
RSA Blames Nation State For Cyber Attack

Soulskill posted more than 2 years ago | from the guess-we-can-rule-out-the-amish dept.

Security 145

An anonymous reader writes "Security firm RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products. Speaking at the RSA Security Conference in London, RSA executive chairman Art Coviello described the high profile attack thus: 'There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state.' Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects. Could it be that the firm is simply applying spin, describing the attack as a 'highly sophisticated Advanced Persistent Threat' to protect its image?"


145 comments

Everyone's going to accuse (5, Informative)

aBaldrich (1692238) | more than 2 years ago | (#37686344)

China

Re:Everyone's going to accuse (1)

hannza (2480742) | more than 2 years ago | (#37686386)

quite possibly. or russia, or north korea.

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686414)

or Iran.

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686424)

or Israel

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686450)

or New Zealand...oh, wait...

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686886)

... that's not a country.

Re:Everyone's going to accuse (1)

quenda (644621) | more than 2 years ago | (#37686466)

And I suppose China must have been behind Stuxnet as well?
The Chinese are not the only ones in this game.

Re:Everyone's going to accuse (1)

martin-boundary (547041) | more than 2 years ago | (#37686484)

Everyone's going to accuse China

China: "No I'm not"

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686874)

Herro Prease- PF Chang's is front for hackers

Re:Everyone's going to accuse (4, Interesting)

symbolset (646467) | more than 2 years ago | (#37686518)

China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".

The nation-state claim is based on depth of analysis of technologies, leveraging of classified information not known to be leaked, sophistication of attacks. Also maybe on RSA's desire to say "What can we do against the dedicated resources of a nation-state?"

This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

It doesn't require a nation-state's resources to do this. Fifty thousand geeks in their mom's basement will do if a hundred of them are Aspies - and they are. They'll do it for the lulz, and on their backtrace they'll drag a red herring across a nation state if it amuses them to do so. Or they'll taint the Church of Scientology instead if that's their thing this week. It would take a nation-state to fund that level of effort, to coordinate that level of action - unless they do it for free for the lulz and the aspies organize it for them for free because it's a puzzle worthy of their attention. No resources are required except the neighbor's open Wifi because Mom provides the Hot Pockets and Mountain Dew.

/Not saying it wasn't a nation-state, but have no faith in the analysis.

Re:Everyone's going to accuse (2)

ColdWetDog (752185) | more than 2 years ago | (#37686618)

This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

Not sure how you can come to that conclusion. If the US three letter agencies have a presence in the "dark side" of the Internet, it's not as if they're going to post it on 4Chan. Sometimes you let people get away with things in order not to compromise sources.

From the standpoint of a mere mortal, a dumb poster on Slashdot, we'll never know.

Re:Everyone's going to accuse (4, Informative)

garyebickford (222422) | more than 2 years ago | (#37686840)

I was at a conference in 1999 where a Navy officer spoke. At that time the DoD was in the process of setting up three separate cyber warfare battalions, working on both defense and offense. He did mention that until recently-at-that-time it had been a hard slog getting the brass to wake up, but things were starting to move faster. IIRC a battalion is about 500 'soldiers' plus some number of support staff (Wikipedia sez 300-1200 total).

I would expect that in the 12 years since then the size of this effort has expanded by up to 2 orders of magnitude. There are literally thousands of nondescript buildings in shopping malls and industrial parks all over the country filled with folks doing all sorts of eyes-only burn-before-reading stuff, and I'm sure that a lot of that is cyber warfare research, training and activity. Part of the plan back in 1999 was to enlist major companies in information sharing regarding security threats to the economic infrastructure. Some of that effort got put into CERT early on, but I expect there are more classified levels of that going on.

Keeping the baddies out of Ford, SmithKline or even Proctor & Gamble is almost as important as keeping them out of several levels of DoD. Warfare has always been a fundamentally economic activity.

If I had the head for that sort of thing and were a lot younger I'd think seriously about getting into that - it would make for a very 'secure' future. :)

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687002)

If you were a subscriber here on /. you could read back my comment history where I discussed these things at length not only with outside folks like you, but also with the senior Microsoft program manager who initially resisted, and then came around to my point of view after further outside analysis and discussion with internal experts. They didn't do it as thoroughly as I'd have liked, but they did do it. That's how Microsoft came to deprecate Autorun. I did that. Me, and me only. If you're willing to pay ten bucks and a few days to dredge it out of my comment history, more power to ya. This is /. We don't get to edit or retract here.

Re:Everyone's going to accuse (1)

cheeks5965 (1682996) | more than 2 years ago | (#37686760)

Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

someday i hope you can experience the joys of a woman.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687030)

I have five children.

Re:Everyone's going to accuse (1)

unitron (5733) | more than 2 years ago | (#37687298)

Maybe they meant the joys of being a woman. : - )

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687440)

Maybe your feeble attempts to rescue this fucktard have something to do with your work relationship to him. He's in deep. Come swim in the tar with us. I would like that. The tar is warm. come on in.

Re:Everyone's going to accuse (1)

EnempE (709151) | more than 2 years ago | (#37686938)

China's active in this stuff, as is North Korea, several former Soviet Republics, Israel, Western Europe, and most of South America. Well, to be honest, most of the planet, but everywhere else is where some proxies are. You might as well say "I don't know".

Missed Iran in there. I think most of South America is a big claim; Brazil maybe, but the rest of them are happy enough using actual guns to annoy their neighbours.

The nation-state claim is based on depth of analysis of technologies, leveraging of classified information not known to be leaked, sophistication of attacks. Also maybe on RSA's desire to say "What can we do against the dedicated resources of a nation-state?"

Agree, it is the ultimate excuse.

This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet, where folks from all over freely share all sorts of amazing shit. They still don't get it. The dark side is where a lot of really interesting data warehouse technologies come from, years later. Most of these geeks aren't into it to do crime - it's just where the algorithm action is.

I think just some are happy hackers; most others are paid to do it by DoD, or are making a little on the side.

It doesn't require a nation-state's resources to do this. Fifty thousand geeks in their mom's basement will do if a hundred of them are Aspies - and they are. They'll do it for the lulz, and on their backtrace they'll drag a red herring across a nation state if it amuses them to do so. Or they'll taint the Church of Scientology instead if that's their thing this week. It would take a nation-state to fund that level of effort, to coordinate that level of action - unless they do it for free for the lulz and the aspies organize it for them for free because it's a puzzle worthy of their attention. No resources are required except the neighbor's open Wifi because Mom provides the Hot Pockets and Mountain Dew.

That is a nice concept, but can you imagine trying to manage a joint project of 49,900 geeks and 100 Aspies? It would be like herding lolcats. I think a feat like that would take an amount of Hot Pockets and Mountain Dew that would require some pretty deep pockets. I am not being rude here; I honestly think we are all somewhere on the scale between Paris Hilton and Rain Man (both fictional characters), but the lack of social skills would hinder such a project, methinks.

/Not saying it wasn't a nation-state, but have no faith in the analysis.

True, but this is the security industry we are talking about, where there are 8 billion new viruses every minute and 17 billion new zero days, and whatever else number that you can loosely statistically justify if it proves the value of your product/budget. Nobody really trusts anything anymore.

p.s. That is one awesome ID number you are rocking.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687056)

>p.s. That is one awesome ID number you are rocking.

Thanks. It's accidental but I like it.

Your post was garbled. I want to respectfully reply, but I can't.

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37687426)

Perhaps I need to do one of those Asperger's tests that they have online, or just stop trying to work and read /. at the same time :)

Thanks for saying garbled and not garbage, such netiquette is rare these days.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687482)

Here's an easy test: If you think you might have Aspergers, then you don't.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687590)

That might need some clarification for you norms. The key term is "might". If you were that different from the norms, you would know it. You wouldn't have to have it explained to you. Some of you think you have Aspergers, but you don't. Us Aspies are way different. Hopefully you guys are mature enough now to accept us.

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37687754)

Hmm. So in your expert opinion, am I an Asperger? I am different from us norms, and I know it.

Re:Everyone's going to accuse (1)

EnempE (709151) | more than 2 years ago | (#37687446)

Perhaps I need to do one of those Asperger's tests that they have online, or just stop trying to work and read /. at the same time :)
Thanks for saying garbled and not garbage, such netiquette is rare these days
p.s. Please excuse the accidental AC message, it is this need for multiple browsers that sites like face{tracking}book have made for me.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687642)

It's pretty simple. If you think you might have Aspergers, then you don't. Aspies don't have doubt, they have unknown quantities.

Re:Everyone's going to accuse (1)

EnempE (709151) | more than 2 years ago | (#37687822)

lol, guess not then.

I have taught some kids with problems of this type, they are brilliant. I feel it is really the world which doesn't measure up to them. Why isn't English phonetic? why do years not always have the same number of days? why do I say "do it like this" when I mean "do a similar but personalized revision of this"?

Anyways, waaaaay off topic now

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687922)

My kids are going through this now. We teach them the alphabet at 6 months, phonetics at 10 months. By two they're reading real books and repairing their own PC. And then they fail the standard test because they won't call out the sounds of letters because to them it's baby talk too embarrassing to say. But they can read at a sixth grade level, and write at third - entering kindergarten.

You normals are so fucking retarded. My boy came back from his first day of kindergarten and he had two things to say: "Other people are stupid" and "They don't even have computers". What could I say but "this is how it is. You have to get used to it."

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686970)

Uhhh, North Korea? Really? Where did the NK hackers learn, well, ANYTHING about modern systems? They certainly couldn't pay foreigners to do it. NK is a non-player in this game. Their IP block is not seen anywhere, ever. How, exactly, would they pull something like this off? They are the most isolated, backward nation on the planet. They are not a threat to anybody.

Hell, I'm pretty sure they don't even have nuclear weapons. They probably just buried a few thousand tons of TNT and blew it up. All we have measured for NK nukes is seismic activity. They could easily bury some weak nuclear material with the TNT to give some sort of impression of radioactivity.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687114)

How the hell I attracted one of the adherents of the Dear Leader, I don't know - but it were in your better interest to let it go. I'm not some blind commenter, and not disposed to let things go. I mentioned Korea in passing and for your own sake you should let it be. If you make a crusade of it, I will sleep comfortably while you pay for your hubris in a camp where rations are let every other week.

Re:Everyone's going to accuse (2)

cavreader (1903280) | more than 2 years ago | (#37687154)

"This idea basically says Uncle Sam doesn't have any folks trolling the dark side of the Internet yet" I seriously doubt this is the case. The US would have no problem returning the favor. Like China the US government security agencies avoid publicizing their accomplishments and vulnerabilities to avoid disclosing their capabilities.

Re:Everyone's going to accuse (1)

Gordonjcp (186804) | more than 2 years ago | (#37687478)

I can't see it being Israel, since Adi Shamir is actually Israeli himself.

Re:Everyone's going to accuse (1)

symbolset (646467) | more than 2 years ago | (#37687752)

He is who he is, a man. If you make what you are as a people to live and die with a man, then you have chosen your fate because all men die eventually. You know better than that. You've survived 100 iterations of that. What's different now?

Re:Everyone's going to accuse (1)

Tasha26 (1613349) | more than 2 years ago | (#37686696)

If history has taught us anything, the culprit has to be an oil-rich country and the US has to be able to win a war against it... Iran!

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37686946)

china is not a nation state

Re:Everyone's going to accuse (0)

Anonymous Coward | more than 2 years ago | (#37687746)

I'd be willing to bet my money on the USA, UK, or Germany (Given proper odds), given their governments' wishes to spy on even their own people...

Awww, a security firm got hacked? (-1)

Anonymous Coward | more than 2 years ago | (#37686354)

LOL! Total humiliation!

Re:Awww, a security firm got hacked? (2)

Dunbal (464142) | more than 2 years ago | (#37686422)

Yah an it was a COUNTRY that did it mommmmmieeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!

Maybe some hacker got lucky... (1)

Currawong (563634) | more than 2 years ago | (#37686372)

Maybe whoever wrote the virus got lucky, found they'd hit the jackpot with the data and sold it off for a crapload of money?

well we did blame.... (2)

ganjadude (952775) | more than 2 years ago | (#37686388)

Iran for an attempted attack on US soil just today. Maybe they figured (or were coaxed *tin foil hat) that they should just add blame to Iran, either to save face (most likely) or to add ammo to the fact that they did in fact back the attack? (end tin foil hat)

Re:well we did blame.... (0)

Anonymous Coward | more than 2 years ago | (#37688408)

(end tin foil hat)

What is that? Some kind of Lisp/VB hybrid? Damn.

Defective as designed. (5, Insightful)

faedle (114018) | more than 2 years ago | (#37686404)

Any design that held all the keys in a central database that was not changeable by the end-user organization was defective-as-designed, IMHO.

Mod parent up. (1)

khasim (1285) | more than 2 years ago | (#37686526)

I would expect such from most companies. But from a company that sells computer security products?

And those products DEPEND upon the seed being secret?

I get the feeling that they're claiming this now (MONTHS after the crack) in order to justify their failure.

Who cares if it was a single cracker or a cracker group or a nation employing crackers? If they didn't go in with gunships then it is the same in the end. A cracker got past their defenses and all the way into their vault.

Why was the vault available on-line like that?

Re:Mod parent up. (2)

tlhIngan (30335) | more than 2 years ago | (#37687118)

And those products DEPEND upon the seed being secret?

Um, that's the point of the RSA token. The RSA token is merely a watch that instead of displaying the current time, displays a 6-digit number. That number is basically the output of a PRNG - one cryptographically secure (so hijacking a number or two won't reveal the entire sequence). That PRNG is seeded by a seed value so it generates a predictable set of numbers.

When you register a key, you enter in its ID number, which does a seed lookup so when you log in, the appropriate number can be calculated and compared with what your key should be showing you.

The seed has to be available somehow - the key gets programmed with a seed out of necessity (so it can calculate the proper number), but the login authenticator also needs the seed. And the authenticator can be made by anyone licensing the technology. Somehow the seed value needs to be transported to the authenticator so all valid users' numbers can be calculated and compared.

The only thing I don't know is when the authenticator needs the seed - does it check against RSA's system or does it just log the seed value internally. Or why RSA keeps the seed once it's been registered (perhaps to allow multiple authenticators to use the same keyfob?).

Re:Mod parent up. (1)

neonsignal (890658) | more than 2 years ago | (#37688184)

Of course, if the generator was based on a public/private key system instead of a block cipher (i.e., encrypting the time stamp using the private key), then there would be no need for the private 'seed' to be stored anywhere outside of the security token. The number would be a digitally signed timestamp.
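Worked example, added here and not from any commenter or from RSA: the seed-based token design tlhIngan describes above (shared seed, serial lookup, matching 6-digit code) next to the signed-timestamp alternative neonsignal proposes. Assumptions: HMAC-SHA1 with dynamic truncation (the HOTP/TOTP construction) stands in for SecurID's proprietary algorithm, a 60-second window, Ed25519 for the public-key variant; the serials, seed and time are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Seconds per code window. Assumption for this example, not SecurID's parameter.
const step = 60

// timeStep encodes the time window containing t as an 8-byte big-endian counter.
func timeStep(t int64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(t/step))
	return b
}

// ---- 1. Seed-based token (the design described in the thread) ----
// Token and authenticator share a per-token secret seed and derive the same
// code from the time window, so whoever holds the seed database can reproduce
// every token's codes without possessing a token.

// SeedDB is the authenticator's lookup table: token serial -> secret seed.
type SeedDB map[string][]byte

// TokenCode derives the 6-digit code for the window containing t using
// HMAC-SHA1 with dynamic truncation (HOTP/TOTP). SecurID's own algorithm is
// proprietary and differs, but the seed-sharing property is the same.
func TokenCode(seed []byte, t int64) string {
	mac := hmac.New(sha1.New, seed)
	mac.Write(timeStep(t))
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifySeedCode is the authenticator's check: look the seed up by serial,
// recompute the code for this window and one window either side (clock drift),
// and compare in constant time.
func VerifySeedCode(db SeedDB, serial, code string, t int64) bool {
	seed, ok := db[serial]
	if !ok {
		return false
	}
	for _, d := range []int64{-step, 0, step} {
		if subtle.ConstantTimeCompare([]byte(TokenCode(seed, t+d)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// ---- 2. Signed-timestamp token (the alternative suggested above) ----
// The token signs the time window with a private key that never leaves it; the
// authenticator stores only public keys, so a copy of its database cannot be
// used to impersonate any token. Ed25519 is this example's choice of scheme.

// PubDB is the authenticator's table for this design: serial -> public key.
type PubDB map[string]ed25519.PublicKey

// SignedCode is what the token would emit: a signature over the time window.
func SignedCode(priv ed25519.PrivateKey, t int64) []byte {
	return ed25519.Sign(priv, timeStep(t))
}

// VerifySignedCode checks the signature with the stored public key only,
// allowing the same one-window clock drift as the seed-based check.
func VerifySignedCode(db PubDB, serial string, sig []byte, t int64) bool {
	pub, ok := db[serial]
	if !ok {
		return false
	}
	for _, d := range []int64{-step, 0, step} {
		if ed25519.Verify(pub, timeStep(t+d), sig) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data: one token of each design at a fixed sample time.
	t := int64(1318000020)
	seed := []byte("constructed-sample-seed-0001")
	seedDB := SeedDB{"SN-1001": seed}
	code := TokenCode(seed, t)
	fmt.Println("seed-based code:", code, "accepted:", VerifySeedCode(seedDB, "SN-1001", code, t))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubDB := PubDB{"SN-2001": pub} // holds no private material
	fmt.Println("signed code accepted:", VerifySignedCode(pubDB, "SN-2001", SignedCode(priv, t), t))
}
```

The contrast is the point of the thread: in design 1 the SeedDB is equivalent to every token it describes, while in design 2 the PubDB only verifies.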

Re:Defective as designed. (1)

el_tedward (1612093) | more than 2 years ago | (#37686678)

Bit of a plug for some people I have met, but if you check out Duo Security, they have some neat stuff where you can avoid the whole adding a second password as two factor authentication. Instead, you're authenticating a login through your phone (can either be through their app, or a phone call from a nice robotic lady). They also offer methods similar to RSA's. I don't know off the top of my head if you can configure it to only allow certain types of two factor auth.

Re:Defective as designed. (1)

PopeRatzo (965947) | more than 2 years ago | (#37686852)

Any design that held all the keys in a central database that was not changeable by the end-user organization was defective-as-designed, IMHO.

Private industry: Defective by Design.

Re:Defective as designed. (0)

Anonymous Coward | more than 2 years ago | (#37686926)

I was horrified when I heard about how they operated. I had assumed that these RSA fobs were one-time pad type things where the client's (of RSA) server and the fob were the only copies of the pad.

When I learned how it really worked I was amazed that it hadn't been cracked sooner.

Poor Threat Model (1)

Anonymous Coward | more than 2 years ago | (#37686456)

They only have themselves to blame if their threat modeling didn't take into consideration a possible attack from an entity with the means of an intelligence service or nation. Either that, or they sold their customers a false sense of security.

Unwilling to name for good reason (1)

ThePeices (635180) | more than 2 years ago | (#37686464)

Im not at all surprised that they are not saying what nation they suspect.

RSA cannot prove, beyond reasonable doubt, which country is the criminal. Naming any country without significant proof will cause more harm than good.

They suspect a nation, but without better proof, the media shitstorm that inevitably results, will cause far more harm to the company than the hack itself has.

Re:Unwilling to name for good reason (3, Insightful)

msobkow (48369) | more than 2 years ago | (#37686810)

Then it's unreasonable for them to assume it requires a "nation state" to perform the attacks. Some of the cracker groups out there are very, very skilled and have a lot of resources available to them.

But it would be embarrassing for them to admit a loosely organized bunch of people could get past their much-vaunted security. Better save face and paint pictures of a ghostly "nation state" so they don't look incompetent.

Re:Unwilling to name for good reason (0)

Anonymous Coward | more than 2 years ago | (#37687170)

Then it's unreasonable for them to assume it requires a "nation state" to perform the attacks. Some of the cracker groups out there are very, very skilled and have a lot of resources available to them.

But it would be embarrassing for them to admit a loosely organized bunch of people could get past their much-vaunted security. Better save face and paint pictures of a ghostly "nation state" so they don't look incompetent.

Or more likely is that an un-named "three letter" agency has told them not to go around naming names. Sometimes in Intelligence you don't want to reveal too much of what you know, as it will also reveal how you got the information.
There's also the classic method of information "trolling", where you talk a bunch of shit about how you are absolutely sure it was a nation-state, meanwhile continuing your surveillance of the small, independent organization who are sitting around laughing and saying "Oh, look at those incompetent fools, they think it was China/Iran/Korea/Russia/England. Our methods worked so well they have no clue, so we'll keep using the same cover since we think we're safe."

And no, I'm not wearing a tinfoil hat, thankyouforasking. That's just how the game is played.

Re:Unwilling to name for good reason (1)

Frosty Piss (770223) | more than 2 years ago | (#37687330)

Sophos security researcher Graham Cluley questions how RSA has concluded that a country was responsible for the attack — when RSA is unwilling to name who it suspects.

Why would they lay all their cards on the table? They don't need to prove to you and me that they know who did it, though the perps certainly now know that RSA knows they did it. I mean, that RSA is "unwilling" to tell Sophos does NOT mean that RSA has told no one.

And, RSA and Sophos have commercial interests and relationships in some of the same business markets, why would RSA tell them anything?

Re:Unwilling to name for good reason (1)

stephanruby (542433) | more than 2 years ago | (#37687488)

Just name the country where the tracks disappear. Whether the country was the source, or just used as a patsy. Everyone needs to know where the hackers were last spotted.

So far, only Google has had the balls to do that. If RSA is not willing to risk all its future business with the country in question (like Google did), then they should just pull out from our country. A technology security company cannot have two masters.

FAIL (0)

Osgeld (1900440) | more than 2 years ago | (#37686468)

"Security firm RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company's SecurID two-factor authentication products."

Yea real fucking secure there chief.

Surprisingly Poor Security Policy (5, Insightful)

LazLong (757) | more than 2 years ago | (#37686502)

RSA should never have allowed systems containing anything related to SecurID beyond marketing data to be connected to a network with an Internet connection. SecurID development should have been restricted to a physically separate (air-gapped) network.

Why would I ever want to trust any security company who would make such a fundamental mistake?

Re:Surprisingly Poor Security Policy (3, Insightful)

Grishnakh (216268) | more than 2 years ago | (#37686520)

Why would I ever want to trust any security company who would make such a fundamental mistake?

Because you like to play golf with their sales rep and he takes you out to expensive restaurants?

Re:Surprisingly Poor Security Policy (0)

Anonymous Coward | more than 2 years ago | (#37686568)

Don't forget the free hats and backpacks!

Re:Surprisingly Poor Security Policy (1)

Anonymous Coward | more than 2 years ago | (#37686592)

No strip clubs? I'll ditch them for another vendor!

Re:Surprisingly Poor Security Policy (0)

Anonymous Coward | more than 2 years ago | (#37687068)

For one, when I worked for the federal government, such actions would be illegal. For another, I wouldn't be caught dead playing golf. But the real and true reason is that I specify/design solutions that best fit the requirements as I have to live with the consequences. A fleeting dalliance can't compete with that.

shouldn't it be obvious which nation is doing it? (1)

Karmashock (2415832) | more than 2 years ago | (#37686550)

I don't say that like I actually know. I'm just saying that clearly one nation or another should benefit more than others, especially when you trace how this is used. The nation that benefits is almost certainly responsible. After all, why would a third party try to protect a different nation's image? Seems improbable. So it should be fairly easy to guess who is up to no good.

It had to be a nation-state... (5, Insightful)

arglebargle_xiv (2212710) | more than 2 years ago | (#37686570)

...because having to admit "we got 0wned by some random script kiddie" would be just too embarrassing.

Re:It had to be a nation-state... (1)

Mr. Underbridge (666784) | more than 2 years ago | (#37686768)

We have a winner!!!!

Kind of like when you get your ass kicked in a bar fight, when you tell the story the guy was definitely a heavyweight boxer. Couldn't be you just got your ass whupped by a girl.

How do I say "Nation State" (0)

Anonymous Coward | more than 2 years ago | (#37686586)

. . . in Chinese?

security?.. prove it Ahole (0)

Anonymous Coward | more than 2 years ago | (#37686594)

So why is no one auditing these claims of security by RSA...
I guess they left it all on a public FTP...
RSA is just another scumbag big corp stealing from other lazy big corps... But they had pretty pictures in their presentation....

It was really.... (1)

haltline (125737) | more than 2 years ago | (#37686600)

Meanwhile, two teenage boys are laughing their asses off. They would have continued but it was a Warcraft raid night.

That's interesting, but you still messed up. (1)

Eponymous Coward (6097) | more than 2 years ago | (#37686606)

There are lots of groups who would love to have a copy of RSA's SecurID database. Frankly, I don't really care what part of the world the attackers came from. The bottom line is that RSA messed up big time with some very basic stuff. I don't see them as a victim and am a little disturbed that their chairman would have anything other than apologies for their incompetence and poor handling of the situation after the attack. It would be nice for him to also explain how this type of attack could not succeed again.

Really Stupid Assholes. (1)

mevets (322601) | more than 2 years ago | (#37687452)

1. Make up big numbers
2. ....
3. Profit!
Worked for years, until:
4. Totally Fuck Up the very thing you depend on
5. Cry Espionage
6. Bankrupt.
Bye!

Pure spin... even if it's true (5, Insightful)

swillden (191260) | more than 2 years ago | (#37686616)

It really doesn't matter whether this was a targeted, sophisticated attack or not. The fact is that if RSA had done a decent job of securing its keys it wouldn't matter who was attacking them.

Any company with secret keys remotely as valuable as RSA's should have generated them and managed them ONLY in high-security HSMs (host security modules) configured to refuse to ever divulge the keys under any circumstances, except to securely transport them to another HSM. That plus reasonable logical access controls on the HSMs, with separation of authority for all important operations, and strong physical security around the HSMs makes it virtually impossible for any attacker, no matter how skilled, sophisticated or well-funded, to get at the data.

This really isn't rocket science. Lots of banks and lots of other security-conscious companies do this sort of thing all the time. Given who RSA's clientele was, if they'd gone to the NSA and asked for help they'd have gotten all the free consultation they needed from some of the best there are, if they'd needed it. Which they shouldn't have.

Whether it was a sophisticated team from a world superpower or a couple of random script kiddies is really just a question of how much gross negligence.

Not credible (1)

gweihir (88907) | more than 2 years ago | (#37686628)

RSA has good reason to make the attackers as scary as they can. After all, from the details available it sounds like this was a relatively easy hack. Advanced, but easy. If they admit that, they look like the incompetent and arrogant hacks they apparently are.

My advice is to not buy anything from them at least for a few years.

RSA? (0)

Anonymous Coward | more than 2 years ago | (#37686650)

... A sheepish interloper of dubious phylogeny and known lack of brains.

LOL

Does it rhyme with "vagina"? (0)

Anonymous Coward | more than 2 years ago | (#37686666)

If RSA is reading this, could you give us a hint as to what country it could be? For example, could you tell us if the nation state rhymes with the word "vagina"?

Re:Does it rhyme with "vagina"? (0)

Anonymous Coward | more than 2 years ago | (#37686802)

Hmmm.... let me check for you. Isrina.... nope, doesn't rhyme with vagina.

Re:Does it rhyme with "vagina"? (0)

Anonymous Coward | more than 2 years ago | (#37687198)

If RSA is reading this, could you give us a hint as to what country it could be? For example, could you tell us if the nation state rhymes with the word "vagina"?

I know they have a funny accent and all, but "England" does not rhyme with "Bearded Clam".

Bullcrap (2, Insightful)

Oriumpor (446718) | more than 2 years ago | (#37686688)

I spend a week a year listening to crap like this for hour after hour. In 2010 everyone said (and still this year the big Security firms are still clueless) that the PLC attack against the Siemens controllers "Was an extremely sophisticated attack" blah blah blah "nation state" blah blah blah.

This is based on the following:
1. Obviously the 2 signed pieces of code would have required real human assets.
2. The PLC controllers are incredibly sophisticated and expensive.
3. The method of infiltration was extremely well planned.

Until earlier this year I was spouting the same crap... then an individual busted Comodo wide open. Then later Diginotar (as if Comodo wasn't evidence enough.) So, check: #1 no longer requires human assets.
Then I saw a talk that blew #2 and #3 out of the water. A relatively low-funded talk (about 6k) was done, where an individual (not a team, not even two people) was able to identify a direct backdoor that provided shell access into all PLCs of the model applicable in the Stuxnet attack, and could perform the attack without the need of the configuration stations...

THERE WAS NO NEED FOR A USB PAYLOAD TO BOOTSTRAP THE COMPILER! You could actually login, and patch the damn executables on the plc itself using the backdoor.

My conclusion about 30 seconds after these things were demonstrated (on the actual PLCs) was that it probably did take a team of engineers to create the Rube Goldberg that was Stuxnet, but it didn't involve anyone at Siemens (since when confronted with the researchers' findings, they acknowledged them, saying they were already aware.)

Since the RSA attack is like three steps down from that, I would say that RSA is trying to perform damage control with their shareholders since in terms of sophistication a user clicking a malicious URL in an email is sooooOoo 1999.

Re:Bullcrap (2)

hism (561757) | more than 2 years ago | (#37687210)

Wait, I don't see how the security breach at Comodo rules out #1. Maybe I'm not understanding CAs correctly, but the two situations have a big distinction. In the Comodo case, somebody breached Comodo, a CA authority, and issued new CAs which could be used by a malicious site to claim that they are some other trusted site. In the case of Stuxnet, already-issued CAs for Realtek and JMicron were stolen to sign malicious drivers. CAs that had already signed legitimate drivers in the past. Aren't these two cases a bit different? I'm not saying that the CAs at Realtek and JMicron couldn't have been stolen without real human assets, but how does the Comodo case change anything?

Re:Bullcrap (1)

Anonymous Coward | more than 2 years ago | (#37687248)

None of this is accurate. Stuxnet was not considered sophisticated for any of the reasons you mentioned, and #1 was literally never suggested by anyone of note as it is obviously untrue. Stuxnet was considered advanced because it was covert in a number of ways, targeted a specific air-gapped network, and most importantly it used four different 0-days.

Finally, while it may have been unnecessary to subvert the compiler, the specific target they wanted used them and it was far more covert.

Re:Bullcrap (0)

Anonymous Coward | more than 2 years ago | (#37688132)

I mostly agree, but do you have anything I can read on "(since when confronted with the researchers' findings, they acknowledged them, saying they were already aware.)"?

Thanks.

Not that sophisticated... (5, Insightful)

Vellmont (569020) | more than 2 years ago | (#37686770)

The article is correct. APT is merely a buzzword to throw around to make the attack sound sophisticated. It was certainly a good attack, but it's hardly something that requires the resources of a "nation state". Individuals are constantly finding software flaws that are more sophisticated than what RSA was hit by. The attack merely combines social engineering (getting the victim to open the spreadsheet), a hidden payload of Flash packaged inside it, and a flash exploit. None of those are really that sophisticated, or particularly new.

I don't think any details have been given about what happened once the initial machine was owned. But given that RSA is already trying to hack into something resembling "the hack of the century", AND the fact they didn't reveal tokens had been stolen until AFTER a stolen token was used in a Lockheed Martin attack, I'd say the opinion of RSA on who was involved can't be trusted.

Speculation of the attacker based on who has an interest in breaking Lockheed Martin is meaningless. I could come up with a dozen different explanations, all equally plausible that wouldn't involve a nation state at all. Perhaps the first attacker breached RSA, then sold the stolen tokens to some other hacker. Without evidence to keep us honest, we can make up whatever theories we like.

Yes, but RSA's internal procedures are BS anyway (0)

Anonymous Coward | more than 2 years ago | (#37686784)

I'm sure it was a nation state, but RSA is a disorganized circus internally, so I'm sure it wasn't that hard to hack them.

Blame Canada (0)

Anonymous Coward | more than 2 years ago | (#37686786)

They are way sneakier than most people (Americans) think...

iCoffin (-1)

Anonymous Coward | more than 2 years ago | (#37686870)

To celebrate the life of Steve Jobs, in anticipation of his death, Steve Jobs prepared the iCoffin.

A plain white coffin with rounded corners and no hinges, as hinges tend to confuse the user. How a corpse can be confused is anyone's guess. Maybe Jobs plans to come back as a zombie.

The iCoffin made its debut at the funeral of Steve Jobs. His funeral was not an open casket as opening the casket would void the warranty.

the real culprit is: (0)

Anonymous Coward | more than 2 years ago | (#37687034)

Might as well claim a Leprechaun did it given the evidence RSA isn't coughing up.

seriously... (0)

Anonymous Coward | more than 2 years ago | (#37687086)

why didn't they use their own technology for security (at least, I'm assuming they didn't)? Because I haven't heard of anyone proving the Riemann hypothesis....

Iran did it.. (1)

AftanGustur (7715) | more than 2 years ago | (#37687186)

Actually, Iran is currently one of the most active APAs (Advanced Persistent Adversaries).

Re:Iran did it.. (0)

Anonymous Coward | more than 2 years ago | (#37687536)

At least they don't go around attacking and bombing places to shit.

Re:Iran did it.. (0)

Anonymous Coward | more than 2 years ago | (#37687826)

Hmm, APA, why not change that label to Advanced Persistent Entity and get to call them APEs. That seems to match much more closely to what's required for these kinds of hacks. Then again, virtual random monkeys have been able to rewrite Shakespeare's works as well.

Re:Iran did it.. yeah right (0)

Anonymous Coward | more than 2 years ago | (#37688220)

So much shit is being piled on Iran, most of it without any evidence. Seems quite obvious Iran will be next in line after Afghanistan and Iraq. And not just geographically. Such sickening propaganda smear.

No comment from the Elbonian Ambassador (0)

Anonymous Coward | more than 2 years ago | (#37687264)

n/t

How about USA? (0)

Anonymous Coward | more than 2 years ago | (#37687782)

haha, I am amazingly surprised that no one suspects USA!
USA is the most innocent riiighht?
USA isn't the one who is ditching privacy for your public security, right?
oh yeah..

Re:How about USA? (1)

gl4ss (559668) | more than 2 years ago | (#37688098)

usa doesn't act as a nation-state.
only very small nations are capable of that, so it's probably some island state on the pacific.

even if it was 100 guys from china funded by some government douche, it still wouldn't qualify as china acting, there would be 100 generals who would have been against it if it had been brought up at a general assembly of the party.

but what real assets would they have recovered using the hack? friggin nothing, they could just buy the necessary cad sw, the necessary automatic 3d cnc routers etc if they really wanted to make something and had a budget.

Don't worry, their Canadian Girlfriend fixed it (1)

Rogerborg (306625) | more than 2 years ago | (#37687958)

Which is handy, because they'd have been really screwed if A Wizard Did It.