The recent successful breach of systems at leading authentication company RSA exploited a previously unknown security flaw in Adobe Systems’ Flash player and remote-control technology associated with Chinese spying efforts, the company has disclosed.
RSA revealed the breach two weeks ago, warning banks, government agencies and other customers that use its SecurID tokens with fast-changing passwords to revisit their access policies. Though RSA said then that the hackers should not be able to defeat RSA clients’ authentication systems directly with information they may have gleaned, they said the data could be used as part of a broader electronic assault.
The lack of detail on the attack has frustrated customers and fanned speculation, with some in the security industry saying that the damage was limited and others saying that the tens of millions of SecurID tokens in use should be replaced.
In a conference call with industry analysts on Friday and subsequent blog posts, RSA shed no more light on what the hackers had obtained. But they did say more on how they had fallen victim to the same sort of attack they are hired to ward off.
Company officials said that the hackers e-mailed groups of employees at RSA, which is a unit of storage concern EMC, and that the e-mails included a Microsoft Excel spreadsheet as an attachment, labelled “2011 Recruitment Plan”.
When opened, the attachment exploited a hole then present in most versions of Flash, since fixed by software updates from Adobe, that gave the attackers control of at least one user’s machine. The control technology was a version of what is called Poison Ivy, which was also used in GhostNet, described by analysts as a large Chinese spying operation.
The RSA hackers harvested the login credentials of more company users, connected to other RSA employee machines and then raised the level of access that the machines’ users were entitled to, eventually getting into computers with information about how SecurID works. The data were encrypted and transferred out of the company.
One irony, according to Gartner security analyst Avivah Litan, is that RSA sells fraud-detection systems to banks that could not only have detected the attack, as RSA eventually did, but stopped it midstream.
Such systems look for unusual behaviour by users’ machines, such as attempts to access new parts of the network.
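The kind of check described above, as an added illustration that is not RSA's product or anything from the article: each workstation's normal reach into the internal network (which segments and which services) is learned from a quiet baseline window, and any later connection to a segment or service that machine has never used is raised as an alert. The segment map and the flow records are constructed sample data; the segment names, hosts and addresses are hypothetical.

```python
"""Baseline-and-deviation detector for internal network access.

Added example, not RSA's product or the article's own material. It learns,
for each workstation, the set of (network segment, destination port) pairs
seen during a baseline window, then flags any later connection that reaches
a segment or service the machine has never used before.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical segment map for an internal network (constructed).
SEGMENTS = {
    "file-share": ip_network("10.10.1.0/24"),
    "hr": ip_network("10.10.2.0/24"),
    "engineering": ip_network("10.20.0.0/16"),
    "product-secrets": ip_network("10.30.5.0/24"),
}

# Constructed sample flow records: (timestamp, user, source host, dst IP, dst port).
BASELINE_LOG = [
    ("2011-03-01T09:02:11", "alice", "ws-alice", "10.10.1.15", 445),
    ("2011-03-01T09:05:40", "alice", "ws-alice", "10.20.3.4", 22),
    ("2011-03-01T10:11:02", "bob", "ws-bob", "10.10.2.9", 443),
    ("2011-03-02T09:01:55", "alice", "ws-alice", "10.10.1.15", 445),
]

WATCH_LOG = [
    ("2011-03-10T13:02:11", "alice", "ws-alice", "10.10.1.15", 445),   # normal
    ("2011-03-10T13:04:37", "alice", "ws-alice", "10.30.5.7", 445),    # never-seen segment
    ("2011-03-10T13:06:02", "alice", "ws-alice", "10.10.1.20", 3389),  # known segment, new service
    ("2011-03-10T13:09:48", "bob", "ws-bob", "10.20.3.4", 22),         # bob never touched engineering
    ("2011-03-10T13:12:30", "alice", "ws-alice", "10.30.5.8", 445),    # same new segment/service again
]


def segment_of(ip):
    """Map a destination address to a named segment, or 'unmapped'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unmapped"


def build_baseline(log):
    """Per-host set of (segment, port) pairs observed in the baseline window."""
    profile = defaultdict(set)
    for _ts, _user, host, dst, port in log:
        profile[host].add((segment_of(dst), port))
    return dict(profile)


def detect(baseline, log):
    """Return one alert per (host, segment, port) that deviates from the baseline.

    The baseline is deliberately not updated from the watched traffic, so a
    machine that starts walking the network does not teach the detector that
    the new reach is normal; repeats of the same deviation are reported once.
    """
    alerts = []
    already_raised = set()
    for ts, user, host, dst, port in log:
        key = (segment_of(dst), port)
        known = baseline.get(host)
        if known is None:
            reason = "no baseline for this machine"
        elif key in known:
            continue
        elif key[0] not in {seg for seg, _ in known}:
            reason = "first contact with segment %s" % key[0]
        else:
            reason = "new service %s/%d in a known segment" % (key[0], port)
        if (host, key) in already_raised:
            continue
        already_raised.add((host, key))
        alerts.append({"time": ts, "host": host, "user": user,
                       "dst": "%s:%d" % (dst, port), "reason": reason})
    return alerts


def hosts_by_alert_count(alerts):
    """Machines ranked by how many distinct deviations they produced."""
    return Counter(a["host"] for a in alerts)


if __name__ == "__main__":
    found = detect(build_baseline(BASELINE_LOG), WATCH_LOG)
    for a in found:
        print(a["time"], a["host"], a["user"], a["dst"], "-", a["reason"])
    print(hosts_by_alert_count(found))
```

On the constructed data this raises three alerts: the first contact from ws-alice with the product-secrets segment, a new service (3389) in a segment ws-alice already used, and ws-bob's first contact with engineering; the repeat to 10.30.5.8 is suppressed. In practice the baseline window should come from a period believed clean, and a machine accumulating several distinct deviations in a short span is the pattern worth escalating.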
In a blog post, RSA executive Uri Rivner said that the rash of major breaches at big western companies showed that the industry as a whole needed to share information and come up with better defences. He said security firms should “define and execute a new defence doctrine based on information sharing, deep analytics and advanced threat management”.