Samples of the ~40 million SecureID Tokens the RSA replaced as a result of the hack.
I am frustrated, the information disclosed by F-Secure about how the RSA was hacked is appalling.
There are lots of layers to security and in all fairness I hold no technical information security certifications. I do know that the weakest link is usually the human being sitting at the keyboard. In this case someone at RSA – a security firm opened an Email that had just:
I forward this file to you for review. Please open and view it.
No signature, nothing, nada. It had an Excel file attached 2011 Recruitment plan. They opened it. They got infected by a zero day flash exploit embedded in the Excel file.
The RSA got “Owned”
I am frustrated because I know this happens every day all over the world and were it not so sad it would almost be laughable how easy it is to compromise computer systems. I could talk about all the apparatus that failed the RSA in this case, but in the interest of time I am going to focus on one:
Why did the RSA allow traffic to a known Malware site?
The site that the payload (Poison Ivy) contacted was mincesur.com which according to F-Secure:
“The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”
WHAT?!?!?
Then why on earth is the RSA allowing it’s systems to access that site? I did an arin.net lookup for the IP address for mincesur.com (119.70.119.30):
I can understand a company like the RSA needing access to the APNIC space, though most of us do not. Specifically though, why would they route traffic to a address/domain that is known to be used in espionage attacks? Since we already established that the user failed to identify a threat what about the other devices and mechanisms in the transaction that occurred between the computer that was infected?
Touch #1 – DNS Lookup
When the Poison Ivy payload asked the DNS system what IP address micensur.com had, the DNS servers at RSA promptly gave them the known threat’s IP address. It is possible and useful to add records for known malicious domains to resolve to something harmless such as loopback 127.0.0.1 (basically the payload would try to connect to local machine itself). Failed.
Bonus info: This can even be over-ridden and handled by a hosts file on an individual computer. (An example is at Malwarehelp.org)
Touch #2 – Antivirus Software
Endpoint Security software can block access to known malware websites. Failed.
Touch #3 – Router
One or more RSA Routers were touched in the process. Without a router a computer cannot communicate with systems outside of its own network. Routers can maintain black lists or null routes to avoid traffic coming from or going to known malicious sites. The router(s) in this case happily sent and received traffic from the known malicious host. Failed.
Touch #4 – Proxy Server (Optional)
Many companies use a proxy server or transparent proxy server to store copies of frequently accessed files to avoid them from having to be downloaded every time. A Proxy server can optionally be used to provide additional protection including domain based filtering. Since micensur.com was a known malware domain this could easily have been blocked by a proxy server. Failed.
Touch #5 – Intrusion Detection/Prevention Device (IDP – Optional)
These are usually definition based devices that look for traffic that matches a known malicious definition. Such as traffic coming from or going to a known malicious website. Failed.
Touch #6 – Firewall
Even many small companies have firewall hardware. Firewalls allow for much more complex rules about what kind of traffic can go where and even when. Firewalls are the ultimate traffic cops for networks. There are a number of ways that a properly configured firewall could have prevented this infection. Failed.
Is it time to re-prioritize?
With so many chances to block this from happening, how is it that a company like RSA, that is involved with security products is not better protecting themselves from threats? I’m sure they have made changes as a result but with a reputation for having things locked down, I find it excruciatingly curious that they allowed traffic to a known malicious site, don’t you?
Is it time push information security higher up the priority list?
Image credit br1dotcom, creative commons.
[…] criminals and countries that harbor them. This idea actually came to me as a result of writing an article about the RSA hack that resulted in a re-issue of all of their secure-ID products. I learned that the host that the […]