RSA Tokens – Follow Up Investigation

If you read the prior post about the RSA security breach, I wrote about the way many groups have approached the issue. Mostly people were both shocked and dismayed that a security company like RSA – one that designs systems for protecting company confidential information – was broken into. More significantly, RSA was breached through the Internet in an unusual way. In summary, the attackers sent a phishing email to a low-level employee's mail account, infected the machine through an attachment, watched to learn who that employee's bosses were and what network access those bosses had, and worked their way around the company network, slowly finding their way into the corporate servers holding product development information. Eventually these hackers were able to find the special algorithms used inside RSA's security products and compromised the entire security product line.

Wired recently published an article discussing RSA's recent account of who performed the attack. The most obvious conclusion is: if someone can figure out the RSA formula for protecting computer information, then they could break into the network of any company that uses RSA's servers.

Wired’s article said RSA claims two well-known hacker groups who have not previously worked together were involved in this breach and were working for an unnamed government.

The article describes the situation:

The attackers gained access to the network after sending two different targeted phishing e-mails to four workers at its parent company EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. Nonetheless, when one of the recipients clicked on the attachment, the attachment used a zero-day exploit targeting a vulnerability in Adobe Flash to drop another malicious file — a backdoor — onto the recipient’s desktop computer. This gave the attackers a crack they used to burrow farther into the network and gain the access they needed.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” RSA wrote on its blog in April.

Heiser revealed this week that the hackers had knowledge of the internal naming conventions that his company used for hosts on its network. They also had knowledge of Active Directory — a Microsoft product used for managing the authentication of users on a network. This knowledge helped them disguise their malicious activity inside the network so that it appeared to be legitimate.

“User names could match workstation names, which could make them a little more difficult to detect if you are not paying attention,” Eddie Schwartz, RSA’s chief security officer, told IDG.

Heiser said the attackers used various pieces of malware to penetrate its system, some of which were compiled just hours before the attackers used them. The attackers also compressed and encrypted the data they stole before they exfiltrated it from the network, making it more difficult to identify as malicious traffic.

The attackers appeared to be after information that would help them penetrate networks belonging to U.S. defense contractors who used SecurID to authenticate their workers.
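As an added example (not from the original post, the Wired article or RSA), here is a defender's check for the blending-in technique quoted above: flag logon events whose account name matches the internal workstation naming convention or equals a host name observed elsewhere in the same log. The log format, the `WS-<dept>-<4 digits>` naming convention and the sample records are all constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample logon records (illustrative, not real EMC/RSA data).
# Fields: timestamp, account name, source host, target host.
SAMPLE_EVENTS = """\
2011-03-14T09:02:11 jsmith      WS-FIN-0412 FILESRV01
2011-03-14T09:05:47 ws-fin-0412 WS-FIN-0412 FILESRV01
2011-03-14T09:07:03 akhan       WS-ENG-1177 DEVSRV03
2011-03-14T09:09:58 WS-ENG-1177 WS-HR-0021  DEVSRV03
2011-03-14T09:12:30 svc_backup  BKP01       FILESRV01
"""

# Hypothetical internal naming convention for workstations: WS-<dept>-<4 digits>.
WORKSTATION_PATTERN = re.compile(r"^WS-[A-Z]{2,4}-\d{4}$", re.IGNORECASE)

Event = namedtuple("Event", "ts account src dst")


def parse_events(text):
    """Parse the whitespace-separated records; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(Event(*parts))
    return events


def find_hostlike_accounts(events):
    """Return (event, reason) pairs where the account name looks like a host.

    Two signals are checked: the account follows the workstation naming
    convention, or it equals a host name seen elsewhere in the same log.
    """
    seen_hosts = {e.src.upper() for e in events} | {e.dst.upper() for e in events}
    flagged = []
    for ev in events:
        acct = ev.account.upper()
        if WORKSTATION_PATTERN.match(acct):
            flagged.append((ev, "account matches workstation naming convention"))
        elif acct in seen_hosts:
            flagged.append((ev, "account equals an observed host name"))
    return flagged


if __name__ == "__main__":
    for ev, reason in find_hostlike_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"{ev.ts} {ev.account} from {ev.src} -> {ev.dst}: {reason}")
```

In a real environment the host list would come from Active Directory's computer objects rather than from the log itself, and a match should be correlated with the account's normal logon pattern before alerting.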

While many camps of journalists and IT professionals complain that RSA is a failed company and should have done more to protect its important corporate data, there is another perspective that is being ignored. The consequences prove to everyone that it is not easy to protect computer networks. It is also difficult to maintain IT security within any company, even when large budgets are involved. The fact is that RSA – which uses many “enterprise” level security devices to protect itself – still did not have enough protection and tools to stop this attack.

Why this attack succeeded is arguable, but one possible factor is that EMC was not updating its laptops (which leave the building) as regularly as updates became available. Yet if a government-backed group intends to get into a corporation, even a better patching policy will still leave the company subject to many network attacks.

While we can place blame on IT employees and management, it may be a more constructive conversation to discuss what allowed these hacking groups into the network. The attack started with getting the names of low-level employees – people who have very little knowledge of corporate private information – and getting those employees to open fake email attachments. Variables in this attack include:

1) consistent and publicly advertised corporate email addresses
2) laptops that are potentially not being regularly patched with current Flash updates, Microsoft Office updates and Microsoft operating system updates, and possibly lacking up-to-date, high-quality anti-spam filters
3) zero-day exploits (attacks that exploit application vulnerabilities unknown to the software developer or to the public, so no patch yet exists)
4) workforce laptops that are possibly not as protected as necessary
5) a potential lack of IT policies and of regular training of employees about the ways machines get infected

It is not clear to anyone outside of RSA whether these laptops were updated as quickly as vendors released fixes: Adobe Flash updates (distributed at irregular monthly intervals), Microsoft security updates, Microsoft Office security updates, antivirus definition updates, DNS protection, anti-spam protection, spyware protection, VPN client updates, firewall firmware updates, etc.

With this list of IT security variables that we DO KNOW could have played into this attack, it is easy to see that it may be nearly impossible to claim RSA was neglectful. Keeping a mobile workforce up to date and secure is a very difficult mission for any company, and probably much more difficult than anything critics and pundits have ever had to deal with in their own experience.
