Tag Archives: hack

Autopsy of RSA Attack

From the Security Site at ITPRO

The RSA hack was months ago now, but the file and email which helped compromised the security giant has just been found.

By Tom Brewster, 26 Aug 2011 at 15:36

F-Secure believes it has discovered the file and the email which helped crack EMC’s security arm RSA, in what became one of the most famous hacks in history earlier this year.

 

Timo Hirvonen, an F-Secure analyst, doggedly pursued the XLS file used to hack RSA even after others had given up the chase. Hirvonen created a tool to analyse samples for a Flash object, which was used to exploit the target’s system.

“The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG),” an F-Secure blog read.

“When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3 March, complete with the attachment 2011 Recruitment plan.xls. After five months, we finally had the file. And not only that, we had the original email.”

The email which was sent to a single EMC employee, with two others CC’d in, was made to look like it came from Beyond.com, a career network.

The subject line read “2011 Recruitment plan” and the body copy contained just one line: “I forward this file to you for review. Please open and view it.”

Once the file was opened the Flash object was executed by Excel, using a vulnerability to write code on the victim’s machine and then drop a Poison Ivy backdoor to the system. Excel is then closed automatically and the infection is done.

What we think…

It’s clear the email which duped EMC was pretty simple. Certainly it would be unadvisable to trust an email which contains just a single line.

This only emphasises the need for further education amongst workforces about spear phishing. It seems even workers at security firms aren’t getting the message, which would be laughable if the connotations of the RSA hack weren’t so serious.

Tom Brewster, Senior Staff Writer

“After this, Poison Ivy connects back to it’s server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time,” F-Secure said.

“Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.”

As F-Secure noted, the attack itself did not appear to be hugely sophisticated, although as the vulnerability was a zero-day there was no way RSA could have protected itself by patching.

“Was this an advanced attack? The email wasn’t advanced. The backdoor they dropped wasn’t advanced. But the exploit was advanced,” F-Secure added.

“And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we’d say the attack is advanced, even if some of the interim steps weren’t very complicated.”

The hackers who went after RSA wanted the company’s SecureID information so they could hit US Government contractors, including Lockheed Martin.

Following the Lockheed attacks, RSA offered token replacement for customers “with concentrated user bases typically focused on protecting intellectual property and corporate networks.”

Simple Great Passwords v Cracking Dictionaries For Rent

 

Anyone who deals with projector or media players should certainly have good password practices. It would be logical that anyone who passes security keys around should also figure out a pattern for creating passwords.

The article’s idea of putting in the last letter of the site associated with the password is a good first stop. So, the password for dcinematools would start with an ‘s’, and since it is easier to have most letters following be small letter, making the ‘S’ capitalized is a second good stop. 

One imagines that eventually hackers will start putting the letters of typical phrases into their dictionary cracking databases. I find it easier to use the letters of some object that is in front of me all day, but never a whole word. So, if the American Heritage Dictionary is in front of me, I might choose the first three letters from each word, and put a number in between each, with one of them being shifted to a symbol. I also have found that I give numbers based upon sensitivity, so that public sites which might have their data stolen get higher (or lower) numbers while more secure sites get the opposite. 

Like all matters dealing with responsibility for other people’s assets (equipment, art, friendship…), passwords are a sometimes pain, often done away with without penalty, but important that one time that it was required. Having a pattern will, in this case with the human-machine relationship, make things easier the one time that it might matter.