December 18, 2018

Zero Day Exploit in Flash was Used to Crack Open RSA’s Servers

Two weeks ago RSA revealed in an open letter to its customers that its servers were compromised by what it called “an extremely sophisticated cyber attack”. As a result, information relating to RSA’s SecurID two-factor authentication products was extracted from RSA’s systems.

Now, Avivah Litan, an analyst at Gartner Research, has revealed that the hackers used the recently disclosed zero-day vulnerability in Adobe Flash.

The hackers started their attack by sending phishing emails to groups of RSA employees. The emails were cheekily titled “2011 Recruitment Plan”. Attached to each email was an Excel spreadsheet carrying an exploit for the recently discovered Adobe Flash zero-day flaw, CVE-2011-0609. This allowed them to download trojans onto RSA’s systems, from which they continued their attack until they finally gained privileged access.

Litan does praise RSA’s openness about the attack, but there are questions about RSA’s internal security, especially since RSA sells fraud detection systems based on user and account profiling that should spot abnormal behaviour and intervene in real time.

RSA’s Servers Hacked – Reduces Effectiveness of SecurID

RSA has revealed in an open letter to its customers that its servers were compromised last week by an extremely sophisticated cyber attack and that, as a result, certain information was extracted from RSA’s systems.

RSA goes on to say that some of the stolen information relates to RSA’s SecurID two-factor authentication products and could potentially be used to reduce the effectiveness of SecurID.

RSA’s SecurID two-factor authentication mechanism consists of a “token” (either hardware or software) that generates an authentication code at fixed intervals (usually 30 or 60 seconds) using a built-in clock and the token’s unique factory-encoded seed. To authenticate, a user enters a PIN together with the number currently generated by the token.

Although the details are unclear, it is supposed that the hackers managed to get hold of a list of the seeds assigned to various tokens.

SecurityWeek got in contact with Kenneth Weiss, the original inventor of the SecurID: “The SecurID technology I designed and patented has never been breached in 25 years of use. This unfortunate breach of security at RSA speaks to the quality of their internal security not the security of the SecurID token. The possession of 40,000,000 random SecurID seeds is meaningless unless a subset can be associated with a particular one of 30,000 worldwide clients and then in turn directly associated with a particular client user. Even if such identification were possible, an attacker would also have to know the particular user’s PIN. This information is not stored on RSA computers.”
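The following Python block is an added illustration, not code from the article or from RSA: it models a generic time-based one-time-password token of the kind described above (seed plus clock, fixed step) using the HMAC-SHA1 construction of RFC 4226/6238, which is an assumption for illustration since SecurID’s own algorithm is proprietary and not described on this page. It shows why a leaked seed lets anyone reproduce the token’s codes, and why the server-side PIN check, which does not depend on the seed, still has to be passed. The seed (the RFC 6238 test secret), PIN and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only: this seed is the RFC 6238 test
# secret, not a real SecurID seed, and the PIN is made up.
EXAMPLE_SEED = b"12345678901234567890"
EXAMPLE_PIN = "4711"
STEP_SECONDS = 60   # the article says tokens roll over every 30 or 60 seconds
DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """Code shown by a token (or computed by the server, or by anyone holding
    the seed) for the time window containing unix_time. HMAC-SHA1 dynamic
    truncation as in RFC 4226/6238; SecurID's real algorithm differs."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_login(seed: bytes, stored_pin: str, submitted_pin: str,
                 submitted_code: str, unix_time: int, skew_steps: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check. The PIN is a separate factor that cannot be derived
    from the seed, so a stolen seed alone does not pass this check. The code is
    accepted for the current window plus/minus skew_steps to absorb clock
    drift. Both comparisons are constant-time."""
    pin_ok = hmac.compare_digest(stored_pin.encode(), submitted_pin.encode())
    code_ok = False
    for k in range(-skew_steps, skew_steps + 1):
        expected = token_code(seed, unix_time + k * step, step, digits)
        code_ok |= hmac.compare_digest(expected.encode(), submitted_code.encode())
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 1_300_000_000  # constructed timestamp (March 2011)
    code = token_code(EXAMPLE_SEED, now)
    print("token shows", code)
    print("seed + correct PIN:", verify_login(EXAMPLE_SEED, EXAMPLE_PIN, EXAMPLE_PIN, code, now))
    print("seed + wrong PIN:  ", verify_login(EXAMPLE_SEED, EXAMPLE_PIN, "0000", code, now))
```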

Online Banking SMS Authentication Messages Open To Attack

RSA are publishing a report warning of increasing attempts by cyber criminals to intercept the online banking SMS messages that are used to authenticate users for online services.

Authentication tokens (normally a random six-digit number or similar code) sent by SMS are becoming more and more popular. For example, the Commonwealth Bank of Australia claims that 80% of its online customers use its NetCode SMS service for authentication, and it has recently announced that the service will now be mandatory for “higher risk” transactions. The knock-on effect will be that hackers increase their efforts to intercept these SMS messages to gain access to online accounts.

This warning comes at a time when it is possible to eavesdrop on GSM phones with cheap off-the-shelf equipment. Of course, a two-step authentication process (username/password followed by an authentication token) is much better than a simple login. However, a better and more secure approach is a hand-held card reader which, in combination with your bank card and PIN, generates a unique one-time code for use during login.

You can read more about this on ZDNet Australia.