

RSA: Anatomy of an Attack - trotsky
http://blogs.rsa.com/rivner/anatomy-of-an-attack/

======
ajays
FTA: "The spreadsheet contained a zero-day exploit that installs a backdoor
through an Adobe Flash vulnerability (CVE-2011-0609)."

How many times has Adobe been responsible for such backdoors? I mean, they
can't even put out a decent PDF "reader", for Chrissake. This company
shouldn't be allowed to operate till they get their act together (I'm just
venting). I hope someone sues Adobe one of these days and drives them into
bankruptcy.

~~~
drivebyacct2
Reader has probably 100 other features that are very important to companies
who produce documents consumed by it, that you're probably not even aware of.

If you're using it as a PDF reader, you're doing it wrong. Try Foxit (or,
since they're going the bloat/install-ware route, the lighter Sumatra). If
you're not on Windows, I have no idea why you'd go installing Adobe Reader
anyway, unless you need those previously alluded to features.

~~~
Groxx
> _If you're using it as a PDF reader, you're doing it wrong._

Entirely agree. As well as the extra features, which I essentially never see
anyone use, though I of course don't see internal documentation. And I've seen
_one_ embedded 3D model and a couple sound files.

However. "You're doing it wrong" ignores the real world, where _almost
everyone_ uses Adobe's reader to view PDFs. OSX users are a bit of an
abnormality, as they have Preview installed by default, but many many many
things still tell you you need "Adobe Reader" installed, and provide a link,
and people install it, and it takes over. Or company / school / government-
supplied computers have it pre-installed.

I feel I can be confident saying that _millions_ of people use Adobe's reader
as nothing more than a reader. That's millions of slow, intrusive, background-
running, auto-starting readers just hanging around, waiting to be exploited.
And they're likely sitting on computers for people who don't even _know_ any
other option exists, are less techy, and are therefore _even more_ likely to
be easy-entry targets.

~~~
drivebyacct2
Millions of people run Windows, ignore automatic updates and don't understand
why their peers tell them to use Firefox.

I don't disagree with your point, but maybe they're just different variants of
"doing it wrong". The fact that they're ignorant of alternatives doesn't make
it less of a bad practice.

------
oasisbob
I love all the False Proper Nouns included in this release, as well as the
"unnecessary quotes".

- Advanced Persistent Threat
- Spear Phishing
- Computer Incident Response Team
- "defeat"
- Phishing
- Trojan

I think they say a lot.

------
Getahobby
Every time he uses "APT", take a drink.

~~~
danenania
_Belch_

------
trotsky
Seems to be the classic "bury it on friday night" approach to disclosure.

------
cookiecaper
The majority of this post is RSA tooting its own horn for catching the
attackers so quickly (along with other PR shenanigans). It'd be nice if we
could see a more detailed, straight-up technical version without all the
pandering.

That said, the "new defense doctrine" against phishing and other impersonation
scams should be, dun dun DUN, public key cryptography. It's not that
complicated, and it would save so many people so much trouble if they actually
used it. HBGary comes to mind, and now RSA; if RSA had even just signed its
emails, not encrypted, this attack would not have happened. Kind of funny that
a big firm whose whole business is based on this kind of cryptography wouldn't
use it extensively itself.
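
The signing defence the comment above proposes, as an added illustration that is not part of the thread or of RSA's post: the sender signs a canonical form of the mail (headers plus a digest of the attachment), and the recipient verifies against a public key obtained out of band. A spoofed From header, a swapped spreadsheet, or a message with no signature at all then fails verification. Ed25519 is used here for brevity; a real deployment would use S/MIME or PGP. All names, addresses, subjects and attachment bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Message is the subset of an e-mail that the signature covers.
// AttachmentSHA256 binds the signed headers to the exact attachment bytes,
// so replacing the spreadsheet breaks the signature even if the mail text is
// untouched. (Hypothetical structure for this example.)
type Message struct {
	From             string
	To               string
	Subject          string
	Body             string
	AttachmentSHA256 string
}

// canonical serialises the signed fields in a fixed order. Signer and
// verifier must derive byte-identical output. Real formats (S/MIME, DKIM)
// canonicalise far more carefully; a newline inside a header value would
// let fields run into each other here.
func canonical(m Message) []byte {
	return []byte(strings.Join([]string{
		"from:" + m.From,
		"to:" + m.To,
		"subject:" + m.Subject,
		"attachment-sha256:" + m.AttachmentSHA256,
		"",
		m.Body,
	}, "\n"))
}

// attachmentDigest returns the hex SHA-256 of the raw attachment bytes.
func attachmentDigest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Sign produces a detached signature over the canonical form.
func Sign(priv ed25519.PrivateKey, m Message) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// Verify checks a detached signature; a missing or wrong-length signature
// simply fails (ed25519.Verify returns false, it does not panic).
func Verify(pub ed25519.PublicKey, m Message, sig []byte) bool {
	return ed25519.Verify(pub, canonical(m), sig)
}

// Results records which of four messages verify: the genuine one and three
// attacker variants.
type Results struct {
	Genuine           bool
	ForgedFrom        bool
	SwappedAttachment bool
	Unsigned          bool
}

// Scenario signs one genuine message and then applies the three attacker
// moves a spear-phish relies on. Only the genuine message should verify.
func Scenario() Results {
	// Key generation happens once per sender; the public key is distributed
	// out of band (directory, certificate), never inside the mail itself.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	benignXLS := []byte("constructed sample: benign recruiting spreadsheet")
	genuine := Message{
		From:             "hr@example.com",
		To:               "staff@example.com",
		Subject:          "Recruitment plan", // constructed subject line
		Body:             "Please review the attached plan.",
		AttachmentSHA256: attachmentDigest(benignXLS),
	}
	sig := Sign(priv, genuine)

	// Attacker 1: spoofs the sender header and replays the genuine signature.
	forged := genuine
	forged.From = "ceo@example.com"

	// Attacker 2: keeps headers and body, swaps in a malicious attachment.
	maliciousXLS := []byte("constructed sample: spreadsheet carrying an exploit")
	swapped := genuine
	swapped.AttachmentSHA256 = attachmentDigest(maliciousXLS)

	// Attacker 3: has no private key, so the mail arrives with no signature.
	return Results{
		Genuine:           Verify(pub, genuine, sig),
		ForgedFrom:        Verify(pub, forged, sig),
		SwappedAttachment: Verify(pub, swapped, sig),
		Unsigned:          Verify(pub, genuine, nil),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The check only helps if the recipient's client enforces it: internal mail that is unsigned or fails verification has to be quarantined rather than shown with a warning the user can click through, and the signing key must not live on the same workstation the phish is aimed at.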

~~~
bigiain
It'd also be nice if they answered the important question "was the private key
securing all the deployed tokens stolen?". Knowing _how_ it happened satisfies
some intellectual curiosity, but fundamentally hasn't shown us anything we
don't know.

------
rwmj
Could someone edit RSA's post for me, removing all the lame excuses?

------
gojomo
Is there any authority under which DHS or the Department of Commerce can
condemn as unsafe-for-human-habitation the entire Adobe product line? Just
red-tag the whole vulnerability-infested infrastructure?

