an executable!" is exactly what the hapless employee who opened it was thinking too...)
MS is vulnerable because it's the biggest target out there. Android is now the biggest mobile target. As Apple gets a larger share, it will become a target as well. I dislike MS as much as anyone I know, but your statement is simply foolish. ALL systems can be compromised by stupid users. I say stupid and not ignorant. I have more than my fair share of stupid users and pushing them to Linux won't solve it. You can only solve it by building sandboxes around them.
http://xkcd.com/932/
Yes they should be using Google Docs instead especially on those backend machines.
I join F-Secure in asking, "why the heck does Excel support embedded Flash"?
So an anti-virus company, always on the lookout for free publicity, claims that it has come across what might have been the e-mail that took down RSA.
And this makes the news?
In case you hadn't noticed, the anti-virus companies will claim anything to get noticed these days.
Bullshit.
Apple was/is the largest mobile target if you include iPod Touches, > 200M devices running iOS. If not, it's a close second to Android.
Still has an order of magnitude fewer attacks than Android. So biggest target != most attacks. Least secure == most attacks.
There are two types of people in the world: Those who crave closure
Except no. If you've been following this story, it wasn't just defacing their website, the attackers got the crown jewels this time.
I am trolling
PEBKAC.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
You're smart enough to understand that some systems are designed better than others. Just because it isn't the biggest target doesn't mean it's secure only via obscurity.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
If you use a commodity OS inside your secure network, you will get hacked and you will get it knocked over.
If you have a high security network and run windows and office on it, it's not high security anymore.
You run apps and operating systems rated for the security that are tightened down. Only a moron would let someone edit a spreadsheet on a PC that is connected to the secure network. You flip to the insecure network machine for tasks like that. No connections between them other than the eyeballs and fingers of the user.
Do not look at laser with remaining good eye.
Nice one. Missed the point of course. The post was about MS. Specifically if you selected MS you were asking for problems. I was attempting (failed) to point out that if Apple had the same market share they would have lots of problems as well. NO system is secure. Ask RSA.
I would like to think I would never fall for something like this. But if this email had a return address of someone in the company? That would make it seem VERY legitimate. Of course, if I don't usually receive emails from that person, I might assume the email was misdirected and not open it. Maybe.
As far as my home email is concerned, the only reliable indicator I've found for phishing attempts is bad grammar and spelling. If these attackers get a good grasp of the English language, we're screwed.
Yes. You are correct. My point was the poster was saying that if one selects MS then they are asking for problems. I'm pretty sure that if Apple had 80+ market share there would be a lot of issues with them as well, despite the control they have over the OS and hardware and developers. Android has even less control than MS so I am certain it will be riddled with exploits.
No, I was invalidating your point which was largest == most hit. In actuality, it's most insecure == most hit.
MS is vulnerable because it's the biggest target out there.
While it's true that few people would try to exploit a system nobody uses, MS does its share of the effort to become insecure.
In this specific case, the first breach was done by a Flash program embedded in an Excel spreadsheet. We are going waaay back to all that DDE/COM/OLE/ActiveX thing that has been opening so many backdoors in Microsoft systems for the last decades. Broken by design.
While you are right it would probably help somewhat, it wouldn't defeat phishing attacks which usually rely on "social engineering" (i.e. making someone want to do the thing you want them to do). If you can put the right attack in front of the right user (one with sufficient rights and insufficient knowledge) then no amount of security in the OS will help.
Well, I won't argue that a large chunk of the holes we find in MS are found because they are the big target. That said, even if they weren't the holes would still be there. I'm just saying the two really aren't connected (in that fashion) despite the arguments people like to toss about claiming such.
You were attempting to invalidate my comment. Malicious code is written for an intended target. Android a year ago was more vulnerable than today, yet today it is hit more often. Why? What has changed? Its size.
The biggest questions left unanswered by all of this are:
1) Why doesn't RSA scan all incoming email and all attachments for malicious payloads?
2) Even if they do, why didn't said anti-virus, IDS, or IPS system they have in place identify this Poison.Ivy payload?
3) If their anti-virus detection measures failed to detect this (apparently) known exploit (Poison.Ivy from the Network World article), what product(s) are they using?
My hunch is that it isn't F-Secure, because the inference is that their products would have detected the problem and quarantined and stripped the email of the attachment before delivering it to recruiter Dum Bass in HR.
then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.
Because that is not a hypothesis but a logically inevitable consequence. Your logic is awesome.
you're an idiot.
Noooo, he's a professional. His job is to escalate and let the chips fall where they may, and in the unlikely chance of getting fired, he goes to get another job. Yeah, yeah, even in this bad economy, that's what you do.
Barring some strenuous condition (having a newborn baby or a shitload of medical bills), if someone doesn't escalate things when necessary due to fear of getting fired (an implication of a near complete lack of alternatives), one has to wonder what type of technical value, if any, such a person has to offer, considering that he surrenders his professional duties to that kind of unspoken, on-the-job blackmailing and/or ZOMG! phear of getting hopelessly unemployed.
That doesn't answer why iOS, with more total users, isn't hit more than Android.
Except that they hacked RSA. So the first panel would have to say that hackers took down the website of ZIA for the analogy to apply.
Can we also assume that the user had Admin privileges on the PC? Could the exploit have otherwise got control of the OS?
All you need to do is provide a hap to every employee on their first day of work. Then, later just have an annual hap screening to make sure everyone still has one. Haps can be expensive, but the cost of employees being hapless is much higher.
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
I am intrigued that RSA forwards their emails to a free virus scanning service. I should start my own service. Any company with highly sensitive information is welcome to send it all to me. Don't worry though: we have a posted privacy policy somewhere on our web site.
Ooh, even better idea! How about sending all your passwords to my free service too, and I'll let you know if any of them are insecure!
So far, today's include "ACH payment rejected" from 171.229.252.128 with a report_numbers.pdf.exe file, "Thank you from Google!" from 184.77.112.65 with a zip file, and "Fraud tax income" from 14.97.106.122 with another blah.pdf.exe file. I wish I had more time to load them up on an instrumented box and see what's up.
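A defender-side attachment screen for the patterns this thread keeps coming back to (double extensions like `report_numbers.pdf.exe`, executables tucked inside a zip, and a Flash object embedded in a legacy .xls), added here as an example; it is not code from the thread, from F-Secure or from RSA. The SWF-in-OLE byte scan is a heuristic assumption, and every sample input is constructed.

```python
import io
import zipfile

# Added example (not from the thread, F-Secure or RSA): a first-line mail
# gateway screen for double extensions, executables hidden in a zip, and a
# legacy .xls (OLE2 compound file) carrying an embedded Flash object.
# All sample bytes are constructed stand-ins, not real malware.

EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed / zlib / LZMA SWF headers

def is_executable(name: str) -> bool:
    return name.lower().rsplit(".", 1)[-1] in EXEC_EXT

def has_double_extension(name: str) -> bool:
    # "blah.pdf.exe": an executable wearing a document extension as disguise
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT

def has_embedded_swf(data: bytes) -> bool:
    # Heuristic (assumption): a Flash object embedded in an OLE2 file keeps
    # its SWF header in a stream, so the magic shows up in a raw byte scan.
    return data.startswith(OLE2_MAGIC) and any(m in data for m in SWF_MAGICS)

def screen_attachment(name: str, data: bytes) -> list:
    """Return the reasons to quarantine this attachment; empty means clean."""
    reasons = []
    if has_double_extension(name):
        reasons.append("double extension")
    elif is_executable(name):
        reasons.append("executable attachment")
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():  # look one level into the archive
                reasons += [f"{r} in zip: {member}"
                            for r in screen_attachment(member, zf.read(member))]
    if has_embedded_swf(data):
        reasons.append("embedded Flash object in Office file")
    return reasons

def _sample_zip() -> bytes:
    # Constructed archive hiding a double-extension "document"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ constructed stub")
    return buf.getvalue()

if __name__ == "__main__":
    for name, data in {"report_numbers.pdf.exe": b"MZ constructed stub",
                       "google_thanks.zip": _sample_zip(),
                       "forwarded_file.xls": OLE2_MAGIC + bytes(64) + b"CWS\x09",
                       "notes.txt": b"plain text"}.items():
        print(name, "->", screen_attachment(name, data) or "clean")
```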
Every New Hire Pack should have the following to be given to the New Hire
1 a current employee handbook (in a readable language)
2 a Hap
3 a Round Tuit
4 a Clue
5 whatever else is normally provided
6 that stack of paperwork that various departments need for a New Hire
Any person using FTFY or editing my postings agrees to a US$50.00 charge
And, then running away? Now - above ALL else?? Well... I may post as AC, but we all see who the TRULY "anonymous COWARDS" are around here, in yourself (whoever downmodded my post without technically justifying WHY & on valid factual & undeniable grounds in computing, not some other off topic trolling crap!)
The type that hit & run downmods + runs from saying why and on what TECHNICAL GROUNDS (because anything else, is pure 100% OFF-TOPIC Bullshit, period) is ruining slashdot... yes, I had to say it, & I am NOT alone in it either!
In fact yesterday's post on Mr. Malda Resigning here had several postings saying "SLASHDOT IS DYING" & one even had some substance behind it...
I.E./E.G.-> Evidences, in citing attendance drops around here, & your "kind/ilk" (cowardly little trolls of all types) is most likely why.
APK
P.S.=> The type that does that, alongside ad hominem attacks & other forms of effete "not men" type trolling (such as being wannabe human spellcheckers OR illusions of being professional writing critics etc./ et al on your parts)?
Face it, because we ALL know this much:
You KNOW you can't stand up to me on technical grounds on this account, or really, ANY other in posts I am involved in... that's for nearly 7 yrs. now straight here too - show me once where "your kind" has "gotten the best of me" on technical grounds (or really any others)... you can't!
Too many of "your kind" since 2005 have tried only to end up with egg on your faces every time, eating your own trolling off topic illogical forums "illogic-logic" style ad hominem attacks flavored with the "bitter taste of YOUR OWN defeat" to wash it down as you *drink-it-in-&-digest-it*, as I wiped the floor with your type here in technical debates!
Thus - so all you have left, are these effete hit & run downmods...
Fact is - this tells us all how you've lived your lives in fact - you're the kind of dweeb who did the jocks' homework while being made to WATCH as your g/f gave them a "good time" in front of you (assuming any girl would even go NEAR a cowardly weasel like your kind, because you're MORE WOMEN THAN WOMEN ARE)... period!
... apk
I DO fault RSA for not compartmentalizing their security. A compromise of a user desktop should be expected. The fact that this foothold let someone get to the token seeds suggests some serious design and procedural negligence on RSA's part. The damage should have been limited to some emails getting leaked, not a compromise of their most vital secrets.
Do not forget port 443 and the other SSL doors. Most of those new exploit/connect-back trojans take advantage of those doors, which are generally opened without restrictions.
MS Office and similar has taught far too many people to circulate stuff in an unfinished editable format when it should be a finished read-only document. If you are not collaborating on something, it makes no sense at all to get the documents in an editable format. How can you trust somebody not to alter a contract if you send it in MS Word format? On the other side we have things like in the article to show that you can't trust received documents of this sort from an unknown source.
It was an exaggeration; there are text editors for VMS that haven't required a bug fix in decades. There is almost no chance that between its maturity and simplicity that it still has security holes. However, his point is that it's not a black and white problem of executable or not executable. Writing a secure text editor is easier than writing a secure word processor; media codecs are not parsing executable files by intent, but there have been holes in them anyway. It's a continuum of increasing complexity and decreasing security from text editors to mp3 players, to sandboxed javascript, to piping turing complete languages off the internet directly into your kernel space (webGL). The simple knee-jerk against scripting is misguided both in the sense that the value of adding scripting can in some situations outweigh the risks, and in the sense that a format that isn't intended to have executable content can still be an avenue of attack.
refactor the law, its bloated, confusing and unmaintainable.
There are spreadsheets that contain data that the company needs to be kept secure. If the argument is that they should be in gnumeric or open office that's one thing, but even they have scripting languages in them. Furthermore there is source that needs to be written and compiled and tested in secure environments. Simply denying the user all access to executable languages is not an option for some secure systems. Even denying physical access is probably not possible in some test labs. What fits for NORAD doesn't fit for everyone. No easy answers just lots of diligence and mistakes and hard lessons.
I used to work for one of the world's leading sporting goods companies. We had contractors onsite with the same network/desktop configuration and access as full time employees. At least one of these outsourced but in-house contractors was stupid enough to fall for pretty much any phishing/fake anti-virus/whatever scheme you can come up with. I have no doubt that any company in the US (what does that mean any more, anyway?) could be compromised given enough persistence and relentless effort to find THAT GUY.
Because the network in RSA/EMC was so flat, an email to HR was able to penetrate parts of the network only engineers really needed access to. And of course now the network is locked up so freakin' tight the engineers have trouble doing any work at all, yet HR still has access to excel, flash and every other security hole on their machines.