Forgot your password?
typodupeerror
Security IT

RSA Says SecurID Hack Based On Phishing With Flash 0-Day 153

Posted by timothy
from the not-straight-but-chaser dept.
Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."
This discussion has been archived. No new comments can be posted.

RSA Says SecurID Hack Based On Phishing With Flash 0-Day

Comments Filter:
  • And ActiveX (Score:5, Insightful)

    by EnigmaticSource (649695) on Saturday April 02, 2011 @02:21AM (#35692410) Homepage

    Or OCX (OLE, etc) lets another wolf into the flock. Embed by default is broken, and well terrifying.

    • Re:And ActiveX (Score:4, Informative)

      by LO0G (606364) on Saturday April 02, 2011 @10:10AM (#35693546)

      Ok, this gets on my nerves. ActiveX is a plugin framework. It is *exactly* the same as Mozilla's XPCOM. Both XPCOM and ActiveX carry the exact same set of vulnerabilities. There are only two differences between ActiveX controls and NPAPI plugins:
      1) NPAPI plugins are typically only hosted on mozilla.com. ActiveX controls can be hosted on any site.
      2) ActiveX controls are required to be digitally signed. NPAPI plugins aren't.

      The Wikipedia page on NPAPI [wikipedia.org] does a good job of describing the similarities.

      So don't blame ActiveX - blame the plugins. This attack could have been mounted against Firefox (after all it used a *flash* vulnerability and last I heard, flash was available for firefox).

      • I wasn't trashing ActiveX per se; but rather the idea the label represents, binary embedding in (an expected) document; or binary embedding period. I hope most people read that I dislike the idea, not the brand name.

        • by LO0G (606364)

          That's fair 'nuf and makes a lot of sense.

          Actually *any* architecture that runs plugins with full trust is fundimentally broken. This means ActiveX, NPAPI/XPCOM, Mozilla's XUL extensions (JS running with full trust that can interact with the DOM == scary). At least IE runs plugins in its sandbox (as does Chrome for some plugins like Flash).

      • by sjames (1099)

        Not exactly the same. The differences are the key. Look at Security [wikipedia.org].

        Another difference for the NPAPI is that implementations (prior to Mozilla Firefox, see below) did not automatically download or install missing plugins. A missing plugin caused the browser to display a jigsaw piece representing the plugin. If the user clicked on that they were directed to Netscape's plugin finder service where they could manually download and install the plugin for themselves. While this is inconvenient to the user, it is also an important security measure since it prevented the content using the browser as a vector for malware.

        and

        Mozilla Firefox attempts to present a middle ground. If a plugin is missing, it will notify the user that the plugin is missing and initiate a secure connection to a plugin finder service hosted on mozilla.org. The user can permit Firefox to download and install the plugin. This model prevents content specifying where a plugin should be downloaded from – the plugin finder service does. This enables Firefox to present a fairly seamless installation mechanism but limit the service to trusted and compatible plugins from reliable sources. This model implicitly trusts the plugin finder service to return "good" plugins, increasing the security required on the host site.

        The devil is in the details as usual.

        That's all moot here since it was a flash object embedded into an Excel spreadsheet sent as an email attachment that did the damage.

        • by LO0G (606364)

          I 100% agree with the analysis in the Security section (that's actually why I included the wikipedia link).

          However the core threats between NPAPI/XPCOM and ActiveX are identical. The two mechanism have different mitigation schemes (FF redirects the user to a secure download location that presumably holds up-to-date versions of the plugins, IE requires that all plugins be digitally signed, checks a CRL and has a blacklist of known bad plugins (and a phoenix list to redirect to a known good plugin)).

          Given th

    • by trifish (826353)

      You're fixing the thing at the wrong level. Try the element sitting behind the keyboard.

      (Hint: No matter how hardened your OS/browser is, there will always be unpatched security issues in them, and therefore 0-day exploits -- and yes, even in bare sans-Flash Linux or Firefox. The common element, the thing that always works for the attacker, is social-engineering, like in this case.)

  • Thanks again ADOBE (Score:3, Insightful)

    by Anonymous Coward on Saturday April 02, 2011 @02:28AM (#35692422)

    .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

    Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

    • by gnasher719 (869701) on Saturday April 02, 2011 @04:51AM (#35692726)

      Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

      100 million iPhone users and 20 million iPad users disagree.

      • by hey! (33014)

        Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

        100 million iPhone users and 20 million iPad users disagree.

        ** Lightbulb Illuminates ***

        Great Scott! They're all zombies! It's a giant army of undead customers animated with Steve Jobs' unholy juju! Aaargh!

      • by ildon (413912)

        You mean the 80 million iPhone and 16 million iPad users that also have a Windows PC, laptop, and/or netbook?

    • by trifish (826353) on Saturday April 02, 2011 @05:32AM (#35692826)

      .. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

      Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

      You're kidding right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being the kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the suprrise here) -- drumrolls -- Linux has 0-day exploits too.

      • by Sloppy (14984) on Saturday April 02, 2011 @09:47AM (#35693440) Homepage Journal

        The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

        RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).

        • The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

          You might as well argue that folks need to go back to the days of paper filing and abandon computers because viruses exist. How do you suppose an office will collaborate if none of the computers with network access can open network hosted documents? How are the computers with the word processor supposed to access those documents? How are they supposed to mail out the finished proposal?

          Just because there are attacks that can be mounted, doesnt mean there arent countermeasures. GPOs that disable embedding

      • by limaxray (1292094) on Saturday April 02, 2011 @09:49AM (#35693450) Homepage
        I think the difference is that we hear about 0-day exploits in Adobe software on a much more regular basis than in Linux or its associated software stack. It feels like Adobe announces another PDF or Flash vulnerability every month and that they have a complete disregard for secure practices.

        Combined with the fact that they still don't have a stable 64-bit release of Flash for any OS makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.

        Oh, and in the Linux world, we use tools like SELinux or Apparmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.
    • by Sloppy (14984)

      This is all Microsoft. It never would have worked, if Excel spreadsheets were actually "documents" (as we think of that word) rather than executable programs. It is fucking insane that people email that kind of thing around. If someone emails you an Excel spreadsheet, you should consider that equivalent to someone emailing you a program with the subject line, "Here, run this. I want your computer."

  • Set spam folder to auto-delete incoming.
  • Wait wait hold up (Score:5, Interesting)

    by atari2600a (1892574) on Saturday April 02, 2011 @02:39AM (#35692450)
    You can embed flash in excel files!? WHY WOULD YOU DO THAT
    • by Joce640k (829181) on Saturday April 02, 2011 @02:43AM (#35692454) Homepage

      You don't put background music in the spreadsheets you email to people? Weird. Numbers are so boring without some Slipknot playing.

    • by Anonymous Coward

      to give people infections?

    • 1. It looks good as a bullet point on a presentation explaining how this quarter's development is coming along.
      2. Some manager probably got a bonus for innovation for implementing the feature.
      3. You should use Microsoft products as much as possible. Not being able to embed flash into an Excel file might, someday, make someone not use Excel. This would be bad.
      4. Because it's technically possible. Why do web browsers store a list of every website you ever visited? Same reason, it's technically possible an
    • by cigawoot (1242378)

      Excel Embeds: Turning Excel files into MySpace pages one sheet at a time.

    • by Bengie (1121981)

      The real question is "why would you open an Excel file from an unknown sender?"

      • by mevets (322601)

        I think the real question is "why do you have to be afraid to open a spreadsheet?".

        I know FLASH is just the easiest way to get in - but does excel really need a way to run arbitrary code?

      • by jjohnson (62583)

        ... after retrieving it from the spam folder, no less.

        "Goddammit, there's gotta be pics of Anna Kournikova one of these times..."

    • Well I've seen it used for flash games whose websites are normally blocked...
    • Work for a company that doesn't allow you to have a compiler for a while and you'll understand. Embedded software in office documents is pretty much how I made it into a "real" job. When a managers options are: Hire 3 temps OR Have your programming department quote you a $30k project that will take 6 months and run over budget OR have that smart guy over there spend half an hour writing a script in an excel file... your choice is kind of made for you.
  • by rtfa-troll (1340807) on Saturday April 02, 2011 @02:51AM (#35692466)
    Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au]:

    has the securid seeds database been compromised?

    anything else you announce is fluff.

    • by 93 Escort Wagon (326346) on Saturday April 02, 2011 @03:04AM (#35692492)

      Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au]:

      has the securid seeds database been compromised?

      anything else you announce is fluff.

      We use a LOT of SecurID tokens at our university, and the group that manages them has been way too quiet since this happened. But today they sent an email out - no mention of the RSA breach, just that they have decided to "retire the SecurID tokens early to save money" and are replacing them with a different product.

      So I'm guessing they think the seeds database has been compromised.

      • Yes; fun fun fun. It's good the way they let a mafia of MSCE certified IT administrators pretend they didn't screw up by choosing SecurID and letting them keep the seed info whilst their real customers, the people who have their systems and data secured with SecurID, don't know squat about what's going on.
      • Ditto (Score:4, Interesting)

        by Kludge (13653) on Saturday April 02, 2011 @07:14AM (#35692998)

        At my work we used to use the RSA token and a 4 number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
        Now we have to use our RSA token and an 8 letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
        They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.

    • by rtfa-troll (1340807) on Saturday April 02, 2011 @04:49AM (#35692724)

      And just to amplify this with a bit of Wikipedia manipulation; have a look at this edit [wikipedia.org] which comes from 128-221-197-57.emc.com, Where EMC is RSA's parent company, which I found from this article [wordpress.com] which also includes an RSA letter which they are supposedly sending out to customers.

      Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.

      • by jd (1658)

        The first of the removed paragraphs could be considered "original research" (banned on Wikipedia). I'm of the opinion that linear deductions are not research, but automatically follow. However, I've had a few entries edited out as "original research" myself and know that Wikipedia takes the rule extremely seriously even if it is to the point of absurdity.

        The rest of the paragraphs are more inflamatory/op-ed and don't belong in an encyclopedia setting. They may be technically correct (only RSA knows) but the

        • The edit was incorrect in any case. There are pretty clear Wikipedia policies limiting editing of your right to edit articles about yourself. The edit didn't clearly state who it was from. The editor should have copied the text to the talk page for discussion. There were facts which have been referred to elsewhere on news sites (e.g. the existence of an RSA letter to customers) which were simply deleted. Most importantly, all of the speculation referred to in the edit does exist in widely known sourc

    • by AftanGustur (7715)
      The short answer is "The attackers almost certainly stole enough information to compromise the token authentication"

      Those in-the-known, i.e. government agencies, have or are adding 3-factor authentication. That is.. In addition to the RSA token and a passcode, they are adding a second passcode, most often the user's intranet password (Windows Domain).

      So until they tell me the truth, I will draw my own conclusions from what I know.

    • by wkk2 (808881)

      I think real question is why doesn't the customer initialize the token. There are lots of interface options to initialize a small token: I2C, USB, even IR.

    • by hey! (33014) on Saturday April 02, 2011 @08:50AM (#35693246) Homepage Journal

      Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.

      This is going to cost RSA a lot more than sales of its SecureID product. People buy this product, not because they have analyzed the system and decided it is architecturally secure; they bought it because they trusted RSA. RSA was founded by the most illustrious minds in the field. I was looking at some RSA job postings recently, and they don't appear to hire anybody who doesn't have a PhD. RSA is supposed to be the company that knows how to do things right. That means they knowingly produced a system that violated stuff you learn in Chapter 1 of a basic crypto text, and then induced customers to rely on that system for security.

      RSA reputation, meet porcelain bowl.

      I want to be clear I'm not criticizing RSA for the security breach. I'm criticizing them for inducing customers to rely on a system that becomes irreparably untrustworthy after a single event that was bound to happen sooner or later.

      • by Culture20 (968837)

        Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.

        The token system isn't anything like DRM in Sony playstations. Each token is unique, and the only way to break the system was the access RSA's database. The system still works though, because RSA doesn't keep a database of which "something you have" goes with which "something you know". It can be narrowed down per company, but there's still a lot of guesswork and lockouts involved.

        • by hey! (33014)

          Never said it was like DRM. The point is: they lost the secret, and the *system* is irretrievably compromised. It doesn't matter where the secret was stored, it was still baked in.

      • by jd (1658)

        The underlying problem, though, is that you can never know if something is secret, you can only know if something is not secret. Thus, you have a paradox - the only way to know if something was secret is to share it and see if anyone else already knew.

        As such, any system based on secrets of any kind whatsoever is inherently flawed because it is dependent on an assumption that is provably unprovable.

        This is why you will see the phrase "security through obscurity is no security at all".

        The catch is that publi

    • by Joce640k (829181)

      If I was writing a trojan to hack RSA I wouldn't send the CEO an email saying exactly what was compromised.

      In fact I'd try to leave as few traces and as many doubts as possible.

  • by houghi (78078) on Saturday April 02, 2011 @02:55AM (#35692476)

    "BIATCH confirmed on Friday that the attack that compromised her high-value NoPrego product was essentially a small, targeted phushing campaign that included a payload of a malicious Flesh object embedded in a broken Trojan."

  • ... would I have fallen for such a phishing attack? And the answer is - yes, quite probably

    and I wonder, how would I protect against it? And I come up with very few practical ideas.

    Anyone?

    • by antifoidulus (807088) on Saturday April 02, 2011 @03:28AM (#35692546) Homepage Journal
      Um, not opening Excel or Flash files on computers that access the database would be a start. Furthermore sanboxing, and lots of it. Not running the most insecure OS on the planet would help too. The people at RSA really should have known better.
      • Not running the most insecure OS on the planet would help too.

        Usually as employee you cannot decide that.

      • by Anonymous Coward on Saturday April 02, 2011 @03:57AM (#35692630)

        Not running the most insecure OS on the planet would help too.

        Where in the article they say that OSX is being used?

      • Um, not opening Excel or Flash files on computers that access the database

        What if the "database" is an Excel file?

        • What if the "database" is an Excel file?

          Then RSA needs to be nuked from orbit, as it's the only way to be sure....

      • If I read the article right, it wasn't as simple as that. The people who opened the phising email were regular employees with little or no access to valuable data. The hackers used these accounts as a springboard to get to the employees who do have access to the good stuff. Once you control a few accounts, phishing suddenly becomes real easy... Using something other than Windows doesn't really help anymore at that point.

        I do agree with sandboxing: many companies still take a "walled garden" approach
        • Re: (Score:2, Interesting)

          by Anonymous Coward

          They haven't stated how the hackers progressed from the low value employee workstations to higher value systems...

          Although this is just a guess, based on my experience of other organisations they typically use active directory to manage everything from low level employee workstations, to high value servers... Elevating yourself from a low value workstation to domain admin using tools such as incognito, lsadump or hash passing is relatively easy and from there you have a very good chance of getting access to

        • by Rich0 (548339) on Saturday April 02, 2011 @07:05AM (#35692970) Homepage

          Corporate IT security is like a slot machine that costs 25 cents to play, with a payout schedule that pays $1 on average, but one out of every 1M pulls you lose $10M.

          The IT manager who ultra-secures their systems gets tons of complaints, and the company becomes less nimble than their competition who don't bother to secure (there is a real cost when you make it harder for your employees to communicate and work together).

          So, if you're an IT manager who promotes strong security you quickly lose your job to somebody who doesn't.

          Then every once in a while one of these insecure managers pulls the lever and loses the company a lot of money. The manager is blamed for lax security and fired. The replacement will start out being more secure, and once the spotlight is off they'll go back to doing exactly what their predecessor did, and they'll get bonuses because there isn't a repeat of the huge loss and things are just as efficient as before. That must mean he is doing his job right, right?

          I've been finding that successful executives these days really are just lucky. They enact risky policies that have short term gains, pocket bonuses from these gains, and try to move on before it comes back to hurt them. Many get terminated, but those who don't shoot way up the ladder. What passes for due diligence at the CxO level isn't about preventing problems, but instead punishing whoever was left standing without a chair when the music stopped.

      • by Angostura (703910)

        How about opening an Excel file on a computer that can access a computer that can access a computer that can access the database?

      • by IBitOBear (410965)

        Friends don't ask Friends to "open" programs that pretend to be documents, that are run by interpreters that pretend to be office productivity applications, that have full access with administrative privileges, let alone on machines that have any data that anybody actually cares about...

        Microsoft... Where do you think your data _didn't_ go _today_?

        • Microsoft... Where do you think your data _didn't_ go _today_?

          You are really dating yourself there.
           
          Dammit, I just dated myself by getting the reference.

      • And I'm sure the people at RSA are doing the same thing that every other large institution/business is doing: Cutting costs. Those imaginary people at RSA you speak of cost money to train and retain. This was bound to happen, as soon as the primary focus switched from providing secure products to maximizing profits. I'm imagining a scenario like this:

        Executive 1: Q2 close is coming up. Are we going to make our numbers?
        Accountant 1: No sir, it doesn't look like it
        Executive 1: Let's cut costs. Lay off some fo

    • Well, if it ends up in your junk folder, you simply should ask yourself why it went there. And take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.

      Of course if they have a collaborator inside the company network (or maybe can send the mail from another compromised company computer) that precaution measure probably won't help.

      • take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.

        I noticed a couple of things about windows: users inside the company compulsively send attachments to the point where people open them without thinking. Outlook adds external users to its address book, then hides domain name information when it displays that user. It can be hard to tell what is internal mail and what is not.

    • by hey (83763)

      Avoid Excel?

    • Don't open anything flagged as spam until you've read the full headers?
      Don't use Excel as your first option when reading e-mail attachments?
      Run off of a read-only file system?
      Convert every excel file to CSV before opening?
      View using Google Docs or one of its clones? (Not that I advocate using Google's tools in general...)
      Open nonessentials on a different computer with restrictive security settings? Don't use Windows?

      The possibilities are endless.

      Realistically, it's not possible to stop an attacke
      • View using Google Docs or one of its clones?

        Yeah, your employer will love it if you open internal company documents (and the document posed as internal company document) through a server of another company ...
        </sarcasm>

        • I don't recall any indication of or basis for a reasonable inference that the Excel file was posed as an internal document. All the article said was that it was intriguing enough for someone to pull it out of the spam folder. General practice in internal IT and network administration is to whitelist internal emails and toss anything suspicious into spam, if not blacklist it entirely.

          Again, I'm not a fan of using Google Docs, but I'd much rather let their servers clobber a zero-day than let it in through t
      • by Angostura (703910)

        I am reminded of a line from the comedy series "Twenty Twelve". "Is it just me, or is the common thread running though these possibilities that they aren't actually possibilities?"

        "Sorry boss, can you pop that spreadsheet onto a floppy for me, so that I can open it on a quarantine machine".

        • Let's have a look at the simplest. How exactly is not dragging suspicious emails out of your spam folder and opening their attachments an impossible option?
    • Don't keep your database of nuclear launch codes on your gaming PC. Use a non networked computer instead.
  • If they were to add a .nexls (non executables or something similar) file type that companies needing a bit of security could use that only had stuff a normal spread sheet has values, borders, charts, formulas ... (and something similar for word).
    Of course it would be hard to add new features to these versions and therefore sell updates and completing products would be able implement the standard pretty quickly.

  • Microsoft, Adobe, e-mail and stupid people. Seriously, the internal security is just as important as external - too bad almost no large organization heeds these warnings and continues to trust all their users and their computers as being safe and secure. My organization thinks because you're on the internal network, you don't need encryption necessarily for passwords and the like, they actually call it the Secure Network whereas the unencrypted wireless and the network that links up to external providers ar

  • And this "event" does too.

    In a week or so they will admit that "some seeds" were stolen, a week or two later, it will be a "significant number of seeds" and some more weeks later it will be "all seeds".

    The real question is however this: Why the hell were the seeds accessible over the network? Are these people totally and utterly incompetent? Even the mere possibility of a seed database compromise over the net (and they have indirectly, but conclusively confirmed this, as it is the only part of the system th

  • > RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file." ..

    Don't open email attachments on a Windows computer that is used to control your SecurID product ...

    • by darkonc (47285)
      The users attacked weren't the final targets.. It was probably something like a receptionist or other non-technical staff that was used as the shoe-horn to get into the system. RTFA
  • I thought they were a security company!

    I mean, it's not like there are no known Linux exploits, but -- when you've got average users using windows for day-to-day work, it's just a matter of time....

    Security by obscurity, but -- among other things -- the attacker would, have to figure out that you're not using Windows.

The reason that every major university maintains a department of mathematics is that it's cheaper than institutionalizing all those people.

Working...