RSA release a few details on their big security breach

Filed Under: Adobe, Data loss, Malware, Privacy, Social networks, Vulnerability

In mid-March, Naked Security reported that RSA's executive chairman, Art Coviello, had revealed a doozie of a cyber-attack story: hackers had broken into RSA servers and stolen information related to the company's SecurID two-factor authentication products.

On Friday - ironically, April Fools' Day - Uri Rivner, RSA's head of new technologies and consumer identity protection, posted a blog entry releasing additional details on the RSA security breach.


It is a very long article, which provides a few details of how the attack managed to penetrate their defences. Unfortunately, it does leave some big details out.

So, here are the bare bones of the attack, summarised from Rivner's post:

1. Attackers got their hands on specific employees' publicly available information. Unsurprisingly, social media sites are useful for both good guys and bad guys. By giving away employees' full names, job titles and company contact details, we inadvertently provide hackers and phishers with some of the necessary information to make a scam look legitimate. For example, if we know someone works in HR, then tailoring a bogus email for that department makes the attack more likely to succeed.

2. Hackers sent specific employees a phishing email, entitled '2011 Recruitment Plan', with an Excel spreadsheet attached. The spreadsheet, called '2011 Recruitment plan.xls', hid an embedded Flash exploit, which took advantage of a then-unpatched zero-day vulnerability in Adobe Flash (CVE-2011-0609).

3. The Trojan then downloaded a variant of the Poison Ivy remote administration tool (RAT), giving the attackers remote control of the computer.

4. The attackers took the access credentials from the compromised victims. The attackers then performed "privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators."

5. The hackers went into the servers of interest, copied data and moved it to internal staging servers. The data was then aggregated, compressed and encrypted for extraction. FTP was used to transfer "many" password-protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider.

6. The files were subsequently pulled by the attackers and removed from the external compromised host to remove any traces of the attack.
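The lure in step 2 was a legacy Excel file carrying a Flash object. One defensive triage check an email gateway or IR analyst can run is to look for SWF headers inside an OLE (.xls/.doc/.ppt) container. The following is an added example written for this article, not code from RSA or Rivner's post; the sample attachment it scans is constructed inline, and the check only finds SWFs stored uncompressed inside the container, so it complements rather than replaces sandboxing.

```python
import struct

# Magic numbers from the public file-format specifications.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office (.xls/.doc/.ppt) container
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")         # uncompressed, zlib, LZMA-compressed Flash
OFFICE_EXTS = (".xls", ".doc", ".ppt")


def find_embedded_swf(data: bytes) -> list:
    """Return a record for every plausible SWF header found anywhere in `data`."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            hdr = data[pos:pos + 8]
            if len(hdr) == 8:
                version = hdr[3]                          # SWF version byte
                (length,) = struct.unpack("<I", hdr[4:8])  # declared total file length
                # A genuine header declares at least 8 bytes and must fit in the
                # buffer; this filters out chance 3-byte matches in ordinary text.
                if 1 <= version <= 50 and 8 <= length <= len(data) - pos:
                    hits.append({"offset": pos, "signature": sig.decode(),
                                 "version": version, "length": length})
            pos = data.find(sig, pos + 1)
    return hits


def triage_attachment(filename: str, data: bytes) -> str:
    """BLOCK an Office container that embeds Flash, REVIEW a bare Flash hit, else PASS."""
    looks_like_office = data.startswith(OLE_MAGIC) or filename.lower().endswith(OFFICE_EXTS)
    swfs = find_embedded_swf(data)
    if looks_like_office and swfs:
        return "BLOCK"
    if swfs:
        return "REVIEW"
    return "PASS"


def build_sample_xls_with_swf() -> bytes:
    # Constructed sample: an OLE header, filler, then a minimal SWF v10 header
    # with 20 bytes of body, mimicking a Flash object stored in a .xls stream.
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + 20) + b"\x00" * 20
    return OLE_MAGIC + b"\x00" * 504 + swf + b"\x00" * 100


if __name__ == "__main__":
    sample = build_sample_xls_with_swf()
    print(triage_attachment("2011 Recruitment plan.xls", sample), find_embedded_swf(sample))
```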

Rivner says that RSA's Computer Incident Response Team caught the threat during their third stage, rather than hearing about it months later. This allowed RSA to respond quickly and engage in immediate countermeasures.

You read all this, and you can't help but want more details. What did the attackers take? How does it affect RSA's customers? What can they do about it? What is RSA doing to stave off future similar attacks?

Perhaps that information is still to come. I know many of us are dying to know more.

However, I am really pleased that RSA sketched out some of the details of the attack. I don't know if they planned to do so all along, or if they bowed to external pressure to do so. It does force other companies to really think about their own infrastructure and what measures they have in place to help them mitigate against this type of attack.

And it must be nerve-racking for RSA's shareholders and CxOs to read a public document about how the company got hacked, but releasing it really shows a tremendous amount of social responsibility. Well done Rivner and co.

RSA are not the first to be victims of this sort of attack, and they sadly won't be the last. No matter what technology you have in place, the one vulnerability no business can get away from is its employees.

Keeping them informed about how threats will try to take advantage of them and giving them the right knowledge and tools to help spot these types of attacks will go a long way to help secure a company's confidential information.

Naked Security provided some tips here for IT security teams to share with their users last year: Sophos's security manifesto.



About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos's Global Director of Social Media and Communities. Proudest work achievement? Creating and launching the award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and a blogger.