RSA Says SecurID Hack Based On Phishing With Flash 0-Day
Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."
And ActiveX (Score:5, Insightful)
Or OCX (OLE, etc) lets another wolf into the flock. Embed by default is broken, and well terrifying.
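The lure described in the summary, a Flash object embedded in an Excel file, is detectable before the file ever reaches a user's Office install. Below is an added example (not code from the article, RSA, or any commenter) of a defensive triage scanner for OOXML packages (.xlsx/.docx/.pptx): it lists the package parts where embedded ActiveX controls and OLE objects live and flags any that declare the well-known CLSID of the Shockwave Flash control or carry raw SWF magic bytes. The sample workbook it scans is constructed in memory, so it runs offline; the function and variable names are this example's own.

```python
import io
import re
import zipfile

# Well-known CLSID of the "Shockwave Flash Object" ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# Package parts where OOXML stores embedded ActiveX controls and OLE objects.
EMBED_PREFIXES = (
    "xl/activeX/", "xl/embeddings/",
    "word/activeX/", "word/embeddings/",
    "ppt/activeX/", "ppt/embeddings/",
)

# Matches classid="{GUID}" (also ax:classid="...") inside activeX*.xml parts.
CLASSID_RE = re.compile(r'classid="\{?([0-9A-Fa-f-]{36})\}?"')

# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def scan_ooxml(data: bytes) -> list:
    """Return one finding per embedded object/control part in an OOXML package.

    Each finding is {"part": <zip entry name>, "flash": <bool>}; "flash" is True
    when the part declares the Flash CLSID or starts with SWF magic bytes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith(EMBED_PREFIXES):
                continue
            blob = zf.read(name)
            if name.lower().endswith(".xml"):
                text = blob.decode("utf-8", errors="replace")
                is_flash = any(m.group(1).upper() == FLASH_CLSID
                               for m in CLASSID_RE.finditer(text))
            else:
                is_flash = blob[:3] in SWF_MAGIC
            findings.append({"part": name, "flash": is_flash})
    return findings


def verdict(data: bytes) -> str:
    """Collapse the findings into a triage label a mail gateway rule could act on."""
    findings = scan_ooxml(data)
    if any(f["flash"] for f in findings):
        return "block: embedded Flash object"
    if findings:
        return "review: embedded object/ActiveX present"
    return "clean: no embedded objects"


def build_sample(include_flash: bool) -> bytes:
    """Construct a minimal xlsx-like package in memory (constructed test data,
    not a real workbook). With include_flash it carries an ActiveX part that
    declares the Flash control, the shape of the lure the summary describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if include_flash:
            zf.writestr(
                "xl/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
                'ax:persistence="persistStreamInit"/>',
            )
            # Binary persistence blob of the control; its contents do not matter here.
            zf.writestr("xl/activeX/activeX1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, verdict(build_sample(flag)))
```

Note that this covers only the zip-based OOXML formats; a legacy binary .xls is an OLE2 compound file and needs an OLE parser (for example the olefile library) to walk its streams, which this example does not attempt. The policy choice is deliberate: any embedded object earns a review, and Flash specifically earns a block, because a workbook almost never has a legitimate reason to carry a Flash control.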
Thanks again ADOBE (Score:3, Insightful)
.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc
Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.
Re:And then people wonder (Score:2, Insightful)
Why Jobs doesn't want that POS on iPhones or iPads!
Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
Re:And then people wonder (Score:4, Insightful)
Why Jobs doesn't want that POS on iPhones or iPads!
Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
The only thing you got correct in your post is that this was a phishing attack.
Re:Thanks again ADOBE (Score:4, Insightful)
Sad part is trying to live without Flush [sic] and MS, is darned near impossible.
100 million iPhone users and 20 million iPad users disagree.
Re:Thanks again ADOBE (Score:5, Insightful)
.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc
Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.
You're kidding, right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being the kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the surprise here) -- drum roll -- Linux has 0-day exploits too.
Re:And I think to myself... (Score:4, Insightful)
Corporate IT security is like a slot machine that costs 25 cents to play, with a payout schedule that pays $1 on average, but one out of every 1M pulls you lose $10M.
The IT manager who ultra-secures their systems gets tons of complaints, and the company becomes less nimble than their competition who don't bother to secure (there is a real cost when you make it harder for your employees to communicate and work together).
So, if you're an IT manager who promotes strong security you quickly lose your job to somebody who doesn't.
Then every once in a while one of these insecure managers pulls the lever and loses the company a lot of money. The manager is blamed for lax security and fired. The replacement will start out being more secure, and once the spotlight is off they'll go back to doing exactly what their predecessor did, and they'll get bonuses because there isn't a repeat of the huge loss and things are just as efficient as before. That must mean he is doing his job right, right?
I've been finding that successful executives these days really are just lucky. They enact risky policies that have short term gains, pocket bonuses from these gains, and try to move on before it comes back to hurt them. Many get terminated, but those who don't shoot way up the ladder. What passes for due diligence at the CxO level isn't about preventing problems, but instead punishing whoever was left standing without a chair when the music stopped.
Re:Simple question: securid seeds? (Score:4, Insightful)
Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.
This is going to cost RSA a lot more than sales of its SecurID product. People buy this product, not because they have analyzed the system and decided it is architecturally secure; they bought it because they trusted RSA. RSA was founded by the most illustrious minds in the field. I was looking at some RSA job postings recently, and they don't appear to hire anybody who doesn't have a PhD. RSA is supposed to be the company that knows how to do things right. That means they knowingly produced a system that violated stuff you learn in Chapter 1 of a basic crypto text, and then induced customers to rely on that system for security.
RSA reputation, meet porcelain bowl.
I want to be clear I'm not criticizing RSA for the security breach. I'm criticizing them for inducing customers to rely on a system that becomes irreparably untrustworthy after a single event that was bound to happen sooner or later.
THIS one barely counts as social engineering (Score:5, Insightful)
The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS Excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.
RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).
Re:Thanks again ADOBE (Score:5, Insightful)
Combined with the fact that they still don't have a stable 64-bit release of Flash for any OS, this makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.
Oh, and in the Linux world, we use tools like SELinux or Apparmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.
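As an added illustration of the confinement the comment above refers to (this is not the commenter's own profile, nor one shipped by any distribution), here is a hypothetical AppArmor profile for a spreadsheet application. The binary path, the document directories and the abstraction names are assumptions for the example; the point is what a hijacked workbook loses: the network, the ability to spawn a shell, and any read of credential material.

```apparmor
#include <tunables/global>

# Hypothetical profile; the binary path is assumed for illustration.
/usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The application may read its own installation tree and execute only its own helpers.
  /usr/lib/libreoffice/** r,
  /usr/lib/libreoffice/program/** ix,

  # Documents and settings are confined to the user's own directories.
  owner @{HOME}/Documents/** rw,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.config/libreoffice/** rw,

  # A hijacked workbook must not reach the network or launch a shell.
  deny network,
  deny /bin/** x,
  deny /usr/bin/** x,

  # Log any attempt to touch credential material, then refuse it.
  audit deny @{HOME}/.ssh/** rwklx,
  audit deny @{HOME}/.gnupg/** rwklx,
  audit deny /etc/shadow r,
}
```

Load such a profile in complain mode first (aa-complain) and watch the audit log for legitimate accesses the profile is missing before switching it to enforce mode; the audit deny lines are what give a SOC a signal when a document-borne payload starts looking for keys.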