Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Was This the Phishing E-mail That Took Down RSA?

Soulskill posted about 3 years ago | from the hello-sir-madam dept.

Security 165

alphadogg tips this IDG News report: "'I forward this file to you for review. Please open and view it.' As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major U.S. defense contractors including Lockheed Martin, L-3, and Northrop Grumman. The e-mail was sent on March 3 and uploaded to VirusTotal a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever."

cancel ×

165 comments

Sorry! There are no comments related to the filter you selected.

Testing (-1)

Anonymous Coward | about 3 years ago | (#37218104)

Yes

All it takes (1)

Anonymous Coward | about 3 years ago | (#37218112)

is one careless user. How many secretaries, finance weenies, inside sales or middle managers at RSA actually are part of that "most respected computer security" knowledge at the company? I'm guess they have a lot of people who know nothing about security, much like every other company.

Re:All it takes (2)

jhoegl (638955) | about 3 years ago | (#37218178)

Actually, if you have proper network, server, and file access constraints, you can limit exposure depending on the person that gets phished.

That said, most companies think convenience > security.

Re:All it takes (4, Insightful)

Skarecrow77 (1714214) | about 3 years ago | (#37218322)

Being the most secure company on earth is awesome until you go out of business because nobody could get any work done and make the company any money.

There is a balance between convenience and security.

Re:All it takes (4, Insightful)

AngryDeuce (2205124) | about 3 years ago | (#37218428)

There is a balance between convenience and security.

Of course there is, but given how often these problems are happening as of late, it seems clear that very few of these companies are finding that balance. One would think the inconvenience of higher security would pale in comparison to the inconvenience of rebuilding your reputation after the entire world watches your organization get brought to it's knees, or lose copious amounts of proprietary data, due to ridiculous things like phishing expeditions.

Re:All it takes (4, Insightful)

gclef (96311) | about 3 years ago | (#37219004)

Well, that's an interesting question: how much business *does* a company actually lose by being embarrassed in an event like this? Companies keep getting hacked (Citigroup, Sony, TJmaxx, RSA), but they don't seem to be going out of business because of it, or even taking that much of a financial hit...so I'm beginning to suspect that there isn't that much impact after all.

So, if there's no real financial impact aside from PR and cleanup, why should they bother being secure?

Re:All it takes (0)

datapharmer (1099455) | about 3 years ago | (#37218456)

Yes. the balance is security >= convenience. If your security fails and you embarrass/endanger your customers or expose your secrets to your competition you go out of business, so the convenience has no intrinsic value. Being inconvenienced is different than not being able to get things done, and good security is rarely much of an inconvenience, because overly complex systems tend to have flaws that are missed due to their complexity. In many cases simple=best.

Re:All it takes (1)

somersault (912633) | about 3 years ago | (#37218636)

If your security fails and you embarrass/endanger your customers or expose your secrets to your competition you go out of business

You didn't really pay attention after all the Sony hacks etc this year, did you?

Re:All it takes (1)

AngryDeuce (2205124) | about 3 years ago | (#37218820)

But Sony's reputation is pretty damaged right now. They've already lost hundreds of millions of dollars in the costs to clean up the mess and had to slash prices of their hardware to spur sales. The timeline on this is going to be years long, not months.

Re:All it takes (1)

somersault (912633) | about 3 years ago | (#37219024)

Damaged in who's eyes? Slashdot's? There have been seemingly hundreds of data breaches in the news this year, and while the Sony one is the biggest, I don't think most people have been that bothered. I was a little appalled, but the only thing I had to do was phone my bank and ask for a new credit card, which took 60 seconds.

Re:All it takes (1)

Zilog (932422) | about 3 years ago | (#37219006)

If cost of security > business value then out of business. Convenience is an empiric way to estimate effective cost of security.

Re:All it takes (1)

Bert64 (520050) | about 3 years ago | (#37219206)

Security is a cost, both in terms of convenience as well as financial...
However the paybacks from security are not obvious, you could make no effort on security whatsoever and still get lucky, or you could make a significant effort and still get hit by sufficiently skilled/determined (or lucky) hackers.

You are right about complexity tho, the more complex you make a system the greater the chance of overlooking something.

Unfortunately, the industry is dominated by large companies that have products to sell, products are generally bought by non technical managers and simplicity is a very hard sell to someone who doesn't understand, so you have lots of vendors selling ever increasing complexity.

Re:All it takes (1)

delinear (991444) | about 3 years ago | (#37218602)

But for a firm whose bottom line is securing your access, the balance should be heavily tipped in favour of security. We know security is inconvenient, that's why we pay a firm to handle it. We don't want said firm to just do what's convenient, or we'd just do it ourselves, much cheaper.

Re:All it takes (1)

Runaway1956 (1322357) | about 3 years ago | (#37218948)

Most assuredly, there is a balance. It's been said many times, that if you're really concerned about security, you won't ever connect your machine to the internet.

But, when people are connected, they should be AWARE that they are in an insecure environment. Sounds like these security contractors failed to educate their employees, not to mention that they failed to properly secure their networks. Reading an email from Joe Random Stranger is certainly not in any security protocols that I have ever heard of! Opening an attachment in that email? DUHHH!

Re:All it takes (1)

Kell Bengal (711123) | about 3 years ago | (#37219190)

Except it didn't appear to be from J. R. Stranger; it was spoofed to appear to come from a recruitment website that they had used with before. The attachment was a .XLS named "recruitment strategy 2011" or somesuch, which is a perfectly plausible thing to get from a recruiter you've worked with in the past. This was a targeted attack, not just malware spam.

Re:All it takes (1)

arth1 (260657) | about 3 years ago | (#37218344)

In theory. In practice, when the boss tells you to remove a hurdle by giving untrustworthy resources access to a trusted resource, it's bad for job security to say "no because it's bad for corporate security".

Re:All it takes (1)

Pope (17780) | about 3 years ago | (#37218406)

Bullshit. You escalate to *his* boss and explain why you won't violate company security policies.

Re:All it takes (1)

MichaelKristopeit423 (2018892) | about 3 years ago | (#37218450)

then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.

you're an idiot.

Houston, we have a problem. (3)

luis_a_espinal (1810296) | about 3 years ago | (#37218916)

Dude, c'mon...

then your boss' boss will know that your boss is unable to manage their team effectively and fire your entire team.

Because that is not a hypotesis but a logically inevitable consequence. Your logic is awesome.

you're an idiot.

Noooo, he's a professional. His job is to escalate and let the chips fall where they may, and in the unlikely chance of getting fired, he goes to get another job. Yeah, yeah, even in this bad economy, that's what you do.

Barring some streneous condition (having a newborn baby or a shitload of medical bills) if someone doesn't escalate things when necessary due to fear of getting fired (an implication of a near complete lack of alternatives) one has to wonder what type of technical value if any such a person has to offer considering that he surrenders his professional duties to that kind of unspoken, on-the-job black-mailing and/or ZOMG! phear of getting hopelessly unemployed.

Re:All it takes (3, Interesting)

datapharmer (1099455) | about 3 years ago | (#37218502)

I've found you don't want to work for companies that don't listen to their IT departments as that is bad for job security. A smart boss will listen to a reasoned explanation as to why something is a bad idea. If they don't you should work for them as a consultant and not as an employee - companies with bad IT policies make great clients for consultants, because they spend far more on IT than companies that listen to their IT staff.

Re:All it takes (1)

pyrosine (1787666) | about 3 years ago | (#37218488)

This isnt necessarily true - unless you have entirely separate networks for departments that dont need access to another department's resources, there will still be access elevation bugs that can be exploited. Phishing the login of someone as basic as the cleaner (dont ask me why they would have computer access) could quickly elevate to root access - opening up other computers on the network to attack

Re:All it takes (5, Insightful)

Hatta (162192) | about 3 years ago | (#37218240)

So why did the non-security support staff have access to the same network the private keys were on? It doesn't just take one careless user, RSA should know about defense in depth.

Re:All it takes (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 3 years ago | (#37218478)

My understanding is that the attack proceeded in multiple steps and that knocking over a soft target was just a convenient opening move. Anybody who can be cracked just by duping some support person is Doing It Wrong; but it is hard to imagine a structure where having access to one or more low privilege accounts wouldn't make an attacker's life somewhat easier.

Now, as for the broader question of why RSA retained the seed keys for a nontrivial slice of the US's more security-touchy corporations in any remotely online-accessible form, or why those customers accepted that arrangement... There are not words enough to condemn that level of folly.

Re:All it takes (0)

Anonymous Coward | about 3 years ago | (#37218676)

So why did the non-security support staff have access to the same network the private keys were on? It doesn't just take one careless user, RSA should know about defense in depth.

Pawn, to rook, to bishop, to queen, to king.

Re:All it takes (5, Interesting)

WreckDiver (685191) | about 3 years ago | (#37219122)

I worked for RSA for 4 years, both before and after EMC acquired them (I was not working there when the break-in occurred). The security experts at RSA are not the people that are running EMC corporate IT. When the acquisition occurred, RSA IT was one of the first groups to be let go. EMC IT policy seemed to be more worried about meeting regulations for compliance than for implementing security policies that actually made sense.

Re:All it takes (1)

Hijacked Public (999535) | about 3 years ago | (#37218262)

You are paraphrasing the last line of the article. And it isn't like everyone working on computer security isn't well aware, especially a company that sells a product designed to mitigate user silliness like lousy password.

What is more striking to me is that a bug in some minor piece of convenience software is enough, despite efforts at sandboxing and UAC type prompts and ACLs and firewalls and sniffing and all that, to eventually compromise the most important asset a RSA had.

Re:All it takes (3, Insightful)

garyebickford (222422) | about 3 years ago | (#37218880)

By analogy, this is part of the reason why high security buildings around Washington DC have no windows. Too easy to 'peek' through (using some arbitrary 'peaking' technology), or break in through.

Most normal buildings are only *apparently* secure, since a simple lock pick or broken window gets you in. I think this phishing attack is analogous to the classic Hollywood entry using a glass cutter and shorting across the alarm wiring. This gets you in the building so you can do your dirty work.

Those high security buildings also sometimes have Faraday cages and other systems built into the structure, but that's another story.

Re:All it takes (1)

ObsessiveMathsFreak (773371) | about 3 years ago | (#37218742)

one careless user.

Nonsense. It takes institution wide use of an operating system with systemic security issues. It take a network where a secretaries computer effectively has access to files relating to defence contractors. It takes a tinderbox network, pre-doused in gasoline in order for one tiny spark to ignite such an inferno.

An international military security verifcation network, compromised by a single flash file in an Excel sheet, opened on a secretaries computer; And it's the secretaries fault? Give me a break.

Re:All it takes (1)

fuzzyfuzzyfungus (1223518) | about 3 years ago | (#37218804)

You appear dangerously close to suggesting that something this embarrassing might be the fault of somebody who matters, rather than a cog who should have known better and is 'no longer working for the company', as they say... I'm not sure we can have such talk about our betters here...

Re:All it takes (1)

X0563511 (793323) | about 3 years ago | (#37218892)

You seem to forget the part where this was only the initial attack vector. That's how they got in the front door. It doesn't say how they got into the basement.

computers are now part of modern society (0)

Anonymous Coward | about 3 years ago | (#37218162)

And as such, we need to start expecting people to have basic computer literacy skills so they do not fall prey to such schemes. How many thousands upon thousands of times does it have to happen before people learn?

Re:computers are now part of modern society (2)

jhoegl (638955) | about 3 years ago | (#37218238)

I dunno. How many people still leave their doors unlocked, drive home drunk, text and drive, say something stupid to the wrong person, vote for Republicans (haha, yeah I said it, deal with it), and etc etc.

Shit is not going to stop, so all we can do is react and repair. However, when someone has a specific amount of access, perhaps a security policy and/or security training/certificate are required which would include legal or financial punishment to their lax attention.

Re:computers are now part of modern society (1)

Yvan256 (722131) | about 3 years ago | (#37218246)

Well, some people need to be burned a few times before learning. And there's new schemes every day. Multiplied by the planet's population.

A couple centillion times should do it.

Re:computers are now part of modern society (1)

Hijacked Public (999535) | about 3 years ago | (#37218308)

Or we can start expecting the people who have chosen to specialize their careers in preventing this type of thing, to ensure that a spreadsheet cannot exploit a bug in animation software to gain root access to the entire network.

Cost accounting may prevent either solution from being possible, who knows.

Re:computers are now part of modern society (1)

fuzzyfuzzyfungus (1223518) | about 3 years ago | (#37218874)

And as such, we need to start expecting people to have basic computer literacy skills so they do not fall prey to such schemes. How many thousands upon thousands of times does it have to happen before people learn?

Hear, Hear! I can't tell you how many secretaries and mailroom minions I've had to fire because they couldn't detect zero-day vulnerability exploits!

More... (-1)

Anonymous Coward | about 3 years ago | (#37218164)

The first time the niggar approached me.
I rebuked him, much as my Father did before me.

The second time the niggar approached me.
I gave him money, to hasten his departure.

The third time the niggar approached me.
I gave him food, to teach the kids active compassion.

The fourth time the niggar approached me.
I gave him my beer, as that's what he wanted.

The last time the niggar approached me.
I sat down and listened.

Lessons are all standard (1)

JoshuaZ (1134087) | about 3 years ago | (#37218172)

Keep your systems separate. If you have important keys and they don't need to be on a network when they aren't in use, don't put them on a network. Don't give people more privileges than they need to do their jobs. That does have the secondary issue that if you go too far in that direction then people will try to get around your security measures and might open up holes in the process, and they won't take security as seriously. So you need to balance that. Also, never open up attachments that you don't know who they are from. This is a really basic point that should be driven into people. And look at the extension of the file, if it looks suspicious don't open it. These are basic points. It is embarrassing that RSA of all companies would apparently have such basic security problems. But it does help drive home a point: if they can be vulnerable to simple phishing and bad attachments so can everyone.

Re:Lessons are all standard (1)

tburke261 (981079) | about 3 years ago | (#37218194)

Anyone who takes security very, very seriously because they have to will talk to you about the Air-Gap. It's a beautiful thing.

Re:Lessons are all standard (1)

Registered Coward v2 (447531) | about 3 years ago | (#37218268)

Anyone who takes security very, very seriously because they have to will talk to you about the Air-Gap. It's a beautiful thing.

Unfortunately, the Sneaker Net can easily defeat the air gap. Of course, the Epoxy Filler Plug defeats Sneaker Net.

So now we have the security geek version of Rock Paper Scissors Spock...

Re:Lessons are all standard (0)

Anonymous Coward | about 3 years ago | (#37218468)

Lizard, Spock

Re:Lessons are all standard (1)

mangu (126918) | about 3 years ago | (#37218654)

the Sneaker Net can easily defeat the air gap

IOW, Nike Air defeats Air Gap.

Re:Lessons are all standard (1, Insightful)

Pope (17780) | about 3 years ago | (#37218452)

And look at the extension of the file, if it looks suspicious don't open it.

You mean the file extension that is hidden by default on Windows for the last decade?

Re:Lessons are all standard (1)

X0563511 (793323) | about 3 years ago | (#37218512)

.. and that excuses it how? IT should set group policy to force that option off and expose it.

We also all know what a disaster having Microsoft involved with any kind of security beyond "feel-good" measures is. No, there is no good-fitting better alternative, but that doesn't change the fact that it's a mess.

Re:Lessons are all standard (2)

_0xd0ad (1974778) | about 3 years ago | (#37218630)

You mean the file extension that actually matched what the file appeared to be (Excel spreadsheet) and had nothing at all to do with the reason this attack was successful?

If I may paraphrase JoshuaZ's point, it was "Turn on file extensions, and don't open files with suspicious extensions". It was also unrelated to this particular security breach, but at least it's still good advice in general.

You could even search through the Windows registry for registered file types with a "NeverShowExt" value set and delete the value. Then even extensions like .url, .lnk, etc. will be visible.

Warning about FTA (3, Insightful)

Hijacked Public (999535) | about 3 years ago | (#37218182)

Looking closer, Hirvonen found that the file seemed to match RSA's description in possible every way.

I assumed this was a poorly translated phishing article and immediately closed my browser window and reinstalled Windows.

Re:Warning about FTA (0)

Anonymous Coward | about 3 years ago | (#37218618)

Good to know, I wouldn't want to F the article anyway...

Please (-1, Troll)

Anonymous Coward | about 3 years ago | (#37218200)

Just stop using Microsoft products. Stop using Windows, Office, Internet Explorer, MSN Messenger.

Oh, you rely on those pieces of shit to work? You built your own prison, now suffer the prison rape.

Re:Please (1)

The-Blue-Clown (1261404) | about 3 years ago | (#37218296)

MS is vulnerable because its the biggest target out there. Android is now the biggest mobile target. As Apple gets a larger share, it will become a target as well. I dislike MS as much as anyone I know, but your statement is simply foolish. ALL systems can be compromised by stupid users. I say stupid and not ignorant. I have more than my fair share of stupid users and pushing them to Linux won't solve it. You can only solve it by building sandboxes around them.

Re:Please (1)

MichaelKristopeit424 (2018894) | about 3 years ago | (#37218496)

You can only solve it by building sandboxes around them.

right... because there have never been any exploits to break out of a sandbox. "solve" doesn't mean what you think it does.

you're an idiot.

Re:Please (1)

NatasRevol (731260) | about 3 years ago | (#37218528)

Bullshit.

Apple was/is the largest mobile target if you include iPod Touches, > 200M devices running iOS. If not, it's a close second to Android.

Stil has an order of magnitude fewer attacks than Android. So biggest target != most attacks. Least secure == most attacks.

Re:Please (1)

The-Blue-Clown (1261404) | about 3 years ago | (#37218642)

Nice one. Missed the point of course. The post was about MS. Specifically if you selected MS you were asking for problems. I was attempting (failed) to point out that if Apple had the same market share they would have lots of problems as well. NO system is secure. Ask RSA.

Re:Please (1)

NatasRevol (731260) | about 3 years ago | (#37218734)

No, I was invalidating your point which was largest == most hit. In actuality, it's most insecure == most hit.

Re:Please (1)

The-Blue-Clown (1261404) | about 3 years ago | (#37218862)

You were attempting to invalidate my comment. Malicious code is written for an intended target. Android a year ago was more vulnerable than today, yet today it is hit more often. Why? What has changed? Its size.

Re:Please (1)

NatasRevol (731260) | about 3 years ago | (#37218972)

That doesn't answer why iOS, with more total users, isn't hit more than Android.

Re:Please (1)

X0563511 (793323) | about 3 years ago | (#37218544)

You're smart enough to understand that some systems are designed better than others. Just because it isn't the biggest target doesn't mean it's secure only via obscurity.

Re:Please (1)

The-Blue-Clown (1261404) | about 3 years ago | (#37218698)

Yes. You are correct. My point was the poster was saying that if one selects MS then they are asking for problems. I'm pretty sure that if Apple had 80+ market share there would be a lot of issues with them as well, despite the control they have over the OS and hardware and developers. Android has even less control than MS so I am certain it will be riddles with exploits.

Re:Please (1)

X0563511 (793323) | about 3 years ago | (#37218850)

Well, I won't argue that a large chunk of the holes we find in MS are found because they are the big target. That said, even if they weren't the holes would still be there. I'm just saying the two really aren't connected (in that fashion) despite the arguments people like to toss about claiming such.

MS is vulnerable. Period. (3, Interesting)

mangu (126918) | about 3 years ago | (#37218772)

MS is vulnerable because its the biggest target out there.

While it's true that few people would try to exploit a system nobody uses, MS does its share of the effort to become insecure.

In this specific case, the first breach was done by a Flash program embedded in an Excel spreadsheet. We are going waaay back to all that DDE/COM/OLE/ActiveX thing that has been opening so many backdoors in Microsoft systems for the last decades. Broken by design.

Re:MS is vulnerable. Period. (1)

The-Blue-Clown (1261404) | about 3 years ago | (#37218868)

Very true.

Re:Please (1)

Forty Two Tenfold (1134125) | about 3 years ago | (#37218540)

PEBKAC.

Re:Please (1)

delinear (991444) | about 3 years ago | (#37218784)

While you are right it would probably help somewhat, it wouldn't defeat phishing attacks which usually rely on "social engineering" (i.e. making someone want to do the thing you want them to do). If you can put the right attack in front of the right user (one with sufficient rights and insufficient knowledge) then no amount of security in the OS will help.

No really new news ... (1)

Registered Coward v2 (447531) | about 3 years ago | (#37218216)

beyond the how part. The most telling part of the article is:

"That's a pretty embarrassing example for RSA," he said. "It tells you that in any reasonably sized company, including a security company, there's someone who will do something really dumb."

The world's second oldest profession has been exploiting that weakness forever. They key to information is not to compromise the leaders; you get in via the support staff. They're not thinking security. It's amazing what a simple phone call can net in terms of information; even if you are up front with what you are looking for and why you want it. The internet just makes it easier to reach them and provides new tools to extract information.

Re:No really new news ... (5, Insightful)

Scutter (18425) | about 3 years ago | (#37218304)

I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.

That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.

Re:No really new news ... (1)

Registered Coward v2 (447531) | about 3 years ago | (#37218504)

I wouldn't necessarily say it was something "really dumb". It looked like a legitimate e-mail from a legitimate contact, exploiting a zero-day flaw in a system. From a user standpoint, I'm not sure they could have done anything different to avoid getting infected. Users still have to get their work done. Your average user can't spend twenty minutes researching every attachment to make sure it doesn't have a zero-day attack in it.

While I agree with you in general, and would add that a number of root causes for the infection should be explored, the user did apparently retrieve it from the trash prior to opening it. That tells me either their spam filter causes a lot of false positives and users are used to checking junk mail for real messages, indicating a systemic problem; junk email show up in their inbox and is just flagged, another systemic problem; or, the user really wasn't trained on why email goes to buck and what to do if they think it is a mistake. It's also possible they simply open fit without thinking, in which case it was dumb, IMHO, but being "dumb" was not the only cause and the same thing will happen again unless the event is really investigated to determine various probable causes and fixes put in place.

That said, could RSA as an organization have done anything different to prevent this? Of course they could have, starting with not running an OS that's two major revisions out of date (let's not get into a Windows vs. *nix discussion here). But let's not put all the blame on the user for this.

I agree - the user was the last line of defense that was breached and there were probably systemic issues that let that happen and need to be addressed. I do think the premise of the part of the article I quoted is valid, even if a bit melodramatic; the user is the bets part of the system to exploit and often the easiest which is why it's been the target long before computer technology came on the scene.

Re:No really new news ... (2)

black soap (2201626) | about 3 years ago | (#37219232)

If this was a multi-step attack, rather than just stopping the first phishing email, wouldn't detection anywhere further up the chain also have limited the damage?

frist p5ot! (-1)

Anonymous Coward | about 3 years ago | (#37218244)

aboutG a project you neEd to succeed that he documents

Social Engineering (1, Redundant)

PPH (736903) | about 3 years ago | (#37218258)

IMO, the most cunning instance of social engineering leading to this break in was convincing a security company to use insecure software, like Excel, Windows, and Flash.

Agreed. Google Docs FTW (0)

Anonymous Coward | about 3 years ago | (#37218476)

Yes they should be using Google Docs instead especially on those backend machines.

Re:Agreed. Google Docs FTW (0)

Anonymous Coward | about 3 years ago | (#37218732)

You probably joke, but a lot of exploits would've been avoided if everyone went through google docs for all their "office" needs (or maybe not "google" but some internal equivalent version).

Re:Social Engineering (1)

kevinNCSU (1531307) | about 3 years ago | (#37218536)

If there was such a thing as "secure" software what would be the purpose of a security company?

Re:Social Engineering (1)

Provocateur (133110) | about 3 years ago | (#37218682)

I don't know...to prove that God doesn't exist?

*POOF!*

Re:Social Engineering (0)

rgviza (1303161) | about 3 years ago | (#37218592)

as opposed to open office, linux, and html5?
he heheh hehehehehelmao

The only truly secure software is sitting inert on a cdrom in it's case. The rest of it is vulnerable (either through vulnerabilities discovered or not yet found and the exploits that use them)

If man made it, man can break it. If you don't believe this, you have already lost at the game that has become security. There is _always_ a way and always will be.

You can't rely on secure software to make yourself secure. There's no such thing. Defense in depth and behavior modification are the only things that work and neither has much to do with what software you use..

Re:Social Engineering (0)

X0563511 (793323) | about 3 years ago | (#37218974)

So, since it cannot be done perfectly we should just give up? Is that what you are saying?

The point of security is not necessarily to COMPLETELY stop unauthorized activity, although that is nice. The point is to try to make it prohibitively inconvenient or difficult to proceed.

I can believe it (2)

sandytaru (1158959) | about 3 years ago | (#37218264)

End users aren't always that stupid, but some of them are, and the others can be distracted and not really pay attention and accidentally open something they otherwise wouldn't have. This is why it's vital to have automated spam and virus detection on the backend. A few weeks ago I noticed Exchange catching and cleaning up viruses that were coming from the computer of a manager of one of our client companies - the person in charge of the whole darn operation had managed to get her PC infected. Exchange caught the viruses before they were sent off to other PCs in the network, but we had to completely wipe down that person's computer to get rid of it for good. All because she opened an email forwarded from her son that said "Funny pictures!" with twenty attachments.

Re:I can believe it (0)

Anonymous Coward | about 3 years ago | (#37218918)

All well and good except when its a 0 day, as this was.

I thought macro viruses were dead? (1)

TerranFury (726743) | about 3 years ago | (#37218282)

How do you own someone with an XLS file nowadays?!

(I'm assuming, "How dangerous can it be? It's not an executable!" is exactly what the hapless employee who opened it was thinking too...)

Re:I thought macro viruses were dead? (1)

TerranFury (726743) | about 3 years ago | (#37218370)

Having now read TFA (always a good policy), it looks like a Flash exploit was involved. Maybe the Flash applet was embedded using OLE?

Re:I thought macro viruses were dead? (0)

Anonymous Coward | about 3 years ago | (#37218394)

Not to mention, Excel by default warns you of any files containing macros, and Windows warns you of any privileges you might be escalating for any file. To be infected, this person has to have repeatedly made consecutive poor security decisions.

Re:I thought macro viruses were dead? (2)

ahecht (567934) | about 3 years ago | (#37218418)

It wasn't a macro, it was an embedded Adobe Flash object.

Re:I thought macro viruses were dead? (2)

X0563511 (793323) | about 3 years ago | (#37218608)

So it wasn't just a ball of mud, it was a ball of mud with a nugget of shit in the middle?

Re:I thought macro viruses were dead? (1)

Inda (580031) | about 3 years ago | (#37218434)

This work PC is locked down to the wire. One of my jobs is to wirte Excel spreadsheets including VBA.

Accessing the FSO (File System Object) is childs play. I can read, write and delete anything I have access to on the network.

It's that easy. Still.

And then there's the Window APIs I can access through VBA...

And I'm pretty poor at doing this stuff (but better than 99% of the office workers)

Re:I thought macro viruses were dead? (1)

rgviza (1303161) | about 3 years ago | (#37218606)

get them to click "Run macros" or whatever the dialog says

They Hacked the NSA? Wow! (0)

snsh (968808) | about 3 years ago | (#37218470)

Re:They Hacked the NSA? Wow! (1)

m50d (797211) | about 3 years ago | (#37218538)

Except no. If you've been following this story, it wasn't just defacing their website, the attackers got the crown jewels this time.

Re:They Hacked the NSA? Wow! (1)

Megane (129182) | about 3 years ago | (#37219226)

Except that they hacked RSA. So the first panel would have to say that hackers took down the website of ZIA for the analogy to apply.

Flash Embedded in Excel? (3, Insightful)

Blackeagle_Falcon (784253) | about 3 years ago | (#37218490)

I join F-Secure in asking, "why the heck does Excel support embedded Flash"?

Re:Flash Embedded in Excel? (5, Interesting)

maxwell demon (590494) | about 3 years ago | (#37218696)

Indeed, there should be a strict separation between documents (things you merely view and possibly edit) and programs (things which do something). Unfortunately that line has been crossed by about every document format, from office files (Word, Excel, ...) over HTML (JavaScript) to PDF.

There should be a set of standard document formats which are guaranteed to not contain any executable code whatsoever, so except for possibly exploiting buffer overflows in interpreting code, displaying the documents is safe. It should be impossible by specification to insert any "active content", i.e. programs, in such documents.

Re:Flash Embedded in Excel? (0)

jonwil (467024) | about 3 years ago | (#37218982)

The world would be a better place if Microsoft hadn't invented the garbage known as VBA and VBScript.

Whoever thought that emails should have scripting (or even HTML) should be hit on the back of the head with an IBM Model M keyboard.
Same with the idiots that thought that having programming languages inside documents was a good idea.

Re:Flash Embedded in Excel? (1)

KliX (164895) | about 3 years ago | (#37219064)

Dude, once a stream is being parsed, you are always screwed. There will always be a security hole.

Doesn't matter if the 'executable' code is essentially in the document; or the document itself, running against a parser.

They're really the same thing.

Re:Flash Embedded in Excel? (1)

garyebickford (222422) | about 3 years ago | (#37219066)

Much of the success of Apple, object-oriented systems in general, and later NeXT and the World Wide Web (which was inspired by the NeXT on Berners-Lee's desk), was due to the ability to support 'rich' documents. Back in 1989 being able to send an audio or video file to an associate as part of an email, or incorporate as a natural part of a shared document, was pretty much the 'killer app' for the NeXT. So this raises the question, "How do we define 'executable' in this context?"

For example, a video might have bogus image data that happens to tickle a buffer overflow in the video display program, that causes it to perform a jump into the memory space where the video data resides, which happens to have been specially constructed to execute a hack. There's no 'executable' capability in the video, but in fact it does cause execution of malware.

That's pretty much how many of the simple hacks of the 1990s and later worked. Most of those holes have been closed (I hope), but more sophisticated equivalents will always continue to arise, as systems (including the humans in the loop) continue to change, expand and advance. The best analogy is the disease process in biology, where immune systems can be modeled for use in anti-malware systems. IBM and others have investigated as a model for computer malware protection

Re:Flash Embedded in Excel? (1)

maxwell demon (590494) | about 3 years ago | (#37219286)

I never claimed that such a format would end all security concerns. I even mentioned the possibility of exploiting buffer overflows myself.
However it is a huge difference if attacks can only be done through bugs in the implementation, or if attacks could also happen due to an oversight in the specification, making even completely bug-free implementations vulnerable. For pure-content formats, one can be sure that the specification has no security problems (because it doesn't specify anything executed). Only the implementation vulnerabilities remain.

Re:Flash Embedded in Excel? (1)

owlstead (636356) | about 3 years ago | (#37218922)

And as an engineer, I would say: because it shares a code base with other Microsoft products. But that does not make it less wrong. And the problem is two fold: why does it support it at all, widening the attack surface, and why does allow Excel, and then the OS that it compromises security in such a way. IMHO, talking security is about talking "security layers", and both at RSA and with current operating environments, the layers allow for too much to slip by.

Re:Flash Embedded in Excel? (0)

Anonymous Coward | about 3 years ago | (#37219054)

Why wouldn't it? It can embed Flash for the same reason it can embed bits of Word text, or a video, a PowerPoint presentation, &c. There's nothing wrong with that, and for many people (especially in the corporate world) the ability to embed arbitrary documents in each other is a necessary feature.
The exploit wasn't in Excel, but in Flash. Place the blame where it belongs: the fact that one of the most buggy applications out there has such a big installed base that websites can rely on it for basic functionality, making not having it installed not an option.

Suspicious claim by F-Secure (2)

Trufagus (1803250) | about 3 years ago | (#37218510)

So an anti-virus company, always on the lookup for free publicity, claims that it has come what might have been the e-mail that took down the RSA.

And this makes the news?

In case you hadn't noticed, the anti-virus companies will claim anything to get noticed these days.

Moral of the story.... (4, Insightful)

Lumpy (12016) | about 3 years ago | (#37218554)

If you use a commodity OS inside your secure network. you will get hacked and you will get it knocked over.

If you have a high security network and run windows and office on it, it's not high security anymore.

you run apps and Operating systems rated for the security that are tightened down. only a moron would let someone edit a spreadsheet on a PC that is connected to the secure network. You flip to the insecure network machine for tasks like that. No connections between them other than the eyeballs and fingers of the user.

first.=.. (-1)

Anonymous Coward | about 3 years ago | (#37218580)

anothe8 foldEr. 20

Are you paranoid enough? (0)

Anonymous Coward | about 3 years ago | (#37218658)

I would like to think I would never fall for something like this. But if this email had a return address of someone in the company? That would make it seem VERY legitimate. Of course, if I don't usually receive emails from that person, I might assume the email was misdirected and not open it. Maybe.

As far as my home email is concerned, the only reliable indicator I've found for phishing attempts is bad grammar and spelling. If these attackers get a good grasp of the English language, we're screwed.

RSA doesn't virus-scan email attachments? (0)

Anonymous Coward | about 3 years ago | (#37218910)

The biggest questions left unanswered by all of this are:
1) Why doesn't RSA scan all incoming email and all attachments for malicious payloads?
2) Even if they do, why didn't said anti-virus, IDS, or IPS system they have in place identify this Poison.Ivy payload?
3) If their anti-virus detection measures failed to detect this (apparently) known exploit (Poison.Ivy from the Network World article), what product(s) are they using?

My hunch is that it isn't F-Secure, because the inference is that their products would have detected the problem and quarantined and stripped the email of the attachment before delivering it to recruiter Dum Bass in HR.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>