Attacks/Breaches
10/12/2011
12:09 PM
Connect Directly
RSS
E-Mail
50%
50%

RSA Pins SecurID Attacks On Nation State

Security firm said it traced the attack on its authentication system to two groups working for one nation state, but declined to name the country.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
RSA has traced the attack against its network, resulting in the compromise of sensitive information relating to its two-factor SecurID authentication system, to two groups, working for one nation state.

Those findings came to light Tuesday, during a press conference at the RSA Conference Europe 2011 in London. "There were two individual groups from one nation state, one supporting the other. One was very visible and one less so," said Arthur Coviello, the executive chairman of RSA, and executive VP at parent company EMC, reported the Inquirer.

But Coviello stopped short of naming the nation state that RSA suspected might be involved. "We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication, and resources involved, it could only have been a nation state," he said.

[Think your intrusion detection and prevention systems are tight? Think again: Most Businesses Don't Spot Hack Attacks.]

Coviello's assertion seems destined to raise as many questions as it answers. "It seems very odd to me for a company to say that they have determined that a country had attacked them, but to not then name the country," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

Furthermore, despite the seeming prevalence of attacks blamed on China--including the so-called Aurora attacks against Google and others last year, as well as the Shady RAT cyberespionage campaign discovered by McAfee this year, Cluley recommended exercising caution. "Inevitably, people are likely to assume that China might have been involved in the attack--but there's nothing in RSA's statements to either implicate China or to back up the claims that any country was involved."

RSA had previously disclosed that it had traced the breach to an advanced attack involving an Excel spreadsheet, named "2011 Recruitment plan.xls," which was attached to a poorly worded email that had been sent to an employee in its financial department. The breach--the full extent of which RSA has yet to detail publicly--has been an embarrassment for the company, given that it sells security software, hardware, and expertise.

At the press conference Tuesday, RSA Security president Thomas Heiser faced sharp questioning as to whether his company had correctly handled the resulting breach notification and cleanup correctly, reported the Inquirer. Notably, RSA delayed offering replacement SecurID tokens to many of its customers, and only later offered them to businesses that it had determined to be most at risk, including military contractors. For others, it instead offered security monitoring services.

"We got out to our top 500 customers relatively quickly," said Heiser, but interfacing with the others took more time. "The challenge was that we have tens of thousands of customers and a lot of them we deal with indirectly, so we were reliant on our marketing press and partners."

Since the SecurID breach, RSA has been sounding a greater alarm over the threat posed by nation states, and recently gathered a group of CIOs in Washington to discuss ways of combating the advanced exploits they're seeing, which often rely on social engineering attacks.

Likewise, in his keynote opening the RSA conference on Tuesday, Coviello said that the three most dangerous groups now attacking businesses online are cybercriminals seeking information that carries a dollar value, hacktivist groups aiming to embarrass businesses, and nation states. "For nation-sponsored attackers behind advanced persistent threats, it's about stealth and sophistication," he said. "Through social engineering they do intelligence gathering--sometimes months in advance of the attack. They learn which end users in corporations or government agencies possess the assets they want."

While such attacks may not appear to be highly sophisticated, they're nonetheless effective. "The attack may start with rudimentary malware and a variety of tools no different from the other groups, or if necessary with a true zero-day exploit. The real differences in sophistication are the concentration of resources behind the attack and the efficiency with which these adversaries operate after gaining entry," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
10/13/2011 | 9:16:59 PM
re: RSA Pins SecurID Attacks On Nation State
I suspect that not naming the country, as someone has already suggested, was likely a business decision. I am curious though to hear more specifics on what makes the company think this has to be a state-sponsored attack, although many governments would have a motive.
Brian Prince, InformationWeek contributor
Dragginbutt
50%
50%
Dragginbutt,
User Rank: Apprentice
10/13/2011 | 10:21:19 AM
re: RSA Pins SecurID Attacks On Nation State
What I find disturbing is that RSA has their CORE business applications tied directly to systems that handle daily internal traffic (Email etc). Seems to me, given the importance of the application and the people it serves, they would have kept the two very much seperated..
Security OBE by arrogance perhaps?.
NoSpin1600
50%
50%
NoSpin1600,
User Rank: Apprentice
10/12/2011 | 5:00:04 PM
re: RSA Pins SecurID Attacks On Nation State
Of course they aren't going to point the finger at China, they probably do business in China and don't want to loose the revenue.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.