

RSA SecurID attack details unveiled – they should have known better - trotsky
http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better/

======
rst
What RSA's SecurID customers really want to know is what specific information
regarding SecurID got compromised, and what are the implications for the
security of SecurID itself. Which neither RSA's official post[1], nor
Gartner's writeup, seems to tell me.

(Knowing the details of how RSA got spearphished is interesting, I suppose,
but it leaves out the really important bits.)

[1] <http://blogs.rsa.com/rivner/anatomy-of-an-attack/>

------
Estragon

      It is also important to note that just as stealth fighters 
      evade radar instead of defeating it, APTs do not “defeat” 
      security products.
    

Haha. You keep telling yourself that, bucko.

~~~
Groxx
"APT"? I don't know that acronym...

~~~
mukyu
<http://en.wikipedia.org/wiki/Advanced_Persistent_Threat>

~~~
Groxx
Ah, many thanks :) It was being thrown around all over, but no explanation.

> _Threat – means that there is a level of coordinated human involvement in
> the attack, rather than a mindless and automated piece of code. The
> operators have a specific objective and are skilled, motivated, organized
> and well funded._

Seems odd to specify "mindless and automated piece of code". Does this mean
Stuxnet wasn't a "Threat"? I'd say it fit all those requirements - specific
goal, wide-ranging tech use, and everyone saw it coming but nobody managed to
stop it.

~~~
trotsky
Stuxnet definitely fits the definition (with a bullet).

It's Wikipedia with all the associated baggage. I'd guess what they meant to
draw a distinction from was the automated bots/worms out there that just
rattle the windows of hundreds of thousands of sites for known
vulnerabilities. Then they install something relatively innocuous like an ad
for scareware AV, similar to the current huge SQLi attack.

------
trotsky
RSA has posted a more detailed account to their blog:

Anatomy of an Attack

<http://blogs.rsa.com/rivner/anatomy-of-an-attack/>

~~~
mukyu
Sadly, it provides basically no details.

Skip to the appendix if you don't want to read irrelevant comparisons to
U-Boats and stealth aircraft.

Even there, the details are light. They got spearphished with Excel files with
Flash payloads (CVE-2011-0609). Those installed "Poison Ivy" (some remote
admin a la vnc/rdp). They spread out from those points attacking other
accounts/computers/servers. They looked around for interesting things, put it
in passworded RARs and FTPed them out to other compromised (non-RSA) servers
(apparently "Good[DOT]mincesur[DOT]com | up82673[DOT]hopto[DOT]org |
www[DOT]cz88[DOT]net").

There is very little useful information in their breakdown. Everything they
mention is standard fare, certainly not something special to "Advanced
Persistent Threats". The Flash vuln (with Excel files) has been known for
weeks. There is no discussion of what the attackers actually managed to get
their hands on.
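
As an added defender-side example (not from the thread, RSA, or Gartner), a small scanner for the attachment pattern mukyu describes above: an Excel file carrying an embedded Flash (SWF) object. All function names are my own, and the sample workbook is constructed inline.

```python
import io
import zipfile

# Added example, not from the thread: flag Excel attachments that carry an
# embedded Flash (SWF) object, the delivery mechanism cited for CVE-2011-0609.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA

def find_swf_offsets(data: bytes) -> list:
    """Offsets where an SWF header plausibly starts in a blob."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (idx := data.find(magic, start)) != -1:
            # Header: 3-byte magic, version byte, 4-byte little-endian length.
            # A sane version and length cut down on random 3-byte hits.
            if idx + 8 <= len(data):
                version = data[idx + 3]
                length = int.from_bytes(data[idx + 4:idx + 8], "little")
                if 1 <= version <= 50 and length >= 8:
                    hits.append(idx)
            start = idx + 1
    return sorted(hits)

def scan_excel_attachment(blob: bytes) -> dict:
    """Member name -> SWF offsets; a raw OLE .xls is scanned under '<raw>'."""
    findings = {}
    if blob.startswith(b"PK\x03\x04"):  # .xlsx/.xlsm are ZIP containers
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                offs = find_swf_offsets(zf.read(name))
                if offs:
                    findings[name] = offs
    else:  # legacy .xls (OLE compound file) scanned as one blob
        offs = find_swf_offsets(blob)
        if offs:
            findings["<raw>"] = offs
    return findings

def make_sample_xlsx(with_swf: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like an .xlsx, optionally with an SWF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_swf:
            swf = b"CWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()
```

A byte search is a triage heuristic, not a parser: real mail-gateway tooling would walk the OLE streams, but the magic-plus-header check is enough to surface the pattern the comment describes.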

~~~
trotsky
Agreed that all of the "omg, APT" in there comes off pretty badly in light of
the reported details. APT has more or less been poisoned as a term lately (see
comodo, etc.) and amounts to the latest scapegoat scenario. "See, we can't be
blamed! It's an APT!" is what I'm betting the RSA board hopes is the takeaway
here.

Of course they could also know something pretty significant that they're not
telling. What was taken and how tough it was to get at internally could be a
flag. If there was a really significant or telling element to the attack it
may well be that they've been asked not to reveal it. Not that I'd bet on that
side of the line.

------
chair6
I was really hoping it would be something at least somewhat interesting like
an SQL injection vulnerability or some kind of 0-day (EDIT: in external facing
system/service), for the sake of RSA.

But no, it was email attachments (EDIT: granted, with an Excel 0-day). Email
attachments???!! Says a lot about the effectiveness of security awareness
training. Fear the APT.

~~~
trotsky
If it's as they describe, they did have a 0-day used on them. The email
attachments, which were Excel spreadsheets with an embedded Flash exploit,
apparently were the source of the 0-day report documented in CVE-2011-0609 and
published on Mar 14. The RSA attack was reported on Mar 17.

[https://www.adobe.com/support/security/advisories/apsa11-01....](https://www.adobe.com/support/security/advisories/apsa11-01.html)

While there is definitely something to be said for what you're saying about
"omg, email attack" the other side of the coin is that spearphishing is the
most popular/common attack vector because it works.

~~~
mryall
It's a good reminder that with ubiquity comes an increased focus on security.
I'm much more conscious of the security problems with Flash after a lot of
recent news about it. However, it isn't necessarily because it's any less
secure than other applications, just that it's ubiquitous and therefore a more
likely avenue of attack.

------
kqueue
> The irony is that they don’t eat their own dogfood. In other words, they
> relied on yesterday’s best of breed tools to prevent and detect the attack.

I don't think she understands what eating your dogfood means.

~~~
alecco
In the following paragraph she mentions RSA didn't use another tool they sell
to prevent this kind of attack. I think she used the phrase correctly.

<http://en.wikipedia.org/wiki/Eating_your_own_dog_food>

~~~
kqueue
Can you copy that specific section?

~~~
Groxx
> _RSA sells its own fraud detection systems based on user and account
> profiling ... They should have applied these techniques to their own
> internal systems._

As they were using a network observer which wasn't as sophisticated as other
tools they make and sell.

------
r00fus
Is this another reason to laud Apple for not shipping Flash on their Macs (or
iOS devices for that matter)?

Having a fully scriptable, ubiquitous environment like Flash installed
systemwide just increases your attack vectors. I'm not blaming Adobe here as
much as recognizing that 0-day vulnerabilities will always exist.

Microsoft Office aside (if you need to use it, it's going to be installed),
perhaps there will now be pressure to remove and ban Flash from work
environments.

------
Pahalial
I can't believe the person who wrote this is legitimately knowledgeable about
this industry or the relevant tech. Phonetically misspelling "Bayesian" as
"Beysian", while hardly a deal-breaker or even worth notice from someone
non-technical, is a giant red flag from someone trying to sell themselves as a
technically competent analyst.

------
Estragon
So, does everyone still think it's China? Have they been able to trace the IP
addresses back, at all?

~~~
trotsky
There is a US-CERT EWIN that makes it seem like either it was, or someone
wanted people to think it was. Which does of course not narrow it down a ton,
but c'est la vie.

Domains used in the attack included:

www .usgoodluck .com

obama .servehttp .com

prc .dynamiclink .ddns .us

[http://krebsonsecurity.com/2011/03/domains-used-in-rsa-attac...](http://krebsonsecurity.com/2011/03/domains-used-in-rsa-attack-taunted-u-s/)

~~~
Estragon
Thanks.

