Under the NDA, RSA is sharing far more detail regarding a "worst-case scenario" about how the RSA SecurID token system can be undermined by an attack, and offering more clarity about remediation. There's cause to believe RSA is itself remediating SecurID, with a source close to RSA saying the security issues brought to the fore should not impact future RSA SecurID customers.
RSA is starting to speak a bit more about what happened during the break-in.
For one thing, RSA employees were tricked by a targeted phishing attack using a Microsoft Excel spreadsheet with an embedded Adobe Flash object that exploited a then-unpatched Flash Player vulnerability (CVE-2011-0609), said Uri Rivner, head of new technology for identity protection and verification, in a recent RSA blog post. The lure, he says, was a spreadsheet named "2011 recruitment plan.xls," which was apparently so enticing that one RSA employee even retrieved it from a spam filter, where it had been caught. Opening the attachment triggered the Flash exploit and allowed the attacker to take over the machine.
"They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators," Rivner writes.
The attacker set up internal staging servers as "key aggregation points" and "then they went into servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction," according to Rivner's RSA blog. "The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging area at an external, compromised machine at a hosting provider." From that external host the attacker collected the stolen files.
The Flash vulnerability, since patched by Adobe, let the attacker take control of the victim's machine at RSA and install a variant of Poison Ivy, a widely used remote-access trojan, which provided the command-and-control channel from which the intrusion and the subsequent exfiltration of data were directed.
Sam Curry, chief technology officer, marketing, at RSA, says the NetWitness NextGen security-monitoring product, which RSA has used for three years, was instrumental in detecting the attack in progress. "It helped us to identify it," he says.
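Neither RSA nor NetWitness has published the rules that caught the intrusion. As an added illustration, not code from RSA, NetWitness or the article, the following script shows the kind of egress-monitoring check a security team could run against FTP or proxy logs to surface the pattern Rivner describes: a single internal host uploading multiple archive files to an external address. The log format, the field names, the internal address ranges and the thresholds are assumptions chosen for the example; the log lines are constructed, and the documentation-range addresses (203.0.113.x, 198.51.100.x) stand in for external hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample egress-log lines (not real RSA data). Assumed format:
#   <timestamp> src=<ip> dst=<ip> cmd=<FTP command> file=<name> bytes=<n>
SAMPLE_LOG = """\
2011-03-10T02:14:07Z src=10.20.5.17 dst=203.0.113.44 cmd=STOR file=q1_backup.part01.rar bytes=52428800
2011-03-10T02:16:31Z src=10.20.5.17 dst=203.0.113.44 cmd=STOR file=q1_backup.part02.rar bytes=52428800
2011-03-10T02:19:02Z src=10.20.5.17 dst=203.0.113.44 cmd=STOR file=q1_backup.part03.rar bytes=41943040
2011-03-10T09:01:55Z src=10.20.7.3 dst=10.20.1.10 cmd=STOR file=report.pdf bytes=1048576
2011-03-10T09:05:12Z src=10.20.7.3 dst=198.51.100.9 cmd=RETR file=patch.exe bytes=2097152
2011-03-10T11:40:00Z src=10.20.5.18 dst=198.51.100.9 cmd=STOR file=notes.txt bytes=4096
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed corporate address space; anything outside it is treated as external.
# Configured explicitly rather than via ipaddress.is_private so that the
# documentation ranges used as stand-ins above count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Archive formats commonly used to bundle and password-protect staged data.
ARCHIVE_EXT = (".rar", ".7z", ".zip")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(ip):
    """True if the address lies outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_archive_exfil(log_text, min_archives=2, min_bytes=100 * 1024 * 1024):
    """Aggregate outbound FTP uploads (STOR) of archive files to external hosts
    per (src, dst) pair and return an alert for each pair that reaches either
    the archive-count or the total-byte threshold."""
    uploads = defaultdict(lambda: {"count": 0, "bytes": 0, "files": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] != "STOR":
            continue  # only uploads matter here; downloads are a different signal
        if not rec["file"].lower().endswith(ARCHIVE_EXT):
            continue
        if not is_external(rec["dst"]):
            continue  # internal-to-internal transfer, e.g. to a file server
        agg = uploads[(rec["src"], rec["dst"])]
        agg["count"] += 1
        agg["bytes"] += rec["bytes"]
        agg["files"].append(rec["file"])

    alerts = []
    for (src, dst), agg in uploads.items():
        if agg["count"] >= min_archives or agg["bytes"] >= min_bytes:
            alerts.append({"src": src, "dst": dst, **agg})
    return alerts


if __name__ == "__main__":
    for alert in find_archive_exfil(SAMPLE_LOG):
        print(f"ALERT {alert['src']} -> {alert['dst']}: "
              f"{alert['count']} archives, {alert['bytes']} bytes, {alert['files']}")
```

Run against the constructed log, the script flags only 10.20.5.17, which pushed three multi-volume RAR files to one external host; the internal upload and the external download from 10.20.7.3 are ignored. A real deployment would pair this with per-host baselines and would also watch the earlier stages Rivner lists (credential use on high-value servers, large internal copies to a staging host), since by the time archives leave the network the data is already lost.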
Coincidentally, RSA has been in discussions to acquire the company NetWitness, which it did on April 1 and announced just this week.