Was This the Phishing E-mail That Took Down RSA?
alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."
Actually, if you have proper network, server, and file access constraints, you can limit exposure depending on the person that gets phished.
That said, most companies think convenience > security.
Looking closer, Hirvonen found that the file seemed to match RSA's description in possibly every way.
I assumed this was a poorly translated phishing article and immediately closed my browser window and reinstalled Windows.
"Sacrifice for the good of The State" - The State
I dunno. How many people still leave their doors unlocked, drive home drunk, text and drive, say something stupid to the wrong person, vote for Republicans (haha, yeah I said it, deal with it), and etc etc.
Shit is not going to stop, so all we can do is react and repair. However, when someone has a specific amount of access, perhaps a security policy and/or security training/certificate are required which would include legal or financial punishment for their lax attention.
So why did the non-security support staff have access to the same network the private keys were on? It doesn't just take one careless user; RSA should know about defense in depth.
Give me Classic Slashdot or give me death!
End users aren't always that stupid, but some of them are, and the others can be distracted and not really pay attention and accidentally open something they otherwise wouldn't have. This is why it's vital to have automated spam and virus detection on the backend. A few weeks ago I noticed Exchange catching and cleaning up viruses that were coming from the computer of a manager of one of our client companies - the person in charge of the whole darn operation had managed to get her PC infected. Exchange caught the viruses before they were sent off to other PCs in the network, but we had to completely wipe down that person's computer to get rid of it for good. All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.
Occasionally living proof of the Ballmer peak.
I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.
That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Being the most secure company on earth is awesome until you go out of business because nobody could get any work done and make the company any money.
There is a balance between convenience and security.
It wasn't a macro, it was an embedded Adobe Flash object.
There is a balance between convenience and security.
Of course there is, but given how often these problems are happening as of late, it seems clear that very few of these companies are finding that balance. One would think the inconvenience of higher security would pale in comparison to the inconvenience of rebuilding your reputation after the entire world watches your organization get brought to its knees, or lose copious amounts of proprietary data, due to ridiculous things like phishing expeditions.
My understanding is that the attack proceeded in multiple steps and that knocking over a soft target was just a convenient opening move. Anybody who can be cracked just by duping some support person is Doing It Wrong; but it is hard to imagine a structure where having access to one or more low privilege accounts wouldn't make an attacker's life somewhat easier.
Now, as for the broader question of why RSA retained the seed keys for a nontrivial slice of the US's more security-touchy corporations in any remotely online-accessible form, or why those customers accepted that arrangement... There are not words enough to condemn that level of folly.
I join F-Secure in asking, "why the heck does Excel support embedded Flash"?
I've found you don't want to work for companies that don't listen to their IT departments, as that is bad for job security. A smart boss will listen to a reasoned explanation as to why something is a bad idea. If they don't, you should work for them as a consultant and not as an employee - companies with bad IT policies make great clients for consultants, because they spend far more on IT than companies that listen to their IT staff.
Get a web developer
So an anti-virus company, always on the lookout for free publicity, claims that it has come across what might have been the e-mail that took down the RSA.
And this makes the news?
In case you hadn't noticed, the anti-virus companies will claim anything to get noticed these days.
If you use a commodity OS inside your secure network, you will get hacked and you will get it knocked over.
If you have a high security network and run windows and office on it, it's not high security anymore.
You run apps and operating systems rated for the security that are tightened down. Only a moron would let someone edit a spreadsheet on a PC that is connected to the secure network. You flip to the insecure network machine for tasks like that. No connections between them other than the eyeballs and fingers of the user.
Do not look at laser with remaining good eye.
So it wasn't just a ball of mud, it was a ball of mud with a nugget of shit in the middle?
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
You mean the file extension that actually matched what the file appeared to be (Excel spreadsheet) and had nothing at all to do with the reason this attack was successful?
If I may paraphrase JoshuaZ's point, it was "Turn on file extensions, and don't open files with suspicious extensions". It was also unrelated to this particular security breach, but at least it's still good advice in general.
You could even search through the Windows registry for registered file types with a "NeverShowExt" value set and delete the value. Then even extensions like .url, .lnk, etc. will be visible.
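The registry audit the two comments above describe, written out as an added example (not code posted in the thread). It lists every file-type key under HKEY_CLASSES_ROOT that carries a NeverShowExt value, shows which extensions map to it, and clears the value only when run with -Remove. It assumes an elevated PowerShell session, since writes through HKCR land in HKLM\Software\Classes; the script name in the usage note is a placeholder.

```powershell
# Added example, not code from the thread: audit (and with -Remove, clear) the
# NeverShowExt values that make Explorer hide an extension even after
# "Hide extensions for known file types" has been turned off.
# Assumes an elevated session; SupportsShouldProcess gives -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# PowerShell does not map HKEY_CLASSES_ROOT as a drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# One pass over the top-level keys: ".lnk"-style keys map an extension to a
# ProgID; ProgID keys such as "lnkfile" are where NeverShowExt normally lives.
$extToProgId   = @{}
$hiddenProgIds = @()
foreach ($key in Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue) {
    $name = $key.PSChildName
    if ($name.StartsWith('.')) {
        $progId = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($progId) { $extToProgId[$name] = $progId }
    }
    elseif (Get-ItemProperty -Path $key.PSPath -Name NeverShowExt -ErrorAction SilentlyContinue) {
        $hiddenProgIds += $key
    }
}

foreach ($key in $hiddenProgIds) {
    # Report the extensions that resolve to this ProgID so the listing is readable.
    $exts = $extToProgId.GetEnumerator() |
        Where-Object { $_.Value -eq $key.PSChildName } |
        ForEach-Object { $_.Key }
    '{0,-20} hides: {1}' -f $key.PSChildName, (($exts | Sort-Object) -join ', ')

    if ($Remove -and $PSCmdlet.ShouldProcess($key.PSChildName, 'Remove NeverShowExt')) {
        Remove-ItemProperty -Path $key.PSPath -Name NeverShowExt
    }
}
```

Run `.\Show-HiddenExt.ps1` to list, `.\Show-HiddenExt.ps1 -Remove -WhatIf` to preview the deletions, and `.\Show-HiddenExt.ps1 -Remove` to apply them. Expect shortcut types such as .lnk, .url and .pif to appear in the list; after removal, Explorer shows those extensions, which is the point. The script only inspects top-level ProgID keys, so a NeverShowExt placed directly on an extension key would not be reported.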
MS is vulnerable because its the biggest target out there.
While it's true that few people would try to exploit a system nobody uses, MS does its share of the effort to become insecure.
In this specific case, the first breach was done by a Flash program embedded in an Excel spreadsheet. We are going waaay back to all that DDE/COM/OLE/ActiveX thing that has been opening so many backdoors in Microsoft systems for the last decades. Broken by design.
You would love to read "The Cuckoo's Egg" by Cliff Stoll. A lengthy but very interesting read.
http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)
By analogy, this is part of the reason why high security buildings around Washington DC have no windows. Too easy to 'peek' through (using some arbitrary 'peeking' technology), or break in through.
Most normal buildings are only *apparently* secure, since a simple lock pick or broken window gets you in. I think this phishing attack is analogous to the classic Hollywood entry using a glass cutter and shorting across the alarm wiring. This gets you in the building so you can do your dirty work.
Those high security buildings also sometimes have Faraday cages and other systems built into the structure, but that's another story.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.
Because that is not a hypothesis but a logically inevitable consequence. Your logic is awesome.
you're an idiot.
Noooo, he's a professional. His job is to escalate and let the chips fall where they may, and in the unlikely chance of getting fired, he goes to get another job. Yeah, yeah, even in this bad economy, that's what you do.
Barring some strenuous condition (having a newborn baby or a shitload of medical bills), if someone doesn't escalate things when necessary due to fear of getting fired (an implication of a near complete lack of alternatives), one has to wonder what type of technical value, if any, such a person has to offer, considering that he surrenders his professional duties to that kind of unspoken, on-the-job blackmailing and/or ZOMG! phear of getting hopelessly unemployed.
Well, that's an interesting question: how much business *does* a company actually lose by being embarrassed in an event like this? Companies keep getting hacked (Citigroup, Sony, TJmaxx, RSA), but they don't seem to be going out of business because of it, or even taking that much of a financial hit...so I'm beginning to suspect that there isn't that much impact after all.
So, if there's no real financial impact aside from PR and cleanup, why should they bother being secure?
I worked for RSA for 4 years, both before and after EMC acquired them (I was not working there when the break-in occurred). The security experts at RSA are not the people that are running EMC corporate IT. When the acquisition occurred, RSA IT was one of the first groups to be let go. EMC IT policy seemed to be more worried about meeting regulations for compliance than for implementing security policies that actually made sense.
If this was a multi-step attack, rather than just stopping the first phishing email, wouldn't detection anywhere further up the chain also have limited the damage?
If your mail admin (or outsourced mail provider) allows inbound messages that are spoofing your company's domain(s), they are worthless and have no business running your mail system.
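Whether a gateway can reject mail that spoofs your own domain depends partly on what you publish in DNS: receivers, including your own inbound filter, act on SPF and DMARC. The following added example (not code from the thread) parses the TXT records for a domain and reports the gaps that would keep a spoofed message from being rejected. The function takes the record strings directly so the constructed sample records run offline; the commented lines at the end feed it live lookups via Resolve-DnsName, and the domain names are placeholders.

```powershell
# Added example, not from the thread: judge whether a domain's published SPF and
# DMARC records tell receiving mail systems to reject messages that spoof it.
function Get-SpoofPosture {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [string[]]$SpfTxt,     # TXT records published at $Domain
        [string[]]$DmarcTxt    # TXT records published at _dmarc.$Domain
    )
    $spf   = @($SpfTxt   | Where-Object { $_ -match '^v=spf1(\s|$)' })
    $dmarc = @($DmarcTxt | Where-Object { $_ -match '^v=DMARC1\s*;' })
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($spf.Count -ne 1) {
        $findings.Add("SPF: expected exactly one v=spf1 record, found $($spf.Count)")
    } else {
        # The last "all" mechanism decides what happens to senders not listed.
        $all = ($spf[0] -split '\s+') | Where-Object { $_ -match '^[+~?-]?all$' } | Select-Object -Last 1
        if (-not $all)                     { $findings.Add('SPF: no "all" terminator, unlisted senders are treated as neutral') }
        elseif ($all -eq '-all')           { }   # hard fail: receivers may reject
        elseif ($all -eq '~all')           { $findings.Add('SPF: ~all only softfails spoofs; receivers seldom reject on it') }
        elseif ($all -in @('+all','all'))  { $findings.Add('SPF: +all authorises every sender, the record is useless') }
        else                               { $findings.Add('SPF: ?all leaves unlisted senders neutral') }
    }

    if ($dmarc.Count -ne 1) {
        $findings.Add("DMARC: expected exactly one v=DMARC1 record at _dmarc.$Domain, found $($dmarc.Count)")
    } else {
        $tags = @{}
        foreach ($pair in ($dmarc[0] -split ';')) {
            if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        if ($tags['p'] -ne 'reject') {
            $findings.Add("DMARC: p=$($tags['p']) does not ask receivers to reject")
        }
        if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
            $findings.Add("DMARC: pct=$($tags['pct']) leaves part of the mail unfiltered")
        }
        if ($tags.ContainsKey('sp') -and $tags['sp'] -ne 'reject') {
            $findings.Add("DMARC: subdomain policy sp=$($tags['sp']) leaves subdomains spoofable")
        }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Rejects  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample records for illustration, not real DNS data.
Get-SpoofPosture -Domain 'example.test' `
    -SpfTxt   @('v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all') `
    -DmarcTxt @('v=DMARC1; p=reject; rua=mailto:dmarc@example.test')

Get-SpoofPosture -Domain 'lax.test' `
    -SpfTxt   @('v=spf1 ip4:198.51.100.5 ~all') `
    -DmarcTxt @('v=DMARC1; p=none; pct=50')

# Live lookup for your own domain (Resolve-DnsName ships with the Windows DnsClient module);
# multi-string TXT records are concatenated as RFC 7208 requires.
# $d = 'yourdomain.example'   # placeholder
# Get-SpoofPosture -Domain $d `
#     -SpfTxt   (Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join '' }) `
#     -DmarcTxt (Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join '' })
```

The first sample reports Rejects = True with no findings; the second reports Rejects = False with the ~all, p=none and pct=50 findings. Publishing the records is only half of it: the inbound gateway still has to evaluate SPF and DMARC on the From domain and act on the result, and internal relays or third-party senders that legitimately use your domain need to be covered by the SPF record (or sign with DKIM) before switching to -all and p=reject, or their mail is what gets rejected.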
grep -iw skynet