Slashdot Mirror


RSA Blames Nation State For Cyber Attack

An anonymous reader writes "Security firm RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products. Speaking at the RSA Security Conference in London, RSA executive chairman Art Coviello described the high profile attack thus: 'There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state.' Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects. Could it be that the firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect its image?"

8 of 145 comments

  1. Everyone's going to accuse by aBaldrich · · Score: 5, Informative

    China

    --
    In Soviet Russia the government regulates the companies.
    1. Re:Everyone's going to accuse by symbolset · · Score: 4, Interesting

      China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".

      The nation-state claim is based on depth of analysis of technologies, leveraging of classified information not known to be leaked, sophistication of attacks. Also maybe on RSA's desire to say "What can we do against the dedicated resources of a nation-state?"

      This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

      It doesn't require a nation-state's resources to do this. Fifty thousand geeks in their mom's basement will do if a hundred of them are Aspies - and they are. They'll do it for the lulz, and on their backtrace they'll drag a red herring across a nation state if it amuses them to do so. Or they'll taint the Church of Scientology instead if that's their thing this week. It would take a nation-state to fund that level of effort, to coordinate that level of action - unless they do it for free for the lulz and the aspies organize it for them for free because it's a puzzle worthy of their attention. No resources are required except the neighbor's open Wifi because Mom provides the Hot Pockets and Mountain Dew.

      /Not saying it wasn't a nation-state, but have no faith in the analysis.

      --
      Help stamp out iliturcy.
    2. Re:Everyone's going to accuse by garyebickford · · Score: 4, Informative

      I was at a conference in 1999 where a Navy officer spoke. At that time the DoD was in the process of setting up three separate cyber warfare battalions, working on both defense and offense. He did mention that until recently-at-that-time it had been a hard slog getting the brass to wake up, but things were starting to move faster. IIRC a battalion is about 500 'soldiers' plus some number of support staff (Wikipedia sez 300-1200 total).

      I would expect that in the 12 years since then the size of this effort has expanded by up to 2 orders of magnitude. There are literally thousands of nondescript buildings in shopping malls and industrial parks all over the country filled with folks doing all sorts of eyes-only burn-before-reading stuff, and I'm sure that a lot of that is cyber warfare research, training and activity. Part of the plan back in 1999 was to enlist major companies in information sharing regarding security threats to the economic infrastructure. Some of that effort got put into CERT early on, but I expect there are more classified levels of that going on.

      Keeping the baddies out of Ford, SmithKline or even Procter & Gamble is almost as important as keeping them out of several levels of DoD. Warfare has always been a fundamentally economic activity.

      If I had the head for that sort of thing and were a lot younger I'd think seriously about getting into that - it would make for a very 'secure' future. :)

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  2. Defective as designed. by faedle · · Score: 5, Insightful

    Any design that held all the keys in a central database that was not changeable by the end-user organization was defective-as-designed, IMHO.

  3. Surprisingly Poor Security Policy by LazLong · · Score: 5, Insightful

    RSA should never have allowed systems containing anything related to SecurID beyond marketing data to be connected to a network with an Internet connection. SecurID development should have been restricted to a physically separate (air-gapped) network.

    Why would I ever want to trust any security company who would make such a fundamental mistake?

  4. It had to be a nation-state... by arglebargle_xiv · · Score: 5, Insightful

    ...because having to admit "we got 0wned by some random script kiddie" would be just too embarrassing.

  5. Pure spin... even if it's true by swillden · · Score: 5, Insightful

    It really doesn't matter whether this was a targeted, sophisticated attack or not. The fact is that if RSA had done a decent job of securing its keys it wouldn't matter who was attacking them.

    Any company with secret keys remotely as valuable as RSA's should have generated them and managed them ONLY in high-security HSMs (host security modules) configured to refuse to ever divulge the keys under any circumstances, except to securely transport them to another HSM. That plus reasonable logical access controls on the HSMs, with separation of authority for all important operations, and strong physical security around the HSMs makes it virtually impossible for any attacker, no matter how skilled, sophisticated or well-funded, to get at the data.

    This really isn't rocket science. Lots of banks and lots of other security-conscious companies do this sort of thing all the time. Given who RSA's clientele was, if they'd gone to the NSA and asked for help they'd have gotten all the free consultation they needed from some of the best there are, if they'd needed it. Which they shouldn't have.

    Whether it was a sophisticated team from a world superpower or a couple of random script kiddies is really just a question of how much gross negligence.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
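A toy model of the key-custody regime swillden describes: token seeds are generated inside the module, used only to compute one-time codes, never readable in the clear, and leave only as an authenticated wrapped blob addressed to a peer HSM after two distinct approvers sign off. This is an added illustration, not RSA's or any HSM vendor's code; the HMAC-based wrap under a pre-shared transport key stands in for a real HSM's key-exchange protocol, and the HOTP-style code derivation is an assumption about the token algorithm.

```python
import hashlib, hmac, secrets, struct

class HsmKeyCustody:
    """Constructed model of an HSM that generates token seeds inside the
    module and never returns them in the clear."""

    def __init__(self, name, transport_key, approvers):
        self.name = name
        self._seeds = {}              # handle -> seed; never leaves the object
        self._tk = transport_key      # assumption: pre-shared with the peer HSM
        self._approvers = set(approvers)
        self.audit = []               # every sensitive call, allowed or denied

    def generate_seed(self):
        handle = f"{self.name}-tok-{len(self._seeds) + 1}"
        self._seeds[handle] = secrets.token_bytes(20)
        self.audit.append(("generate", handle))
        return handle

    def otp(self, handle, counter):
        # HOTP-style 6-digit code computed inside the module; only the code leaves
        msg = struct.pack(">Q", counter)
        mac = hmac.new(self._seeds[handle], msg, hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 1_000_000
        return f"{code:06d}"

    def read_seed(self, handle):
        # There is no clear-text export path at all, only an audit record of the attempt
        self.audit.append(("denied-read", handle))
        raise PermissionError("seeds are not exportable in the clear")

    def export_wrapped(self, handle, approvals):
        # Separation of authority: two distinct authorised approvers are required
        if len(set(approvals) & self._approvers) < 2:
            self.audit.append(("denied-export", handle))
            raise PermissionError("two distinct approvers required")
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self._tk, b"wrap" + nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(self._seeds[handle], stream))
        tag = hmac.new(self._tk, nonce + ct, hashlib.sha256).digest()
        self.audit.append(("export-wrapped", handle))
        return nonce + ct + tag

    def import_wrapped(self, blob):
        # Peer HSM verifies the tag before unwrapping; a tampered blob is rejected
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._tk, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("wrapped blob failed authentication")
        stream = hmac.new(self._tk, b"wrap" + nonce, hashlib.sha256).digest()
        handle = f"{self.name}-tok-{len(self._seeds) + 1}"
        self._seeds[handle] = bytes(a ^ b for a, b in zip(ct, stream))
        return handle
```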
  6. Not that sophisticated... by Vellmont · · Score: 5, Insightful

    The article is correct. APT is merely a buzzword to throw around to make the attack sound sophisticated. It was certainly a good attack, but it's hardly something that requires the resources of a "nation state". Individuals are constantly finding software flaws that are more sophisticated than what RSA was hit by. The attack merely combines social engineering (getting the victim to open the spreadsheet), a hidden payload of Flash packaged inside it, and a flash exploit. None of those are really that sophisticated, or particularly new.

    I don't think any details have been given about what happened once the initial machine was owned. But given that RSA is already trying to hack into something resembling "the hack of the century", AND the fact they didn't reveal tokens had been stolen until AFTER a stolen token was used in a Lockheed Martin attack, I'd say the opinion of RSA on who was involved can't be trusted.

    Speculation about the attacker based on who has an interest in breaking into Lockheed Martin is meaningless. I could come up with a dozen different explanations, all equally plausible, that wouldn't involve a nation state at all. Perhaps the first attacker breached RSA, then sold the stolen tokens to some other hacker. Without evidence to keep us honest, we can make up whatever theories we like.

    --
    AccountKiller