Feeds

RSA explains how attackers breached its systems

Howdunnit explained but depth of hack or what was taken remain a mystery

5 things you didn’t know about cloud backup

RSA has provided more information on the high-profile attack against systems behind the EMC division's flagship SecurID two factor authentication product.

The security firm, criticised for its refusal to discuss the hack – aside from warning that the security of SecurID might be reduced – broke its silence to provide a fair amount of detail on how it was attacked. What it didn't say is what was taken, a topic that remains the subject of both concern and speculation.

The attack itself involved a targeted phishing campaign that used a Flash object embedded in an Excel file. The assault, probably selected after reconnaissance work on social networking sites, was ultimately aimed at planting back-door malware on machines on RSA's network, according to a blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read "2011 Recruitment Plan".

The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled "2011 Recruitment plan.xls".

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.

Rivner compared the hack to stealth bombers getting past RSA's perimeter defences. He said many other high profile targets, such as Google via the Operation Aurora attacks, had been hit by such "Advanced Persistent Threats" (an industry buzzword that often boils down to a combination of targeted phishing and malware).

In the case of the RSA attack the assault involved a variant of the Poison Ivy Trojan. Once inside the network, the attacker carried out privilege elevation attacks to gain access to higher value administrator accounts. Such stepping stone attacks allow hackers to jump from compromised access to a low interest account onto accounts with far more privileges before carrying out the end purpose of a multi-stage assault, normally the extraction of commercially or financially sensitive information. Even though RSA detected the attack in progress hackers still managed to make off with sensitive data, as Rivner explains.

The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction.

The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.

So what data was extracted? We still don't know. The concern is that SecurID seeds have been lifted, along with the mechanism that links an individual token's serial number to its individual seed. It may be, in addition, that RSA's database of serial numbers has been compromised.

It may be that SecurID's two-factor authentication has not been broken in either of these ways but until RSA explains what was taken and how that impact customers then user's will not unnaturally think the worst. RSA may well have provided an anatomy of an attack but it hasn't said what was stolen, akin to a bank saying that robbers got in through the vault and made off with something without saying what was taken. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?