How RSA got hacked, resulting in multiple defense contractors getting hacked

http://www.f-secure.com/weblog/archives/00002226.html

faillll

Saw this on r/netsec… it still never ceases to amaze me how effective human-idiot attacks can be.

I figured nobody would really appreciate it…

However, it's funny: the billions that get spent on cyber defense, and this really simple attack opened up the whole thing, lol.

We have those things at work.

We run them at my school. Kinda funny how “secure” can only mean so much. :wink:

hey man, nothing is 100% safe… Just need to beef up your security the best you can, be prepared for when a breach DOES occur, and have good lawyers on standby lol.

Social engineering, baby. Humans are the weakest link in infosec. Def cool info about embedding a Flash object in the Excel sheet.

Scary shit.

I work for Ingram Micro/RSA, I deal with these SecurID products daily… this has been a real headache.

lol… amazing how far you can get because people still don’t think twice before opening random email attachments.

It was pretty sweet when RSA goes "yeah, we got hacked, we didn't lose anything".

Then all this shit happened a few weeks later

Social Engineering will never be “prevented”. People are idiots, and unfortunately these are the consequences. No matter how many times you scold people they’ll just do the same thing again and again. Like I said in a previous thread, we have a user who manages to infect her machine almost monthly. I’m almost positive most of them are from those “UPS could not deliver your package, click the file to receive it” or w/e they say.

A lot of what happens now are highly targeted attacks where people spoof an email that looks a lot like what you would expect.

Also, instead of just having a blank document, include some fake content like a new corporate policy or some BS so people don't think they just got pwned.

Usually what I see, is the:

EMAIL ACCOUNT UPGRADE

Your E-mail box has reached its maximum limit of 20 GB of storage and Your account will be disabled if you do not update now.

dyc.edu To upgrade your account, please click the link below and follow the instructions to upgrade to more storage space.

http: //quadlightjobs. com/phpform/use/webmail/form1. html (<----Dead Giveaway…WTF kinda website is that)

Your account will remain active after you have confirmed your account successfully.

The email comes from a brain (dot) net (dot) pk. (<—Are you kidding me?) Yet people still click on them.

I’ve also seen where they mask the .bat or .exe file with a .doc extension and people click on them…a little more sophisticated, but preventable.

Usually it works like this:

Gather info linkedin/google/fb/monster/everywhere

Find a sample company PDF and figure out HR/IT email addresses

Fake an email, with the correct signature and everything, from the IT department about some new policy or small policy change, attach the PDF and send it over

You only need 1 person to open the PDF so if you hit a larger company :tup:

Once you're inside their network on a workstation, it's pretty easy to move around, dump the local admin password, decrypt, etc. etc.
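The storage-quota lure quoted earlier in the thread has two of the tells the poster points out: a sender domain that is not the organisation's, and a link to a site that has nothing to do with the organisation. The following is an added example, not code from the thread or from any product mentioned in it, showing how a mail gateway or a quick triage script can surface those tells mechanically. The message, the `example.edu` organisation domain and the `mail-brain.example.net` / `quadlightjobs.example.com` hostnames are constructed stand-ins; the registrable-domain helper takes the last two labels and does not consult a public-suffix list, which is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the style of the lure quoted in the thread.
# All domains here are made up; example.edu stands in for the targeted school.
SAMPLE_EMAIL = """\
From: Webmail Support <admin@mail-brain.example.net>
To: staff@example.edu
Subject: EMAIL ACCOUNT UPGRADE

Your E-mail box has reached its maximum limit of 20 GB of storage
and Your account will be disabled if you do not update now.

To upgrade your account, please click the link below:
http://quadlightjobs.example.com/phpform/use/webmail/form1.html

Your account will remain active after you have confirmed.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_WORDS = ("disabled", "upgrade", "confirm", "update now")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'mail-brain.example.net' -> 'example.net'.

    Assumption: no public-suffix list, so 'foo.co.uk' would be mishandled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw: str, org_domain: str) -> list[str]:
    """Return human-readable indicators for a raw RFC 822 message.

    Checks: sender domain is not the organisation's; links point off the
    organisation's domain; links are plain http; the body uses the
    account-threat / urgency wording typical of credential lures.
    """
    msg = message_from_string(raw)
    findings: list[str] = []
    org = registrable_domain(org_domain)

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if registrable_domain(sender_domain) != org:
        findings.append(f"sender domain {sender_domain!r} is not {org_domain!r}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != org:
            findings.append(f"link host {host!r} is off-domain: {url}")
        if url.lower().startswith("http://"):
            findings.append(f"link is plain http: {url}")

    hits = [w for w in LURE_WORDS if w in body.lower()]
    if hits:
        findings.append("urgency/account-lure wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL, "example.edu"):
        print("-", line)
```

Run on its own the script prints four findings for the constructed message (foreign sender domain, off-domain link, plain-http link, lure wording). A legitimate notice from `it@example.edu` linking to `https://portal.example.edu/...` produces none, which is the point: the checks are cheap enough to run on every inbound message and still separate the two cases the poster describes.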

Users are idiots. That is why firewalls are becoming more advanced than ever, monitoring traffic going in and out of networks and going well into the application layer.

The new boxes we are putting in are going beyond the ports and into the data stream to monitor connections and make sure that, for example, your HTTP connection is actually HTTP traffic and not hiding other protocols in it, like botnets and data streams. SSL connections are now decrypted, file MIME types are checked and not just extensions, to prevent .exe's being renamed to .zip, .doc, etc., and when a session is open the data is still monitored to make sure that your session stays in the application that is allowed. We can even dig into the data packets and look for strings of data matching credit card numbers, SSNs, or other sensitive strings that can raise flags of someone exporting important information.

It makes administering easier too, because if you have an application that is a web page running on a non-standard port, it can also be allowed through without forcing it to be on port 80.

Being in the security mindset, I am all for blocking everything and give me a reason to allow something. One idiot user can ruin my day.

It's not all their fault, but you gotta make sure you lock down things to prevent the "Oops" by a user. I have gotten a call from an "IT Provider" who said they got my number from our CIO and said they would be sending me an email. They can simply find me on LinkedIn, see that I work for a company, find its notable people on a financial site for the company and go from there. Most places have a switchboard that can send a call to you from the outside. Social engineering is not that hard.
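Two posts above mention the same trick from opposite sides: an .exe or .bat handed out with a .doc extension, and a gateway that checks the file's real type rather than its name. The following is an added example, not code from the thread or from any firewall vendor, of that check done in a few lines: it sniffs the magic bytes, compares the detected type with what the extension claims, treats executable content as blocked whatever it is called, and looks inside a ZIP for executable members. The signature table, the extension-to-type map and the sample files are constructed for the example.

```python
import io
import zipfile

# Magic-byte signatures (file prefix -> type name). Constructed, not exhaustive.
SIGNATURES = [
    (b"MZ", "pe"),                                   # Windows PE (.exe/.dll/.scr)
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls/.ppt
    (b"{\\rtf", "rtf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# What content each claimed extension is allowed to carry (assumed policy).
EXPECTED_KINDS = {
    "pdf": {"pdf"},
    "doc": {"ole", "zip", "rtf"}, "xls": {"ole", "zip"}, "ppt": {"ole", "zip"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "txt": {"text"}, "csv": {"text"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta"}


def ext_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff(data: bytes) -> str:
    """Type from the leading bytes, 'text' if the head is plain ASCII, else 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data and all(b in PRINTABLE for b in data[:512]):
        return "text"
    return "unknown"


def archive_executables(data: bytes) -> list[str]:
    """Member names inside a ZIP whose extension is executable; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if ext_of(n) in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def verdict(filename: str, data: bytes) -> str:
    ext, kind = ext_of(filename), sniff(data)
    if kind in ("pe", "elf"):
        return "block: executable content regardless of extension"
    if kind == "zip":
        bad = archive_executables(data)
        if bad:
            return "block: archive contains " + ", ".join(bad)
    expected = EXPECTED_KINDS.get(ext)
    if expected is None:
        return f"review: unlisted extension .{ext}"
    if kind in expected:
        return "allow"
    return f"block: .{ext} claims {sorted(expected)} but content looks like {kind}"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes-or-str}; used only for samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a PE renamed .doc, a real-looking legacy .doc, a .docx
# container, a ZIP smuggling an .exe, and a batch script renamed .doc.
SAMPLES = {
    "policy.doc (PE)": ("policy.doc", b"MZ\x90\x00\x03" + b"\x00" * 59),
    "policy.doc (OLE)": ("policy.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56),
    "report.docx": ("report.docx", make_zip({"[Content_Types].xml": "<t/>", "word/document.xml": "<d/>"})),
    "report.zip": ("report.zip", make_zip({"invoice.pdf.exe": b"MZ\x90\x00"})),
    "readme.doc (bat)": ("readme.doc", b"@echo off\r\ncalc.exe\r\n"),
}

if __name__ == "__main__":
    for label, (name, data) in SAMPLES.items():
        print(f"{label:20s} -> {verdict(name, data)}")
```

The batch-file case is the one to note: scripts have no magic bytes, so the mismatch is only caught because the .doc extension promises a binary container and the content is plain text. A script renamed to .txt passes this check by design, since it is then not executable by double-click; anything further needs content inspection of the kind the post describes for live sessions.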

DLP technologies are pretty useful

However, a lot of malware that steals track 2 credit card data just encrypts it before it leaves the network or gets stored on the PC.

Ya. There are other filters and stuff that can be applied. For example, traffic going to domains that are less than 30 days old, certain connection states, and greater enforcement on PCs that are handling sensitive data. Most companies doing financial stuff also usually lock their users into a Citrix environment to prevent a lot of hacks.
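The exchange just above is worth seeing in code: the firewall post says the boxes match credit card numbers and SSNs in the data stream, and the reply says card-stealing malware encrypts the data before it leaves. The following is an added example, not code from the thread or from any DLP product, that runs the pattern match over a constructed track 2 dump, validates card-number candidates with the Luhn check so that random digit runs are not reported, and then runs the same logic over an encrypted copy of the dump to show it finds nothing. As a secondary signal it computes byte entropy, which stays low for plaintext records and high for the encrypted copy. The records, the SHA-256 counter keystream standing in for the malware's cipher, the key and the 6.0 bits/byte threshold are all constructed for the example; the SSN pattern's exclusions (000, 666, 9xx area numbers) are the usual format rules, not a claim about any real person.

```python
import hashlib
import math
import re
from collections import Counter

# 13 to 19 digit run not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# AAA-GG-SSSS with the structurally impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    pans = [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]
    return {"pan": pans, "ssn": SSN_RE.findall(text)}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the observed byte histogram (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a deterministic stand-in for the malware's cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def inspect_stream(payload: bytes, entropy_threshold: float = 6.0) -> dict:
    """What a content filter sees for one outbound payload."""
    hits = find_sensitive(payload.decode("latin-1"))  # latin-1 never fails on bytes
    ent = shannon_entropy(payload)
    return {
        "pan": hits["pan"],
        "ssn": hits["ssn"],
        "entropy": round(ent, 2),
        "pattern_match": bool(hits["pan"] or hits["ssn"]),
        "high_entropy": ent >= entropy_threshold,
    }


# Constructed sample: track-2-style records using published test card numbers,
# one digit run that fails Luhn, and one SSN-shaped string. Not real data.
PLAINTEXT_EXFIL = (
    b"batch 2011-03-18 track2 dump\n"
    b"4111111111111111=25121010000?\n"
    b"5500000000000004=26061010000?\n"
    b"340000000000009=27011010000?\n"
    b"6011000000000004=28031010000?\n"
    b"1234567890123456=25121010000?\n"
    b"employee ssn 078-05-1120\n"
)
ENCRYPTED_EXFIL = xor_encrypt(PLAINTEXT_EXFIL, b"constructed-example-key")

if __name__ == "__main__":
    print("plaintext:", inspect_stream(PLAINTEXT_EXFIL))
    print("encrypted:", inspect_stream(ENCRYPTED_EXFIL))
```

On the plaintext dump the filter reports the four Luhn-valid card numbers and the SSN and nothing for the `1234567890123456` run; on the encrypted copy it reports no matches but an entropy well above the threshold. That second signal is what the reply's point leads to in practice: once the payload is ciphertext, a pattern filter is blind and the decision has to come from destination, process or entropy heuristics like the ones listed in the follow-up post.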

Computers are getting smarter but people are getting dumber…

People aren't necessarily getting dumber; the attacks are getting more sophisticated, more common and more believable to the general user.

Previously, you would get a simple blanket email that asks you to click a link and verify your “lost” password and account information from a common provider like AOL, Chase Bank, etc. Sometimes it would be some free screen saver or script that the person would click to infect their PC.

Now, with social networking, information about people is more blatant than ever and building the trust relationship needed for social engineering is easier than ever. Out of 600 people on Facebook that I am friends with, most of them provide basic details about home town, current town, family, maiden names, birth dates, and even travel history and previous places they lived. Comparing information between that and a simple web crawl, I can get information to build a simple trust relationship with that person and get them to expose personal and even internal information about their job like passwords, IP addresses, equipment used, etc.