The most shocking revelation IMO is that "less than 10 percent of [RSA's] customers have requested replacement tokens". IOW, everybody knows the entire SecurID system was compromised, yet 90% of its users decided to do nothing about it!
I believe that is weaselly at best, I've been given the impression previously that over 50% of the tokens in active use had been switched out before the public announcement of the free replacements was made. Perhaps they're doing something like counting every company that bought a few for an eval and aren't using them.
Shocking perhaps but it shouldn't be terribly surprising. Cargo cult behavior (imitation devoid of knowledge or critical thinking) tends to be the norm rather than the exception. In security as in elsewhere.
In the comments on this, the blogger notes that the malware put in place to launch the exploits was all for Windows machines. It sounds like it mostly works by getting unwitting users to click on unknown emails. It's been 15 years and we're still doing that?
Not quite 'unknown' e-mails as I would think of them - these were e-mails that appeared to be from co-workers and addressed specifically to another individual, hence spear-phishing, rather than just phishing. For all intents and purposes, it probably had all the appearances of a legit e-mail.
If I understand it, then, someone opens the initial payload which allows malware to be downloaded- and this downloaded malware orchestrates the "spear phishing?"
I haven't seen this as I've been out of an organization for quite a while. Thanks for clarifying.
The documents and addresses used for high end spear phishing usually come from a recent previous compromise. You'll see a sender that you frequently get mail from and know personally and the document attached will be a new version of something they previously sent, or something new that person is working on that would be of particular interest. It is quite difficult to completely insulate even the smartest and most prepared organizations from persistent attacks like this - someone only has to screw up once, and people screw up a lot more than that.
I agree, that is quite a sophisticated attack and I hadn't been aware of it (even missed it after skimming the McAfee article I guess). Thanks for clarifying.
There are plenty of non-tech-savvy people employed by the federal government/large companies. It's easy to underestimate how large a percentage it still is.
Fascinating reading - my take-home is that US corporates are going to have to have disclosure rules whether they want to or not. The question is whether this will come from Congress or the regulators.
> As spring gave way to summer, bloggers and computer-security experts found evidence that the attack on RSA had come from China
They never say what evidence, which is the most interesting part of the article. Does anyone have a more detailed description of how they identified it was China?
I worked on the technical side of the RSA attack analysis and not the attribution/political side but some guy on Twitter (https://twitter.com/yuange1975) who pretends to be Chinese has claimed responsibility for the RSA 0-day and some other high profile 0-day exploits on his Twitter feed in a way that makes him the credible original source of those exploits.
I am sure the people on the attribution side dug deeper than this (for example they most likely tried to verify that this guy is really Chinese and not just pretend-Chinese) but I don't know anything about the non-technical side of things.
That's cool. Much better than the blah article. 袁哥 is actually a very skilled hacker and reputable in China. IIRC he works for NSFocus; NSFocus used to be the de facto operator of China's G.F.W., it was replaced by another firm after a Taiwan spy issue.
While I support the opinions with regard to security and disclosure as presented, the rest of the article is regrettably lacking in detail, specifics, evidence, or attributable quotes on what has actually occurred. It's hard to say if this is just the typical style of a piece for general audiences on this topic, or the tail wagging the dog on attributing these things to china in the public eye.
Frankly, what's more alarming: the dedicated resources of a single state actor, or a complex, emergent network of self-interested individuals and groups pursuing their own aims?
I find the Chinese explanation a little too convenient and a little too amenable to typical national defense thinking. What this article really says to me is that if you want to hack an American company, own a Chinese box first. Nobody will look any further.
The truth is that both are happening. When you talk to people who are pragmatic and watch the strategic elements they are often saying things like "or someone operating with Chinese cover". There is definitely evidence that other actors are using Chinese IPs, working hours and techniques to muddy the water. But at the same time, a preponderance of evidence suggests strongly that a majority of these attacks are from Chinese sources. Keep in mind that military and national security investigators - even private sector investigators - have access to a lot more intelligence about these matters than simply what IP launched what. So, yes, while some intrusions from China are undoubtedly the work of non-Chinese it still makes sense to focus a lot of your efforts on the dragon in the room.
I totally believe that there is more evidence out there, it is just rarely actually revealed.
So it seems at least possible that there is some collusion, conscious or not, between journalists and cybersecurity spooks to name an enemy in order to get traction in the public mind, vs. saying "well, it's from a lot of different people, lots of stuff from China, and who knows what else."
I even think this might be a good strategy - I guess my point is I'd like to see more real public evidence before we accuse foreign governments of attacking us in the press. Not because I don't believe it is happening, but because I feel those assertions should be backed up if they're going to be made.
What this article really says to me is that if you want to hack an American company, own a Chinese box first. Nobody will look any further.
Exactly -- it's pretty easy to rent a Chinese box from one of the many botnets out there, and I guess that would be the first choice of an intruder to hide his trail.
> I find the Chinese explanation a little too convenient and a little too amenable to typical national defense thinking. What this article really says to me is that if you want to hack an American company, own a Chinese box first. Nobody will look any further.
Would you also limit your targets to things that would seem to be of overwhelming interest to the Chinese government?
US defense contractors; the governments of the US, Canada, Vietnam, South Korea, Taiwan, and India; democracy/human rights groups; mining, security, electronics, power companies.
That seems like an unlikely target list for someone who's in it for the 'lulz'.
While your claim is a reasonable one, Dmitri Alperovitch's analysis (link in metachris's comment) of Operation Shady RAT strongly suggests that China is behind this operation.
Let's review Computer Security 101 with a case study in Mainstream Media Morality Play Nonsense 102:
The article is garbage. Nonsense. Brain-dead. Trying to jerk people around by the gut.
'Vanity Fair' is for what, overly emotional, determinedly non-technical, easily scared, fundamentally incompetent and, thus, dependent, young women who want to gossip about fashion and celebrities?
If the article had anything, then it would have explained something solid; since nothing solid was explained, it must not have had anything.
So, the article starts with:
"Lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said '2011 Recruitment Plan.' It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations."
and in particular:
"The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA."
So, he received an e-mail message. Okay, we're talking likely Post Office Protocol 3 (POP3).
Back when I was using OS/2 and had no decent e-mail software, I took out an afternoon and wrote my own POP 3 client e-mail software. I used it for years. I'm about to ditch Outlook 2003 and return to what I wrote (in Rexx) on OS/2.
Gotta tell you, no way, not a chance, was there any way to infect my computer by sending me e-mail. Not in this galaxy. Send me anything you want, pictures, viruses, root-kits, Flash, infected, 'active' PDF files, EXE files, Active-X files, spreadsheets, etc., and no way will my computer be 'infected'. Just impossible.
Why: First, the data that comes via POP 3 is lines of text of just 8 bit characters. Period.
At the beginning are the 'header lines'. The end of the header lines is denoted by one blank line.
The rest of the e-mail is just the 'body', and it is just more lines of text of 8 bit characters.
Harmless. It's just some simple minded data as lines of 8 bit characters. Can put the data in an ordinary file, edit it with an ordinary editor, view it on the screen, print it out, etc. All harmlessly.
The body may have a PDF file, a movie, some audio, some Flash, and EXE file, a spreadsheet, etc., and still it's all just harmless data. Period.
If there is one or more 'attachments', then each of these is delimited by a line with some text indicated in the header. Each such attachment is just more lines of text. To permit sending any data at all, these lines of text consist of just 65 simple-minded, old ASCII printable characters. You can print them out, and they won't hurt you, steal your bank records, install software on your computer, etc. They are 100% harmless.
Those 65 characters are part of a scheme called 'base 64 encoding' which is part of the e-mail 'multi-media internet mail extensions' (MIME).
For such an attachment, one can follow the base 64 rules and 'decode' the attachment back to the original data in the file. The file, then, will be a sequence of 8 bit bytes. Give the file any name you want and put it in any directory ('folder') you want. Yes, you do NOT want to put the file where other software will use that file without your knowledge; but why would you do that? E.g., don't overwrite some important operating system DLL file.
The file may be in the format of an EXE file, JPG file, GIF file, PNG file, XLS file, etc. Still it is just a file, just a sequence of bytes. Like any other sequence of bytes, it's harmless, will not cause blindness, falling hair, black toenails, or an infected computer. You can copy it, back it up, send it as an attachment via e-mail, etc. all harmlessly.
The file can be a virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just 100% harmless, safe, and innocuous. No rubber gloves needed.
Now, if the computer is being used by a total dummy, idiot, drooling on the keyboard, licking the screen, etc., then there might be a threat: The rube might permit such a file to execute as software on their computer. Dumb. Stupid. Brain-dead. Don't do that. Never do that.
First rule of computer security:
Never, ever permit data from an untrusted
source to execute as software.
Never. Ever. Don't do that.
So, if there was a computer security problem, then it was NOT the e-mail, the attachment, or the spreadsheet but JUST some total idiot who let such an attachment execute as software.
Any author of any e-mail program that lets data execute as software without very explicit approval of a user should be dragged through the streets while peasants throw garbage, two week old dead animals, night soil, upchuck, toxic witch's brew, effluent from tanning animal skins, etc., racked, excoriated, eviscerated, drawn, quartered, hung, dried, roasted, and fed to sick animals.
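The post above describes the mechanics of a MIME message: header lines, a blank line, a body, and attachments carried as base64 text that is inert until somebody decodes it and hands the result to a program that interprets it. The following Python script is an added example, not code from the thread or from RSA; it builds a constructed sample message (the lure name is borrowed from the article, the payload is filler bytes behind a legacy Office file header, not the real attachment) and then does what a cautious recipient can do safely: decode the attachment back to bytes, hash it, and compare the declared type and extension against the file's magic bytes. The decoded bytes are never passed to Excel or any other viewer; the helper names (`build_sample_message`, `extract_attachments`, `identify`, `is_base64_text`) are this example's own. One practitioner caveat the post's "data versus execution" rule depends on: a spreadsheet viewer is itself an interpreter of the file (macros, embedded objects and the parser's own bugs all run inside it), so "opening" a document in its application is the moment the data stops being inert.

```python
"""Decode a MIME attachment to inert bytes and inspect it without opening it.

Added example. The message built here is constructed for the demo; the
attachment is an OLE2 (legacy .xls/.doc/.ppt) header followed by filler.
"""
import email
import hashlib
import os
import string
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Set, Tuple

# Magic bytes a decoded attachment may start with, with the extensions that
# normally carry that format. Used to catch "says .xls, is actually .exe".
MAGIC: List[Tuple[bytes, str, str, Set[str]]] = [
    (bytes.fromhex("d0cf11e0a1b11ae1"), "OLE2", "legacy Office compound document", {".xls", ".doc", ".ppt"}),
    (b"PK\x03\x04", "ZIP", "zip container (OOXML .xlsx/.docx or plain zip)", {".xlsx", ".docx", ".pptx", ".zip"}),
    (b"MZ", "PE", "Windows executable", {".exe", ".dll", ".scr"}),
    (b"%PDF", "PDF", "PDF document", {".pdf"}),
    (b"FWS", "SWF", "Flash, uncompressed", {".swf"}),
    (b"CWS", "SWF", "Flash, zlib-compressed", {".swf"}),
]

# The 64 base64 symbols plus '=' padding; line breaks are allowed on the wire.
_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def build_sample_message() -> bytes:
    """Constructed sample: one text body plus one binary attachment.

    EmailMessage base64-encodes binary attachments, so the bytes on the wire
    are exactly the 'lines of printable text' the post describes.
    """
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # constructed address
    msg["To"] = "victim@example.com"       # constructed address
    msg["Subject"] = "2011 Recruitment Plan"
    msg.set_content("Please review the attached plan.")
    fake_xls = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 504 + b"constructed filler"
    msg.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                       filename="2011 Recruitment Plan.xls")
    return msg.as_bytes()


def is_base64_text(wire_payload: str) -> bool:
    """True if the undecoded payload uses only the base64 alphabet and newlines."""
    return all(c in _B64_ALPHABET or c in "\r\n" for c in wire_payload)


def identify(data: bytes) -> Tuple[str, str, Set[str]]:
    """Classify decoded bytes by leading magic; unknown formats are reported as such."""
    for magic, tag, description, extensions in MAGIC:
        if data.startswith(magic):
            return tag, description, extensions
    return "UNKNOWN", "unrecognized leading bytes", set()


def extract_attachments(raw_message: bytes) -> List[Dict[str, object]]:
    """Parse a raw RFC 5322 message and describe each attachment as plain data.

    Nothing here executes or renders the attachment: decode, hash, classify.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report: List[Dict[str, object]] = []
    for part in msg.iter_attachments():
        wire_text = part.get_payload()            # base64 lines as transmitted
        data = part.get_payload(decode=True)      # undo Content-Transfer-Encoding
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        tag, description, expected_exts = identify(data)
        report.append({
            "filename": filename,
            "declared_type": part.get_content_type(),
            "transfer_encoding": part.get("Content-Transfer-Encoding"),
            "wire_is_base64_text": is_base64_text(wire_text),
            "size": len(data),
            "detected": tag,
            "detected_description": description,
            # A false value here is the classic lure: extension and content disagree.
            "extension_matches_content": ext in expected_exts,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return report


if __name__ == "__main__":
    for entry in extract_attachments(build_sample_message()):
        for key, value in entry.items():
            print(f"{key:>26}: {value}")
```

Run it as a script to see the report for the constructed message; to triage a real message, replace `build_sample_message()` with the bytes of a saved `.eml` file. Everything printed comes from treating the attachment as bytes, which is the safe half of the post's rule; the unsafe half begins only when a file with a matching (or lying) extension is double-clicked and the associated application starts parsing it.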
You are sorely mistaken. First, the article clearly states that the user downloaded and opened the file. It was not some automatic process put into motion by the mere fact that someone emailed him, as you suggest in your rant.
Second, I suggest you take a moment to reconsider your position that "a virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just 100% harmless, safe, and innocuous" unless the computer is being operated by an idiot. That is, unless you have never, on any occasion, been a victim of malware yourself. If that is the case, I suppose it is possible that you are superior, in every way, to the rest of the computing world. Has it occurred to you that perhaps there is a legitimate reason for the thriving computer security industry?
It is a fact that there are very competent people behind these attacks. You don't slip through the security of the likes of major defense contractors and multi-billion dollar internet companies like Google without some skill. It is also a fact that even the most competent computer users make mistakes from time to time. The whole scenario seemed quite plausible to me, without my having to assume that RSA employs a bunch of idiots.
As for your gripe about the quality of the article, think about the target audience. You are obviously not a part of it. It was directed at the mainstream, and it would have been inappropriate to fill it with technical details that only another hacker would understand. That said, I thought it was a pretty decent article. It explained in relatively easy to understand terms how the attack worked and the possible rationale behind it. The tech-savvy readers can use a little imagination to fill in the technical gaps. You probably already have a pretty good idea how some parts of it worked. You don't need to trash the author for not spelling it out for you. It's not supposed to be a howto guide.
Please seriously entertain my claim that the article is not to inform computer users about how to avoid 'malware' but, instead, is just a case of a standard practice in journalism to distort a real situation to create uninformed fears to grab people by the gut to get their eyeballs for the ads.
In particular, the article is very far from reality about computer security.
Next, you are just not reading; instead, you wrote:
"You are sorely mistaken. First, the article clearly states that the user downloaded and opened the file. It was not some automatic process put into motion by the mere fact that someone emailed him, as you suggest in your rant."
Totally, flatly, clearly, absolutely wrong. Your "and opened the file" is just wrong. The article never said any such thing. I just went through the whole article and looked at every case of the string 'open', and at no point did the article mention that the file was open or opened. And in the first paragraph with the start of the story, nothing like 'opened' was described or even implied.
Instead, the situation in the article was just as I quoted in the key statement from the first paragraph of the article:
"The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA."
There is nothing here about 'open' in any sense.
Indeed, if this sentence were correct, then with any decent e-mail software his computer would have been quite safe.
Of course, "downloaded the attached Excel spreadsheet file" has to be wrong: The e-mail message would have already been received, in total, with the "attached" file so that the file did not need to be "downloaded". Of course, if the file was "downloaded" from just a URL in the e-mail message, then the file was not "attached" to the e-mail message. So, either the spreadsheet file was attached or downloaded but not both.
With irony, your:
"It was not some automatic process put into motion by the mere fact that someone emailed him, as you suggest in your rant."
gets at the main bad point in the article: The author is interested in drama, just drama, to grab readers by the gut, and in the special case of drama as some threat from some inexplicable, unfathomable, hidden evil forces of darkness. In particular the article did NOT include your "opened" the file and, instead, just had its:
"unwittingly set in motion a chain of events allowing hackers to raid ..."
So the threat was not from your "opened" but from its "unwittingly", that is, synonymous with my "inexplicable, unfathomable, hidden" and, with irony, also with your "some automatic process ...". The author IS claiming that the 'infection' was from some "automatic process" which, of course, is nonsense.
Again, the main claim early in the article is that any computer user is vulnerable to a massively destructive infection and security breach MERELY, "unwittingly", from an "automatic process", of receiving a bad e-mail and then downloading an attachment. This claim is nonsense, total 100% fuming, flaming, reeking nonsense. It's wrong, and from an effort to create confusion to scare people.
For your
"Second, I suggest you take a moment to reconsider your position that 'a virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just 100% harmless, safe, and innocuous' unless the computer is being operated by an idiot."
No, my statement is correct, a nice contribution, and fully appropriate for the subject of computer security for users of e-mail and personal computers.
To repeat, the key point for the target audience is not some "unwittingly" but just what I wrote:
Never, ever permit data from an untrusted
source to execute as software.
That's the key rule that everyone using a personal computer today needs to commit to memory, tattoo on the back of their right hand if necessary, pray to God each day at bedtime if necessary, and follow in all computer usage without exception.
The rule is simple and plenty within the ability of nearly any computer user.
And the rule insists that computer users know the difference between data just sitting in a file and data permitted to execute as software; this difference is just crucial.
Of course, the article, out of convenient ignorance or deliberate confusion or both, wanted to avoid mentioning your "opened", to avoid saying that the problem was not receiving the e-mail with an attachment, was not downloading a spreadsheet file, but WAS 'opening', and thus executing as software, data from an untrusted source.
The poor computer user was fine, safe, secure, etc. up to the moment they 'opened' the file. Again, the problem was 'opening' the file and not just receiving or downloading, unwittingly or not, the file.
"That is, unless you have never, on any occasion, been a victim of malware yourself."
The usual approach of the losing side of an argument is to attack the other person, not the other ideas. So, you are now after me, personally. I'm not the subject here; the article and computer security are the subject.
I've never gotten an infected computer via e-mail. With any decent e-mail software used in any decent way, it's essentially impossible for anyone to get an infected computer via e-mail. Again, as I explained, all standard SMTP and POP 3 e-mail is just some lines of text of 8 bit bytes. This data is super simple to handle safely. To get an infection from such data, you have to work at it. I made this point clear; it's good news; apparently you missed it.
Sadly, last year I did have at least three infections, my first ever. All three were from Web browser usage. I don't know the sources of the first two, but the third infection was from one use of the Akamai download manager software to get a PDF file from an Asus Web site. As I since discovered, that Akamai program is a common source of viruses: There are some obscure parameters in the program with some bugs, and passing the right string from an HTML page to the program can infect a computer. So, again, the problem was that the Web browser and the Akamai software permitted software from an untrusted source to execute.
My solution:
(1) Except for a few, essential, explicitly trusted Web sites, do Web browsing only in Windows User mode and not Windows Administrator mode.
(2) Severely restrict what Web browsers can do. For each browser, spend hours or a few days going over each browser security option in detail and block everything at all questionable until you have a browser that barely works on common Web sites. When on some Web sites the security options are too severe, f'get about the sites. For the options, document each click. Of course, must block Java and Active-X as if they were bytes of Anthrax.
(3) Disable all Web browser plug-ins except Flash. Due to the security threats of Flash, restrict Web browsing only to 'mainstream' Web sites and hope and pray.
In particular, never even entertain enabling anything like the Akamai download manager. If you want a PDF file from Asus, then try to get one sent as an e-mail attachment instead of via a browser plug-in. For now and into the future, regard essentially all browser plug-ins as never to be used. Period.
(4) For PDF files, let Adobe Acrobat read only files from relatively trusted sources. Disable the ability of a Web browser to call Adobe Acrobat automatically. That is, do not let any PDF reading software be an enabled browser plug-in.
(5) After any software changes, review again what browser plug-ins are enabled and again disable all but Flash (many software installations install and enable browser plug-ins without permission or notification). Swat back all those plug-ins like infected insects.
(6) Once a month download and run the latest Microsoft Malicious Software Removal tool (MRT).
(7) Keep a copy of the boot partition when all the software on it was freshly installed and still virus free, and be able to restore that copy of the partition given any symptom of a virus. With some effort, some careful usage of options, 'decoding' some really obscure Microsoft documentation, some experiments, some guessing, some detective work, and a few days of work, maybe two weeks full time, this saving and restoring are possible via the standard Windows program NTBACKUP.
(8) Of course, block all automatic software updates and downloads, and minimize all software updates. When the system is working, essentially FREEZE it -- if it ain't broke, don't fix it.
(9) Try hard to block any automatic execution of any software on removable media. Here, Microsoft tries really, really, really hard to keep people from blocking such automatic execution. Microsoft really, really, REALLY wants such automatic execution and wants to sweep under the rug the outrageously obvious security threats. So, have to be very careful about what removable media you insert into a Windows system.
(10) Have Windows Firewall enabled with severe restrictions.
(11) Be very careful about any software source where you permit its software to execute. This means, permit third party software to execute only from essentially impeccable sources, e.g., with signed software, etc. This also means, for nearly all third party software, f'get about it.
So far these steps have worked.
For infections as in the article, that is, via e-mail, I am not concerned. In particular, for some progress on PC computer security, pay attention to my 11 steps above. Also pay close attention to the first rule of computer security. For the article and its "unwittingly" via e-mail and downloads, f'get about those. I'm passing out stuff that is from good up to great; the article is passing out nonsense.
You wrote:
"It is a fact that there are very competent people behind these attacks."
That statement is true but a 'non sequitur' in this discussion and, thus, off the subject.
The issue from the article is getting infected "unwittingly" via an attachment via e-mail, and, with anything like a decent e-mail program used in anything like a decent way, that's nonsense even for "very competent people".
In particular, the article is pointing people in the wrong direction: The problems were not from e-mail or downloading but, presumably, that is, taking the minimum from the article, from 'opening' a spreadsheet file. That distinction is key, crucial. There's nothing "unwittingly" about it. The problem was that word you claimed was there but was not -- OPEN.
"The whole scenario seemed quite plausible to me, without my having to assume that RSA employs a bunch of idiots."
It's not "plausible" to me: The problem had to be "open" and not e-mail or downloading. And "unwittingly" had no role. Again, once again, still again, over again, once more, the first rule of computer security is:
Never, ever permit data from an untrusted
source to execute as software.
The problem in the article was a violation of this rule.
Just what is it about this rule you are having such a really difficult time understanding? Why are you so determined to believe in "unwittingly" instead of rationality?
This rule is really good news; why are you being so determined to keep struggling in the 31 F waters instead of reaching for the lifeboat and warm, dry blankets of this rule?
"As for your gripe about the quality of the article, think about the target audience."
I am: The audience needs to f'get about the article and "unwittingly" and pay close and careful attention to the first rule of computer security. For that rule, did I mention:
Never, ever permit data from an untrusted
source to execute as software.
"That said, I thought it was a pretty decent article. It explained in relatively easy to understand terms how the attack worked and the possible rationale behind it."
No: That is definitely what the article, deliberately and/or incompetently, did NOT do. The article claimed that "how the attack worked" was via its "unwittingly" and downloading, which are nonsense. Again, once again, to repeat yet again, still again, the problem was OPEN and, in particular, violation of:
Never, ever permit data from an untrusted
source to execute as software.
That's enough. If I continue to respond to your writing from not having read what I wrote, I will be just repeating the same, simple, on target points over a dozen times.