Slashdot Mirror
Was This the Phishing E-mail That Took Down RSA?
alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."
So why did the non-security support staff have access to the same network the private keys were on? It doesn't just take one careless user, RSA should know about defense in depth.
Give me Classic Slashdot or give me death!
I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.
That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
My understanding is that the attack proceeded in multiple steps and that knocking over a soft target was just a convenient opening move. Anybody who can be cracked just by duping some support person is Doing It Wrong; but it is hard to imagine a structure where having access to one or more low privilege accounts wouldn't make an attacker's life somewhat easier.
Now, as for the broader question of why RSA retained the seed keys for a nontrivial slice of the US's more security-touchy corporations in any remotely online-accessible form, or why those customers accepted that arrangement... There are not words enough to condemn that level of folly.
Indeed, there should be a strict separation between documents (things you merely view and possibly edit) and programs (things which do something). Unfortunately that line has been crossed by about every document format, from office files (Word, Excel, ...) over HTML (JavaScript) to PDF.
There should be a set of standard document formats which are guaranteed to not contain any executable code whatsoever, so except for possibly exploiting buffer overflows in interpreting code, displaying the documents is safe. It should be impossible by specification to insert any "active content", i.e. programs, in such documents.
The Tao of math: The numbers you can count are not the real numbers.
I worked for RSA for 4 years, both before and after EMC acquired them (I was not working there when the break-in occurred). The security experts at RSA are not the people that are running EMC corporate IT. When the acquisition occurred, RSA IT was one of the first groups to be let go. EMC IT policy seemed to be more worried about meeting regulations for compliance than for implementing security policies that actually made sense.