Free Republic
Domains Used in RSA Attack Taunted U.S.
Krebs on Security | March 30, 2011 | Brian Krebs

Posted on 04/03/2011 5:15:43 PM PDT by fours

Details about the recent cyber attacks against security firm RSA suggest the assailants may have been taunting the industry giant and the United States while they were stealing secrets from a company whose technology is used to secure many banks and government agencies.

Earlier this month, RSA disclosed that “an extremely sophisticated cyber attack” targeting its business unit “resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products.” The company was careful to caution that while data gleaned did not enable a successful direct attack on any of its SecurID customers, the information “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” ...

Some of the domain names on that list suggest that the attackers had (or wanted to appear to have) contempt for the United States. Among the domains used in the attack:

www usgoodluck .com

obama .servehttp .com

prc .dynamiclink .ddns .us

Note that the last domain listed includes the abbreviation “PRC,” which could be a clever feint, or it could be Chinese attackers rubbing our noses in it, as if to say, “Yes, it was the People’s Republic of China that attacked you: What are you going to do about it?” ...

Much of the public speculation about the attack on RSA so far has invoked the term “advanced persistent threat” or APT, which is security industry shorthand for “We’re pretty sure it came from China.” At least as far as the domains that were routed through ChangeIP.com are concerned, that assessment appears to hold up (with the usual caveat that attackers can route their traffic through machines anywhere in the world in a bid to disguise their true location).

“Ninety nine percent of the time, when these guys logged in to one of their accounts to change the IP address for a domain, they were coming from a Chinese address,” Norris said. ...

Interesting as these tidbits of data may be, they don’t answer the questions that seem to be on everyone’s minds about the RSA attack: How much information did the attackers get, and can organizations still trust SecurID tokens as an authentication mechanism? A spokesman for RSA said the company wasn’t yet ready to publicly disclose more details about the attack. Several sources say RSA recently briefed a small group of industry leaders and customers, providing further information about the attack, but those folks had to sign a non-disclosure agreement barring them from discussing the details.


TOPICS: Crime/Corruption; Foreign Affairs; News/Current Events
KEYWORDS: china; chinesehackers; exploits; hackers; itsecurity; phishing; rsa; rsasecurity; secureid; securid
Follow-up details on the RSA hack, which (to me) is big news, seeing as they are the security vendor for major US & multinational firms. Just as big a deal as the Chinese-sponsored attacks on Google & other companies revealed last year. The full article is definitely worth a read if you're technically-oriented.

One of the first reports of the RSA attack made it on FR a couple weeks ago: http://www.freerepublic.com/focus/f-news/2691034/posts

A few more details: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/

Of course, it could just be that the hackers are from Russia or who knows where else and left these trails to cover their tracks. You never know with these things.

1 posted on 04/03/2011 5:15:47 PM PDT by fours

To: fours
I doubt there is a lot to worry about.
Yes, it's pretty serious depending what got out... but remember, this is used in TWO factor and sometimes three-factor authentication. The tokens are just one piece of the puzzle required to authenticate a request. Even IF the entire algorithm has been exposed, the patterns are random and you only have a few seconds to use a key... THEN, if you have done your job, your systems are protected again by another layer of password authentication and service filters. In my case, there is also IPS and protocol inspection that traffic must traverse after that.

The most serious damage is that done to RSA as a brand...

2 posted on 04/03/2011 5:23:36 PM PDT by FunkyZero ("It's not about duck hunting !")

To: FunkyZero

I totally agree that this is just one of many factors required from a multi-factor authentication system (for non-infosec readers, the factors can be summed up as “something you have, something you know, something you are,” with SecurID tokens, passwords, and biometrics as examples of each.)

But the SecurID tokens are also a big win for attackers if they’ve been compromised. Phishing attacks (like this one) have shown how easy it is to install a little bit of malware and start collecting passwords by eavesdropping on targeted employees of a company.

Any weakness in SecurID tokens just makes it easier for these hackers to combine that capability with stolen passwords, & take it to the next level and break into even more important two-factor systems. With the RSA attack details it seems they were already “inside” employees’ computers.

I’m waiting to hear what details RSA will publish of what, exactly, the attackers got on the SecurID system, and hope it’s not much. But with them still being very tight-lipped about it, a little pessimism might be justified.


3 posted on 04/03/2011 5:36:44 PM PDT by fours

To: fours
Now this is just speculation, but engineers know better.
I'll wager one paycheck that the person who was dumb enough to open the file attachment was either in customer service or sales... neither of whom would have access to critical backend data, source code or other users' accounts.

Again, just speculation, but these networks are highly segmented and core data would be in a vault system on top of it all. I would be completely shocked if any technology was stolen, I just don't see it happening.
I'm guessing the Chinese now have a comprehensive list of RSA customer phone numbers and email addresses but not much more.

All that said, I hope they fire the individual who was dumb enough to fall for the oldest damn trick in the book.

4 posted on 04/03/2011 6:02:59 PM PDT by FunkyZero ("It's not about duck hunting !")

To: fours
Of course, it could just be that the hackers are from Russia or who knows where else and left these trails to cover their tracks. You never know with these things.

The odds are very good that it's Red China.

5 posted on 04/03/2011 6:54:24 PM PDT by snowsislander

To: fours

Man-in-the-middle attacks? Phishing would not do much good unless there is some vulnerability in the token dongles by which a few samples allow reverse engineering the whole bloomin’ thing. Inserting itself into a live session, however, is a piece of cake for malware.


6 posted on 04/03/2011 7:01:21 PM PDT by HiTech RedNeck (Hawk)

To: fours
I’m waiting to hear what details RSA will publish of what, exactly, the attackers got on the SecurID system, and hope it’s not much. But with them still being very tight-lipped about it, a little pessimism might be justified.

I think we're beyond the point of RSA making its own decisions. Given the nature of the data contained within systems of RSA's "serious" customers, they may have lost the authority to manage this incident altogether.

Think national security interests. I bet the people writing RSA's press releases earn a government paycheck.
7 posted on 04/04/2011 6:03:20 AM PDT by ConservativeWarrior (In last year's nests, there are no birds this year.)