RSA Blames Nation State For Cyber Attack
An anonymous reader writes "Security firm RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products. Speaking at the RSA Security Conference in London, RSA executive chairman Art Coviello described the high profile attack thus: 'There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state.' Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects. Could it be that the firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect its image?"
Everyone's going to accuse (Score:5, Informative)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
And I suppose China must have been behind Stuxnet as well?
The Chinese are not the only ones in this game.
Re: (Score:2)
China: "No I'm not"
Re:Everyone's going to accuse (Score:5, Interesting)
China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".
The nation-state claim is based on depth of analysis of technologies, leveraging of classified information not known to be leaked, sophistication of attacks. Also maybe on RSA's desire to say "What can we do against the dedicated resources of a nation-state?"
This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.
It doesn't require a nation-state's resources to do this. Fifty thousand geeks in their mom's basement will do if a hundred of them are Aspies - and they are. They'll do it for the lulz, and on their backtrace they'll drag a red herring across a nation state if it amuses them to do so. Or they'll taint the Church of Scientology instead if that's their thing this week. It would take a nation-state to fund that level of effort, to coordinate that level of action - unless they do it for free for the lulz and the aspies organize it for them for free because it's a puzzle worthy of their attention. No resources are required except the neighbor's open Wifi because Mom provides the Hot Pockets and Mountain Dew.
/Not saying it wasn't a nation-state, but have no faith in the analysis.
Re: (Score:3)
This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.
Not sure how you can come to that conclusion. If the US three letter agencies have a presence in the "dark side" of the Internet, it's not as if they're going to post it on 4Chan. Sometimes you let people get away with things in order not to compromise sources.
From the standpoint of a mere mortal, a dumb poster on Slashdot, we'll never know.
Re:Everyone's going to accuse (Score:5, Informative)
I was at a conference in 1999 where a Navy officer spoke. At that time the DoD was in the process of setting up three separate cyber warfare battalions, working on both defense and offense. He did mention that until recently-at-that-time it had been a hard slog getting the brass to wake up, but things were starting to move faster. IIRC a battalion is about 500 'soldiers' plus some number of support staff (Wikipedia sez 300-1200 total).
I would expect that in the 12 years since then the size of this effort has expanded by up to 2 orders of magnitude. There are literally thousands of nondescript buildings in shopping malls and industrial parks all over the country filled with folks doing all sorts of eyes-only burn-before-reading stuff, and I'm sure that a lot of that is cyber warfare research, training and activity. Part of the plan back in 1999 was to enlist major companies in information sharing regarding security threats to the economic infrastructure. Some of that effort got put into CERT early on, but I expect there are more classified levels of that going on.
Keeping the baddies out of Ford, SmithKline or even Procter & Gamble is almost as important as keeping them out of several levels of DoD. Warfare has always been a fundamentally economic activity.
If I had the head for that sort of thing and were a lot younger I'd think seriously about getting into that - it would make for a very 'secure' future. :)
Re: (Score:1)
there are literally thousands of nondescript buildings in shopping malls and industrial parks all over the country filled with folks doing all sorts of eyes-only burn-before-reading stuff
That doesn't sound very physically secure.
Re: (Score:3)
That doesn't sound very physically secure.
A good question. Relevant reading below. From my own slight experience, quite a while back, these buildings are often much more secure than they appear on the outside. They are purposely nondescript. Sometimes there are fake fronts and such, and even sometimes a smallish building on the surface connects to a large underground complex. Putting them in relatively high traffic areas makes it easier to hide the traffic of workers going in and out.
Back in the day I saw a few in DC suburbs (Tyson's Corner VA
Re: (Score:2)
If you were a subscriber here on /. you could read back my comment history where I discussed these things at length not only with outside folks like you, but also with the senior Microsoft program manager who initially resisted, and then came around to my point of view after further outside analysis and discussion with internal experts. They didn't do it as thoroughly as I'd have liked, but they did do it. That's how Microsoft came to deprecate Autorun. I did that. Me, and me only. If you're willing to
Re: (Score:1)
Most of these geeks aren't into it to do crime - it's just where the algorithm action is.
Someday I hope you can experience the joys of a woman.
Re: (Score:2)
Re: (Score:2)
Maybe they meant the joys of being a woman. : - )
Re:Everyone's going to accuse (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
What work relationship?
I have no idea who cheeks5965 is, other than a fellow slashdotter, who may or may not be a "fellow".
Re: (Score:1)
Re: (Score:2)
So you're the one that got symbolset knocked up 5 times?
It's so neat to meet your baby where the algorithm action is.
Re: (Score:1)
China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".
missed Iran in there, I think most of South America is a big claim, Brazil maybe but the rest of them are happy enough using actual guns to annoy their neighbours
The nation-state claim is based on depth of analysis of technologies, leveraging of classified information not known to be leaked, sophistication of attacks. Also maybe on RSA's desire to say "What can we do against the dedicated resources of a nation-state?"
Agree, it is the ultimate excuse.
This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.
I think just some are happy hackers, most others are paid to do it by DoD, or are making a little on the side
It doesn't require a nation-state's resources to do this. Fifty thousand geeks in their mom's basement will do if a hundred of them are Aspies - and they are. They'll do it for the lulz, and on their backtrace they'll drag a red herring across a nation state if it amuses them to do so. Or they'll taint the Church of Scientology instead if that's their thing this week. It would take a nation-state to fund that level of effort, to coordinate that level of action - unless they do it for free for the lulz and the aspies organize it for them for free because it's a puzzle worthy of their attention. No resources are required except the neighbor's open Wifi because Mom provides the Hot Pockets and Mountain Dew.
That is a nice concept but can you imagine trying to manage a joint project of 49,900 geeks and 100 Aspies? It would be like herding lolcats, I think a feat like that would take an amount of hot pockets and mountain dew that would require some pretty deep pockets. I am not being rude here, I honestly think we are all somewhere on the scale between Paris Hilton and Rainman (both fictional characters) but the lack of social skills would hinder such a project methinks
/Not saying it wasn't a nation-state, but have no faith in the analysis.
True, but this is the security industry we are talking about, where there are 8 billion new viruses every minute and 17 billion new zero days, and whatever else number that you can loosely statistically justify if it proves the value of your product/budget. Nobody really trusts anything anymore.
p.s. That is one awesome ID number you are rocking.
Re: (Score:2)
>p.s. That is one awesome ID number you are rocking.
Thanks. It's accidental but I like it.
Your post was garbled. I want to respectfully reply, but I can't.
Re: (Score:1)
Thanks for saying garbled and not garbage, such netiquette is rare these days
p.s. Please excuse the accidental AC message, it is this need for multiple browsers that sites like face{tracking}book have made for me.
Re: (Score:2)
It's pretty simple. If you think you might have Aspergers, then you don't. Aspies don't have doubt, they have unknown quantities.
Re: (Score:1)
I have taught some kids with problems of this type, they are brilliant. I feel it is really the world which doesn't measure up to them. Why isn't English phonetic? why do years not always have the same number of days? why do I say "do it like this" when I mean "do a similar but personalized revision of this"?
Anyways, waaaaay off topic now
Re: (Score:2)
My kids are going through this now. We teach them the alphabet at 6 months, phonetics at 10 months. By two they're reading real books and repairing their own PC. And then they fail the standard test because they won't call out the sounds of letters because to them it's baby talk too embarrassing to say. But they can read at a sixth grade level, and write at third - entering kindergarten.
You normals are so fucking retarded. My boy came back from his first day of kindergarten and he had two things to sa
Re: (Score:2)
Welcome to my world growing up. Actually, I'm still there, but it's a lot easier to laugh INSIDE instead of outward at others now.
I feel your kids' pain. It doesn't really get better until you are free and have the ability to laugh at others and/or find people you can communicate with. Hopefully ones that can understand one freaking thing you are saying. >:(
Re: (Score:2)
My kids are going through this now. We teach them the alphabet at 6 months, phonetics at 10 months. By two they're reading real books and repairing their own PC. And then they fail the standard test because they won't call out the sounds of letters because to them it's baby talk too embarrassing to say. But they can read at a sixth grade level, and write at third - entering kindergarten.
You normals are so fucking retarded. My boy came back from his first day of kindergarten and he had two things to say: "Other people are stupid" and "They don't even have computers". What could I say but "this is how it is. You have to get used to it."
I'm enjoying this new troll immensely, but you need to do a bit of research. Autism/Asperger's isn't inherited.
Re: (Score:2)
Being an arrogant ass does run in families, though, and it's occasionally confused with Asperger's.
Not clear whether being an arrogant ass is inherited or influenced by family environment; my money is on "both".
Re: (Score:1)
"Your time is limited, so don't waste it living someone else's life. Don't be trapped by dogma — which is living with the results of other people's thinking. Don't let the noise of others' opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary." - El Steve.
But messages like that don't carry much
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That might need some clarification for you norms. The key term is "might". If you were that different from the norms, you would know it. You wouldn't have to have it explained to you. Some of you think you have Aspergers, but you don't. Us Aspies are way different. Hopefully you guys are mature enough now to accept us.
How do you know what is normal though? You don't know how my mind works or how I see things any more than I know how you do.
And who defined normal to you? A few doctors presumably? What objective tests could they use to prove you were different from the norm?
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I can't see it being Israel, since Adi Shamir is actually Israeli himself.
Re: (Score:2)
He is who he is, a man. If you make what you are as a people to live and die with a man, then you have chosen your fate because all men die eventually. You know better than that. You've survived 100 iterations of that. What's different now?
Re: (Score:3)
China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".
Don't forget Stuxnet and groups like Anonymous. There is probably just as much hacking going on in the US as anywhere else but we hear less about it, not least because the attacks are focused on other countries and simply don't make the news in here.
Even with proxies you can often figure out where an attack comes from. Russian hackers will tend to use Russian words for file names or in binary executables, and it is often possible to tell if two separate hacks were by the same group based on digital forensi
Re: (Score:2)
Going off-topic a bit I find it laughable that the US should be accusing Iran of breaking US and international law by trying to organise an assassination on US soil, when the US seems to feel free to use cyber-attacks against Iran.
Or the larger elephant in the room, "when the US seems to feel free to commit assassinations on foreign soil." (Especially of US citizens!)
Re: (Score:1)
I'm not sure robots are against the Geneva convention but they certainly should be.
Nothing will eliminate humanity faster than an escalating robot war.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
China
I'm sorry, I must have missed the part where that accusation would somehow be wrong or inaccurate to make, based on merely the unclassified information the general population knows about, let alone the classified information...I wasn't aware that we had to suddenly ignore agendas or underlying motives within communist States simply because they fill our shelves at Walmart.
Like there's not blatant motive here...
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Blame Canada...they're not even a real country anyway.
Re: (Score:3)
At this point if I was going to do anything illegal I'd proxy it through China. Nobody would ever suspect it could be anyone else.
Maybe some hacker got lucky... (Score:2)
well we did blame.... (Score:3)
Defective as designed. (Score:5, Insightful)
Any design that held all the keys in a central database that was not changeable by the end-user organization was defective-as-designed, IMHO.
Mod parent up. (Score:2)
I would expect such from most companies. But from a company that sells computer security products?
And those products DEPEND upon the seed being secret?
I get the feeling that they're claiming this now (MONTHS after the crack) in order to justify their failure.
Who cares if it was a single cracker or a cracker group or a nation employing crackers? If they didn't go in with gunships then it is the same in the end. A cracker got past their defenses and all the way into their vault.
Why was the vault available on-lin
Re: (Score:3)
Um, that's the point of the RSA token. The RSA token is merely a watch that instead of displaying the current time, displays a 6-digit number. That number is basically the output of a PRNG - one cryptographically secure (so hijacking a number or two won't reveal the entire sequence). That PRNG is seeded by a seed value so it generates a predictable set of numbers.
When you register a key, you enter in its ID number, which does a seed lookup so when you log
Re: (Score:2)
Of course, if the generator was based on a public/private key system instead of block cipher (ie, encrypting the time stamp using the private key), then there would be no need for the private 'seed' to be stored anywhere outside of the security token. The number would be a digitally signed timestamp.
Re: (Score:2)
Of course, if the generator was based on a public/private key system instead of block cipher (ie, encrypting the time stamp using the private key), then there would be no need for the private 'seed' to be stored anywhere outside of the security token. The number would be a digitally signed timestamp.
Check the patent situation for the reason why you can't do that.
Companies (generally) don't do snake oil accidentally...
Re: (Score:2)
that would also require a bit more processing power on the token---which would make 'em more expensive to manufacture, and battery not last as long...
Re: (Score:2)
Yeah, but you'd think that a company named "RSA" would think to maybe employ RSA...
And I can't see how this would impact battery life much - how often does one of these things really need to generate a key. Just put a clock in it, and then a button which generates a key on demand. That uses as much power as a digital watch, plus a hair bit more twice a day or whatever. There is no need to have it continuously generating keys when it is sitting in a briefcase...
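The shared-seed model debated in the comments above (a server-side seed lookup by token serial, with all seeds held centrally) can be sketched as follows. This is an added example, not code from any commenter or from RSA; SecurID's real algorithm is not given on this page, so the HMAC-SHA1 truncation of RFC 4226/6238 stands in for it, and `AuthServer`, the 60-second step and the serial number are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60    # seconds per displayed code (assumption for this sketch)
DIGITS = 6   # the thread describes a 6-digit display


def code_for(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """Derive the displayed number from the seed and the current time window.

    Stand-in algorithm: RFC 4226 dynamic truncation over HMAC-SHA1.
    """
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Hypothetical verifier: it must hold every token's seed to check codes."""

    def __init__(self):
        self._seeds = {}  # serial -> seed; this table is the crown jewels

    def enroll(self, serial: str) -> bytes:
        """Create a fresh seed for a serial and return it for provisioning."""
        seed = secrets.token_bytes(20)
        self._seeds[serial] = seed
        return seed

    # Re-seeding is the same operation: the old seed stops verifying.
    rotate = enroll

    def verify(self, serial: str, code: str, now: int, drift: int = 1) -> bool:
        """Accept the code for the current window or +/- `drift` windows."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        return any(
            hmac.compare_digest(
                code_for(seed, now + d * STEP).encode(), code.encode()
            )
            for d in range(-drift, drift + 1)
        )


def demo() -> dict:
    """Show what a copied seed record is worth before and after re-seeding."""
    server = AuthServer()
    serial = "000100200300"   # constructed serial number
    now = 1_318_000_000       # constructed timestamp

    token_seed = server.enroll(serial)
    copied_seed = bytes(token_seed)  # stands for a seed record copied elsewhere

    results = {
        "token": server.verify(serial, code_for(token_seed, now), now),
        "copy_before_rotation": server.verify(
            serial, code_for(copied_seed, now), now
        ),
    }

    new_seed = server.rotate(serial)  # end-user organisation re-seeds the token
    results["copy_after_rotation"] = server.verify(
        serial, code_for(copied_seed, now), now
    )
    results["reissued_token"] = server.verify(
        serial, code_for(new_seed, now), now
    )
    return results


if __name__ == "__main__":
    print(demo())
```

Because the code is a pure function of seed and time, any copy of the seed is as good as the token until the seed is replaced, which is why the ability to re-seed locally matters in this design.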
Re: (Score:1)
Bit of a plug for some people I have met, but if you check out Duo Security, they have some neat stuff where you can avoid the whole adding a second password as two factor authentication. Instead, you're authenticating a login through your phone (can either be through their app, or a phone call from a nice robotic lady). They also offer methods similar to RSA's. I don't know off the top of my head if you can configure it to only allow certain types of two factor auth.
Re: (Score:2)
Private industry: Defective by Design.
Poor Threat Model (Score:1)
They only have themselves to blame if their threat modeling didn't take into consideration a possible attack from an entity with the means of an intelligence service or nation. Either that, or they sold their customers a false sense of security.
Unwilling to name for good reason (Score:2)
I'm not at all surprised that they are not saying what nation they suspect.
RSA cannot prove, beyond reasonable doubt, which country is the criminal. Naming any country without significant proof will cause more harm than good.
They suspect a nation, but without better proof, the media shitstorm that inevitably results, will cause far more harm to the company than the hack itself has.
Re:Unwilling to name for good reason (Score:4, Insightful)
Then it's unreasonable for them to assume it requires a "nation state" to perform the attacks. Some of the cracker groups out there are very, very skilled and have a lot of resources available to them.
But it would be embarrassing for them to admit a loosely organized bunch of people could get past their much-vaunted security. Better save face and paint pictures of a ghostly "nation state" so they don't look incompetent.
Re: (Score:2)
Re: (Score:2)
Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects.
Why would they lay all their cards on the table? They don't need to prove to you and me that they know who did it, though the perps certainly now know that RSA knows they did it. I mean, that RSA is "unwilling" to tell Sophos does NOT mean that RSA has told no one.
And, RSA and Sophos have commercial interests and relationships in some of the same business markets, why would RSA tell them anything?
Re: (Score:2)
Just name the country where the tracks disappear. Whether the country was the source, or just used as a patsy. Everyone needs to know where the hackers were last spotted.
So far, only Google has had the balls to do that. If RSA is not willing to risk all its future business with the country in question (like Google did), then they should just pull out from our country. A technology security company can not have two masters.
Surprisingly Poor Security Policy (Score:5, Insightful)
RSA should never have allowed systems containing anything related to SecurID beyond marketing data be connected to a network with an Internet connection. SecurID development should have been restricted to a physically separate (air-gapped) network.
Why would I ever want to trust any security company who would make such a fundamental mistake?
Re:Surprisingly Poor Security Policy (Score:4, Insightful)
Why would I ever want to trust any security company who would make such a fundamental mistake?
Because you like to play golf with their sales rep and he takes you out to expensive restaurants?
Re: (Score:1)
No strip clubs? I'll ditch them for another vendor!
Re: (Score:2)
I totally forgot about the strip clubs. Surely that's the RSA sales reps' secret.
Re: (Score:3)
Is that a nation state in your pocket, or are you just happy to see me?
Re: (Score:2)
I totally forgot about the strip clubs. Surely that's the RSA sales reps' secret.
only if the sales rep's name is Victoria.
Re: (Score:2)
FREE HAT! FREE HAT!
Re: (Score:2)
For one, when I worked for the federal government, such actions would be illegal.
I guess you weren't a Congressperson, then, because such actions are rather tame for them. They prefer to receive big bags of money from corporate lobbyists. So why was it illegal for you to be taken out to dinner, but it's OK for Congresspeople to accept big bags of money?
It had to be a nation-state... (Score:5, Insightful)
Re: (Score:2)
haha :), that was my reaction too :)
Re: (Score:2)
We have a winner!!!!
Kind of like when you get your ass kicked in a bar fight, when you tell the story the guy was definitely a heavyweight boxer. Couldn't be you just got your ass whupped by a girl.
It was really.... (Score:1)
Meanwhile, two teenage boys are laughing their asses off. They would have continued but it was a Warcraft raid night.
That's interesting, but you still messed up. (Score:2)
There are lots of groups who would love to have a copy of RSA's SecurID database. Frankly, I don't really care what part of the world the attackers came from. The bottom line is that RSA messed up big time with some very basic stuff. I don't see them as a victim and am a little disturbed that their chairman would have anything other than apologies for their incompetence and poor handling of the situation after the attack. It would be nice for him to also explain how this type of attack could not succeed aga
Really Stupid Assholes. (Score:2)
1. Make up big numbers ....
2.
3. Profit!
Worked for years, until:
4. Totally Fuck Up the very thing you depend on
5. Cry Espionage
6. Bankrupt.
Bye!
Pure spin... even if it's true (Score:5, Insightful)
It really doesn't matter whether this was a targeted, sophisticated attack or not. The fact is that if RSA had done a decent job of securing its keys it wouldn't matter who was attacking them.
Any company with secret keys remotely as valuable as RSA's should have generated them and managed them ONLY in high-security HSMs (host security modules) configured to refuse to ever divulge the keys under any circumstances, except to securely transport them to another HSM. That plus reasonable logical access controls on the HSMs, with separation of authority for all important operations, and strong physical security around the HSMs makes it virtually impossible for any attacker, no matter how skilled, sophisticated or well-funded, to get at the data.
This really isn't rocket science. Lots of banks and lots of other security-conscious companies do this sort of thing all the time. Given who RSA's clientele was, if they'd gone to the NSA and asked for help they'd have gotten all the free consultation they needed from some of the best there are, if they'd needed it. Which they shouldn't have.
Whether it was a sophisticated team from a world superpower or a couple of random script kiddies is really just a question of how much gross negligence.
Not credible (Score:2)
RSA has good reason to make the attackers as scary as they can. After all, from the details available it sounds like this was a relatively easy hack. Advanced, but easy. If they admit that, they look like the incompetent and arrogant hacks they apparently are.
My advice is to not buy anything from them at least for a few years.
Bullcrap (Score:3, Insightful)
I spend a week a year listening to crap like this for hour after hour. In 2010 everyone said (and still this year the big Security firms are still clueless) that the PLC attack against the Siemens controllers "Was an extremely sophisticated attack" blah blah blah "nation state" blah blah blah.
This is based on the following:
1. Obviously the 2 signed pieces of code would have required real human assets.
2. The PLC controllers are incredibly sophisticated and expensive.
3. The method of infiltration was extremely well planned.
Until earlier this year I was spouting the same crap... then an individual busted Comodo wide open. Then later Diginotar (as if Comodo wasn't evidence enough.) SO Check, #1 no longer requires human assets.
Then I saw a talk that blew #2 and #3 out of the water. A relatively low funded talk ( about 6k) was done, where an individual (not a team, not even two people) was able to identify a direct backdoor that provided shell access into all PLCs of the model applicable in the Stuxnet attack, and could perform the attack without the need of the configuration stations...
THERE WAS NO NEED FOR A USB PAYLOAD TO BOOTSTRAP THE COMPILER! You could actually login, and patch the damn executables on the plc itself using the backdoor.
My conclusion about 30 seconds after these things were demonstrated (on the actual PLCs) was that it probably did take a team of engineers to create the Rube Goldberg that was Stuxnet, but it didn't involve anyone at Siemens (since when confronted with the researcher's findings, they acknowledged them, saying they were already aware.)
Since the RSA attack is like three steps down from that, I would say that RSA is trying to perform damage control with their shareholders since in terms of sophistication a user clicking a malicious URL in an email is sooooOoo 1999.
Re: (Score:2)
Wait, I don't see how the security breach at Comodo rules out #1. Maybe I'm not understanding CAs correctly, but the two situations have a big distinction. In the Comodo case, somebody breached Comodo, a CA authority, and issued new CAs which could be used by a malicious site to claim that they are some other trusted site. In the case of Stuxnet, already-issued CAs for Realtek and JMicron were stolen to sign malicious drivers. CAs that had already signed legitimate drivers in the past. Aren't these two
Re: (Score:1)
None of this is accurate. Stuxnet was not considered sophisticated for any of the reasons you mentioned, and #1 was literally never suggested by anyone of note as it is obviously untrue. Stuxnet was considered advanced because it was covert in a number of ways, targeted a specific air-gapped network, and most importantly it used four different 0-days.
Finally, while it may have been unnecessary to subvert the compiler, the specific target they wanted used them and it was far more covert.
Not that sophisticated... (Score:5, Insightful)
The article is correct. APT is merely a buzzword to throw around to make the attack sound sophisticated. It was certainly a good attack, but it's hardly something that requires the resources of a "nation state". Individuals are constantly finding software flaws that are more sophisticated than what RSA was hit by. The attack merely combines social engineering (getting the victim to open the spreadsheet), a hidden payload of Flash packaged inside it, and a flash exploit. None of those are really that sophisticated, or particularly new.
I don't think any details have been given about what happened once the initial machine was owned. But given that RSA is already trying to hack into something resembling "the hack of the century", AND the fact they didn't reveal tokens had been stolen until AFTER a stolen token was used in a Lockheed Martin attack, I'd say the opinion of RSA on who was involved can't be trusted.
Speculation of the attacker based on who has an interest in breaking Lockheed Martin is meaningless. I could come up with a dozen different explanations, all equally plausible that wouldn't involve a nation state at all. Perhaps the first attacker breached RSA, then sold the stolen tokens to some other hacker. Without evidence to keep us honest, we can make up whatever theories we like.
Re: (Score:2)
The Lockheed Martin break-in is being used to suggest that the RSA hack must have been carried out by a nation state. However, it is clear from the past that there are individuals (e.g. Gary McKinnon) who have both the motivation and capability to break into U.S. military sites. Security "experts" like those at RSA consistently (and conveniently) underestimate the capabilities of individual hackers and hacker groups, and yet the past 15 years have shown that military sites, government sites, security expert site
Re: (Score:3)
> The Lockheed Martin breakin is being used to suggest that the RSA hack must have been carried out by a nation state
That's puzzled me, however.
The RSA hack was a black swan, but it bridged enough facets to not be trivial - so we're not talking about the attackers being morons, here.
But then actions against LM were beyond stupid. Not only because of the sledge-hammer tactic that even HBGary could have found, but more because it confirmed what RSA refused to reveal - it confirmed that they had the seeds.
Re: (Score:2)
It smells more like someone who wanted to FUD the RSA product, quite frankly.
I'm not sure if FUD is really the right term here. FUD is Fear, Uncertainty, and Doubt.
Right now you can be CERTAIN that people who aren't supposed to have the ability to impersonate any RSA SecurID tokens you own. There is no DOUBT that people can use this to do you harm. So, you should be VERY AFRAID unless you've replaced them with some other solution that isn't completely owned.
FUD is making vague insinuations to get people to not use a product. There is nothing vague about this - a security vendor
Iran did it.. (Score:2)
Don't worry, their Canadian Girlfriend fixed it (Score:2)
Re: (Score:2)
Modification (Score:2)
Could it be that the firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect its image?
Let me make a quick change. That is a question, so let's make it a statement. Also, let's change a few words and.... *Cartman voice* There we go:
"The firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect an image... An image that their services are worth money."
/snark
I'm not saying that they aren't, I'm just sayin', man... I'm just sayin'.
Perhaps OS selection? (Score:1)
http://toolbar.netcraft.com/site_report?url=http://www.rsa.com [netcraft.com]
Hosting History
Netblock Owner | IP address | OS | Web Server | Last changed
RSA Security Inc. 174 Middlesex Turnpike Bedford MA US 01730 | 216.162.240.32 | Windows Server 2003 | Microsoft-IIS/6.0 | 5-Sep-2011
RSA Security Inc. 174 Middlesex Turnpike Bedford MA US 01730 | 216.162.240.32 | Windows Server 2003 | Microsoft-IIS/6.0 | 25-Jul-2011
RSA Security Inc. 174 Middlesex Turnpike Bedford MA US 01730 | 216.162.240.32 | Windows Server
RSA got 0wn3d by a spreadsheet. (Score:2)
This wasn't stuxnet. It was Excel.
http://www.f-secure.com/weblog/archives/00002226.html [f-secure.com]
FACTS (Score:1)
"it's a nation state, we're not going to tell you which" (or you're just bullshitting)
"the public is going to be amazed when they find out the secret interpretation of the amendment. It's so horrible. I know what the secret interpretation is, but when you'll find out, you will be in awe." (FUD)
"we killed Osama, but didn't take any pictures and dumped the body in the ocean" (ORLY?)
I shouldn't be surprised though, given t
Re: (Score:3)
Re: (Score:2)
Check this out:
we're very confident that with the skill, sophistication and resources involved it could only have been a nation state.'
Now look at this:
http://www.h-online.com/security/news/item/RSA-break-in-it-was-the-Flash-Player-s-fault-1221057.html [h-online.com]
RSA said that two variants of infected emails with an attachment called "2011 Recruitment plan.xls" were sent to a group of RSA employees over two days. Apparently, one of the targeted employees retrieved the email from a spam folder and opened it. The intruders used the exploit to install the widely known and freely available Poison Ivy "remote administration tool". The tool allowed the attackers to spy on the user's server access credentials, log into the server and escalate their access privileges (via further vulnerabilities). This gradually allowed them to work their way into the systems that interested them.
There, they harvested data and copied it to other servers on the internal network, where they combined, compressed and encrypted the information before transferring it to an external FTP server.
OH NOES SUCH UBER-L33T TACTICS! IT MUST BE TEH CHINESE CYBER-MARINES!
Re: (Score:2)
usa doesn't act as a nation-state.
only very small nations are capable of that, so it's probably some island state on the pacific.
even if it was a 100 guys from china funded by some government douche, it still wouldn't qualify as china acting, there would be 100 generals who would have been against it if it had been brought up at a general assembly of the party.
but what real assets would have they recovered using the hack? friggin nothing, they could just buy the necessary cad sw, the necessary automati