Tuesday, April 12, 2011

The RSA Attack

I've worked with RSA Security since my days as an informatics fellow when I first used SecurIDs as part of my early health information exchange work.

Just as I was transparent about the CareGroup Network Outage in 2002, RSA has shared all the details of their recent security breach.

It all started with a well crafted phishing email to a non-technical staff member with the subject line “2011 recruitment plan”.

Attached to the email was an excel spreadsheet that contained an exploit for a known vulnerability in Adobe Flash.

The exploit installed a hard-to-detect remote administration tool named Poison Ivy on at least one RSA computer.   The end result was that an attacker gained access to the RSA network.

The attackers moved from system to system harvesting accounts until they came across those users who had highly privileged access to sensitive systems and data.

An internal staging system was “created” to collect, encrypt and transmit back up lists of usernames/passwords to systems.

Confidential material related to SecurID technology was FTPed to a remote site.

The attackers have not been identified.

The attack was remarkably sophisticated and illustrates the evolution of cybercrime over the past 10 years.    Here are the 4 principal stages:

1st Generation – Because I can
Worms, defacement of web sites

2nd Generation – I can make money
Botnets appear, denial of service attacks, seeking payment to stop attacks

3rd Generation – Organized crime
Large scale management of attacks, coordinated use of tools and techniques, trojans, worms Phishing, targeted attacks

4th Generation – Selling the tools
Tools to perform attacks become “vended” with 24/7 support available, Botnet rentals, sophisticated Id theft services, Licensed Malware appears, Exploit knowledge is sold.  Social Networks just for cybercriminals appear.  Cybercrime supply chains are formalized and fine tuned.

I've described security as a Cold War - the faster we implement protections, the faster the cybercriminals innovate.

Thanks to RSA for sharing their experience with the rest of the industry.


Ivan said...

First, thanks a lot for your blog! I have recently taken a position of a Healthcare architect with a software vending company and your blog contains a lot of information that I am learning from.

I wonder, did RSA notify the enterprises whose employees' identities have been compromised? Did this attack entail major overhaul of securIDs/accounts for any of the RSA's clients?

Alan said...

It has been reported that RSA have been sharing details about what was stolen with certain companies under an NDA.

A detailed account of how the hack was done is available on RSA's own blog:

My 2 cents: Targeted attacks based on research and social engineering are almost impossible to stop. As someone at the NSA stated in December: "The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in."

If you have something that needs protecting, better isolate it and lock it down tight i.e. very restricted physical and network access, and no e-mail, web browsing, etc.

David said...

I'd argue RSA has been anything but candid about the attack. The nature of the compromised data, about which it has been silent, has a huge impact in the efficacy of the two-factor solution.

It would appear, based on the advisories and best practices published by RSA, that token seeds were compromised. If that is true, it's unconscionable for RSA not to disclose the exact threat its customers now face. If not, then RSA needs to explicitly say so.

Great blog, BTW. I just see this incident as an example of exactly what *not* to do in the event of a data breach.

Ryan said...

Sadly, many of these attacks are not brute force, but merely take advantage of under-educated employees with little techincal knowledge. Make an email look the least bit legitimate and they'll open any attachment you provide them.

Basic education on computer and internet security needs to be provided for all employees, especially at companies like RSA, but also in the healthcare world as systems get more exposure to internet. Ignorance is a hacker's best tool.

Guy St. Clair said...

And thanks to you, for sharing this important information, especially the four stages. Very important information that we need to have (and which a lot of folks just don't think about). Appreciate the post.