RSA Blames Nation State For Cyber Attack 145
An anonymous reader writes "Security firm RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products. Speaking at the RSA Security Conference in London, RSA executive chairman Art Coviello described the high profile attack thus: 'There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state.' Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects. Could it be that the firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect its image?"
Defective as designed. (Score:5, Insightful)
Any design that held all the keys in a central database that was not changeable by the end-user organization was defective-as-designed, IMHO.
Surprisingly Poor Security Policy (Score:5, Insightful)
RSA should never have allowed systems containing anything related to SecureID beyond marketing data be connected to a network with an Internet connection. SecureID development should have been restricted to a physically separate (air-gapped) network.
Why would I ever want to trust any security company who would make such a fundamental mistake?
Re:Surprisingly Poor Security Policy (Score:4, Insightful)
Why would I ever want to trust any security company who would make such a fundamental mistake?
Because you like to play golf with their sales rep and he takes you out to expensive restaurants?
It had to be a nation-state... (Score:5, Insightful)
Pure spin... even if it's true (Score:5, Insightful)
It really doesn't matter whether this was a targeted, sophisticated attack or not. The fact is that if RSA had done a decent job of securing its keys it wouldn't matter who was attacking them.
Any company with secret keys remotely as valuable as RSAs should have generated them and managed them ONLY in high-security HSMs (host security modules) configured to refuse to ever divulge the keys under any circumstances, except to securely transport them to another HSM. That plus reasonable logical access controls on the HSMs, with separation of authority for all important operations, and strong physical security around the HSMs makes it virtually impossible for any attacker, no matter how skilled, sophisticated or well-funded, to get at the data.
This really isn't rocket science. Lots of banks and lots of other security-conscious companies do this sort of thing all the time. Given who RSA's clientele was, if they'd gone to the NSA and asked for help they'd have gotten all the free consultation they needed from some of the best there are, if they'd needed it. Which they shouldn't have.
Whether it was a sophisticated team from a world superpower or a couple of random script kiddies is really just a question of how much gross negligence.
Bullcrap (Score:3, Insightful)
I spend a week a year listening to crap like this for hour after hour. In 2010 everyone said (and still this year the big Security firms are still clueless) that the PLC attack against the Siemens controllers "Was an extremely sophisticated attack" blah blah blah "nation state" blah blah blah.
This is based on the following:
1. Obviously the 2 signed pieces of code would have required real human assets.
2. The PLC controllers are incredible sophisticated and expensive.
3. The method of infiltration was extremely well planned.
Until earlier this year I was spouting the same crap... then an individual busted Comodo wide open. Then later Diginotar (as if Comodo wasn't evidence enough.) SO Check, #1 no longer requires human assets.
Then I saw a talk that blew #2 and #3 out of the water. A relatively low funded talk ( about 6k) was done, where an individual (not a team, not even two people) was able to identify a direct backdoor that provided shell access into all PLCs of the model applicable in the Stuxnet attack, and could perform the attack without the need of the configuration stations...
THERE WAS NO NEED FOR A USB PAYLOAD TO BOOTSTRAP THE COMPILER! You could actually login, and patch the damn executables on the plc itself using the backdoor.
My conclusion about 30 seconds after these things were demonstrated (on the actual PLCs) was that it probably did take a team of engineers to create the rube goldberg that was stuxnet, but it didn't involve anyone at Siemens (since when confronted with the researchers findings, they acknowledged them, saying they were already aware.)
Since the RSA attack is like three steps down from that, I would say that RSA is trying to perform damage control with their shareholders since in terms of sophistication a user clicking a malicious URL in an email is sooooOoo 1999.
Not that sophisticated... (Score:5, Insightful)
The article is correct. APT is merely a buzzword to throw around to make the attack sound sophisticated. It was certainly a good attack, but it's hardly something that requires the resources of a "nation state". Individuals are constantly finding software flaws that are more sophisticated than what RSA was hit by. The attack merely combines social engineering (getting the victim to open the spreadsheet), a hidden payload of Flash packaged inside it, and a flash exploit. None of those are really that sophisticated, or particularly new.
I don't think any details have been given about what happened once the initial machine was owned. But given that RSA is already trying to hack into something resembling "the hack of the century", AND the fact they didn't reveal tokens had been stolen until AFTER a stolen token was used in a Lockheed Martin attack, I'd say the opinion of RSA on who was involved can't be trusted.
Speculation of the attacker based on who has an interest in breaking Lockheed Martin is meaningless. I could come up with a dozen different explanations, all equally plausible that wouldn't involve a nation state at all. Perhaps the first attacker breached RSA, then sold the stolen tokens to some other hacker. Without evidence to keep us honest, we can make up whatever theories we like.
Re:Unwilling to name for good reason (Score:4, Insightful)
Then it's unreasonable for them to assume it requires a "nation state" to perform the attacks. Some of the cracker groups out there are very, very skilled and have a lot resources available to them.
But it would be embarassing for them to admit a loosely organized bunch of people could get past their much-vaunted security. Better save face and paint pictures of a ghostly "nation state" so they don't look incompetent.