RSA Explains How It Was Hacked

In the end, even computer security companies suffer from the kind of human failings that make securing computers such a challenge. That’s at least one lesson to draw from the explanation from RSA, the company which makes the widely used security tokens like the ones in the picture. It disclosed last month that it had come under an “extremely sophisticated attack,” and that some information concerning the tokens has been taken by unknown attackers.

Initially, it released no details about how the attack was carried out. Now, RSA–which is a unit of storage giant EMC–has gone into some detail concerning how its systems were breached, in a blog post by Uri Rivner, whose title is Head of New Technologies, Identity Protection and Verification. It all started with phishing emails. Over the course of two days, two groups of emails were sent to a small group of employees, none of them high profile, nor apparently especially senior. Though RSA doesn’t spell out who received them, the emails may well have gone to the human resources department or some other quiet corner of the company. The emails contained an Excel spreadsheet attachment entitled “2011 Recruitment Plans.” Naturally it was created to look just believable enough that one of the employees who received it fished it out of the spam folder to which it was initially directed and opened it. You can probably fill in most of the blanks from here.

The spreadsheet contained a Zero-day exploit that took advantage of a weakness in Adobe Flash, which has since been patched. Through that hole, attackers were able to install anything they wanted on the target machine. They chose a version of a program called Poison Ivy RAT, and in this case RAT stands for “remote administration tool,” a program that is used to control one computer from another in a different location.

Armed with remote access to the target machine, the attackers then set about gaining deeper access to RSA’s corporate network. Like a person masquerading as a real employee searching a company’s building for a set of master keys, these attackers carried out a series of attacks designed to escalate the level of access they had to the system. They gathered login credentials from the relatively low-level accounts they compromised at first, including usernames, passwords, and domain information, then went after higher-value accounts with more access.

Once that was done, they started working on the real job: Finding the data they wanted to steal, and then extracting it from RSA’s systems. They gathered what they wanted, collected it in a “staging area,” compressed it, and then downloaded via FTP.

Still unexplained at this point: What information was taken, and does it in any way affect the integrity of its own security products? When the attack was first disclosed, the company said that some information about its SecureID products was taken by the attackers. This has led to a lot of questions and speculation by security pros who naturally have to think about the worst-case scenario, and frankly, there are many for which the adjective “worst” would apply.

The big looming question is whether or not the attacker gained access to the seeds–the random keys embedded in each token–that are used to generate the constantly changing numeric codes that appear on the device’s display. For instance, in one scenario described by David Scheutz of the Intrepidus Group, the attackers might have found a list of seeds and token serial numbers. Once you have the serial number of an individual token, you can then create your own token that would allow you to impersonate that user on whatever systems they use.

That scenario, which is only one of four on Scheutz’s list, is potentially pretty scary. As of 2009, some 40 million RSA tokens were in use securing networks at companies large and small and at numerous government agencies. And aside from the hardware tokens, software that mimics them runs on some 250 million smart phones.

When it first revealed the attack, RSA said it was “confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” though it did say it thought the information taken would make attack easier. Hopefully RSA has more to say about all this in the coming days.

Separately, EMC said today it has acquired privately held NetWitness, which specializes in network security analysis. NetWitness provides “precise and pervasive network visibility” which gives companies the ability to detect and cope with “advanced threats” while automating the investigation process. NetWitness will operate within RSA. Financial terms have not been disclosed, but judging by the description of this attack, it seems like a timely acquisition.