RSA Fail - Security Lessons Unlearned

Friday, March 18, 2011

J. Oquendo


After reading the public disclosure of RSA being compromised, my eyebrows were raised because of the sensitivity of applications under RSA's umbrella.

The wording from RSA is a bit puzzling:

"We have determined that a recent attack on RSA's systems has resulted in certain information being extracted from RSA's systems... does not enable a successful direct attack" on customers but could potentially compromise guarded networks in a "broader attack" in the future.

This seems to be a "ye olde cover your behind" type of statement. We don't know/understand what is going on...

Security Fail

Aside from their statements, security pros have to wonder about the security state as a whole, when the founders of "two factor" key fobs take a hit. From an external point of view, one would believe that in the event someone compromised a machine inside of RSA, their own security - two factor key fobs - would have prevented escalation between other machines.

Speaking from the attacker perspective, in order for me to "extract certain information," as an attacker I would have to know where it is being housed. In order to do so, I would have to either know exactly where this information is located beforehand, or fiddle around with their systems enough to know that I stumbled upon the jackpot.

Think about this as a security professional performing a "blackhat" test against RSA. So somehow I manage to get into one of their systems, so what? Where have I landed? I could use deductive reasoning and say something like: "development.db.rsa.com" looks promising, let me get in there.

Herein lies the problem:

1) If RSA was using two factor authentication, the likelihood of me getting on that machine is low.

2) There is no guarantee I hit the jackpot; I am using deductive reasoning in "going for the gold."

3) How much time would/should/do I spend before I potentially trigger an alarm?

Outside of those obvious tidbits, as a security professional, I wonder how long the attacker or attackers were inside of their network. In the case of my #2 (deductive reasoning), I would like to believe someone was asleep at the helm, considering that I would think RSA would have some form of Data Loss Prevention or SIEM in place.

DLP may have prevented or at least alerted someone to an anomaly. This makes me believe that far too many companies are too smug in their security state of mind: "It won't happen to us, we're Company X" where the company is not taking security seriously.

Many times I have pointed it out and I will do so again: "Extrusion Prevention." [2] I fail to understand why many security engineers simply don't get it. There is nary an attack I can think of that cannot be detected and deterred. It is a matter of one's approach and view of attacks.

Following the "herding instinct" [3], too many security engineers and pros have relied too much on the concept of building higher walls to keep out attackers. You cannot stop someone from knocking on your door, period. You CAN always stop your employees from ANSWERING that door, especially when you know by now that there is no one on the other side and you are wasting your time and resources answering that door.

Furthermore, we have the following statement: "While the U.S. government has been aware of the attack and working with the company on plugging the security breach for more than a week" [4]. Such a disgusting statement when we have to think that they have been fighting this for a week now. We would think that RSA has the equipment in place to drop their servers from connecting TO AN ATTACKER, yet we see "plugging the security breach for more than a week."

The statement makes me think of the following analogy: "A house has a hole on the side of the wall. The water is on and running out of the house. We're fighting to plug that hole. In the meantime, water keeps leaking out." Suggestion? Turn off the damn water while plugging the hole. Certainly you can stop that water from leaving. My impression is that people are scrambling in circles not knowing/understanding what to do.

So what have I learned from what was said about this breach? Security companies are likely too smug/set in their old ways. Security professionals don't understand what hackers do. RSA likely didn't use their own products.

There is a HIGH likelihood of insider help here; to think that an attacker walked in the front door and knew exactly where to go is preposterous. Maybe RSA and other companies can send their existing security staff to Real World Security Practitioner training [5] so they can see what hackers do and learn how to counter attackers in real time.

[1] http://latimesblogs.latimes.com/technology/2011/03/emc-rsa-security-hacked.html
[2] http://en.wikipedia.org/wiki/Extrusion_detection
[3] http://en.wikipedia.org/wiki/Herd_behavior#Herd_behavior_in_human_societies
[4] http://abcnews.go.com/Blotter/dod-private-contractors-potentially-vulnerable-rsa-cyber-attack/story?id=13162204
[5] http://www.peaksec.com/training/real-world-security.html

Tamer Ibrahim: "RSA likely didn't use their own products." I disagree. They are using it, but it is not efficient when it comes to real attacks. I think these products are only meant for internal threats (i.e. employees).

Such sophisticated attacks shall be considered when evaluating IT security products.
J. Oquendo: Funny thing is I always see the term: "sophisticated attacks" ... Not once have I seen a company that's been compromised spill the beans on "what makes this so sophisticated," which almost always leads me to believe someone walked right through the door with a typical client side and, in an effort to save face, it becomes labeled "sophisticated."

On the flip side of this, I think of the number of vulnerabilities even I have discovered in a few applications (SAP, IBM, CA) that go unreported/undisclosed, and it still leads me to believe that companies scream "sophisticated" for anything that would be an embarrassment.

XSS is not sophisticated, client sides are not all that sophisticated. This, coupled with the fact that whoever attacked RSA went straight for the gold, leads me to think of an insider collaboration pulled off via client side.

Tamer Ibrahim: Oquendo,

I agree with you, and I would like to see a detailed report about what happened and what went wrong: is it a missing administrative, technical, or physical control?
I wonder if they have the courage to publish such a report.
J. Oquendo: The likelihood of this happening is the likelihood that you can play 5 lotteries tomorrow and hit all 5. This is part of the problem with "non-disclosure" of security incidents. While on the one hand I can see the need to keep information mum, when it comes to "sophisticated" attacks, I think companies can collectively benefit from stating: "Hey, this is what happened to us, how they got in," where another company can throw their guards up. However, should the compromise consist of something insanely stupid, such as a password not being changed or a 10-year-old exploit someone overlooked, it is likely an embarrassment to a security company that is supposed to be setting examples.