One of the biggest security news stories of the past few weeks was the security breach at RSA, where a still unidentified attacker managed to gain access to email accounts, corporate data, and other information at security firm RSA, which is a division of EMC Corporation. This was especially troubling news, since the RSA SecurID token (pictured below) is used by thousands of companies across the globe to provide secure two-factor authentication services.
Just how the attacker managed to get inside RSA's security system was revealed in a blog post by RSA's Uri Rivner. The method the attacker used to gain access was a comparatively simple one: a series of targeted emails were send to select RSA employees, and the file attachment -- in this case a Microsoft Excel spreadsheet -- was used to deliver malicious code that exploited a security flaw in Adobe Flash to install some software allowing the attacker remote access to systems within RSA.
Here are some additional details from Rivner's post:
The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”
The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls. The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).
As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.
It's currently unclear if the attacker was able to gain access to the code generation algorithm used in SecurID tokens, and both RSA and EMC have been silent on the issue. Given that lack of information IT administrators may want to assume that the logic behind the generation of SecureID codes has been compromised.
I’m currently working on an article that provides some tips, advice, and best practices to help protect you (and your organization) against phishing attacks. Once that article is finished I’ll link to it from here.
Do you currently use RSA SecurID tokens to provide security in your organization? Let me know what you think about the RSA breach news by commenting on this blog post or following me on Twitter.Follow Jeff James on Twitter at @jeffjames3
Follow Windows IT Pro on Twitter at @windowsitpro