Slashdot Mirror


RSA Blames Nation State For Cyber Attack

An anonymous reader writes "Security firm RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products. Speaking at the RSA Security Conference in London, RSA executive chairman Art Coviello described the high profile attack thus: 'There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state.' Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects. Could it be that the firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect its image?"


  1. Everyone's going to accuse by aBaldrich · · Score: 5, Informative

    China

    --
    In Soviet Russia the government regulates the companies.
    1. Re:Everyone's going to accuse by symbolset · · Score: 4, Interesting

      China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".

      The nation-state claim is based on depth of analysis of technologies, leveraging of classified information not known to be leaked, sophistication of attacks. Also maybe on RSA's desire to say "What can we do against the dedicated resources of a nation-state?"

      This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

      It doesn't require a nation-state's resources to do this. Fifty thousand geeks in their mom's basement will do if a hundred of them are Aspies - and they are. They'll do it for the lulz, and on their backtrace they'll drag a red herring across a nation state if it amuses them to do so. Or they'll taint the Church of Scientology instead if that's their thing this week. It would take a nation-state to fund that level of effort, to coordinate that level of action - unless they do it for free for the lulz and the aspies organize it for them for free because it's a puzzle worthy of their attention. No resources are required except the neighbor's open Wifi because Mom provides the Hot Pockets and Mountain Dew.

      /Not saying it wasn't a nation-state, but have no faith in the analysis.

      --
      Help stamp out iliturcy.
    2. Re:Everyone's going to accuse by ColdWetDog · · Score: 2

      This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

      Not sure how you can come to that conclusion. If the US three letter agencies have a presence in the "dark side" of the Internet, it's not as if they're going to post it on 4Chan. Sometimes you let people get away with things in order not to compromise sources.

      From the standpoint of a mere mortal, a dumb poster on Slashdot, we'll never know.

      --
      Faster! Faster! Faster would be better!
    3. Re:Everyone's going to accuse by garyebickford · · Score: 4, Informative

      I was at a conference in 1999 where a Navy officer spoke. At that time the DoD was in the process of setting up three separate cyber warfare battalions, working on both defense and offense. He did mention that until recently-at-that-time it had been a hard slog getting the brass to wake up, but things were starting to move faster. IIRC a battalion is about 500 'soldiers' plus some number of support staff (Wikipedia sez 300-1200 total).

      I would expect that in the 12 years since then the size of this effort has expanded by up to 2 orders of magnitude. There are literally thousands of nondescript buildings in shopping malls and industrial parks all over the country filled with folks doing all sorts of eyes-only burn-before-reading stuff, and I'm sure that a lot of that is cyber warfare research, training and activity. Part of the plan back in 1999 was to enlist major companies in information sharing regarding security threats to the economic infrastructure. Some of that effort got put into CERT early on, but I expect there are more classified levels of that going on.

      Keeping the baddies out of Ford, SmithKline or even Procter & Gamble is almost as important as keeping them out of several levels of DoD. Warfare has always been a fundamentally economic activity.

      If I had the head for that sort of thing and were a lot younger I'd think seriously about getting into that - it would make for a very 'secure' future. :)

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    4. Re:Everyone's going to accuse by cavreader · · Score: 2

      "This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet" I seriously doubt this is the case. The US would have no problem returning the favor. Like China the US government security agencies avoid publicizing their accomplishments and vulnerabilities to avoid disclosing their capabilities.

    5. Re:Everyone's going to accuse by Samantha+Wright · · Score: 3, Funny

      Been there. Done that. The algorithms are still where it's at.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    6. Re:Everyone's going to accuse by AmiMoJo · · Score: 2

      China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".

      Don't forget Stuxnet and groups like Anonymous. There is probably just as much hacking going on in the US as anywhere else but we hear less about it, not least because the attacks are focused on other countries and simply don't make the news here.

      Even with proxies you can often figure out where an attack comes from. Russian hackers will tend to use Russian words for file names or in binary executables, and it is often possible to tell if two separate hacks were by the same group based on digital forensics so they only have to make that kind of mistake once.

      Going off-topic a bit I find it laughable that the US should be accusing Iran of breaking US and international law by trying to organise an assassination on US soil, when the US seems to feel free to use cyber-attacks against Iran.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
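AmiMoJo's point about language artifacts in file names and binaries is the kind of check an analyst runs early in triage, so here is an added example of it (not code from the original thread or from any of the vendors named in it). It pulls printable strings from a blob in the two encodings a Windows binary normally uses for text, UTF-8 (of which plain ASCII is a subset) and UTF-16LE, and keeps those containing Cyrillic code points. The sample blob is constructed inline; the Russian strings in it are just stand-ins for an error message a careless developer might leave behind.

```python
"""Flag Cyrillic strings in an untrusted binary (added example; the sample blob is constructed)."""
import re

CYRILLIC = range(0x0400, 0x0500)   # Unicode Cyrillic block

# Encodings in which a Windows binary normally carries text. ASCII is a subset of the
# UTF-8 pattern, so it is not listed separately. In UTF-8, Cyrillic letters are the
# two-byte sequences D0xx/D1xx; in UTF-16LE, ASCII is "XX 00" and Cyrillic is "XX 04".
PATTERNS = {
    "utf-8": re.compile(rb"(?:[\x20-\x7e]|[\xd0\xd1][\x80-\xbf]){4,}"),
    "utf-16le": re.compile(rb"(?:[\x20-\x7e]\x00|[\x00-\xff]\x04){4,}"),
}


def extract_strings(blob: bytes, min_len: int = 4) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len characters,
    roughly what `strings -e l` plus a UTF-8-aware pass would give you."""
    found = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(blob):
            text = m.group().decode(enc, errors="replace")
            if len(text) >= min_len:
                found.append((m.start(), enc, text))
    return sorted(found)


def cyrillic_strings(blob: bytes) -> list[tuple[int, str, str]]:
    """Subset of extract_strings() whose text contains at least one Cyrillic code point."""
    return [hit for hit in extract_strings(blob) if any(ord(c) in CYRILLIC for c in hit[2])]


# Constructed stand-in for a dropper: an MZ header, a build path, a Russian error message
# stored as UTF-8, another stored as UTF-16LE, and an import name.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\dev\\build\\dropper.pdb\x00"
    + "ошибка загрузки".encode("utf-8") + b"\x00" * 8      # "load error"
    + "Файл не найден".encode("utf-16-le") + b"\x00\x00"   # "file not found"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for off, enc, text in cyrillic_strings(SAMPLE):
        print(f"0x{off:06x} {enc:<8} {text}")
```

Treat a hit as one weak indicator, not attribution: symbolset's red-herring remark earlier in the thread applies, since a string table is the cheapest thing in a binary to fake, and plenty of crimeware is simply built with a Russian-locale toolchain regardless of who is paying for it.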
    7. Re:Everyone's going to accuse by GameboyRMH · · Score: 2

      At this point if I was going to do anything illegal I'd proxy it through China. Nobody would ever suspect it could be anyone else.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:Everyone's going to accuse by garyebickford · · Score: 2

      That doesn't sound very physically secure.

      A good question. Relevant reading below. From my own slight experience, quite a while back, these buildings are often much more secure than they appear on the outside. They are purposely nondescript. Sometimes there are fake fronts and such, and even sometimes a smallish building on the surface connects to a large underground complex. Putting them in relatively high traffic areas makes it easier to hide the traffic of workers going in and out.

      Back in the day I saw a few in DC suburbs (Tyson's Corner VA) that had no windows and only one door, and walls that were blast-resistant and incorporated Faraday cages to prevent electronic leakage. That was the old-school way, I don't know to what extent that is still the case but I assume that is mostly still true, just as a starter. It depends on the type and quality of information.

      Even back in the late 1970s and early 1980s technical equipment intended for some government agencies had to pass the TEMPEST EMI test, which has no published spec - they test it and tell you only whether it passed. If it didn't, you were not given any clues as to what needed fixing.

      Top Secret America portal article.

      Another article, excerpted from the book: "Top Secret America: The Rise of the New American Security State".

      This article, adapted from a chapter of the newly released “Top Secret America: The Rise of the New American Security State,” by Washington Post reporters Dana Priest and William M. Arkin, chronicles JSOC’s spectacular rise, much of which has not been publicly disclosed before. Two presidents and three secretaries of defense routinely have asked JSOC to mount intelligence-gathering missions and lethal raids, mostly in Iraq and Afghanistan, but also in countries with which the United States was not at war, including Yemen, Pakistan, Somalia, the Philippines, Nigeria and Syria.

      “The CIA doesn’t have the size or the authority to do some of the things we can do,” said one JSOC operator.

      The president has given JSOC the rare authority to select individuals for its kill list — and then to kill, rather than capture, them. Critics charge that this individual man-hunting mission amounts to assassination, a practice prohibited by U.S. law. JSOC’s list is not usually coordinated with the CIA, which maintains a similar but shorter roster of names.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  2. well we did blame.... by ganjadude · · Score: 2

    Iran for an attempted attack on US soil just today. Maybe they figured (or were coaxed *tin foil hat) that they should just add blame to Iran either to save face (most likely) or to add ammo to the fact that they did in fact back the attack? (end tin foil hat)

    --
    have you seen my sig? there are many others like it but none that are the same
  3. Defective as designed. by faedle · · Score: 5, Insightful

    Any design that held all the keys in a central database that was not changeable by the end-user organization was defective-as-designed, IMHO.

  4. Re:Awww, a security firm got hacked? by Dunbal · · Score: 2

    Yah an it was a COUNTRY that did it mommmmmieeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!

    --
    Seven puppies were harmed during the making of this post.
  5. Surprisingly Poor Security Policy by LazLong · · Score: 5, Insightful

    RSA should never have allowed systems containing anything related to SecurID beyond marketing data to be connected to a network with an Internet connection. SecurID development should have been restricted to a physically separate (air-gapped) network.

    Why would I ever want to trust any security company who would make such a fundamental mistake?

    1. Re:Surprisingly Poor Security Policy by Grishnakh · · Score: 3, Insightful

      Why would I ever want to trust any security company who would make such a fundamental mistake?

      Because you like to play golf with their sales rep and he takes you out to expensive restaurants?

    2. Re:Surprisingly Poor Security Policy by bill_mcgonigle · · Score: 2

      Is that a nation state in your pocket, or are you just happy to see me?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Surprisingly Poor Security Policy by firstnevyn · · Score: 2

      FREE HAT! FREE HAT!

  6. It had to be a nation-state... by arglebargle_xiv · · Score: 5, Insightful

    ...because having to admit "we got 0wned by some random script kiddie" would be just too embarrassing.

  7. Pure spin... even if it's true by swillden · · Score: 5, Insightful

    It really doesn't matter whether this was a targeted, sophisticated attack or not. The fact is that if RSA had done a decent job of securing its keys it wouldn't matter who was attacking them.

    Any company with secret keys remotely as valuable as RSAs should have generated them and managed them ONLY in high-security HSMs (host security modules) configured to refuse to ever divulge the keys under any circumstances, except to securely transport them to another HSM. That plus reasonable logical access controls on the HSMs, with separation of authority for all important operations, and strong physical security around the HSMs makes it virtually impossible for any attacker, no matter how skilled, sophisticated or well-funded, to get at the data.

    This really isn't rocket science. Lots of banks and lots of other security-conscious companies do this sort of thing all the time. Given who RSA's clientele was, if they'd gone to the NSA and asked for help they'd have gotten all the free consultation they needed from some of the best there are, if they'd needed it. Which they shouldn't have.

    Whether it was a sophisticated team from a world superpower or a couple of random script kiddies is really just a question of how much gross negligence.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Bullcrap by Oriumpor · · Score: 2, Insightful

    I spend a week a year listening to crap like this for hour after hour. In 2010 everyone said (and still this year the big Security firms are still clueless) that the PLC attack against the Siemens controllers "Was an extremely sophisticated attack" blah blah blah "nation state" blah blah blah.

    This is based on the following:
    1. Obviously the 2 signed pieces of code would have required real human assets.
    2. The PLC controllers are incredibly sophisticated and expensive.
    3. The method of infiltration was extremely well planned.

    Until earlier this year I was spouting the same crap... then an individual busted Comodo wide open. Then later DigiNotar (as if Comodo wasn't evidence enough.) So, check: #1 no longer requires human assets.
    Then I saw a talk that blew #2 and #3 out of the water. A relatively low-funded talk (about 6k) was done, where an individual (not a team, not even two people) was able to identify a direct backdoor that provided shell access into all PLCs of the model applicable in the Stuxnet attack, and could perform the attack without the need of the configuration stations...

    THERE WAS NO NEED FOR A USB PAYLOAD TO BOOTSTRAP THE COMPILER! You could actually login, and patch the damn executables on the plc itself using the backdoor.

    My conclusion about 30 seconds after these things were demonstrated (on the actual PLCs) was that it probably did take a team of engineers to create the Rube Goldberg that was Stuxnet, but it didn't involve anyone at Siemens (since when confronted with the researchers' findings, they acknowledged them, saying they were already aware.)

    Since the RSA attack is like three steps down from that, I would say that RSA is trying to perform damage control with their shareholders since in terms of sophistication a user clicking a malicious URL in an email is sooooOoo 1999.

    1. Re:Bullcrap by hism · · Score: 2

      Wait, I don't see how the security breach at Comodo rules out #1. Maybe I'm not understanding CAs correctly, but the two situations have a big distinction. In the Comodo case, somebody breached Comodo, a CA authority, and issued new CAs which could be used by a malicious site to claim that they are some other trusted site. In the case of Stuxnet, already-issued CAs for Realtek and JMicron were stolen to sign malicious drivers. CAs that had already signed legitimate drivers in the past. Aren't these two cases a bit different? I'm not saying that the CAs at Realtek and JMicron couldn't have been stolen without real human assets, but how does the Comodo case change anything?

  9. Not that sophisticated... by Vellmont · · Score: 5, Insightful

    The article is correct. APT is merely a buzzword to throw around to make the attack sound sophisticated. It was certainly a good attack, but it's hardly something that requires the resources of a "nation state". Individuals are constantly finding software flaws that are more sophisticated than what RSA was hit by. The attack merely combines social engineering (getting the victim to open the spreadsheet), a hidden payload of Flash packaged inside it, and a flash exploit. None of those are really that sophisticated, or particularly new.

    I don't think any details have been given about what happened once the initial machine was owned. But given that RSA is already trying to hack into something resembling "the hack of the century", AND the fact they didn't reveal tokens had been stolen until AFTER a stolen token was used in a Lockheed Martin attack, I'd say the opinion of RSA on who was involved can't be trusted.

    Speculation of the attacker based on who has an interest in breaking Lockheed Martin is meaningless. I could come up with a dozen different explanations, all equally plausible that wouldn't involve a nation state at all. Perhaps the first attacker breached RSA, then sold the stolen tokens to some other hacker. Without evidence to keep us honest, we can make up whatever theories we like.

    --
    AccountKiller
    1. Re:Not that sophisticated... by SmurfButcher+Bob · · Score: 2

      > The Lockheed Martin breakin is being used to suggest that the RSA hack must have been carried out by a nation state

      That's puzzled me, however.

      The RSA hack was a black swan, but it bridged enough facets to not be trivial - so we're not talking about the attackers being morons, here.
      But then actions against LM were beyond stupid. Not only because of the sledge-hammer tactic that even HBGary could have found, but more because it confirmed what RSA refused to reveal - it confirmed that they had the seeds. Doing so completely devalued them... for what equates to little more than a dozen failed password attempts. That's just... "Duh?"

      One attack smells like for-profit/for-hire, and the other attack smells like short-term stupid-n00b on many levels. If there's a nation-state involved, it wasn't during the RSA part... the subsequent stupidity at LM could not have been the same talent.

      On the LM side, it'd be a nation that (1) is stupid enough to blow the seeds over a short term access attempt, and (2) doesn't have a lot of nationals hired by LM with existing long term access, assets and options. That means it wasn't China, India or Taiwan... all three nations already have people who will (and will continue to) do things the old fashioned way: crawling through air ducts, walking a freakin drive out the door, or social eng. None of them would piss the seeds away like what was tried - they'd integrate them into their existing tactics, AFTER a valid user/pass had been acquired by those tactics.

      It smells more like someone who wanted to FUD the RSA product, quite frankly.

      Cheers,

      --
      help me I've cloned myself and can't remember which one I am
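Vellmont's comment 9 above describes the initial vector as a spreadsheet carrying a hidden Flash object. Whether or not one calls that sophisticated, it is cheap to look for: an SWF starts with a fixed 8-byte header (magic "FWS", "CWS" or "ZWS", a version byte, and a little-endian uncompressed length), and that header survives intact when the object is dropped into an OLE2 document. The following is an added example, not a detector RSA or anyone else published: it scans a blob for SWF headers, discards chance hits on ordinary text, and reports whether the file is an OLE container. The sample .xls is constructed inline; the version cutoff and the 64-byte zlib probe are assumptions, and the ZWS (LZMA) form is recognised by header only.

```python
"""Triage heuristic for Flash (SWF) objects embedded in an Office document.
Added example with a constructed sample file; not RSA's or anyone's published detector."""
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2/CFB container used by legacy .xls/.doc
SWF_KINDS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_SWF_VERSION = 50   # assumed upper bound for a plausible version byte


def find_embedded_swf(blob: bytes) -> list[dict]:
    """Locate SWF headers (3-byte magic, version byte, little-endian uncompressed length)
    anywhere in the blob and weed out chance hits on ordinary text."""
    hits = []
    for magic, kind in SWF_KINDS.items():
        start = 0
        while (off := blob.find(magic, start)) != -1:
            start = off + 1
            header = blob[off:off + 8]
            if len(header) < 8:
                break
            version = header[3]
            length = struct.unpack("<I", header[4:8])[0]
            if not 1 <= version <= MAX_SWF_VERSION or length < 8:
                continue
            if kind == "uncompressed" and length > len(blob) - off:
                continue                          # claims to be bigger than what is left
            if kind == "zlib":
                try:                              # body must start as a valid zlib stream
                    zlib.decompressobj().decompress(blob[off + 8:off + 72])
                except zlib.error:
                    continue
            hits.append({"offset": off, "compression": kind, "version": version, "length": length})
    return sorted(hits, key=lambda h: h["offset"])


def triage(blob: bytes) -> dict:
    """Summary a responder wants up front: is it an OLE file, and does it carry Flash?"""
    swfs = find_embedded_swf(blob)
    return {"ole_container": blob.startswith(OLE_MAGIC), "swf_count": len(swfs), "swf": swfs}


def _build_sample() -> bytes:
    """Constructed stand-in for a booby-trapped .xls: OLE magic, a 512-byte header sector,
    a decoy 'FWS' that claims an impossible length, then a zlib-compressed SWF."""
    body = b"FAKE-BODY" + b"\x00" * 500            # arbitrary stand-in for the SWF tag stream
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"FWS\x09\xff\xff\xff\x7f"
    return OLE_MAGIC + b"\x00" * 504 + b"Sheet1\x00" + decoy + b"\x00" * 64 + swf + b"\x00" * 128


SAMPLE_XLS = _build_sample()

if __name__ == "__main__":
    print(triage(SAMPLE_XLS))
```

A hit means "this document carries Flash", which is worth a second look in an inbox but is not a verdict on its own; legitimate documents can embed SWF too, and an object split across non-contiguous OLE sectors can defeat the zlib probe, so pair this with a proper OLE stream parser for anything beyond first-pass triage.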

  10. Re:Unwilling to name for good reason by msobkow · · Score: 3, Insightful

    Then it's unreasonable for them to assume it requires a "nation state" to perform the attacks. Some of the cracker groups out there are very, very skilled and have a lot of resources available to them.

    But it would be embarrassing for them to admit a loosely organized bunch of people could get past their much-vaunted security. Better save face and paint pictures of a ghostly "nation state" so they don't look incompetent.

    --
    I do not fail; I succeed at finding out what does not work.
  11. Re:Mod parent up. by tlhIngan · · Score: 2

    And those products DEPEND upon the seed being secret?

    Um, that's the point of the RSA token. The RSA token is merely a watch that instead of displaying the current time, displays a 6-digit number. That number is basically the output of a PRNG - one cryptographically secure (so hijacking a number or two won't reveal the entire sequence). That PRNG is seeded by a seed value so it generates a predictable set of numbers.

    When you register a key, you enter in its ID number, which does a seed lookup so when you log in, the appropriate number can be calculated and compared with what your key should be showing you.

    The seed has to be available somehow - the key gets programmed with a seed out of necessity (so it can calculate the proper number), but the log in authenticator also needs the seed. And the authenticator can be made by anyone licensing the technology. Somehow the seed value needs to be transported to the authenticator so all valid users' numbers can be calculated and compared.

    The only thing I don't know is when the authenticator needs the seed - does it check against RSA's system or does it just log the seed value internally. Or why RSA keeps the seed once it's been registered (perhaps to allow multiple authenticators to use the same keyfob?).
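tlhIngan's description above (seed-keyed PRNG in the fob, serial-to-seed lookup on the authenticator) and swillden's argument in comment 7 (seeds should live only in HSMs that never hand them out except to another HSM) are two halves of the same model, so here is one added example covering both. It is a TOTP-style stand-in using HMAC-SHA1 over a 60-second counter, not RSA's proprietary SecurID algorithm; the serial, seed, step size, drift window and the toy HMAC-based key wrap are all assumptions, and the user's PIN that the real product adds to the token code is left out. The point the code makes is the one the thread circles around: a copied seed table lets an attacker mint codes for any token at any future minute offline, whereas a vault that exposes only verify() and a wrapped HSM-to-HSM export gives a thief nothing to copy.

```python
"""Seed-based time token, the plain seed table the thread objects to, and an HSM-style vault.
Added example: a TOTP-style stand-in (HMAC-SHA1 over a 60-second counter), NOT RSA's
proprietary SecurID algorithm. Serial, seed, step, window and wrap scheme are assumptions."""
import hashlib
import hmac
import os
import struct

STEP = 60      # assumed tick interval
DIGITS = 6
WINDOW = 1     # accept one step either side to absorb fob clock drift


def token_code(seed: bytes, now: int) -> str:
    """What the fob displays at Unix time `now`: HMAC(seed, step counter) truncated to 6 digits."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def _matches(seed: bytes, code: str, now: int) -> bool:
    return any(hmac.compare_digest(token_code(seed, now + d * STEP), code)
               for d in range(-WINDOW, WINDOW + 1))


class PlainSeedStore:
    """Authenticator keeping seeds in an ordinary table keyed by token serial.
    Whoever copies the table can compute every token's codes for as long as the token lives."""
    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int) -> bool:
        return serial in self.seeds and _matches(self.seeds[serial], code, now)


class SeedVault:
    """HSM-style holder: seeds are used inside verify() and only ever leave wrapped under a
    transport key that a peer vault shares. Toy wrap (HMAC-SHA256 keystream + HMAC tag, seeds
    of at most 32 bytes) stands in for the key wrap a real HSM would use."""
    def __init__(self, transport_key: bytes) -> None:
        self._seeds: dict[str, bytes] = {}
        self._tk = transport_key

    def enroll(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int) -> bool:
        return serial in self._seeds and _matches(self._seeds[serial], code, now)

    def export_wrapped(self, serial: str) -> bytes:
        seed = self._seeds[serial]
        nonce = os.urandom(16)
        stream = hmac.new(self._tk, b"enc" + nonce, hashlib.sha256).digest()[:len(seed)]
        ct = bytes(a ^ b for a, b in zip(seed, stream))
        tag = hmac.new(self._tk, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def import_wrapped(self, serial: str, blob: bytes) -> None:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._tk, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrapped seed failed authentication")
        stream = hmac.new(self._tk, b"enc" + nonce, hashlib.sha256).digest()[:len(ct)]
        self._seeds[serial] = bytes(a ^ b for a, b in zip(ct, stream))


SERIAL = "000123456789"                                   # constructed token serial
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte seed
T0 = 1_318_000_000                                        # fixed Unix time, October 2011


def breach_demo() -> dict:
    """Plain table: the attacker copies it and mints tomorrow's code for the target's fob."""
    store = PlainSeedStore()
    store.enroll(SERIAL, SEED)
    shown = token_code(SEED, T0)                    # what the user's fob displays now
    stolen = dict(store.seeds)                      # the breach: attacker copies the seed table
    later = T0 + 24 * 3600
    forged = token_code(stolen[SERIAL], later)      # computed offline, no contact with the victim
    wrong = f"{(int(shown) + 1) % 10 ** DIGITS:0{DIGITS}d}"
    return {"legit_accepted": store.verify(SERIAL, shown, T0),
            "forged_accepted": store.verify(SERIAL, forged, later),
            "wrong_rejected": not store.verify(SERIAL, wrong, T0)}


def vault_demo() -> dict:
    """Vault: verification works, replication works, and the raw seed never appears in transit."""
    tk = os.urandom(32)
    primary, replica = SeedVault(tk), SeedVault(tk)
    primary.enroll(SERIAL, SEED)
    blob = primary.export_wrapped(SERIAL)
    replica.import_wrapped(SERIAL, blob)
    return {"verify_works": replica.verify(SERIAL, token_code(SEED, T0), T0),
            "seed_hidden_in_transit": SEED not in blob}
```

The answer to tlhIngan's closing question follows from the model: every authenticator that has to check a token needs that token's seed, which is exactly why the thread's advice is to keep the seed inside something that will compute the check for you but will not give the seed back, and to replace the fobs once the table is known to be gone, since the seeds are fixed for the life of the hardware.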