RSA back in the news: whose website hasn’t been breached?

As you may remember, RSA, the vendor of the SecurID authentication tokens, was hacked in March 2011. The resulting data breach affected many of RSA’s 25,000 global customers, who between them use over 40 million of these devices.

The SecurID is one half of a “two-factor” authentication method. “Two-factor” means the user must log in with both something they know (a memorized password or PIN) and something they have (the six-digit code displayed on the SecurID token). The device adds further protection by generating a new code every 60 seconds, so a code that is intercepted or shoulder-surfed is useless almost immediately.

SecurID tokens were once thought to be one of the most secure login methods in the world because each device holds a unique secret seed number, and every code it displays is derived from that seed and the current time. Without the seed (or the device itself, of course), it is virtually impossible to predict the correct six-digit code at any given moment; with the seed, anyone can compute the same codes the token shows.

But, as with most security methods, there is always a way around it. The geek-speak version of this “back door”: a zero-day Flash exploit, embedded in a spreadsheet delivered through a “spear-phishing” attack, was used to gain access to RSA’s network.

In more human terms, an RSA staffer opened an Excel spreadsheet attached to a cleverly crafted email, falling victim to a spear-phishing attack. The malicious spreadsheet took advantage of a recently discovered but not yet fixed security flaw in Adobe Flash (a “zero-day” exploit) to run a malicious application that harvested RSA data.

The breach into RSA’s servers allowed the hackers to steal device-unique secret seed numbers for SecurID devices already in the field, which means they could reproduce the codes those tokens display. Definitely an ‘Oh My’ moment in security history.

A Much Larger Cyber Attack

While the media frenzy that closely followed the March 2011 RSA breach was fascinating to watch, I am riveted by the much broader picture painted by Brian Krebs in a report to Congress. In his blog post “Who Else Was Hit by the RSA Attackers,” Krebs suggests that the RSA breach was just a small part of a much larger, organized cyber attack on major corporations around the world.

Krebs’ report indicates that RSA was just one of over 760 organizations worldwide that were compromised by the same hacker organization. To give some magnitude to this statement, it should be noted that almost 20% of the US Fortune 100 appear on the list of 760. A short list of some of the more notable compromised organizations includes Charles Schwab & Co., Cisco Systems, eBay, Facebook, Google, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Research in Motion (RIM) Ltd., and Verisign.

Krebs reported on a distributed 340-node Command and Control (C&C) network that appears to be at the heart of this worldwide attack. What this means is that the hacking organization has either set up its own attack infrastructure or has quietly taken over servers and networks belonging to unsuspecting companies around the world and used them to issue commands to, and collect data from, the compromised machines. What is even scarier is the fact that this 340-node C&C network was (and probably still is, in some cases) collecting data from 760 breached organizations.

Of particular interest in the breakdown of the C&C servers is the fact that 290 of the total 340 C&C servers can be found in China—a country long suspected of supporting government-sponsored hacker organizations. The following chart provides a geographical breakdown of the 340 C&C networks.

[Figure: Geographic location of over 340 control networks used in the attacks.]

Whose Website Hasn’t Been Breached?

In a recent interview with CNNMoney, Dave Jevans, chairman of IronKey, a maker of a security-focused Web browser, stated “the only companies that haven’t been compromised in some way, shape, or form are either insanely small, lucky or secure.” Based on the evidence provided by Krebs, it appears that his statement rings true. To add even more wonder to the pervasive attacks, Jevans went on to say, “I’m sure 90% of these companies are just finding out they’ve been hacked along with the rest of us. They don’t even know they’ve been penetrated.”

In his article “Massive hack hit 760 companies,” David Goldman suggests, “hacks are almost a form of currency in the cybercrime economy. Hackers launch cyber attacks on as many victims as they can in order to sell them to interested third parties.” This is a longer way of repeating my own often-used line that “data is the currency of cybercrime.”

With this new information coming on the heels of an August 2011 report by McAfee on a long-term, wide-ranging, global attack on 72 organizations, one wonders how many companies beyond the ones pinpointed either don’t know they have been breached or have decided not to report it.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure Web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Alan is an expert in Web security - from evaluation to Web development and remediation.