RSA break-in: it was the Flash Player's fault
On its company blog, RSA has released details about the server break-in it reported about two weeks ago. According to Uri Rivner, head of the company's "Consumer Identity Protection" division, the intruders used a backdoor that they installed by means of infected emails. The emails reportedly contained an Excel spreadsheet with an embedded, specially crafted Flash file. When the spreadsheet was opened, Flash Player was launched to play the embedded file. A flaw that has since been fixed by Adobe enabled the attackers to inject code into the system and execute it there. F-Secure has described an attack scenario that involves the same exploit.
RSA said that two variants of infected emails with an attachment called "2011 Recruitment plan.xls" were sent to a group of RSA employees over two days. Apparently, one of the targeted employees retrieved the email from a spam folder and opened it. The intruders used the exploit to install the widely known and freely available Poison Ivy "remote administration tool". The tool allowed the attackers to spy on the user's server access credentials, log into the server and escalate their access privileges (via further vulnerabilities). This gradually allowed them to work their way into the systems that interested them.
There, they harvested data and copied it to other servers on the internal network, where they combined, compressed and encrypted the information before transferring it to an external FTP server. The attack was similar to the Google hack in early 2010, when attackers exploited a hole in Internet Explorer to install a backdoor and eventually work their way through to Google's single sign-on system.
However, RSA has yet to disclose which data was actually harvested, and whether the intruders managed to obtain, for example, the "seeds" and serial numbers of SecurID tokens. The seeds would allow them to derive the constantly changing OTPs. It is currently only certain that the incident has "affected" token security. However, security experts have come to expect the worst and are now assuming that SecurID tokens no longer provide any security, and that the system must be regarded as having been cracked. RSA's recommendation that customers enforce strong password and PIN policies could also point in this direction. The company has also recommended that customers closely monitor their infrastructure for suspicious activity.