
RSA Says SecurID Hack Based On Phishing With Flash 0-Day

timothy posted more than 3 years ago | from the not-straight-but-chaser dept.

Security 153

Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."


And then people wonder (-1)

Anonymous Coward | more than 3 years ago | (#35692402)

Why Jobs doesn't want that POS on iPhones or iPads!

Re:And then people wonder (1, Insightful)

rainmouse (1784278) | more than 3 years ago | (#35692540)

Why Jobs doesn't want that POS on iPhones or iPads!

Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.

Re:And then people wonder (3, Insightful)

node 3 (115640) | more than 3 years ago | (#35692560)

Why Jobs doesn't want that POS on iPhones or iPads!

Easily turned around. Considering it was a phishing-based attack, you could quite as easily say it's no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.

How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

The only thing you got correct in your post is that this was a phishing attack.

Re:And then people wonder (0, Offtopic)

Anonymous Coward | more than 3 years ago | (#35692648)

iOS is quite secure,

Which explains why the iOS is never jailbroken ever.

Re:And then people wonder (1)

node 3 (115640) | more than 3 years ago | (#35692760)

iOS is quite secure,

Which explains why the iOS is never jailbroken ever.

What system is invulnerable to the user itself? Once an iOS device is jailbroken, it's essentially a standard UNIX system. The security system that can be jailbroken is a significant security enhancement beyond any other consumer OS.

Re:And then people wonder (0)

jhoegl (638955) | more than 3 years ago | (#35692828)

iOS is quite secure,

Which explains why the iOS is never jailbroken ever.

What system is invulnerable to the user itself?

Node, you just answered your original question and now should understand the satirical post about using Apple products.

Re:And then people wonder (1)

node 3 (115640) | more than 3 years ago | (#35692854)

You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?

Re:And then people wonder (0)

Anonymous Coward | more than 3 years ago | (#35693050)

You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?

One of the iOS jailbreaking methods was a pure drive-by just by visiting a web site. No user interaction. So you really can't claim that it is only about "users deliberately hacking their own device". Drive-by rooting and compromising just by visiting a web site, without the user knowing, clearly has implications beyond that.

Re:And then people wonder (0)

Anonymous Coward | more than 3 years ago | (#35693052)

You seem to forget that you can jailbreak your iPod by going to a webpage. That is insecure. --- See that period... I mean it. There are no ifs, ands, or buts about the subject: it can be rooted by going to a web page, and that is NOT SECURE!

Re:And then people wonder (2)

andrea.sartori (1603543) | more than 3 years ago | (#35692694)

Including not being vulnerable to Flash exploits?
Not being able to run something is a curious criterion for invulnerability.
If we were to think like this, why not migrate to Multics? It's "not vulnerable" to almost anything under the sky.

Re:And then people wonder (0)

node 3 (115640) | more than 3 years ago | (#35692776)

Including not being vulnerable to Flash exploits?

Not being able to run something is a curious criterion for invulnerability.

No, it's actually quite logically sound. You can't be infected by something you can't run.

If we were to think like this, why not migrate to Multics? It's "not vulnerable" to almost anything under the sky.

No need to go to extremes. Simply avoiding significant security risks, like Flash and ActiveX, is a good start.

Re:And then people wonder (1)

andrea.sartori (1603543) | more than 3 years ago | (#35692820)

I hate to bring it to you, but I was not serious.

Re:And then people wonder (0)

node 3 (115640) | more than 3 years ago | (#35692856)

Well, I suppose that's one way to recover from saying something that doesn't make any sense...

Care to clarify the actual purpose of your original reply?

Re:And then people wonder (1)

andrea.sartori (1603543) | more than 3 years ago | (#35692904)

Just for the hell of it: if you can't be infected by something you can't run, the logical consequence would be to never run anything.
But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and open whatever attachment it comes with.)

Re:And then people wonder (1)

cbiltcliffe (186293) | more than 3 years ago | (#35692950)

Sar-chasm: n: The gulf between a speaker of a sarcastic comment, and those who don't get it...

Re:And then people wonder (0)

emj (15659) | more than 3 years ago | (#35692728)

How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

Just because iPhone is a cool phone doesn't make it the best at everything.

You can hack an iPhone by visiting a webpage [everythingicafe.com] , it also got hacked the 2nd day of pwn2own. iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.

Re:And then people wonder (1, Troll)

node 3 (115640) | more than 3 years ago | (#35692810)

How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?

Just because iPhone is a cool phone doesn't make it the best at everything.

I wonder where you got the idea that anyone is claiming that it is.

You can hack an iPhone by visiting a webpage [everythingicafe.com] ,

Not anymore.

it also got hacked the 2nd day of pwn2own.

Everything gets hacked at pwn2own.

iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.

You would say that, but that doesn't make it true. Risk requires actual malicious code. Android is many orders of magnitude more risky than iOS, due to the simple fact that there has been plenty of malware for Android (some of which was distributed on the Android Market). The only iOS malware that has ever existed has been for jailbroken devices--which is to say, for devices whose security the user has deliberately compromised.

How you can think this is the sign of a "risky" OS is beyond me.

Remember, Google has had to use their remote "kill switch" on multiple occasions. The very same "kill switch" that everyone got all worked up over when it was presumed that Apple had it on iOS, but has never actually used.

Re:And then people wonder (0)

Anonymous Coward | more than 3 years ago | (#35692752)

Isn't Flash mainly used as a toy or for entertainment? What work do you need Flash for? Plus, you can always watch Flash video on the iPhone with an app.

So it comes down to games, and the iphone has 3d capability... so really who gives a shit about flash? I don't get it.

Re:And then people wonder (0)

Anonymous Coward | more than 3 years ago | (#35692834)

Stupid web developers who make Flash-only sites, and dumb managers who think flashy intros are required, never mind that all flashy intro effects can be done in HTML5 nowadays.

AC because I modded.

And ActiveX (4, Insightful)

EnigmaticSource (649695) | more than 3 years ago | (#35692410)

Or OCX (OLE, etc.) lets another wolf into the flock. Embed by default is broken, and, well, terrifying.

Thanks again ADOBE (3, Insightful)

Anonymous Coward | more than 3 years ago | (#35692422)

.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE, is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

Re:Thanks again ADOBE (4, Insightful)

gnasher719 (869701) | more than 3 years ago | (#35692726)

Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

100 million iPhone users and 20 million iPad users disagree.

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35692802)

Because all those users do not also own a laptop, right?

Re:Thanks again ADOBE (-1)

Anonymous Coward | more than 3 years ago | (#35692922)

What do toys have to do with that? That's not even the same category.

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35693014)

That's for one device that doesn't exactly matter or have any real use. On the desktop, however, currently it is impossible as so many corporate websites require it.

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35693106)

Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

100 million iPhone users and 20 million iPad users disagree.

They get by by having site owners bend over backwards for them and create apps for them. Half the websites I can use without flash on my iPhone won't work without flash on my laptop unless I purposely use a horribly limited mobile version or someone reverse-engineers the app.

Re:Thanks again ADOBE (1)

Anonymous Coward | more than 3 years ago | (#35693146)

You're saying that (a significant fraction of) all those millions use their iPad/iPod as their only computing device. Doubtful.

Re:Thanks again ADOBE (1)

hey! (33014) | more than 3 years ago | (#35693204)

Sad part is trying to live without Flush [sic] and MS, is darned near impossible.

100 million iPhone users and 20 million iPad users disagree.

** Lightbulb Illuminates ***

Great Scott! They're all zombies! It's a giant army of undead customers animated with Steve Jobs' unholy juju! Aaargh!

Re:Thanks again ADOBE (5, Insightful)

trifish (826353) | more than 3 years ago | (#35692826)

.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE, is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

You're kidding, right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being one kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the surprise here) -- drum roll -- Linux has 0-day exploits too.

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35692918)

Erm, to my knowledge, Linux hasn't had a remotely exploitable 0-day exploit for a few years.

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35692968)

Erm, to my knowledge, Linux hasn't had a remotely exploitable 0-day exploit for a few years.

Dream on. Or don't, but provide a citation for this obvious nonsense.

Re:Thanks again ADOBE (1)

HangingChad (677530) | more than 3 years ago | (#35693120)

>Or don't, but provide a citation for this obvious nonsense.

Where's yours? Show your list of Linux zero day exploits. Just declaring they're out there doesn't conjure them. And make sure that they're automated with super user privileges.

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35693138)

Neither of you provided a source, so you're both idiots.

Re:Thanks again ADOBE (1)

Raghu13 (1084079) | more than 3 years ago | (#35692930)

It is always a question of degree of susceptibility. Comparing the Flash/Excel combo with others is a joke and speaks tons about the people doing the comparison. Also, another one being PDF. Calling them secure is a joke. One has to be the suicidal/kamikaze type in Linux to get pwned like this. The security in Linux is not based on a single point of failure; you will often have to exploit multiple vulnerabilities simultaneously to achieve complete trojan-like remote control of the system, otherwise you will at most end up causing a DoS. Well, as mentioned earlier, I cannot speak about people running Internet Explorer/Notepad under WINE in Linux ..

Re:Thanks again ADOBE (0)

Anonymous Coward | more than 3 years ago | (#35693414)

.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc

Sad part is trying to live without Flush and MS is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE, is PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.

You're kidding, right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being one kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the surprise here) -- drum roll -- Linux has 0-day exploits too.

Logic fail.

What you just did is the equivalent of saying Ted Bundy wasn't guilty of mass murder because someone else got into a car accident that killed someone.

Yeah, coders on all platforms make mistakes. BFD. There's no INTENT there to cause harm.

But it's INTENT when Microsoft deliberately creates insecure protocols and then uses its monopoly status to shove them down our throats. Unless you think Microsoft's developers and architects are so fucking stupid they don't know that what they're doing is insecure.....

THIS one barely counts as social engineering (4, Insightful)

Sloppy (14984) | more than 3 years ago | (#35693440)

The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.

RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).

Re:Thanks again ADOBE (4, Insightful)

limaxray (1292094) | more than 3 years ago | (#35693450)

I think the difference is that we hear about 0-day exploits in Adobe software on a much more regular basis than in Linux or its associated software stack. It feels like Adobe announces another PDF or Flash vulnerability every month and that they have a complete disregard for secure practices.

Combined with the fact that they still don't have a stable 64-bit release of Flash for any OS makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.

Oh, and in the Linux world, we use tools like SELinux or Apparmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.

Re:Thanks again ADOBE (1)

Sloppy (14984) | more than 3 years ago | (#35693352)

This is all Microsoft. It never would have worked, if Excel spreadsheets were actually "documents" (as we think of that word) rather than executable programs. It is fucking insane that people email that kind of thing around. If someone emails you an Excel spreadsheet, you should consider that equivalent to someone emailing you a program with the subject line, "Here, run this. I want your computer."

Note to self: (1)

MyFirstNameIsPaul (1552283) | more than 3 years ago | (#35692430)

Set spam folder to auto-delete incoming.

Wait wait hold up (5, Interesting)

atari2600a (1892574) | more than 3 years ago | (#35692450)

You can embed flash in excel files!? WHY WOULD YOU DO THAT

Re:Wait wait hold up (5, Funny)

Joce640k (829181) | more than 3 years ago | (#35692454)

You don't put background music in the spreadsheets you email to people? Weird. Numbers are so boring without some Slipknot playing.

Re:Wait wait hold up (1)

Anonymous Coward | more than 3 years ago | (#35692458)

to give people infections?

Re:Wait wait hold up (0)

Anonymous Coward | more than 3 years ago | (#35692490)

because you'd want to force them to watch adverts when they open the spreadsheet ;-)

Jezus, some people! (-1)

Anonymous Coward | more than 3 years ago | (#35692656)

Because you can and it makes you kewl!

It's like how /. fucked this site up with JavaShit up the ying-yang because the dumbasses thought that would spiff it up to compete with dogg. All it did for me is make me come here far less often.

Cheers,
A Bof

Re:Wait wait hold up (1)

DNS-and-BIND (461968) | more than 3 years ago | (#35692708)

1. It looks good as a bullet point on a presentation explaining how this quarter's development is coming along.
2. Some manager probably got a bonus for innovation for implementing the feature.
3. You should use Microsoft products as much as possible. Not being able to embed flash into an Excel file might, someday, make someone not use Excel. This would be bad.
4. Because it's technically possible. Why do web browsers store a list of every website you ever visited? Same reason, it's technically possible and easy to implement.

Re:Wait wait hold up (0)

Anonymous Coward | more than 3 years ago | (#35692936)

2. Some manager probably got a bonus for innovation for having someone else implement the feature.

Re:Wait wait hold up (2)

cigawoot (1242378) | more than 3 years ago | (#35692994)

Excel Embeds: Turning Excel files into MySpace pages one sheet at a time.

Re:Wait wait hold up (1)

Bengie (1121981) | more than 3 years ago | (#35693136)

The real question is "why would you open an Excel file from an unknown sender?"

Re:Wait wait hold up (1)

mevets (322601) | more than 3 years ago | (#35693244)

I think the real question is "why do you have to be afraid to open a spreadsheet?".

I know FLASH is just the easiest way to get in - but does excel really need a way to run arbitrary code?

Re:Wait wait hold up (1)

Anonymous Coward | more than 3 years ago | (#35693274)

There are business analysts who write Excel spreadsheets with a macro that refreshes part of the sheet from an ODBC connection. Once upon a time I used such a thing as a rapid-prototype that I later developed into a Java/Tomcat/JFreeChart web application. Look at it this way: spreadsheets are a fancy extension to a calculator. A programmable calculator can run arbitrary code ... but usually does not have an Internet connection and access to all your notes and other spreadsheets on a local filesystem.

I believe Excel does have a "disable macros" option that pops up when you open a new file for the first time. I can't say whether it's 100% effective, as I do not have access to the Excel source code.

Re:Wait wait hold up (1)

jjohnson (62583) | more than 3 years ago | (#35693464)

... after retrieving it from the spam folder, no less.

"Goddammit, there's gotta be pics of Anna Kournikova one of these times..."

Simple question: securid seeds? (5, Interesting)

rtfa-troll (1340807) | more than 3 years ago | (#35692466)

Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au] :

has the securid seeds database been compromised?

anything else you announce is fluff.

Re:Simple question: securid seeds? (5, Informative)

93 Escort Wagon (326346) | more than 3 years ago | (#35692492)

Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au] :

has the securid seeds database been compromised?

anything else you announce is fluff.

We use a LOT of SecurID tokens at our university, and the group that manages them has been way too quiet since this happened. But today they sent an email out - no mention of the RSA breach, just that they have decided to "retire the SecurID tokens early to save money" and are replacing them with a different product.

So I'm guessing they think the seeds database has been compromised.

Re:Simple question: securid seeds? (2)

rtfa-troll (1340807) | more than 3 years ago | (#35692672)

Yes; fun fun fun. It's good the way they let a mafia of MCSE-certified IT administrators pretend they didn't screw up by choosing SecurID and letting them keep the seed info, whilst their real customers, the people who have their systems and data secured with SecurID, don't know squat about what's going on.

Re:Simple question: securid seeds? (0)

Anonymous Coward | more than 3 years ago | (#35692952)

So I'm guessing they think the seeds database has been compromised.

That doesn't mean anything. Maybe they wanted to move away from SecurID for some time. Now that there are rumours and whatnot they may simply have another argument to go ahead. Uncertainty and speculations are a powerful argument when it comes to business decisions.

I worked for a large corporation that banned Blackberry devices for executives and production systems because of the rumours and speculations that foreign intelligence services might have access to their data since BB routed via a foreign country. They had no evidence or official statements, though. Rumours were enough not to touch BB.

That's why MS occasionally swings the FUD club: because it works.

Ditto (3, Interesting)

Kludge (13653) | more than 3 years ago | (#35692998)

At my work we used to use the RSA token and a 4-digit PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
Now we have to use our RSA token and an 8-character letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
They are obviously relying _much_ more heavily on the user-selected PIN than before, almost to the point that the token output is irrelevant.

Re:Simple question: securid seeds? (5, Interesting)

rtfa-troll (1340807) | more than 3 years ago | (#35692724)

And just to amplify this with a bit of Wikipedia manipulation; have a look at this edit [wikipedia.org] which comes from 128-221-197-57.emc.com, where EMC is RSA's parent company, which I found from this article [wordpress.com] which also includes an RSA letter which they are supposedly sending out to customers.

Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.

Re:Simple question: securid seeds? (0)

Anonymous Coward | more than 3 years ago | (#35693220)

See? Why isn't stuff like this on the front page?

Re:Simple question: securid seeds? (1)

AftanGustur (7715) | more than 3 years ago | (#35693006)

The short answer is "The attackers almost certainly stole enough information to compromise the token authentication"

Those in the know, i.e. government agencies, have added or are adding 3-factor authentication. That is.. in addition to the RSA token and a passcode, they are adding a second passcode, most often the user's intranet password (Windows Domain).

So until they tell me the truth, I will draw my own conclusions from what I know.

Re:Simple question: securid seeds? (2)

wkk2 (808881) | more than 3 years ago | (#35693084)

I think real question is why doesn't the customer initialize the token. There are lots of interface options to initialize a small token: I2C, USB, even IR.

Re:Simple question: securid seeds? (3, Insightful)

hey! (33014) | more than 3 years ago | (#35693246)

Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.

This is going to cost RSA a lot more than sales of its SecurID product. People buy this product, not because they have analyzed the system and decided it is architecturally secure; they bought it because they trusted RSA. RSA was founded by the most illustrious minds in the field. I was looking at some RSA job postings recently, and they don't appear to hire anybody who doesn't have a PhD. RSA is supposed to be the company that knows how to do things right. That means they knowingly produced a system that violated stuff you learn in Chapter 1 of a basic crypto text, and then induced customers to rely on that system for security.

RSA reputation, meet porcelain bowl.

I want to be clear I'm not criticizing RSA for the security breach. I'm criticizing them for inducing customers to rely on a system that becomes irreparably untrustworthy after a single event that was bound to happen sooner or later.

Re:Simple question: securid seeds? (0)

Anonymous Coward | more than 3 years ago | (#35693268)

"Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au]:"

It looks to me like they are desperately trying to avoid the costs of a recall for all compromised tokens.
Ultimately, I think this avoidance will cost them more in the long run.

Re:Simple question: securid seeds? (1)

Joce640k (829181) | more than 3 years ago | (#35693284)

If I was writing a trojan to hack RSA I wouldn't send the CEO an email saying exactly what was compromised.

In fact I'd try to leave as few traces and as many doubts as possible.

Re:Simple question: securid seeds? (0)

Anonymous Coward | more than 3 years ago | (#35693294)

While it is apparent the fundamental security of SecurID has been compromised (the seeds stolen), it is unfortunate that this question hasn't been answered, except only to government and other high-profile customers.

Worse, beyond all the fluff it is clear that RSA is trying to spin this spear-phishing attack into a great APT story, which will spin and work with their acquisition of NetWitness. While this is obviously fatal to RSA and SecurID, they are busy trying to figure out how to exploit this situation to help them make customers think the NetWitness acquisition is smart and hopefully sell more. Regardless of the spin, RSA has been a long-time customer of NetWitness, which failed them, and they have delayed the announcement to spin things. It will be unfortunate that even if the general public buys into the APT story and the NetWitness acquisition, it isn't going to make up all the lost money.

Now Introducing (0)

AnonymmousCoward (2026904) | more than 3 years ago | (#35692472)

NotSoSecurID

How to secure a computation server (0)

Anonymous Coward | more than 3 years ago | (#35692474)

Is there a way to set up a server "A" that computes some function f(x) for values of x coming from a networked computer "B", and sends the result f(x) back to B, without any chance of any hacker getting hold of the code for f(x)? Some kind of special network that can only send x in one direction, f(x) in the other, and clearly never do anything else even if machine B gets compromised?

Re:How to secure a computation server (1)

cbiltcliffe (186293) | more than 3 years ago | (#35693016)

Yes.
It's called sneakernet.

The "x" comes from computer "B", which is shown on a display. A human operator types "x" into server "A", which has no network connection at all. Server "A" then displays f(x), which the human operator types into a different keyboard connected to computer "B".

In order for this to work truly securely, though, several things have to be true:

- The operator has to have no chance to enter incorrect information by accident, or enter the information in the wrong place. That means this cannot be a general purpose computer, or the operator cannot have access to anything other than the input field for the data. Preferably both.
- The operator has to be completely trusted, otherwise incorrect information could be coded into what should be the f(x) result, by the operator typing in f2(source_code_for_f(x)) instead. This means, basically, the operator has to be you.
- something else I haven't thought of yet, in this idle intellectual exercise.

So, yes, it can be done. But it's certainly not practical.

Someone might suggest having computer "C" in between, which monitors network traffic and only allows x to flow one way, and f(x) to flow the other. But there are problems with this:

- what if computer "C" gets compromised? It could be modified to allow other data to flow from server "A" to computer "B".
- how does computer "C" know that f(x) is _actually_ f(x)? Could it be other data disguised to look like f(x)? The only method guaranteed to work is for computer "C" to know the source for f(), by which it could compare its own f(x) result to that flowing over the network from A to B. If they match, let it pass. This, however, obviously makes hiding the source of f(x) that much more difficult, since it can now be compromised on two different computers, rather than one.

This is why 100% security is impossible. Not because we don't want it, but because there will always be another way to get in, regardless of what has been locked down.

Re:How to secure a computation server (1)

realityimpaired (1668397) | more than 3 years ago | (#35693210)

Wouldn't work. If the hacker can gain control of B, the hacker has the ability to generate enough points of data for x and f(x) to figure out what the function is.

The way RSA does it is better. B doesn't send X, it sends a User ID, which is static. A then looks up in a secure hash what salt User ID corresponds to, and uses that along with system time to figure out what X is, so that it can return f(x) to B. (in other words, to figure out what your secure token is displaying) It's a much more secure way of doing things than what you propose... as long as f(x) remains secure, and as long as the hash table for user ID to key ID remains secure. (especially considering that the "salt" could be anything, from an offset to a transformation to a separate equation to run f(x) through before returning the result)

The big kerfuffle going on with the RSA hack is that RSA is not being forthcoming as to whether or not the hash tables have been compromised. If they have, then f(x) can be easily compromised and everybody who uses an RSA key fob needs to either get a new key fob, or switch to a different method of securing things. Particularly important when you consider the implications of who uses an RSA key fob to secure things: I work for Ma Bell, and one of the systems I can access in conjunction with my RSA key is the DMS. (https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Multiplex_System for those who don't recognize the acronym). Think of the damage that could be caused if the wrong people got access to that system: they could crash the PSTN. (Fortunately there is multi-layer security that I'm not really able to discuss, so that kind of breach is extremely unlikely... but this is a very serious breach of security just the same.)
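The server-side lookup the comment above describes (static user ID in, seed pulled from a table, code derived from seed plus time) and the thread's worry about a stolen seed table, as an added worked example that is not part of this thread and not RSA's code: the real SecurID function is proprietary, so this stands in an HMAC-SHA1 time-based code in the style of RFC 4226/6238. Every name, seed, PIN and timestamp below is constructed for the example; alice's seed is the RFC 4226 test secret.

```python
"""Illustrative seed-plus-time token scheme. Not RSA's algorithm."""
import hashlib
import hmac
import struct

TIME_STEP = 60     # assumed: the displayed code changes once a minute
CODE_DIGITS = 6

# Constructed server-side records keyed by the static user ID. The seed table
# is the per-token secret the thread is asking about; the PIN is the second
# factor that survives if the seeds leak. Values are made up.
SEED_DB = {
    "alice": b"12345678901234567890",  # RFC 4226 test secret, for a known vector
    "bob": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9001122334"),
}
PIN_DB = {"alice": "1234", "bob": "9876"}


def tokencode(seed: bytes, t: int, step: int = TIME_STEP) -> str:
    """f(seed, time): the code a fob would display for the interval holding t.

    HMAC-SHA1 dynamic truncation per RFC 4226. The property that matters for
    the breach discussion is the same as for any such scheme: whoever holds
    the seed can compute the code for any time, past or future.
    """
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify(user: str, passcode: str, t: int, drift: int = 1) -> bool:
    """Server side: look up seed and PIN by user ID, recompute PIN + tokencode
    for the current interval and `drift` neighbours (clock skew), compare in
    constant time. Unknown users fail closed."""
    seed, pin = SEED_DB.get(user), PIN_DB.get(user)
    if seed is None or pin is None:
        return False
    for k in range(-drift, drift + 1):
        expected = pin + tokencode(seed, t + k * TIME_STEP)
        if hmac.compare_digest(expected, passcode):
            return True
    return False


def forge_passcode(stolen_seeds: dict, user: str, pin_guess: str, t: int) -> str:
    """Attacker holding an exfiltrated copy of the seed table: the token
    factor is gone, and only the PIN is left to guess."""
    return pin_guess + tokencode(stolen_seeds[user], t)


def pin_lockouts_needed(pin_space: int, attempts_per_lockout: int) -> int:
    """Worst-case number of account lockouts an attacker with the seeds must
    trigger to exhaust a PIN space; the lockout threshold and PIN length are
    the two knobs left once seeds are assumed stolen."""
    return -(-pin_space // attempts_per_lockout)  # ceiling division


if __name__ == "__main__":
    now = 1_300_000_000  # fixed timestamp so the run is reproducible
    legit = PIN_DB["alice"] + tokencode(SEED_DB["alice"], now)
    print("legitimate login:", verify("alice", legit, now))

    stolen = dict(SEED_DB)  # attacker's copy of the seed table
    print("seeds + correct PIN:",
          verify("alice", forge_passcode(stolen, "alice", "1234", now), now))
    print("seeds + wrong PIN:",
          verify("alice", forge_passcode(stolen, "alice", "0000", now), now))
    print("4-digit PIN, 5 tries per lockout:", pin_lockouts_needed(10 ** 4, 5))
    print("8-char alphanumeric PIN, 3 tries per lockout:",
          pin_lockouts_needed(36 ** 8, 3))
```

With the seed table in hand the attacker's forged passcode verifies exactly like the real fob's, which is why the `verify` path cannot tell the two apart and why the only remaining defences are the PIN's size, the lockout threshold, and replacing the seeds.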

Sounds like my girlfriend (3, Funny)

houghi (78078) | more than 3 years ago | (#35692476)

"BIATCH confirmed on Friday that the attack that compromised her high-value NoPrego product was essentially a small, targeted phushing campaign that included a payload of a malicious Flesh object embedded in a broken Trojan."

Re:Sounds like my girlfriend (2)

burni2 (1643061) | more than 3 years ago | (#35692494)

Good Lord, do you mean she is pregnant !? You should buy better condoms, so the Trojan doesn't break.

btw. she is ;)

Re:Sounds like my girlfriend (1)

Scott Scott (1531645) | more than 3 years ago | (#35692592)

Jerry! Jerry!

And I think to myself... (1)

Angostura (703910) | more than 3 years ago | (#35692486)

... would I have fallen for such a phishing attack? And the answer is - yes, quite probably

and I wonder, how would I protect against it? And I come up with very few practical ideas.

Anyone?

Re:And I think to myself... (4, Insightful)

antifoidulus (807088) | more than 3 years ago | (#35692546)

Um, not opening Excel or Flash files on computers that access the database would be a start. Furthermore sandboxing, and lots of it. Not running the most insecure OS on the planet would help too. The people at RSA really should have known better.

Re:And I think to myself... (0)

Anonymous Coward | more than 3 years ago | (#35692562)

Not running the most insecure OS on the planet

I am sure they already upgraded from Windows 95.

Re:And I think to myself... (2)

maxwell demon (590494) | more than 3 years ago | (#35692594)

Not running the most insecure OS on the planet would help too.

Usually as employee you cannot decide that.

Re:And I think to myself... (4, Funny)

Anonymous Coward | more than 3 years ago | (#35692630)

Not running the most insecure OS on the planet would help too.

Where in the article they say that OSX is being used?

Re:And I think to myself... (-1)

Anonymous Coward | more than 3 years ago | (#35693036)

Stop pretending that poorly implemented patented security buzzwords are better security than the good, well written code (and a fair amount of it open-source) that makes up OS X. I'm not saying that it's secure by any means, but it's a darn sight more than Windows. (Pwn2Own doesn't count before you mention it - what would you prefer: a $2000 macbook or a $1000 PC?)

Re:And I think to myself... (-1)

Anonymous Coward | more than 3 years ago | (#35693124)

This is why people should not talk about pwn2own, it confuses the terminally stupid.

Re:And I think to myself... (1)

MichaelSmith (789609) | more than 3 years ago | (#35692640)

Um, not opening Excel or Flash files on computers that access the database

What if the "database" is an Excel file?

Re:And I think to myself... (1)

cbiltcliffe (186293) | more than 3 years ago | (#35693020)

What if the "database" is an Excel file?

Then RSA needs to be nuked from orbit, as it's the only way to be sure....

Re:And I think to myself... (1)

JaredOfEuropa (526365) | more than 3 years ago | (#35692652)

If I read the article right, it wasn't as simple as that. The people who opened the phishing email were regular employees with little or no access to valuable data. The hackers used these accounts as a springboard to get to the employees who do have access to the good stuff. Once you control a few accounts, phishing suddenly becomes real easy... Using something other than Windows doesn't really help anymore at that point.

I do agree with sandboxing: many companies still take a "walled garden" approach to security: they wall off the perimeter and trust everyone who is inside. Even super sensitive data is often protected only by a second walled garden inside the first one, failing to address the issue of compromised trusted accounts.

Re:And I think to myself... (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35692664)

They haven't stated how the hackers progressed from the low value employee workstations to higher value systems...

Although this is just a guess, based on my experience of other organisations they typically use active directory to manage everything from low level employee workstations, to high value servers... Elevating yourself from a low value workstation to domain admin using tools such as incognito, lsadump or hash passing is relatively easy and from there you have a very good chance of getting access to crucial systems...
Even in companies which try to separate critical functions away from general office stuff (which I would assume RSA did) if you take over the sysadmin workstations (which usually are linked to the active directory domain) then you can start keylogging or hijacking their existing sessions and getting into other stuff. Some companies also have central databases containing passwords protected by something as weak as active directory!

Re:And I think to myself... (3, Insightful)

Rich0 (548339) | more than 3 years ago | (#35692970)

Corporate IT security is like a slot machine that costs 25 cents to play, with a payout schedule that pays $1 on average, but one out of every 1M pulls you lose $10M.

The IT manager who ultra-secures their systems gets tons of complaints, and the company becomes less nimble than their competition who don't bother to secure (there is a real cost when you make it harder for your employees to communicate and work together).

So, if you're an IT manager who promotes strong security you quickly lose your job to somebody who doesn't.

Then every once in a while one of these insecure managers pulls the lever and loses the company a lot of money. The manager is blamed for lax security and fired. The replacement will start out being more secure, and once the spotlight is off they'll go back to doing exactly what their predecessor did, and they'll get bonuses because there isn't a repeat of the huge loss and things are just as efficient as before. That must mean he is doing his job right, right?

I've been finding that successful executives these days really are just lucky. They enact risky policies that have short term gains, pocket bonuses from these gains, and try to move on before it comes back to hurt them. Many get terminated, but those who don't shoot way up the ladder. What passes for due diligence at the CxO level isn't about preventing problems, but instead punishing whoever was left standing without a chair when the music stopped.

Re:And I think to myself... (1)

Angostura (703910) | more than 3 years ago | (#35692674)

How about opening an Excel file on a computer that can access a computer that can access a computer that can access the database?

Re:And I think to myself... (1)

IBitOBear (410965) | more than 3 years ago | (#35692716)

Friends don't ask Friends to "open" programs that pretend to be documents, that are run by interpreters that pretend to be office productivity applications, that have full access with administrative privileges, let alone on machines that have any data that anybody actually cares about...

Microsoft... Where do you think your data _didn't_ go _today_?

Re:And I think to myself... (1)

joebagodonuts (561066) | more than 3 years ago | (#35693102)

And I'm sure the people at RSA are doing the same thing that every other large institution/business is doing: Cutting costs. Those imaginary people at RSA you speak of cost money to train and retain. This was bound to happen, as soon as the primary focus switched from providing secure products to maximizing profits. I'm imagining a scenario like this:

Executive 1: Q2 close is coming up. Are we going to make our numbers?
Accountant 1: No sir, it doesn't look like it
Executive 1: Let's cut costs. Lay off some folks, freeze pay increases. I want my bonus.

Time goes by...

Executive 1: Q2 close is coming up. Are we going to make our numbers?
Accountant 1: No sir. Our most popular product was compromised.
Executive 1: Goddamn employees. It's their fault!

I don't mean to bash money-making. I'm a fan. A bit of balance would be nice. Companies aren't required to report "record-making profits" every quarter.

Cheap > Quality. Thank you WalMart and Microsoft

Re:And I think to myself... (1)

maxwell demon (590494) | more than 3 years ago | (#35692554)

Well, if it ends up in your junk folder, you simply should ask yourself why it went there. And take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.

Of course if they have a collaborator inside the company network (or maybe can send the mail from another compromised company computer) that precaution measure probably won't help.

Re:And I think to myself... (1)

MichaelSmith (789609) | more than 3 years ago | (#35692654)

take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.

I noticed a couple of things about windows: users inside the company compulsively send attachments to the point where people open them without thinking. Outlook adds external users to its address book, then hides domain name information when it displays that user. It can be hard to tell what is internal mail and what is not.

Re:And I think to myself... (1)

hey (83763) | more than 3 years ago | (#35692578)

Avoid Excel?

Re:And I think to myself... (2)

Scott Scott (1531645) | more than 3 years ago | (#35692588)

Don't open anything flagged as spam until you've read the full headers?
Don't use Excel as your first option when reading e-mail attachments?
Run off of a read-only file system?
Convert every Excel file to CSV before opening?
View using Google Docs or one of its clones? (Not that I advocate using Google's tools in general...)
Open nonessentials on a different computer with restrictive security settings? Don't use Windows?

The possibilities are endless.

Realistically, it's not possible to stop an attacker who's willing to invest serious time and approach in a smart manner. It is, however, possible to avoid being the person in the organization who lets them in. Someone will fall for it, given enough time and a large enough company, and once they have access they won't be interested in tricking you anymore.

Re:And I think to myself... (1)

maxwell demon (590494) | more than 3 years ago | (#35692618)

View using Google Docs or one of its clones?

Yeah, your employer will love it if you open internal company documents (and the document posed as internal company document) through a server of another company ...
</sarcasm>

Re:And I think to myself... (1)

Scott Scott (1531645) | more than 3 years ago | (#35692666)

I don't recall any indication of or basis for a reasonable inference that the Excel file was posed as an internal document. All the article said was that it was intriguing enough for someone to pull it out of the spam folder. General practice in internal IT and network administration is to whitelist internal emails and toss anything suspicious into spam, if not blacklist it entirely.

Again, I'm not a fan of using Google Docs, but I'd much rather let their servers clobber a zero-day than let it in through the front door. I see emails I occasionally think are intriguing, too; that doesn't mean they're from Bob in marketing or that I should open their attachments using the very applications they are designed to target.

Re:And I think to myself... (0)

Anonymous Coward | more than 3 years ago | (#35692852)

It was flash that had the exploit, not Excel. So what if google docs displays the flash content for you unaltered; you're still screwed. Not exactly a solution.

Re:And I think to myself... (1)

Angostura (703910) | more than 3 years ago | (#35692678)

I am reminded of a line from the comedy series "Twenty Twelve". "Is it just me, or is the common thread running through these possibilities that they aren't actually possibilities?"

"Sorry boss, can you pop that spreadsheet onto a floppy for me, so that I can open it on a quarantine machine".

Re:And I think to myself... (1)

Scott Scott (1531645) | more than 3 years ago | (#35692696)

Let's have a look at the simplest. How exactly is not dragging suspicious emails out of your spam folder and opening their attachments an impossible option?

Re:And I think to myself... (1)

rtfa-troll (1340807) | more than 3 years ago | (#35692624)

Don't keep your database of nuclear launch codes on your gaming PC. Use a non networked computer instead.

You would think that Microsoft could stop this (1)

nzac (1822298) | more than 3 years ago | (#35692692)

If they were to add a .nexls (non-executable, or something similar) file type that companies needing a bit of security could use, that only had the stuff a normal spreadsheet has: values, borders, charts, formulas ... (and something similar for Word).
Of course it would be hard to add new features to these versions and therefore sell updates, and competing products would be able to implement the standard pretty quickly.

Re:You would think that Microsoft could stop this (1)

Anonymous Coward | more than 3 years ago | (#35693144)

um, that's what an xlsx file is: no macros. xlsm files have macros. Unfortunately, the older xls files are both.
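A way to check the distinction the comment draws, as an added example that is not from the thread: .xlsx and .xlsm are both zip containers, so rather than trusting the extension, look inside for the parts that carry active content (the VBA project, embedded OLE objects such as a Flash file, ActiveX parts). The `build_sample` helper constructs minimal archives for testing and is not real Excel output; the older binary .xls format the RSA attachment used is an OLE compound file and needs a different parser.

```python
import io
import zipfile

# OOXML part names that carry active content inside a workbook archive
VBA_PART = "xl/vbaproject.bin"
EMBEDDINGS_PREFIX = "xl/embeddings/"   # OLE objects, e.g. an embedded .swf
ACTIVEX_PREFIX = "xl/activex/"


def inspect_workbook(data: bytes) -> dict:
    """Report which active-content parts an .xlsx/.xlsm archive contains.

    Part names are compared case-insensitively; the extension on the
    outside of the file is ignored on purpose.
    """
    findings = {"vba_macros": False, "ole_objects": [], "activex": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower == VBA_PART:
                findings["vba_macros"] = True
            elif lower.startswith(EMBEDDINGS_PREFIX):
                findings["ole_objects"].append(name)
            elif lower.startswith(ACTIVEX_PREFIX):
                findings["activex"] = True
    return findings


def build_sample(parts: dict) -> bytes:
    """Constructed test archive: a workbook skeleton plus the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a data-only sheet, a macro-bearing one, one with an embedded object
CLEAN = build_sample({"xl/worksheets/sheet1.xml": "<worksheet/>"})
WITH_MACRO = build_sample({"xl/vbaProject.bin": b"\x00"})
WITH_OLE = build_sample({"xl/embeddings/oleObject1.bin": b"\x00"})
```

A mail gateway or endpoint policy can quarantine anything where `inspect_workbook` reports macros or embeddings, regardless of whether the sender named it .xlsx.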

System security is only as strong as... (1)

Gravis Zero (934156) | more than 3 years ago | (#35692704)

... the Microsoft products used in it.

The epitome of a good attack (1)

guruevi (827432) | more than 3 years ago | (#35692896)

Microsoft, Adobe, e-mail and stupid people. Seriously, the internal security is just as important as external - too bad almost no large organization heeds these warnings and continues to trust all their users and their computers as being safe and secure. My organization thinks because you're on the internal network, you don't need encryption necessarily for passwords and the like, they actually call it the Secure Network whereas the unencrypted wireless and the network that links up to external providers are the only insecure network.
