
Was This the Phishing E-mail That Took Down RSA?

Posted by Soulskill
from the hello-sir-madam dept.
alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."
  • Keep your systems separate. If you have important keys and they don't need to be on a network when they aren't in use, don't put them on a network. Don't give people more privileges than they need to do their jobs. That does have the secondary issue that if you go too far in that direction then people will try to get around your security measures and might open up holes in the process, and they won't take security as seriously. So you need to balance that. Also, never open up attachments that you don't know
  • Warning about FTA (Score:4, Insightful)

    by Hijacked Public (999535) on Friday August 26, 2011 @09:48AM (#37218182)

    Looking closer, Hirvonen found that the file seemed to match RSA's description in possible every way.

    I assumed this was a poorly translated phishing article and immediately closed my browser window and reinstalled Windows.

  • beyond the how part. The most telling part of the article is:

    "That's a pretty embarrassing example for RSA," he said. "It tells you that in any reasonably sized company, including a security company, there's someone who will do something really dumb."

    The world's second oldest profession has been exploiting that weakness forever. The key to information is not to compromise the leaders; you get in via the support staff. They're not thinking security. It's amazing what a simple phone call can net in terms of information, even if you are up front with what you are looking for and why you want it. The internet just makes it easier to reach them and provides new tools to extract information.

    • by Scutter (18425) on Friday August 26, 2011 @09:58AM (#37218304) Journal

      I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.

      That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.

      • I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.

        While I agree with you in general, and would add that a number of root causes for the infection should be explored, the user did apparently retrieve it from the trash prior to opening it. That tells me either their spam filter causes a lot of false positives and users are used to checking junk mail for real messages, indicating a systemic problem; junk email shows up in their inbox and is just flagged, another systemic problem; or, the user really wasn't trained on why email goes to buck and what to do if th

        • If this was a multi-step attack, rather than just stopping the first phishing email, wouldn't detection anywhere further up the chain also have limited the damage?
      • I DO fault RSA for not compartmentalizing their security. A compromise of a user desktop should be expected. The fact that this foothold let someone get to the token seeds suggests some serious design and procedural negligence on RSA's part. The damage should have been limited to some emails getting leaked, not a compromise of their most vital secrets.

  • by sandytaru (1158959) on Friday August 26, 2011 @09:54AM (#37218264) Journal
    End users aren't always that stupid, but some of them are, and the others can be distracted and not really pay attention and accidentally open something they otherwise wouldn't have. This is why it's vital to have automated spam and virus detection on the backend. A few weeks ago I noticed Exchange catching and cleaning up viruses that were coming from the computer of a manager of one of our client companies - the person in charge of the whole darn operation had managed to get her PC infected. Exchange caught the viruses before they were sent off to other PCs in the network, but we had to completely wipe down that person's computer to get rid of it for good. All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.
  • How do you own someone with an XLS file nowadays?!

    (I'm assuming, "How dangerous can it be? It's not an executable!" is exactly what the hapless employee who opened it was thinking too...)

    • Having now read TFA (always a good policy), it looks like a Flash exploit was involved. Maybe the Flash applet was embedded using OLE?

    • by ahecht (567934)

      It wasn't a macro, it was an embedded Adobe Flash object.

      • by X0563511 (793323)

        So it wasn't just a ball of mud, it was a ball of mud with a nugget of shit in the middle?

    • by Inda (580031)
      This work PC is locked down to the wire. One of my jobs is to write Excel spreadsheets including VBA.

      Accessing the FSO (File System Object) is child's play. I can read, write and delete anything I have access to on the network.

      It's that easy. Still.

      And then there's the Windows APIs I can access through VBA...

      And I'm pretty poor at doing this stuff (but better than 99% of the office workers)
    • by rgviza (1303161)
      get them to click "Run macros" or whatever the dialog says
  • by Blackeagle_Falcon (784253) on Friday August 26, 2011 @10:14AM (#37218490)
    I join F-Secure in asking, "why the heck does Excel support embedded Flash"?
    • by maxwell demon (590494) on Friday August 26, 2011 @10:29AM (#37218696) Journal

      Indeed, there should be a strict separation between documents (things you merely view and possibly edit) and programs (things which do something). Unfortunately that line has been crossed by about every document format, from office files (Word, Excel, ...) over HTML (JavaScript) to PDF.

      There should be a set of standard document formats which are guaranteed to not contain any executable code whatsoever, so except for possibly exploiting buffer overflows in interpreting code, displaying the documents is safe. It should be impossible by specification to insert any "active content", i.e. programs, in such documents.

      • by KliX (164895)

        Dude, once a stream is being parsed, you are always screwed. There will always be a security hole.

        Doesn't matter if the 'executable' code is essentially in the document; or the document itself, running against a parser.

        They're really the same thing.

      • Much of the success of Apple, object-oriented systems in general, and later NeXT and the World Wide Web (which was inspired by the NeXT on Berners-Lee's desk), was due to the ability to support 'rich' documents. Back in 1989 being able to send an audio or video file to an associate as part of an email, or incorporate as a natural part of a shared document, was pretty much the 'killer app' for the NeXT. So this raises the question, "How do we define 'executable' in this context?"

        For example, a video might

      • by sorak (246725)

        Or we could just provide a "security" mode. MS Office just makes a feature that says "no macros or flash of any kind in anything that gets opened". They may already have it, but it is hidden in a dialog box that takes twelve clicks to get to, and will be moved to a different location once Office 2011.5 comes out. Anyway, my big innovation is (wait for it)...

        Put it on the ribbon.

        That's right! Don't hide the "prevent me from fucking over the entire company because i don't need a motherfucking punch the monkey

      • Indeed, there should be a strict separation between documents (things you merely view and possibly edit) and programs (things which do something).

        There aren't just two buckets (documents and programs). There is an entire spectrum that starts with documents (what I'd call declarative knowledge) and ends with programs (imperative knowledge). In between are things like SQL and Regular Expressions and so forth. The middle of that spectrum is actually pretty interesting because you start to gain a lot of funct

      • by Cecil (37810)

        Well... there's ASCII.

    • by owlstead (636356)

      And as an engineer, I would say: because it shares a code base with other Microsoft products. But that does not make it less wrong. And the problem is twofold: why does it support it at all, widening the attack surface, and why do Excel, and then the OS, allow it to compromise security in such a way. IMHO, talking security is about talking "security layers", and both at RSA and with current operating environments, the layers allow for too much to slip by.

    • by rb12345 (1170423)

      It's not that it supports embedded Flash, it's that it supports embedded COM objects, which includes OLE and ActiveX. Now, if you're including embedded Word documents, charts, images and equations, it's great. If you want to write your own custom control for your own purposes, that might also be useful! It also means that you can embed Flash and Media Player as a side-effect.

      The downside is that Excel (and any other program that can embed such objects in their files) can be used to exploit bugs in an
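A mail-gateway triage check for the embedding point rb12345 makes, added here as example code (not from the article, F-Secure, or Microsoft): it flags Excel attachments that carry embedded OLE objects and looks for a Flash (SWF) header inside them, covering both the legacy OLE2 container and the OOXML zip layout. The sample attachments are constructed inside the block, and the signature table and the version-byte heuristic are the example's own assumptions.

```python
import io
import zipfile

# Constructed signature table for this example: the three SWF (Flash) header magics and
# the OLE2 compound-file magic that legacy binary .xls/.doc containers start with.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_swf(data: bytes) -> bool:
    """True if an SWF header (3-byte magic, version byte, uint32 length) appears in the blob.
    The version-byte range check is a heuristic that trims accidental 3-byte matches."""
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if len(data) >= pos + 8 and 1 <= data[pos + 3] <= 64:
                return True
            pos = data.find(magic, pos + 1)
    return False


def triage_attachment(data: bytes) -> list:
    """Return findings for one attachment blob; an empty list means nothing was flagged."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Legacy OLE2 container: a whole-file signature scan is the cheapest first look.
        findings.append("ole2-container")
        if find_swf(data):
            findings.append("embedded-swf")
    elif data[:2] == b"PK":
        # OOXML (.xlsx/.docx): a zip whose embedded OLE objects live under */embeddings/.
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return ["unreadable-zip"]
        for info in zf.infolist():
            if "/embeddings/" in info.filename.lower():
                findings.append("ooxml-embedding:" + info.filename)
                if find_swf(zf.read(info)):
                    findings.append("embedded-swf:" + info.filename)
    return findings


def build_sample_ooxml() -> bytes:
    """Constructed .xlsx whose single embedded OLE object carries a compressed-SWF (CWS) header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/embeddings/oleObject1.bin", b"CWS\x0a" + (64).to_bytes(4, "little") + b"\x00" * 56)
    return buf.getvalue()


def build_sample_ole2() -> bytes:
    """Constructed OLE2 blob: magic, filler, then an uncompressed-SWF (FWS) header buried inside."""
    return OLE2_MAGIC + b"\x00" * 504 + b"FWS\x09" + (32).to_bytes(4, "little") + b"\x00" * 24
```

A hit is a reason to quarantine and inspect the attachment, not proof of an exploit; a benign embedded chart or Word object also lands under embeddings and is reported as such.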

  • by Trufagus (1803250) on Friday August 26, 2011 @10:16AM (#37218510)

    So an anti-virus company, always on the lookout for free publicity, claims that it has come across what might have been the e-mail that took down the RSA.

    And this makes the news?

    In case you hadn't noticed, the anti-virus companies will claim anything to get noticed these days.

    • by hAckz0r (989977)
      Not only that, but the RSA people submitted the email to Virus Total and it passed all tests, including the one from F-Secure. In effect, their product did nothing to prevent the exploitation, or even detect it. Why do you think they wanted the email so bad as to search throughout millions of submitted files for weeks? They needed the sample to build a "signature" for the custom exploit so they could say that their snake oil works wonders.

      AV products are a losing battle. If you have to get shot first

  • by Lumpy (12016) on Friday August 26, 2011 @10:18AM (#37218554) Homepage

    If you use a commodity OS inside your secure network, you will get hacked and you will get it knocked over.

    If you have a high security network and run windows and office on it, it's not high security anymore.

    You run apps and operating systems rated for the security that are tightened down. Only a moron would let someone edit a spreadsheet on a PC that is connected to the secure network. You flip to the insecure network machine for tasks like that. No connections between them other than the eyeballs and fingers of the user.

    • There are spreadsheets that contain data that the company needs to be kept secure. If the argument is that they should be in gnumeric or open office that's one thing, but even they have scripting languages in them. Furthermore there is source that needs to be written and compiled and tested in secure environments. Simply denying the user all access to executable languages is not an option for some secure systems. Even denying physical access is probably not possible in some test labs. What fits for NOR

  • All you need to do is provide a hap to every employee on their first day of work. Then, later just have an annual hap screening to make sure everyone still has one. Haps can be expensive, but the cost of employees being hapless is much higher.

    • Every New Hire Pack should have the following to be given to the New Hire

      1 a current employee handbook (in a readable language)
      2 a Hap
      3 a Round Tuit
      4 a Clue
      5 whatever else is normally provided
      6 that stack of paperwork that various departments need for a New Hire

  • I am intrigued that RSA forwards their emails to a free virus scanning service. I should start my own service. Any company with highly sensitive information is welcome to send it all to me. Don't worry though: we have a posted privacy policy somewhere on our web site.

    Ooh, even better idea! How about sending all your passwords to my free service too, and I'll let you know if any of them are insecure!

  • I used to work for one of the world's leading sporting goods companies. We had contractors onsite with the same network/desktop configuration and access as full time employees. At least one of these outsourced but in-house contractors was stupid enough to fall for pretty much any phishing/fake anti-virus/whatever scheme you can come up with. I have no doubt that any company in the US (what does that mean any more, anyway?) could be compromised given enough persistence and relentless effort to find THAT GUY.
