I really wonder if RSA isn’t shooting themselves in the foot with their PR strategy surrounding the breach of their network. As far as I can tell, their plan is to blind everyone with useless (but possibly interesting) details while hoping that no one notices that they haven’t disclosed any information that anyone can actually use.
Let’s look at the information that went out initially. On March 17th, RSA sent a letter to SecurID customers, informing them that RSA had been hacked. However, the only information included other than the fact that the breach centered on the SecurID product was a list of recommendations that could have been written by a student going through a SANS 401 class:
- Enforce strong password policy
- Increase focus on social media security
- Re-educate employees
- Pay attention to your SIEM
- Harden and monitor critical systems
- Examine helpdesk practices for social engineering weaknesses
- Apply patches and updates
Oh…thanks. That really helps folks who are afraid their SecurID tokens now provide as much security as double-ROT13 encoding. Based on the lack of information to help evaluate the risk level, I’m sure many organizations have begun making plans to move away from SecureID (including one organization described by Allen Paller as “one of the largest US defense contractors”).
Maybe RSA will fix this with a follow-up announcement, letting everyone know that they have nothing to fear? They did release a second announcement (almost two weeks later), but I’m not sure it was any more helpful or reassuring than the first.
In a post titled “Anatomy of an Attack“, RSA laid out some of the technical details of the intrusion. The first stage is described in great detail. An attacker sent phishing emails containing a trojanized Excel file with an embedded Flash 0-day exploit. A user opened the file, allowing the attacker to install a copy of Poison Ivy in reverse connect mode.
This unfortunate user is described as being part of a group that was not high profile or high value. But later in the post, the attackers are described as needing more access and getting access to user, service and even domain admin accounts. Wait, how did the attacker go from compromising what sounds like a limited user on a workstation to having domain admin access? Apparently, “digital shoulder surfing.”
Again, we have lots of information we already know (attackers are sending phishing emails and users will launch them), and almost nothing about what we don’t know (how an attacker went from limited access on a limited system to owning the network).
It almost seems like RSA is trying to make the worst of a good situation with their misguided PR plan. They announce they’ve been hacked, but they don’t give any details about what their customer’s risk level is. They yell “APT!!!”, then talk about how the attacker used a well-known tool and common techniques, with no details about the true meat of the attack. They caught the attack in the middle of the operation, but they won’t say that they were able to curtail the attacker’s access from the most sensitive data. Maybe they can’t say more due to legal or other constraints, but at least they could let us know if that was the case.
And what’s with the now-popular use of “APT”, anyway? RSA caught the attack in the early stages, so it wasn’t exactly persistent. The attacker also used common tools and techniques, so not terribly advanced. The use of a Flash 0-day does elevate the attacker to somewhere above script-kiddie level, but Flash flaws are discovered about twice a week… so this isn’t exactly Stuxnet. Maybe there was something amazing in the technical details of the “digital shoulder surfing”, but at this point everything we’ve heard from RSA is “we got hacked by the best… but everything’s cool.”
RSA may be reaching out to SecurID customers directly to share more detailed information about this incident, but if I was in the market for two-factor authentication, I would be severely spooked. It’s funny, because I feel like RSA might have deserved a pat on the back. Their blog post states they caught the hack in progress, which deserve some kudos, even if they didn’t prevent the attack in the first place (prevention is ideal, but detection is a must). Maybe RSA is suffering from the tech geek’s Achilles heel: they have done some good technical work, but they’ve failed to put it into words for the customer/boss.