Tue 5 Apr, 2011
Tags: computer security, internet security, network security, social engineering
RSA, a well-known manufacturer of two-factor authentication systems based around cryptographic tokens and developer of numerous other security-based products, announced last month that their security had been compromised, specifically that surrounding their flagship SecurID tokens. Yesterday, they finally revealed some of the details behind how that particular compromise happened.
The description given by the WSJ above is one of an attack carried out with ‘sophistication’–but looking deeper reveals that this is apparently face-saving propaganda, given that the description matches up with a textbook social engineering-mediated trojan installation.
In short, a spearphishing campaign–a phishing campaign focused at a specific person or group–was carried out to solicit a person with some level of privilege into opening a document in which was embedded malicious code–in this case, an Adobe Flash object. This malicious code proceeded to install what’s known as a RAT–a remote-access trojan–which connected to a remote server to allow the infiltrator to observe his target’s activities and gain access to secured information.
At that point, the infiltrator was able to package and upload private information concerning the cryptography used in the SecurID token system to a server that he controlled elsewhere.
As per the usual textbook example–and the phrase is chosen deliberately, given that it is, in all respects, materially identical with the majority of examples given in this text on social engineering–the target was induced to deliberately open a suspicious attachment. Said attachment had been put into the ‘spam’ bucket (though attachments had not been stripped, as best practices would dictate for such arrangements) and it was deliberately retrieved and opened by the target at the infiltrator’s urging.
This cannot be stressed enough: the initial infiltration was accomplished through mundane means, by convincing the target to act against standard security policies.
It was only through the user’s deliberate violation of standard secure practices that the infiltrator was able to gain access to the network and carry out his work.
There were a few other security failures that this appears to bring to light–RSA has several products that they market specifically to prevent these sorts of infiltrations, to detect and counter intrusions; these were apparently not in use inside the company, which rather places doubts on their effectiveness. Attachments, as mentioned above, were not automatically stripped from external emails; this is fairly standard practice with any reasonably well-administered mailserver, as it cuts down the possible attack surface significantly. The corporate firewalls did not, apparently, block outgoing FTP traffic to sites not known-good; this allowed for easy exfiltration of private company data.
Any one of these failures has the potential for a breach; all of them together combined to make that breach much easier and much less detectable than it might have been otherwise.
To RSA’s credit, they at least determined that a breach had happened before they were notified by some outside agency; oftentimes, insufficiently secure networks are infiltrated and no notice is taken of any odd function or other telltales of intrusion until, for instance, the company domain is blacklisted for being a spam origination point.
The countermeasures to prevent this sort of breach are obvious: secure the corporate network according to standard best practices. Ensure that all users are fully aware of security policy, and ensure that all users follow said policies–even if that means disabling the accounts of executives until they have time to receive training. Configure the mailserver to strip out unknown attachments–frankly, in an enterprise of that scale, email attachments are entirely unnecessary; a CMS should be used for departmental file storage and sharing.
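As an added illustration of the attachment-stripping countermeasure (example code written for this post, not RSA's or any mail product's own), the following gateway-style filter drops every attachment whose file extension is not on an allowlist and appends a notice telling the recipient what was removed. The sample message, the allowlist and the filenames are constructed for the example.

```python
"""Mail-gateway attachment allowlisting (added example, not RSA's or any vendor's code)."""
import os
from email import message_from_string, policy
from email.message import EmailMessage, MIMEPart

# Assumption: the organisation accepts only these attachment types; anything else
# (spreadsheets carrying embedded objects, archives, executables, ...) is stripped.
ALLOWED_EXTENSIONS = {".txt", ".pdf"}

# Constructed sample: a lure with a spreadsheet attachment and a harmless text file.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: staff@example.invalid
Subject: Quarterly plan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached plan.
--b1
Content-Type: application/vnd.ms-excel; name="quarterly-plan.xls"
Content-Disposition: attachment; filename="quarterly-plan.xls"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

nothing here
--b1--
"""


def _prune(msg: EmailMessage, stripped: list) -> None:
    """Recursively drop attachment parts whose extension is not allowlisted."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.iter_parts():
        if part.is_multipart():
            _prune(part, stripped)      # handle nested multipart/alternative etc.
            kept.append(part)
            continue
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
            stripped.append(filename)   # record what was removed for the audit log
        else:
            kept.append(part)
    msg.set_payload(kept)


def strip_disallowed_attachments(raw_mail: str):
    """Return (sanitised message, names of stripped attachments)."""
    msg = message_from_string(raw_mail, policy=policy.default)
    stripped = []
    _prune(msg, stripped)
    if stripped and msg.is_multipart():
        notice = MIMEPart()
        notice.set_content("Removed by mail policy: " + ", ".join(stripped))
        msg.attach(notice)              # tell the recipient what was removed
    return msg, stripped


def attachment_names(msg: EmailMessage):
    """Filenames of parts still carrying Content-Disposition: attachment."""
    return [p.get_filename() for p in msg.walk() if p.is_attachment()]
```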
The SecurID product is probably, given RSA’s extreme reluctance to disclose what information was leaked, irreparably compromised–at least until such time as RSA develops a new algorithm and a new implementation for it.
RSA can learn some lessons from this breach, but it remains to be seen if they will put those lessons into practice.