Accentuate the positive, obfuscate the negative

In a remarkable blog post, Uri Rivner, RSA's "Head of New Technologies - Identity Protection and Verification Solutions" (who makes up these titles?) outlines the recent attack which may have compromised the company's SecurID token-based access controls.

Remarkable in that it was highly detailed in some areas and quite obfuscatory in others.

It appears that it all started with a typical phishing attack:

"The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read '2011 Recruitment Plan.'"

Then comes the first obfuscation:

"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled '2011 Recruitment plan.xls.'"

Did only one employee open the attachment? Did only one have to pull it out of the Junk folder? Who was the listed sender, and was the header forged? There is so much we want to know, and need to know, in order to evaluate the situation properly.

Mr. Rivner assures us that these were mere peons who got the email: "you wouldn't consider these users particularly high profile or high value targets." And, in an addendum: "When you look at the list of users that were targeted, you don't see any glaring insights; nothing that spells high profile or high value targets."

So how did "high value targets" get acquired? Uri tells us: "The thing is, the initial entry points are not strategic enough for the attackers; they need users with more access, more admin rights to relevant services and servers, etc."

Here's the meat of the attack:

"The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators."

Aha! So how was this accomplished? Rivner is strangely quiet on that score. If the initial targets were, indeed, low-level nobodies, how was privilege escalation possible? Privileges don't appear out of thin air: the intruder needs a local exploit, a misconfiguration, or the credentials of someone who already holds the higher privilege. Rivner's own sentence hints at the last of these (domain admin and service account credentials "harvested" from the compromised users' systems), but he never says how those credentials came to be on a low-level user's machine, or how they were extracted.

Either there's a major hole in RSA's internal security (people with privileges they shouldn't have, or privileged accounts being used on ordinary workstations where their credentials can be harvested), or there are holes in the operating systems they're using, or the high-level people were duped in much the same way as the low-level folk.

Which was it, Uri?
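Two of those possibilities can be checked from data most shops already have. The following is an added example, not code from Rivner's post or from RSA: it audits a constructed set of logon records (shaped after the account, host and logon-type fields of a Windows 4624 event) and a constructed Domain Admins list for the two conditions above, accounts holding admin rights without approval, and privileged accounts logging on interactively to workstations, which is exactly where a phished user's compromised machine would expose them. Account names, the WS- naming convention and the approved-admins list are all hypothetical.

```python
"""
Added example (not from Rivner's post or RSA): audit for privileged
accounts exposed on ordinary workstations and for unapproved admins.
All data below is constructed; host and account names are hypothetical.
"""
from collections import defaultdict

# Constructed sample logons. Logon types follow Windows event 4624:
# 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
SAMPLE_LOGONS = [
    {"account": "jdoe",       "host": "WS-0412", "logon_type": 2},
    {"account": "svc_backup", "host": "WS-0412", "logon_type": 2},   # service account used interactively on a workstation
    {"account": "admin_kim",  "host": "WS-0412", "logon_type": 10},  # domain admin RDP'd into an ordinary user's box
    {"account": "admin_kim",  "host": "DC-01",   "logon_type": 10},  # expected: admin on a domain controller
    {"account": "admin_lee",  "host": "FS-02",   "logon_type": 3},   # network logon leaves no reusable secret on the host
    {"account": "asmith",     "host": "WS-0987", "logon_type": 2},
]

# Constructed group data, as an AD export would give it (hypothetical names).
SAMPLE_DOMAIN_ADMINS = ["admin_kim", "admin_lee", "jdoe"]
SAMPLE_SERVICE_ACCOUNTS = ["svc_backup"]
APPROVED_DOMAIN_ADMINS = ["admin_kim", "admin_lee"]

# Interactive-style logons leave credential material (cached hashes,
# tokens, tickets) on the host, which is what an intruder harvests.
INTERACTIVE_TYPES = {2, 10, 11}


def is_workstation(host):
    """Hypothetical naming convention: workstations are named WS-nnnn."""
    return host.upper().startswith("WS-")


def privileged_logons_on_workstations(logons, privileged):
    """Map workstation -> sorted privileged accounts that logged on interactively there."""
    priv = set(privileged)
    exposed = defaultdict(set)
    for e in logons:
        if (e["account"] in priv
                and e["logon_type"] in INTERACTIVE_TYPES
                and is_workstation(e["host"])):
            exposed[e["host"]].add(e["account"])
    return {host: sorted(accts) for host, accts in exposed.items()}


def unapproved_admins(members, approved):
    """Accounts in Domain Admins that are not on the approved list."""
    return sorted(set(members) - set(approved))


def blast_radius(logons, privileged, compromised_host):
    """Privileged accounts whose secrets an attacker on compromised_host could harvest."""
    return privileged_logons_on_workstations(logons, privileged).get(compromised_host, [])


if __name__ == "__main__":
    privileged = SAMPLE_DOMAIN_ADMINS + SAMPLE_SERVICE_ACCOUNTS
    print("unapproved admins:", unapproved_admins(SAMPLE_DOMAIN_ADMINS, APPROVED_DOMAIN_ADMINS))
    print("privileged logons on workstations:",
          privileged_logons_on_workstations(SAMPLE_LOGONS, privileged))
    print("harvestable from WS-0412:", blast_radius(SAMPLE_LOGONS, privileged, "WS-0412"))
```

Run against the constructed data, the audit flags jdoe as an admin nobody approved, and shows that an attacker who owns WS-0412 can reach a domain admin and a service account without any operating-system exploit at all, which is the scenario Rivner's "harvested access credentials" sentence describes without explaining.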

Read Rivner's posting for yourself and decide: Is this an explanation, an attempt to salvage some glory from the situation ("RSA detected this attack in progress"), or merely an attempt to blame it all on some social-networking lab rat who ignored the rules about opening strange attachments?

I'll have more on this saga in the coming weeks, but for now my advice stays the same as it was when this news first broke: If you're a SecurID customer, immediately put into place a search for a replacement multi-factor authentication plan.


Copyright © 2011 IDG Communications, Inc.