In the 2004 techno cop thriller, I Robot, the serenity of life with computerized robots used as servants and for public services is disturbed by one rogue element – human-like reasoning.
That’s the same element it turns out that disturbed the serenity and shook the foundation of RSA’s SecureID, which was engulfed in a hack a few weeks ago. The hack that was originally described as “extremely sophisticated” now appears to be a common spearphishing attack exploiting a since-patched zero-day vulnerability in Adobe Flash.
In other words, a user was social engineered into opening a file that contained a nasty payload. In addition to his/her rogue tools, the hacker needed only one other item; an email address tied to a potentially lucrative big company domain name. The attack is nothing new and perhaps is one of the frightening aspects in light of the email address thefts in this week's Epsilon revelation.
RSA laid out the anatomy of the attack on its network in a blog post.
The blog describes how an RSA employees pulled an email out of quarantine, opened the enclosed Excel spreadsheet labeled “2011 Recruitment Plan,” and unwittingly launched the exploit. A remote admin tool was installed and used to control the user’s machine. From there, user account exploration and elevation of privileges began to fan out in an attack called an advanced persistent threat (APT).
Unfortunately, RSA, which was speedy with its initial disclosure of the attack, has yet to disclose the sensitivity of the data compromised.
But the details of the spearphishing strike on end-users pours fuel on concerns coming out of the Epsilon breach, which is spread over 40 companies and millions of users.
The company is admitting that email addresses were stolen, but that no other sensitive data was taken.
Perhaps that comes later.
Armed with the email addresses of users, spearphishing attacks can be targeted through employees at specific large companies. It doesn’t have to start at the top, in fact, the RSA attack involved neither “high profile or high value targets,” according to the company.
These attacks are the kind of exploits that hit at the weakest part of the network, the human element.
The lesson perhaps for those engulfed in the Epsilon mess is that distrust rather than trust is a better way to manage an in-box. Companies are best advised to (again) educate the human end-points of their networks.
RSA helped ferret out its problem with a tool from NetWitness, a company that RSA-parent EMC bought yesterday and announced its addition to the RSA security team.
The bottom line is that security defenses are being redefined, attack vectors are shifting, and the good guys need to get more layers and sophistication.