Was This the Phishing E-mail That Took Down RSA?
alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."
is one careless user. How many secretaries, finance weenies, inside sales or middle managers at RSA actually are part of that "most respected computer security" knowledge at the company? I'm guessing they have a lot of people who know nothing about security, much like every other company.
Keep your systems separate. If you have important keys and they don't need to be on a network when they aren't in use, don't put them on a network. Don't give people more privileges than they need to do their jobs. That does have the secondary issue that if you go too far in that direction then people will try to get around your security measures and might open up holes in the process, and they won't take security as seriously. So you need to balance that. Also, never open up attachments that you don't know who they are from. This is a really basic point that should be driven into people. And look at the extension of the file, if it looks suspicious don't open it. These are basic points. It is embarrassing that RSA of all companies would apparently have such basic security problems. But it does help drive home a point: if they can be vulnerable to simple phishing and bad attachments so can everyone.
Looking closer, Hirvonen found that the file seemed to match RSA's description in possibly every way.
I assumed this was a poorly translated phishing article and immediately closed my browser window and reinstalled Windows.
"Sacrifice for the good of The State" - The State
"That's a pretty embarrassing example for RSA," he said. "It tells you that in any reasonably sized company, including a security company, there's someone who will do something really dumb."
The world's second oldest profession has been exploiting that weakness forever. The key to information is not to compromise the leaders; you get in via the support staff. They're not thinking security. It's amazing what a simple phone call can net in terms of information, even if you are up front with what you are looking for and why you want it. The internet just makes it easier to reach them and provides new tools to extract information.
I'm a consultant - I convert gibberish into cash-flow.
I dunno. How many people still leave their doors unlocked, drive home drunk, text and drive, say something stupid to the wrong person, vote for Republicans (haha, yeah I said it, deal with it), and etc etc.
Shit is not going to stop, so all we can do is react and repair. However, when someone has a specific amount of access, perhaps a security policy and/or security training/certificate are required which would include legal or financial punishment to their lax attention.
Well, some people need to be burned a few times before learning. And there's new schemes every day. Multiplied by the planet's population.
A couple centillion times should do it.
IMO, the most cunning instance of social engineering leading to this break in was convincing a security company to use insecure software, like Excel, Windows, and Flash.
Have gnu, will travel.
End users aren't always that stupid, but some of them are, and the others can be distracted and not really pay attention and accidentally open something they otherwise wouldn't have. This is why it's vital to have automated spam and virus detection on the backend. A few weeks ago I noticed Exchange catching and cleaning up viruses that were coming from the computer of a manager of one of our client companies - the person in charge of the whole darn operation had managed to get her PC infected. Exchange caught the viruses before they were sent off to other PCs in the network, but we had to completely wipe down that person's computer to get rid of it for good. All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.
Occasionally living proof of the Ballmer peak.
How do you own someone with an XLS file nowadays?!
(I'm assuming, "How dangerous can it be? It's not an executable!" is exactly what the hapless employee who opened it was thinking too...)
MS is vulnerable because it's the biggest target out there. Android is now the biggest mobile target. As Apple gets a larger share, it will become a target as well. I dislike MS as much as anyone I know, but your statement is simply foolish. ALL systems can be compromised by stupid users. I say stupid and not ignorant. I have more than my fair share of stupid users and pushing them to Linux won't solve it. You can only solve it by building sandboxes around them.
Or we can start expecting the people who have chosen to specialize their careers in preventing this type of thing, to ensure that a spreadsheet cannot exploit a bug in animation software to gain root access to the entire network.
Cost accounting may prevent either solution from being possible, who knows.
I join F-Secure in asking, "why the heck does Excel support embedded Flash"?
So an anti-virus company, always on the lookout for free publicity, claims that it has come across what might have been the e-mail that took down the RSA.
And this makes the news?
In case you hadn't noticed, the anti-virus companies will claim anything to get noticed these days.
Bullshit.
Apple was/is the largest mobile target if you include iPod Touches, > 200M devices running iOS. If not, it's a close second to Android.
Still has an order of magnitude fewer attacks than Android. So biggest target != most attacks. Least secure == most attacks.
There are two types of people in the world: Those who crave closure
Except no. If you've been following this story, it wasn't just defacing their website, the attackers got the crown jewels this time.
I am trolling
PEBKAC.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
You're smart enough to understand that some systems are designed better than others. Just because it isn't the biggest target doesn't mean it's secure only via obscurity.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
If you use a commodity OS inside your secure network, you will get hacked and you will get it knocked over.
If you have a high security network and run windows and office on it, it's not high security anymore.
You run apps and operating systems rated for that security and tightened down. Only a moron would let someone edit a spreadsheet on a PC that is connected to the secure network. You flip to the insecure network machine for tasks like that. No connections between them other than the eyeballs and fingers of the user.
Do not look at laser with remaining good eye.
Nice one. Missed the point of course. The post was about MS. Specifically if you selected MS you were asking for problems. I was attempting (failed) to point out that if Apple had the same market share they would have lots of problems as well. NO system is secure. Ask RSA.
Yes. You are correct. My point was the poster was saying that if one selects MS then they are asking for problems. I'm pretty sure that if Apple had 80+ market share there would be a lot of issues with them as well, despite the control they have over the OS and hardware and developers. Android has even less control than MS so I am certain it will be riddled with exploits.
No, I was invalidating your point which was largest == most hit. In actuality, it's most insecure == most hit.
MS is vulnerable because it's the biggest target out there.
While it's true that few people would try to exploit a system nobody uses, MS does its share of the effort to become insecure.
In this specific case, the first breach was done by a Flash program embedded in an Excel spreadsheet. We are going waaay back to all that DDE/COM/OLE/ActiveX thing that has been opening so many backdoors in Microsoft systems for the last decades. Broken by design.
While you are right it would probably help somewhat, it wouldn't defeat phishing attacks which usually rely on "social engineering" (i.e. making someone want to do the thing you want them to do). If you can put the right attack in front of the right user (one with sufficient rights and insufficient knowledge) then no amount of security in the OS will help.
Well, I won't argue that a large chunk of the holes we find in MS are found because they are the big target. That said, even if they weren't the holes would still be there. I'm just saying the two really aren't connected (in that fashion) despite the arguments people like to toss about claiming such.
You were attempting to invalidate my comment. Malicious code is written for an intended target. Android a year ago was more vulnerable than today, yet today it is hit more often. Why? What has changed? Its size.
And as such, we need to start expecting people to have basic computer literacy skills so they do not fall prey to such schemes. How many thousands upon thousands of times does it have to happen before people learn?
Hear, Hear! I can't tell you how many secretaries and mailroom minions I've had to fire because they couldn't detect zero-day vulnerability exploits!
then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.
Because that is not a hypothesis but a logically inevitable consequence. Your logic is awesome.
you're an idiot.
Noooo, he's a professional. His job is to escalate and let the chips fall where they may, and in the unlikely chance of getting fired, he goes to get another job. Yeah, yeah, even in this bad economy, that's what you do.
Barring some strenuous condition (having a newborn baby or a shitload of medical bills), if someone doesn't escalate things when necessary due to fear of getting fired (an implication of a near complete lack of alternatives), one has to wonder what type of technical value, if any, such a person has to offer, considering that he surrenders his professional duties to that kind of unspoken, on-the-job blackmailing and/or ZOMG! phear of getting hopelessly unemployed.
That doesn't answer why iOS, with more total users, isn't hit more than Android.
Except that they hacked RSA. So the first panel would have to say that hackers took down the website of ZIA for the analogy to apply.
Can we also assume that the user had Admin privileges on the PC? Could the exploit have otherwise got control of the OS?
Or companies need to start implementing defence in depth strategies, rather than concentrating purely on border security.
Virtually every network I've seen has been based around the idea of a firewall separating it from the outside and virtually no security inside the network, or relying entirely on something like Active Directory access controls and not for a second considering how easy it is to subvert the whole thing.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If your mail admin (or outsourced mail provider) allows inbound messages that are spoofing your company's domain(s), they are worthless and have no business running your mail system.
grep -iw skynet
All you need to do is provide a hap to every employee on their first day of work. Then, later just have an annual hap screening to make sure everyone still has one. Haps can be expensive, but the cost of employees being hapless is much higher.
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
I am intrigued that RSA forwards their emails to a free virus scanning service. I should start my own service. Any company with highly sensitive information is welcome to send it all to me. Don't worry though: we have a posted privacy policy somewhere on our web site.
Ooh, even better idea! How about sending all your passwords to my free service too, and I'll let you know if any of them are insecure!
Every New Hire Pack should have the following to be given to the New Hire
1 a current employee handbook (in a readable language)
2 a Hap
3 a Round Tuit
4 a Clue
5 whatever else is normally provided
6 that stack of paperwork that various departments need for a New Hire
Any person using FTFY or editing my postings agrees to a US$50.00 charge
They could have spoofed a vendor's domain (didn't read the article). How could their mail server detect that unless there are some very strict SPF in place for that domain?
SPF, another mail system element that is trivial to implement, that any sysadmin worth a damn should have done already; but I suppose you're right, a spearphisher that has intimate knowledge of an organization could spoof a vendor's email address. I don't know about you, but I don't open unsolicited attachments from anyone these days, Sally in Accounting OTOH...
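The check the two posts above argue about, as an added example that is not code from the thread or from any mail product: a minimal SPF evaluator fed from a constructed in-memory record table instead of DNS, and a gateway rule that rejects any message claiming one of our own domains unless SPF passes outright, while a vendor domain published with a lax `~all` only earns a quarantine. All domains, records and addresses are constructed; a/mx/exists/ptr mechanisms are treated as no-match so it runs offline.

```python
"""Minimal SPF evaluation for the "inbound mail spoofing our own domain" case.

Added example: records below are constructed placeholders, not real policies,
and only ip4/ip6/include/all mechanisms are implemented (assumption: the
a/mx/exists/ptr mechanisms, which need live DNS, count as no-match here).
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "vendor-weak.example": "v=spf1 ip4:192.0.2.0/24 ~all",   # softfail: lax
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """SPF result for sender_ip claiming MAIL FROM <anything>@domain."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:       # explicit qualifier prefix
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":         # matches only if the included domain passes
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # a/mx/exists/ptr: need DNS; treated as no-match in this offline example
    return "neutral"                    # record exhausted without an "all" term


def gateway_decision(own_domains, mail_from_domain, sender_ip):
    """Inbound gateway policy: our own domains must pass SPF or be rejected;
    third parties are judged by the strictness they themselves publish."""
    result = check_spf(mail_from_domain, sender_ip)
    if mail_from_domain in own_domains:
        return "accept" if result == "pass" else "reject"
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")
```

Note that a spoofed message from a vendor that publishes `~all` (or no record at all) is never rejected by SPF alone, which is the gap the reply above points at.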
I DO fault RSA for not compartmentalizing their security. A compromise of a user desktop should be expected. The fact that this foothold let someone get to the token seeds suggests some serious design and procedural negligence on RSA's part. The damage should have been limited to some emails getting leaked, not a compromise of their most vital secrets.
Do not forget 443 and the other SSL doors. Most of those new exploit/connect-back trojans take advantage of those doors, which are generally opened without restrictions.
MS Office and similar has taught far too many people to circulate stuff in an unfinished editable format when it should be a finished read-only document. If you are not collaborating on something it makes no sense at all to get the documents in an editable format. How can you trust somebody not to alter a contract if you send it in MS Word format? On the other side we have things like in the article to show that you can't trust received documents of this sort from an unknown source.
It was an exaggeration, there are text editors for VMS that haven't required a bug fix in decades. There is almost no chance that between its maturity and simplicity it still has security holes. However his point is that it's not a black and white problem of executable or not executable. Writing a secure text editor is easier than writing a secure word processor, media codecs are not parsing executable files by intent, but there have been holes in them anyway. It's a continuum of increasing complexity and decreasing security from text editors to mp3 players, to sandboxed javascript to piping turing complete languages off the internet directly into your kernel space (webGL). The simple knee-jerk against scripting is misguided both in the sense that the value of adding scripting can in some situations outweigh the risks, and in the sense that a format that isn't intended to have executable content can still be an avenue of attack.
refactor the law, it's bloated, confusing and unmaintainable.
There are spreadsheets that contain data that the company needs to be kept secure. If the argument is that they should be in gnumeric or open office that's one thing, but even they have scripting languages in them. Furthermore there is source that needs to be written and compiled and tested in secure environments. Simply denying the user all access to executable languages is not an option for some secure systems. Even denying physical access is probably not possible in some test labs. What fits for NORAD doesn't fit for everyone. No easy answers just lots of diligence and mistakes and hard lessons.
I used to work for one of the world's leading sporting goods companies. We had contractors onsite with the same network/desktop configuration and access as full time employees. At least one of these outsourced but in-house contractors was stupid enough to fall for pretty much any phishing/fake anti-virus/whatever scheme you can come up with. I have no doubt that any company in the US (what does that mean any more, anyway?) could be compromised given enough persistence and relentless effort to find THAT GUY.