RSA's Corporate Network Security Breached
This has been kicking around the tech news for a couple of weeks now, but it seems like the fallout is still uncertain as details slowly leak about it.
First, a little background for those who need it. RSA was founded by three MIT professors who invented the RSA public/private key crypto algorithm (the letters "RSA" are the initials of their last names). A few years back, they were purchased by EMC and are now marketed as "the security division of EMC." Anyway, at least at first glance, you'd think these guys would know a thing or two about security given their backgrounds.
One of their main products is SecurID two-factor authentication. In a nutshell, this consists of a hardware gizmo (usually a fob with a little LCD display on it) or a software gizmo (they have them for smartphones like the iPhone) that spits out a new single-use password once a minute or so. This is combined with a regular password to authenticate you with whatever server/service you're logging on to -- such as a corporate VPN (which is where I had experience using it). Since the passwords generated by this gizmo are only valid for a minute at a time, and a hacker would need both this gizmo and the password of the user associated with it (each user has a unique gizmo), it makes it that much harder to gain unauthorized access.
Well, while RSA hasn't come clean about it, rumors abound that the database containing the mappings between the gizmos' serial numbers and whatever security keys are used to calculate the one-time passwords may have been stolen, therefore nullifying the effectiveness of their product (though not similar products by other companies, mind you).
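To make concrete why that serial-to-seed database is the whole ballgame, here is an added example (not RSA's code, and not their proprietary SecurID algorithm; it uses the generic RFC 6238 time-based OTP construction with a 60-second step to match the "once a minute" behaviour above). The seed database, user table, names `alice`/`hunter2`, the serial number and the helper functions are all constructed for illustration. The point it demonstrates: a server can only check a code by holding the same seed the token holds, so anyone with a copy of the seed database computes the same codes as the token, and the fix is to revoke or reseed the affected tokens, not to change passwords.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the post says the token rolls over "once a minute or so"
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Generic RFC 6238 TOTP over HMAC-SHA1 (assumed model, not RSA's algorithm).

    The token and the server both run exactly this: same seed, same clock,
    same code. Nothing else is secret.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed seed database: token serial -> seed. This mapping is the asset the
# post says may have been stolen; the seed is the RFC 4226/6238 test-vector key.
SEED_DB = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
}

# Constructed user table: each user is tied to one serial plus a static password.
USERS = {
    "alice": {"serial": "000123456789",
              "pw_hash": hashlib.sha256(b"hunter2").hexdigest()},
}


def verify_login(user: str, password: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check: 'something you know' (password) AND 'something you have' (code)."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
        return False
    seed = SEED_DB.get(rec["serial"])
    if seed is None:                              # token revoked or never issued
        return False
    # Allow +/- one step of clock drift between token and server.
    for drift in range(-window, window + 1):
        t = now + drift * STEP_SECONDS
        if t >= 0 and hmac.compare_digest(totp(seed, t), code):
            return True
    return False


def code_from_leaked_db(leaked_db: dict, serial: str, now: int) -> str:
    """What a copy of the seed database yields: the same code the real token shows.
    This is why a seed-database leak collapses two factors into one."""
    return totp(leaked_db[serial], now)


def revoke_token(serial: str) -> None:
    """Remediation 1: drop the seed so no code for that serial verifies anymore."""
    SEED_DB.pop(serial, None)


def reseed_token(serial: str) -> bytes:
    """Remediation 2: issue a fresh seed (i.e. a new token); the old seed copy is useless."""
    new_seed = secrets.token_bytes(20)
    SEED_DB[serial] = new_seed
    return new_seed


if __name__ == "__main__":
    now = 120  # constructed server time, two 60-second steps after the epoch
    token_code = totp(SEED_DB["000123456789"], now)
    print("token shows:", token_code)
    print("login with real token:", verify_login("alice", "hunter2", token_code, now))
    leaked = dict(SEED_DB)                        # attacker's copy of the database
    print("code from leaked DB equals token:", code_from_leaked_db(leaked, "000123456789", now) == token_code)
    reseed_token("000123456789")
    print("old leaked copy still works after reseed:",
          verify_login("alice", "hunter2", code_from_leaked_db(leaked, "000123456789", now), now))
```

Changing passwords (the reaction one commenter below describes) restores nothing here: the password was never the factor that leaked. Only `revoke_token` or `reseed_token` makes the stolen seed copy worthless, which is why the remediation for this kind of breach is token replacement.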
The attack basically consisted of figuring out the corporate emails of employees at RSA via social networking sites, emailing them innocuous-looking attachments that contained remote access trojans, and gaining access to the corporate network via those trojans -- a basic spearphishing attack. You can read up a bit more on it at Ars Technica.
It'll be interesting to see the fallout of this. As I used to work for EMC (twice) and still know folks there, I've heard about some of the draconian IT policies that they've implemented in response to this attack. They even went so far as to purchase a company that specializes in detecting malware such as this in order to cope. Now, my current employer doesn't use SecurID, so it's not affecting me, but I wouldn't be surprised if some of you are affected.
Comments
The idea behind products like Yubikey and SecurID is sound, although I'm not enough of an expert to compare the implementations to see which one did it better. It looks like Yubikey has you set up your own infrastructure as opposed to relying heavily on a "black box" that RSA sells you and that ties in to a big database back at the mothership.
We just had to change our passwords because of this attack, but I wonder if we'll just have to switch to a completely different security system.
It does strike me as interesting that RSA even had an avenue where such an attack was possible. Why would you keep information like that on a machine on a network? Keep it completely separate from everything else and use physical security to control access.
I didn't say this is a smart way to do it... but it certainly is an easy way to do it. Especially if you figure they may have quite a bit of hubris seeing as how they're RSA.
As a result, you have crazy laws being proposed advocating an internet kill-switch.
This is how they infected the uranium enrichment systems in Iran. While the computers on those systems were not connected to the internet, the computers used by the scientists and technicians operating those systems were. So a technician downloads a driver update for the enrichment control computers over the internet to a USB drive, infects said USB drive in the process, and the worm jumps from the USB drive to the enrichment control computer after it's plugged in to install the driver update.
There aren't enough good IT/CS/CE/SE people in the world to handle the world's technology needs. So you end up with situations like this.
However, it's also true that the "Mission Impossible" computer is useless. A non-networked computer effectively doesn't exist for any practical purpose: a hard drive in a safe would serve the same purpose. There are better solutions that are effectively secure, and the real failure was with the operators and the network security team. ;^)
I do agree that the failure in this case is with the admins/operators/security team. It should not have been possible for a low-level HR or finance person's (which appear to be the targets of the initial spearphishing attacks) machine to access machines containing sensitive data such as the SecurID database.