RSA Says SecurID Hack Based On Phishing With Flash 0-Day
Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."
Wait wait hold up (Score:5, Interesting)
Simple question: securid seeds? (Score:5, Interesting)
Has the SecurID seeds database been compromised?
Anything else you announce is fluff.
Re:And I think to myself... (Score:2, Interesting)
They haven't stated how the hackers progressed from the low value employee workstations to higher value systems...
Although this is just a guess, based on my experience of other organisations they typically use active directory to manage everything from low level employee workstations, to high value servers... Elevating yourself from a low value workstation to domain admin using tools such as incognito, lsadump or hash passing is relatively easy and from there you have a very good chance of getting access to crucial systems...
Even in companies which try to separate critical functions away from general office stuff (which I would assume RSA did), if you take over the sysadmin workstations (which usually are linked to the active directory domain) then you can start keylogging or hijacking their existing sessions and getting into other stuff. Some companies also have central databases containing passwords protected by something as weak as active directory!
Re:Simple question: securid seeds? (Score:5, Interesting)
And just to amplify this with a bit of Wikipedia manipulation; have a look at this edit [wikipedia.org] which comes from 128-221-197-57.emc.com, where EMC is RSA's parent company, which I found from this article [wordpress.com] which also includes an RSA letter which they are supposedly sending out to customers.
Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.
Ditto (Score:4, Interesting)
At my work we used to use the RSA token and a 4 number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
Now we have to use our RSA token and an 8 letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.
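A small risk model, added here and not part of the thread or of any RSA material, that puts numbers on the policy change the comment above describes: how much of the login's strength rests on the user-chosen PIN versus the tokencode, under the old policy (4-digit PIN, lockout after 5 failures) and the new one (8-character PIN, lockout after 3), with and without the token seed being known to an attacker. It assumes a 6-digit tokencode, a 36-symbol alphabet for the alphanumeric PIN, uniformly chosen PINs, and one unlock per lockout cycle; all of these are assumptions, not facts from the thread.

```python
import math

# Constructed parameters taken from the comment's description of the two policies.
OLD_POLICY = {"pin_len": 4, "alphabet": 10, "lockout": 5}   # numeric PIN, 5 failures
NEW_POLICY = {"pin_len": 8, "alphabet": 36, "lockout": 3}   # letter/number PIN, 3 failures
TOKENCODE_SPACE = 10 ** 6  # assumption: 6-digit tokencode that changes every window


def pin_space(pin_len: int, alphabet: int) -> int:
    """Number of possible PINs of pin_len symbols from an alphabet of that size."""
    return alphabet ** pin_len


def bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen secret drawn from `space` values."""
    return math.log2(space)


def success_probability(space: int, attempts: int, seed_compromised: bool,
                        tokencode_space: int = TOKENCODE_SPACE) -> float:
    """Chance that an online guesser gets in within `attempts` login attempts.

    seed_compromised=True: the attacker can compute the tokencode, so only the
    PIN is unknown; distinct PIN guesses never repeat, so p = attempts / space.
    seed_compromised=False: the tokencode changes between attempts, so each guess
    is an independent draw from space * tokencode_space: p = 1 - (1 - 1/N)^attempts.
    """
    if seed_compromised:
        return min(1.0, attempts / space)
    n = space * tokencode_space
    return 1.0 - (1.0 - 1.0 / n) ** attempts


def evaluate(policy: dict, unlock_cycles: int = 1) -> dict:
    """Summarise one policy: PIN entropy and guess success with/without the seed.
    Each lockout cycle gives the attacker `lockout` attempts before the account locks."""
    space = pin_space(policy["pin_len"], policy["alphabet"])
    attempts = policy["lockout"] * unlock_cycles
    return {
        "pin_bits": bits(space),
        "total_bits": bits(space * TOKENCODE_SPACE),
        "p_seed_known": success_probability(space, attempts, True),
        "p_seed_secret": success_probability(space, attempts, False),
    }


if __name__ == "__main__":
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, {k: f"{v:.3g}" for k, v in evaluate(policy).items()})
```

With the seed known, the old policy leaves an attacker one chance in 2000 per lockout cycle, while the new policy drops that to roughly one in 10^12; without the seed both are far below that, which is exactly why the commenter reads the change as shifting the burden onto the PIN.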