Phishing emails were sent to RSA email addresses. These were caught by the spam filter and moved to a Spam folder. One employee nevertheless opened the attached spreadsheet, which contained an embedded Flash file exploiting a previously unknown ("zero-day") security flaw. Malicious code was installed on the employee's PC to set up a remote administration tool, which allowed the attacker to issue commands to the PC from a remote system. This access was used to harvest account details from other computers in the organization. The gathered information was then sent out as an encrypted file, and traces of the attack were removed.
This form of attack primarily exploits human nature rather than technical flaws in systems. The attacker collects information about the people and procedures of the organization so that the messages appear to come from within it. Once inside the system, the attacker periodically tries different forms of attack over a period of hours or days. Interestingly, the attacks are mounted by human operators over a normal working day, with breaks for morning tea and lunch.
The RSA attack was detected by an RSA administrator who noticed unusual activity in the logs: the account of a former employee had been reactivated, apparently by that same administrator. NetWitness tools were used for the investigation, with the assistance of US and UK government security agencies.
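The detection described above (a departed employee's account being re-enabled, followed by activity on it) is the kind of check that can be automated rather than left to an administrator happening to read the logs. The following is an added example, not code from RSA or from the original post. The audit-log line format, the action names, the actor and account names and the departed-staff list are all constructed for illustration; a real deployment would read the equivalent fields from its directory or IAM audit log and its HR leaver feed.

```python
"""Flag credential changes and logons on accounts that belong to departed staff.

Added example (not part of the original post). Log format, field names and the
departed-staff list are constructed placeholders.
"""
import re
from datetime import datetime

# Constructed sample audit lines: timestamp, actor, action, optional target/host.
SAMPLE_LOG = """\
2011-03-04T02:13:07Z actor=admin.jane action=ENABLE_ACCOUNT target=j.former
2011-03-04T02:14:51Z actor=admin.jane action=RESET_PASSWORD target=j.former
2011-03-04T02:20:33Z actor=j.former action=LOGON host=fileserver01
2011-03-04T09:02:10Z actor=admin.jane action=ENABLE_ACCOUNT target=new.hire
2011-03-04T09:05:42Z actor=helpdesk.bob action=RESET_PASSWORD target=current.user
"""

# Constructed HR leaver feed: accounts that must stay disabled after departure.
DEPARTED_ACCOUNTS = {"j.former", "k.leaver"}

# Actions that hand usable credentials to an account.
CREDENTIAL_ACTIONS = {"ENABLE_ACCOUNT", "RESET_PASSWORD"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?(?: host=(?P<host>\S+))?$"
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_off_hours(ts, start_hour=7, end_hour=19):
    """True when the event timestamp falls outside the normal working day (UTC, constructed window)."""
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return not (start_hour <= hour < end_hour)


def find_reactivations(log_text, departed=DEPARTED_ACCOUNTS):
    """Return one alert per event that touches a departed account.

    Two patterns are flagged: an administrator re-enabling or resetting a departed
    account, and the departed account itself logging on afterwards. Off-hours
    timing is recorded as extra context, since the page notes these attacks
    follow the attacker's working day rather than the defender's.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev["action"] in CREDENTIAL_ACTIONS and ev.get("target") in departed:
            alerts.append({
                "ts": ev["ts"],
                "actor": ev["actor"],
                "target": ev["target"],
                "reason": "credential change on departed account",
                "off_hours": is_off_hours(ev["ts"]),
            })
        elif ev["action"] == "LOGON" and ev["actor"] in departed:
            alerts.append({
                "ts": ev["ts"],
                "actor": ev["actor"],
                "target": ev.get("host"),
                "reason": "logon by departed account",
                "off_hours": is_off_hours(ev["ts"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reactivations(SAMPLE_LOG):
        print(alert)
```

The check deliberately keys on the target account rather than on the acting administrator: in the incident described above the reactivation appeared to come from the administrator's own account, so a rule that trusted "known admin" actors would have missed it.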
SecurID two-factor authentication (the token devices used by companies and government agencies) was compromised to some extent. The devices were not completely compromised, as the attacker would still not know the user's PIN (typically four digits).
L-3 Communications and Lockheed Martin were later attacked, apparently using the RSA information. This suggests the attacks were by a nation state rather than a criminal gang. RAND advised the US military that it was not feasible to respond in kind to a cyber-attack. The US Government recently warned that a cyber-attack on the USA may result in a conventional military response. It may be that this warning is due to the attack on RSA and other recent attacks, the details of which have not been made public.
The security problems have now been fixed by RSA.
Government agencies and large corporations will now routinely vet the use of Facebook and other social networking sites by their staff, to identify vulnerabilities (the PLA has banned China's soldiers from using social networking sites). This is something that smaller organizations may also wish to consider. A simple precaution for all users is to check that their spam filtering, virus detection and operating system software are up to date.
One way to reduce the opportunity for such attacks would be to use simple text-based document formats. In the RSA example, a Flash file was used; if Flash files were not permitted on the organization's systems, this attack would not have been possible. One approach would be to convert all documents at the organization boundary into HTML and related web-based formats.
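A boundary policy of "no Flash inside documents" needs a check that can actually see the embedded object. The following is an added example, not RSA's code and not from the original post. It relies on two things that are documented facts: an SWF file begins with the magic bytes FWS (uncompressed), CWS (zlib) or ZWS (LZMA) followed by a version byte and a 32-bit little-endian length, and OOXML documents keep embedded OLE objects under paths such as xl/embeddings/. The legacy OLE2 (.xls) case is handled with a plain byte scan rather than a compound-file parser, which is a heuristic; the sample documents are constructed in memory.

```python
"""Reject office documents that carry an embedded Flash (SWF) object.

Added example, not code from RSA or the original post. Sample documents are
constructed in memory; the scan is a heuristic, not a full OLE2 parser.
"""
import io
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")            # real SWF header signatures
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (legacy .xls/.doc) signature
EMBED_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")
MAX_SWF_LEN = 64 * 1024 * 1024                   # plausibility bound for the length field


def has_swf_header(data, max_len=MAX_SWF_LEN):
    """True if a plausible SWF header (magic, version, length) appears anywhere in data.

    The version and length checks cut down false positives from the three-letter
    magic occurring in ordinary text.
    """
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0 or i + 8 > len(data):
                break
            version = data[i + 3]
            length = int.from_bytes(data[i + 4:i + 8], "little")
            if 1 <= version <= 64 and 8 <= length <= max_len:
                return True
            start = i + 1
    return False


def inspect_document(data):
    """Decide whether a document may cross the boundary; returns a dict with allowed/kind/reason."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    lname = name.lower()
                    # Only embedded objects (or stray .swf members) are scanned.
                    if lname.startswith(EMBED_DIRS) or lname.endswith(".swf"):
                        if has_swf_header(zf.read(name)):
                            return {"allowed": False, "kind": "ooxml",
                                    "reason": "embedded Flash object in " + name}
        except zipfile.BadZipFile:
            return {"allowed": False, "kind": "ooxml", "reason": "corrupt zip container"}
        return {"allowed": True, "kind": "ooxml", "reason": "no embedded Flash found"}

    kind = "ole2" if data.startswith(OLE2_MAGIC) else "unknown"
    if has_swf_header(data):
        return {"allowed": False, "kind": kind, "reason": "Flash header found in document body"}
    return {"allowed": True, "kind": kind, "reason": "no Flash header found"}


# Constructed embedded OLE object: compound-file header, then a CWS header (version 10, 4096 bytes).
FAKE_SWF_OBJECT = OLE2_MAGIC + b"\x00" * 24 + b"CWS\x0a" + (4096).to_bytes(4, "little") + b"\x00" * 16

# Constructed legacy .xls blob with an FWS header (version 10, 2048 bytes) inside it.
SAMPLE_OLE2_WITH_FLASH = OLE2_MAGIC + b"\x00" * 24 + b"FWS\x0a" + (2048).to_bytes(4, "little") + b"\x00" * 8


def build_sample_xlsx(with_flash):
    """Build a minimal OOXML-shaped zip, optionally carrying the constructed Flash object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/embeddings/oleObject1.bin", FAKE_SWF_OBJECT)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("xlsx with Flash", build_sample_xlsx(True)),
                       ("clean xlsx", build_sample_xlsx(False)),
                       ("legacy xls with Flash", SAMPLE_OLE2_WITH_FLASH)):
        print(label, "->", inspect_document(doc))
```

A gateway that converts everything to HTML, as suggested above, removes the need for this signature check entirely; the check is useful where native documents must still be allowed through but Flash content is not.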
Branch Forum - July
Protecting Your Keys from Trent and Schrödinger’s Cat

In this session we look at a couple of recent well publicised and serious exploits in PKI and two factor authentication. We look at the issues and potential vulnerabilities in contemporary key management systems, such as reliance on trusted third parties, and assumptions of limitations in attackers’ capabilities. What options are there for mitigating risk in contemporary systems?

Secure management of keys is one of the most difficult problems in practical cryptography.
Key management systems have been widely deployed by large commercial and financial organisations, as well as government and military users. They manage key material for financial and credit card transactions, personal identity information, intellectual property, and state and military secrets. Key material is used to protect information in transit, in databases, in file systems, on laptop hard drives, and on portable media.

The issues and potential vulnerabilities in contemporary key management systems are similar to those in traditional IT systems and services. The impact of an IT system compromise can be great, but the impact of a compromise of the key management system will be far worse.
Contemporary security architectures include best practice features such as strong authentication, proven protocols, secure logging, intrusion detection and prevention, and well-known, approved, and trusted cryptographic algorithms.
Almost all systems rely on trusted third parties, and must make assumptions about limitations in attackers’ capabilities to break ciphers. Is third party trust necessary? Vulnerabilities in PKI are exploited in commercial monitoring products, and at least theoretically, if not in practice, by government, military, criminal and other undesirable organisations and individuals. Non-cryptographic attacks earlier this year on suppliers of trusted elements in security architectures demonstrate some of the issues arising from dependence on a trusted third party. ...
From: "Protecting Your Keys from Trent and Schrödinger’s Cat", ACS 6 July 2011