Subscribe to RSS
Follow me on Twitter
Join me on Facebook
Details about the recent cyber attacks against security firm RSA suggest the assailants may have been taunting the industry giant and the United States while they were stealing secrets from a company whose technology is used to secure many banks and government agencies.
Earlier this month, RSA disclosed that “an extremely sophisticated cyber attack” targeting its business unit “resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products.” The company was careful to caution that while data gleaned did not enable a successful direct attack on any of its SecurID customers, the information “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
That disclosure seems to have only fanned the flames of speculation swirling around this story, and a number of bloggers and pundits have sketched out scenarios of what might have happened. Yet, until now, very little data about the attack itself has been made public.
Earlier today, I had a chance to review an unclassified document from the U.S. Computer Emergency Readiness Team (US-CERT), which includes a tiny bit of attack data: A list of domains that were used in the intrusion at RSA.
Some of the domain names on that list suggest that the attackers had (or wanted to appear to have) contempt for the United States. Among the domains used in the attack (extra spacing is intentional in the links below, which should be considered hostile):
A partial list of the domains used in the attack on RSA
www usgoodluck .com
obama .servehttp .com
prc .dynamiclink .ddns .us
Note that the last domain listed includes the abbreviation “PRC,” which could be a clever feint, or it could be Chinese attackers rubbing our noses in it, as if to say, “Yes, it was the People’s Republic of China that attacked you: What are you going to do about it?”
Most of the domains trace back to so-called dynamic DNS providers, usually free services that allow users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because dynamic DNS services can be used to easily map the domain name to the user’s new Internet address whenever it happens to change.
Unfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers mange to track the attacking IP address and convince the ISP responsible for that address to disconnect the malefactor. In such cases, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.
Sam Norris, founder of ChangeIP.com, the dynamic DNS provider responsible for many of the root domains on the US-CERT’s list, said he terminated all of the accounts on the list as soon as US-CERT published the list on March 18 (although that version of the list does not mention the RSA connection). Norris soon was contacted via email by the account holder who used the prc. dynamiclink. ddns. us domain. Norris said the account holder wanted to know the reason his domain was killed.
“This guy has been emailing me, asking me for the account back, saying things like ‘Hey, I had important stuff on that domain, and I need to get it back,’” Norris said. “The bad guys are definitely interested in getting it back, which means we probably cut off their communications or made it so that they couldn’t clean up their trail afterward.”
Much of the public speculation about the attack on RSA so far has invoked the term “advanced persistent threat” or APT, which is security industry shorthand for “We’re pretty sure it came from China.” At least as far as the domains that were routed through ChangeIP.com are concerned, that assessment appears to hold up (with the usual caveat that attackers can route their traffic through machines anywhere in the world in a bid to disguise their true location).
“Ninety nine percent of the time, when these guys logged in to one of their accounts to change the IP address for a domain, they were coming from a Chinese address,” Norris said.
An illustration of a targeted attack that used Poison Ivy. Image: Mandiant
A closer look at some of the domains also indicates the use of some familiar attack tools that have been associated with previous targeted attacks attributed to Chinese, state-sponsored hackers. For example, one of the few domains on the list not attached to a dynamic DNS service — mincesur .com — has been a well-known download source for “Poison Ivy,” a lightweight attack tool that attackers have used quite a bit in previous pinprick attacks (PDF) to remotely administer hacked systems and to hoover up information from those machines.
Interesting as these tidbits of data may be, they don’t answer the questions that seem to be on everyone’s minds about the RSA attack: How much information did the attackers get, and can organizations still trust SecurID tokens as an authentication mechanism? A spokesman for RSA said the company wasn’t yet ready to publicly disclose more details about the attack. Several sources say RSA recently briefed a small group of industry leaders and customers, providing further information about the attack, but those folks had to sign a non-disclosure agreement barring them from discussing the details.
Since RSA’s initial disclosure, I’ve received many emails from readers asking for my take on the attack. I’ve avoided writing about it because I didn’t have much to add to the initial reporting, which remains very speculative in the absence of more details from RSA. And as I read back over what I’ve written above, I can see this that post seems speculative as well. As for RSA’s technology, I have noted in one story after another that one-time tokens such as those generated by RSA’s SecurID key fobs are better than mere passwords for authentication, but not by much. Today’s attack tools allow the bad guys to control not only the victim’s PC, but also what the victims see in their Web browser. I have written about a number of successful attacks in which the crooks got the information they needed to defeat tokens and empty bank accounts by injecting content into the victim’s browser. The latest attack on RSA serves to increase suspicion, even if unfounded, that its products may not provide sufficient protection to the user.
Related posts:
- Pill Gang Used Microsoft’s Network in Attack on KrebsOnSecurity.com
- Visa Warns of Fraud Attack from Criminal Group
- Zeus Attack Spoofs NSA, Targets .gov and .mil
- NSA on Computer Network Attack & Defense
- Cable: No Cyber Attack in Brazilian ’09 Blackout
Tags: APT, ChangeIp.com, obama.servehttp.com, prc.dynamiclink.ddns.us, RSA, Sam Norris, US-CERT, www.usgoodluck.com
Hidden due to low comment rating. Click here to see.
The Operation Starlight has uncovered the specific malware used in the attack on RSA and has profiled the cne operators as the “entrenched” meaning they will have to fight tooth and nail for their network back. The attackers malware has been used in several other serious intrusions of US organizations. Operation Starlight has also profiled the time the group has maintained undetected presence in RSA which goes back to middle of last year. If you Truly want to know the real deal and are tired of the criminal comments you need to understand the assault on western nations by the Chinese government. Get up and do something about it. Learn at http://WWW.conanthedestroyer.net
Where can I read more about Operation Starlight. Saw mention of it on your blog but no links or more information.
Hidden due to low comment rating. Click here to see.
Deborah: Your description of your computer use seems more reckless than “naive.”
You never patch your XP software? The simplest protection of all and you don’t use it? Yes, you “have to take some personal responsibility … on the internet and perform some (icky) regular PC monitoring and maintenance.” Start by reading some of Brian’s archived “Time to Patch” articles, if you don’t know why it’s important to update MS products.
Even the safest-looking sites can be compromised. That’s why restricting your list of sites isn’t enough. Obviously, if you’ve had even five or less instances of malware that you’ve discovered as reaching your computers and you had to remove them, then you’re not protected to the extent that you could be, even if software security programs are less than perfect. And you can’t and don’t know if you have undiscovered malware, such as bots, if you aren’t using a good program to run scans on your computers regularly. AV programs aren’t perfect, but their scans do find things that you can’t see!
I could go on and on, but …..
It will be interesting to see if the risk to RSA software tokens on Windows is greater than the hardware tokens. The username, password, and PIN can be keylogged for sure, but can the soft token serial number be read directly from a Windows installation?
I don’t suppose IPv6 will make the need for dynamic addressing go away anytime soon, if ever.
Hidden due to low comment rating. Click here to see.
Once you have a rootkit installed on your system, you no longer know if you have a functioning firewall or not. The rootkit loads earlier in the boot process than the firewall, and can change its settings.
The fact that you aren’t getting popup ads or browser redirects doesn’t mean you have a clean system. Successful trojans don’t call attention to themselves or slow your system down. The fact that you were compromised 5 times means you’ll never again know if you have a clean system. I mean, really, that’s like saying you don’t have to use condoms because you’ve only caught HIV 5 times.
If you distrust Windows that much, why run it at all?
Hidden due to low comment rating. Click here to see.
If you were an insider, then you’d have more reason to patch than most. Microsoft’s security strategy, as told by Steve Lipner, is to ship above all other things, then handle remaining issues later. They also have a strong testing process for patches. They didn’t really start employing their Secure Development Lifecycle until Vista development, meaning you aren’t benefiting from any “tear-inducing” or “rigorous” development process. The number of security flaws in recent Windows versions vs previous version easily refutes your claim that you’re safer on an unpatched, older Windows. Hackers have proven to be more dangerous than patches every time and many huge botnets formed so easily due to large numbers of (sighs) unpatched, pre-SP3 WinXP systems. If people like you would upgrade & patch, we’d all be safer.
As for watching what you surf, this does improve your security profile. However, this assumes two things: 1) you can tell a good site from a bad one; 2) attackers can’t use good sites. The first is dubious because modern black hats are very sophisticated at deploying clone sites, fake ad sites, etc. Without comparing certificates, it can be nearly impossible to tell that a site is a duplicate until you start getting dubious charges or emails.
The second issue is becoming more of a problem now. Crooks can use vulnerabilities in legitimate sites to subvert your system. Cross-site scripting attacks are among the more prevalent. A recent trend is using innoculous ads on “good” sites to do evil things, from redirects to their sites to direct attacks on your machine. Sandboxie is a nice product, but can’t prevent all types of attacks, especially those that work within the browser like XSS.
So, you’re better off patching. Best option is to switch to a mainstream form of Linux, use Firefox w/ addons I’ve mentioned, and update whenever requested. I virtually *never* have problems due to updates on Windows or Linux in a non-commercial setting. If you must stay on Windows for web surfing, then you should upgrade to Windows 7, turn on security features, turn off unnecessary services, use Firefox w/ the addons, and let your system Automatically Update itself for critical updates. I can’t remember any friends or family complaining in past six months that an update fried their system. I can remember many people asking how to get a virus off their un-updated system.
So, for all of us, please update your system. I’m not a big fan of spam and DDOS attacks that system like yours are likely to provide.
Hidden due to low comment rating. Click here to see.
I think you’re on the wrong forum …
DeborahS: The problem is you’re an individual who knows enough a) to do what you do, and b) doesn’t mind doing it. You simply aren’t the average user.
Also, your methodology does not scale to corporations.
I usually tell my clients that the number one thing they can do to avoid malware is stay patched, run a firewall, and run Firefox instead of IE. That alone reduces the attack surface massively. If all they do is that, most of them would be unaffected by malware. Running security software beyond that is mostly for those people who insist on clicking on everything they see on the Web.
I’ve read plenty of stories like yours over the years. Someone always claims “I don’t run any security software and I’ve never been hit.”
But then you have to explain why so many people who DO run security software get hit.
The fact that those who run security software do get hit doesn’t mean the software is useless. It just means the situation would be much worse if they didn’t run it.
In other words, cases like yours are anecdotal (read: worthless) evidence that security software is not needed. It’s that simple.
We in the security business always tout that end users need to learn more about computer security and be smarter about running their machines like you are.
But that’s like saying “everyone should come together and love one another.”
It ain’t gonna happen. End of story.
On Bruce Schneier’s blog, I’ve repeatedly said what I say here: “There is no security.” If someone wants what you have bad enough in economic or emotional terms, they’re going to get it. “Security” of any kind just keeps out the “riff-raff”.
The only “security” there is in life is: 1) Live so you don’t have enemies (good luck with that!), and 2) eliminate your enemies before they affect you.
In IT terms, either security is engineered into the infrastructure (OS, networks, etc.) – which in today’s software industry is next to impossible – or the end user has to deal with it himself. In either case, once again, what humans make, humans can bypass.
The worst thing anyone can do is believe they have “security”. It’s always proof they don’t.
@ Richard
Yes, we’ve had this discussion before on Schneier’s blog. I keep thinking you mean to say there’s no “perfect” security that offers protection against “all” threats. To say there is “no security” is somewhat foolish. The definition of security is ensuring certain attributes of one’s assets, such as confidentiality or integrity, are maintained in the face of a set of known or unknown threats and vulnerabilities. Each group chooses which threats and vulnerabilities it will counter.
From this view, which is the common view in IT Security, security certainly can be had. For instance, in web browsing I do a risk analysis that shows numerous classes of attack: plugin or addon-related; widespread or sophisticated; application attacks; XSS; MITM; information leaks. This is a decent list to start with. From that point, one develops countermeasures to these classes of attack wherever possible.
To start with, I’d use a hardened Linux base with MAC and NX support. For those who want more than AppArmor, there is a policy on the web to restrict Firefox via SELinux. Next, I use Firefox for obscurity, then try to defeat web-based attacks with plugins: Adblock Plus; NoScript; Flashblock; HTTPS Everywhere. Added protection would put this on a dedicated machine (e.g. netbook) that loaded via a LiveUSB stick, contents removed from RAM upon power-down. Another scheme is a SELinux or Xen enforced set of VM’s, with trusted and untrusted sites never used in the same VM. And, of course, the system operates behind a NAT-enabled router/firewall.
The resulting scheme let’s me surf the web with confidence that I probably won’t be infected any time soon. I’d say I have security against the threats I focus on. It would take a very targeted attack, along with my IP address, to breach my security. Even then, the breach would have minimal privileges and only last one session. They would have to repeatedly breach my security without me noticing and defeat the MAC scheme to become a persistent threat. How do I have no security? I’ve proven my security in practice by surfing extremely dangerous sites that infected other people without any problems.
So, a person can indeed have security against specific threats or vulnerabilities. A person can have security against entire classes of vulnerabilities with proper design choices and implementation. There is no perfect security, sure, but there is security for those willing to understand and pay for it. The more you want, the more it costs in time, effort and money. This is one reason “perfect” security is impossible. It’s good that I’m not looking for it: I can settle for immunity to 99% of malware, exploits and escalation attacks.
Hidden due to low comment rating. Click here to see.
Don’t mean to be negative but I left a brand new PC connected to the internet alone for 2 hours while it was updating operating system patches and it got malware.
Running an unpatched system that is connected to the internet is not smart, no matter how many precautions you take.
I’ve got a science background, be warned.
“Don’t mean to be negative but I left a brand new PC connected to the internet alone for 2 hours while it was updating operating system patches and it got malware.”
Did you run the malware scanner /before/ starting the update?(The malware might already have existed).
Did you go to /any/ internet sites before running the update, and did they have adverts on them?
As we’ve heard recently in the news, third party adverts on reputable sites can be problematic.
Which software did you use to check for malware and was that downloaded from the internet, ( just checking you didn’t accidentally just go to an internet site between, see point above ).
What was the extent of the malware? I get told about all the cookies on my system when doing a scan, not exactly malicious.
The malware needs to have come from somewhere, which requires user interaction at some level, which just casts doubt over your entire counter argument.
I have to agree with you Dominic, that it is probably malware introduced to the computer by the user when they started the patching process. Or they could have gone to the wrong site and received a “patch.”
However, there are other possibilities that should be considered.
A) A fresh install on a computer at a static IP, attackers might have flagged that IP as being a rewarding place to attack. As the computer was unpatched and presumably unprotected by a proper firewall at that point, it could have been attacked.
B) An infected computer sharing the same network as the unprotected computer, leading to infection.
Most likely, it was still user error. If default settings weren’t tweaked to increase security… Namely that the user has to approve any other changes that happen. But if the user was attempting to speed up the patching process by trying to let it self-automate… Otherwise it could have been expoits used on an unpatched system and poor timing/luck to the user.
It doesn’t require user error. Windows XP with no updates can be compromised without the user doing anything other than connecting to the internet to download the updates.
http://www.sophos.com/pressoffice/news/articles/2003/08/va_blaster.html
http://www.sophos.com/pressoffice/news/articles/2004/05/va_sasserattack.html
I’ve had the same thing happen to me time and time again. I don’t care people say it doesn’t happen, it does. Autopatcher is a godsend, I highly recommend it.
I’ve setup many, many new systems without ever getting them compromised. The key: a HARDWARE FIREWALL!!!!
Of course it goes without saying that none of the other systems on my network have malware (worm) to spread internally. The key is to keep the nasties on the Internet side and nothing beats a hardware firewall for that purpose! Beyond that, malware pretty much relies on user interaction to get invited in.
Brian,
RSA will probably keep silent as long as they can. It’s only in their own interest: if the seed database has been hacked, that would mean big losses for RSA.
None of the RSA tokens can be upgraded, so they would all have to be replaced. With more than 20 million tokens in the wild, that would lead to severe losses for RSA.
Up until now, they’re only released enough information to statisfy the SEC. Unless they have other incetives, they will proably shut up, and hope this blows over.
Roland
Aother thing: the tokens contain a random number, a tine clock, and a serial number. All three are needed to calculate the 6-digiit code in the display.
If RSA stored the random number (highly likely) and the serial numer (likely), than a lot of curretn 2-factor authentication mechanisms are now 1.5-factor mechanisms instead.
I say 1.5, because in most implemantations you also need a 4-8 digit PIN code after typing in the token code.
If you look at the warnings from RSA to their customers, it looks like they’re basically saying: “watch out for social engineers eliciting PIN codes and guessing passwords”. That would only be a danger if the seed database has fallen in the wrong hands.
Roland
DeborahS: “But in a computer literate and security conscious community such as this one, do we really have to stick to the line that absolutely anybody who doesn’t do this is going to lose everything they own tomorrow?”
Well, as I indicated, I don’t take that line and I’m not sure who does. But the opposite line that security software is absolutely not needed as long as you’re paranoid about what processes you’re running is also not realistic.
For those people who don’t take precautions, there is a definite risk which is higher than zero and less than one which can be addressed to a sufficient degree by installing a good antivirus, a good antispyware and an adequate firewall. And since all of those are free for home users from most of the best suppliers, it’s a no-brainer to do so. And for the most part, when I was running Windows XP (I run Linux now and just grin about malware!) and for my clients who do so, this is sufficient to protect most systems that aren’t high-value targets.
The only hard part these days is constantly updating Adobe Flash, Adobe Reader and Java every week because of a new vulnerability.
But nothing will stop a properly phished email if people aren’t suspicious enough. It will always be possible to attack the mind behind the machine.
My suspicion is that eventually the wholesale malware distribution and botnet creation we see today will go away as hackers learn it’s more profitable to go after identity theft on the corporate level – the sort of thing Brian has been documenting for some time now. Rounding up a bunch of credentials for people with $300 credit limits really isn’t worth the effort compared to taking down a couple hundred grand from a corporation’s bank account in one transaction. There may always be the former, but if and when the average user gets wise(r), it may taper off somewhat.
Of course, then the game will shift to mobile phones as it already seems to be doing. There was a discussion on Bruce Schneier’s blog the other day about what happens when your phone holds your credit cards, your driver’s license, your medical records, etc. – and gets hacked or infected with malware. That’s a whole new ballgame. And no doubt the same mistakes on the software industry side and the user side will be made.
@ Richard,
First off the comments on Bruce Shneier’s blog you refer to originated from a paper by Ross J. Anderson over at the UK cambridge computer labs, posted on the http://www.lightbluetouchpaper.org site.
Second off with regards attacks on hierarchical authN/Z systems such as the RSA tokens or the more recent case of SSL certificates.
If you think about it irrespective of the amount of patching etc these organisations do the information they hold on their systems is of such value to attackers that they will find zero-day etc to exploit the systems to get at the information if the architecture of the organisations computers and communications alow it in any way.
Thus they need to have an architecture such that the information cannot be taken of of their systems by attackers, be they attacking across the network or physical entities in the organisations premises.
Such architectures systems policies and procedures are very expensive to implement and maintain and for various reasons don’t fit in with the majority of business models…
Thus too many “up stream” security orginisations have untrustworthy systems on which your “down stream” security rests upon.
This is because their business model is aimed at reducing cost to a minimum whilst also providing low overhead technical support. Whilst your security model is looking to protect significant assets that could be as you note in the 5 to 7 figure value.
That is the risk in the models is very very asymetric.
It is a situation that is going to get considerably worse in the future and will remain an issue as long as we have hierarchical trust systems where part of the hierarchie is outside of y/our control (as is the case with security tokens and CA’s).
Thus it is time we looked for nonhierarchical systems where the risk is either internal to y/our organisation entirely, or with an organisation that accepts a more balanced level of risk, and thus spends the money to either implement the appropriate architecture and/or suitable insurance cover (preferably both).
Agree with your point about risk distribution in the existing infrastructure and how architecture is a part of that.
Really, the only way to have any significant level of security in a networked system is…not to have a networked system.
OTOH, even in that case, with the apparent ease of physical penetration into a lot of these organizations with false identities or inside jobs, even that probably won’t completely ameliorate the problem.
So I would agree that organizations need to take more responsibility for their own security, both in terms of their internal architectures and the improvement of internal security in general.
Unfortunately, I suspect that at some irreducible level we will come up against the basic problems of business management being not terribly competent and thereby refusing to do or being unable to do what is necessary.
Which reduces us back to my “there is no security – suck it up.” Which doesn’t mean one abandons any attempt to have security, it simply means one has to expect and therefore plan for security breaches and their mitigation. Which is what Ross’ paper was about.
Hidden due to low comment rating. Click here to see.
@ Brian,
Eugene “Spaf” Spafford was interviewed by Federal News Radio over the RSA breach,
http://www.federalnewsradio.com/?nid=365&sid=2317326
His basic take is that similar has/is going on all the time due to the insuficiency of the majority of our comercial systems.
Hidden due to low comment rating. Click here to see.
Anyone know where I can access an RSS feed for US-CERT’s EWINs?
Or any of these guys:
- Situational Awareness Reports (SAR)
- Federal Information Notices (FIN)
- Critical Infrastructure Information Notices (CIIN)
- Early Warning Information Notice (EWIN)
- Malware Initial Findings Report (MIFR)
- Malware Analysis Report (MAR)
- GFIRST Alerts
Other than via the GFIRST Portal, since I am only a US citizen?
As one who’s toured the RSA facility in Boston, where they load the securid fobs and have their primary SOC (staffed 24×7), I’m still confused where the data was lost from. The securid fobs, are presumably made in China, but loaded with their key and sealed up in Boston. It’s assumed that the keys, serial numbers and xml files live somewhere in the RSA campus in Boston, where they have no small amount of security measures and detection and response capability. Somebody must have really done something stupid architecturally, or the attackers must have been exceedingly clever.
Phish e-mail to a user?
Or maybe an inside job and/or accomplice?
What is the benefit of the anyone paying RSA mega $’s versus organizations texting message or e-mailing from their own internal servers on a secure pipe to their PDA/smart/ mobile phones an auto generated password for multi-factor authentication only when needed?
Poor choice by US-CERT to release the C2 servers to the general public.
@Bruiser: US-CERT did NOT release the list to the general public. Sh$@theads receiving those documents in trust, released them publicly.
Given that Brian only posted a screencap of the EWIN, one might surmise that one such sh@#head also supplied him with it.
Good call. I hope that’s the last bit of sensitive information US-CERT provides to the Financial and Banking Information Infrastructure Committee and any other groups who are too reckless with the info.
Interesting that you two thought that having these bad domains made public was a negative thing. I’d like to hear why you think the public doesn’t have a right to know about some seriously bad sites? Whatever happened to information sharing?
I hear your point and completely agree, to a point. I’m all about sharing, but only with the ‘good guys.’ Many in the industry rely on information such as this to track these adversaries. Granted it’s a pretty poor indicator, but it is something rather than nothing. Now that this information is in the public domain, you can be sure as heck that the attackers will stop using those hostnames for C2. In a nutshell, releasing this information is bad OPSEC.
Hidden due to low comment rating. Click here to see.
I’d also like to know where to get the notifications for US-CERT EWIN’s. I’ve been subscribed to US-CERT’s alerts for a while, but haven’t found anything on EWIN.
Hidden due to low comment rating. Click here to see.
I am sure you correct probably every nation state with the capability is playing this game right now to be ready for a counterstrike if any serious assets are attacked (such as a power grid or financial backbone)
Brian
With regards the APT angle, it was RSA themselves that said they had analysed the attack as being within the class of APT.
So all subsiquent comment on APT is down to RSA not to others making assumptions.
It may simply be an attempt by EMC RSA to put spin on the attack to make it sound like it was “elite nija attackers” that are impossible to stop rather than their own negligence.
Personaly my money is on negligence based on the little information available and RSA’s behaviour.
If as many suspect it is the “seed database” that has been taken along with information pertaining to ownership of the individual tokens then you have to ask,
‘Why on earth was this on systems that were connected directly or indirectly to networks accessible from a public network?
The bottom line is that SecureID did not fail and is not vulnerable if deployed properly. PEOPLE failed. The human element is and always will be the weakest link. You can see by the detail of the attack, http:www.v3.co.uk/v3-uk/news/2039746/rsa-details-secureid-attack-methodology, that it was social engineering that was the success. Without users doing things they were not supposed to be doing or being tricked into doing this never would have happened.
I overheard two people talking the other day about how they hated logging into a site because they were required to change their passwords every 60 days and could not use any of the previous 5 passwords. The other person then replied, well you know that once you change it, you can instantly change it back to the first password you ever used and you are good to go so you only need to change it once really.
So the bottom line is that technology is not the problem….people are the problem and any organization can spend millions and millions of dollars protecting their assets, but all it takes is 1 person to not follow policy, guidelines, procedure and training and it all falls to pieces.
Hidden due to low comment rating. Click here to see.
People tend to be the weak link because the do not understand what the implications are of dodging around the system. We will never have a system that is capable of defending against all of the ways people can break it unless the system removes the person completely. The big thing that needs to be done is to close this loophole with GOOD training – what are the measures and WHY are they in place and what are the consequences to the overall system of not adhearing to them. All too often security training I’ve seen focouses on alot of policy and procedures that seem like something more for the IT admin and managment and doesn’t directly relate to the “lowly” end user. The end user is not made aware that by dodging the controls they are making it easier for the bad guys to get in.
Hidden due to low comment rating. Click here to see.
I was a memeber of the Navy Reserve for 7 years. Each year we were required to watch a DoD IT security presentation. The presentatition talked alot about laws and directives and later versions even went through a kind of walk through of the hows to keep things secure and what to do if things were found that weren’t secure. The problem was that as reservists we don’t handle much for classified material so virtually all of my fellow reservists treated the training as a joke. The main failures of the training was that (1) it did not illustrate clearly how even us lowly reservists could be a starting point for attacks on the larger system. (2) It did not illustrate how such things as week passwords are easily compromised. (3) It did not illustrate methods of creating a strong password that could be easily remembered instead – like virtually all other IT security training I’ve seen it emphasized creating passwords that met certian complexity requirements (easily defeated with easily guessable patterns) and that the password not be written down. – no password management allowed. This thinking has to change and IT managers need to get more real and come back down the human level.
@prairie_sailor;
Interesting post, and I’ve seen that in some units. I don’t consider the Reserves lowly – I guess it depends on your mission and the unit attitude toward it.
I was in the Active Guard, and we took security very seriously; however we had top secrets because we were a nuclear unit. The internet was just starting; and documents were sent over POTS dedicated phone service, not the public digital switched network of today. Someone would have to have been tapping the line to gain anything, and be using the proprietary protocols and applications we had then, that no longer exist. I saw my first Unix virus, received by floppy disk in 1987, that arrived by mail from Ft. Lee, and it pretty much hosed our system for the entire field exercise.
Fortunately I had my own equipment(IBM MS-DOS), and drove on. Back then, we never put anything above medium security on a PC anyway. Everything was by TM manual, etc., stored in field safes, under 24/7 physical guard.
You’re correct to say this was a human failure. But i dont think we can say RSA SecureID is still secure.
The analysis of its protocol showed its inputs were a 64bit time value and 64bit secret. Due to derivation, time value only has 22bits of real entropy, which is brute forceable. They also refused to state how they generate the device specific secret. This is the critical part.
Clive Robinson suggested they might have a master seed or, Ill add, a weak way of coming up with the secret value. 22bit time plus weak random secret plus SecureID source code = game over. So, SecureID is only secure if the step RSA is quiet about is secure. If theres a weakness, it will be exploitable in semi real time. Reason ismodern hardware can easily catch up to a timing token that uses a 4bit 1Mhz CPU.
Agreed but you actually had a key piece in your statement that is at the root of the problem, plus weak random secret. What can you do if your users have PIN that is 1234 or course that is easily hacked, and who created that? The end user.
ecurity is not meant to be easy or pleasant but far to often people do not do anything about it until it is too late because they do not want to be inconvenienced. Bottom line is that until people really understand the ramifications of weak security nothing will change
Haha, shouldn’t you be crahigng for that kind of knowledge?!
Interesting bit,
Probably Brian and the more advanced readers of this column are already aware, but I read yesterday on this website:
http://tweakers.net/nieuws/73624/rsa-hackers-verkregen-toegang-via-phishing-mails.html
(in Dutch) that the hackers got access to RSA systems via spear-phishing a selected group of employees with… an Excel file containing a 0-day exploit in an embedded .swf Adobe Flash file.
Which I think is the vulnerability about which Brian wrote here:
http://krebsonsecurity.com/2011/03/adobe-attacks-on-flash-player-flaw/
@Deborah Seriously you are using Zone Alarm 6.5. They are on version 9.2.102.000 for the free version. Update zone alarm or switch (because of there scareware tactics by there marketing people) You are using technology from several years ago. What do you think updates are made for, just useless time wasting activities so programmers can keep there jobs? Would love to know what version of flash and java you are using.
I think that some people just don’t update because of laziness and the fact that an interface might change.
Sorry Wrong article. Meant for Computer for rent article. Its late.
You made some nice points there. I looked on the internet for the topic and found most guys will agree with your blog.