The RSA Breach Too Started with a Phishing Email
If there’s one thing the security technology world will find hard to argue with, it’s that most of the biggest and most devastating cyber-attacks, if not all of them, start with a phish. This New Yorker Magazine article talks about North Korea’s army of hackers that steals money from international organizations on behalf of Kim Jong Un’s regime. The article concludes that all their hacks are launched through social engineering, and phishing is the most common form of social engineering.
The security technology world has remained focused on building firewalls and security patches. That’s burying its head in the sand.
Well, the full story of the famous RSA hack has just come out. Reading it feels like watching a blockbuster, and it confirms what we’ve all always known: social engineering is the biggest cybersecurity threat. Why haven’t we dealt with it yet?
Let’s revisit the RSA story a little bit.
The staff involved in the fiasco have been bound by NDAs for the last ten years. The NDAs have just expired and they are now telling the story.
As revealed at the time, the hackers’ target was the secret keys, known as “seeds”, that RSA used to manufacture SecurID tokens. A SecurID token was a small fob carried in the pocket that displayed a six-digit code, which proved its holder’s identity when accessing protected systems.
RSA’s clients included banks, government agencies, defence contractors, and many other mega-corporations around the world. The attack on RSA meant all of those clients were vulnerable. According to Wired, Todd Leetham watched the hackers consolidating the stolen keys on another hacked server in real time. They retrieved the keys from that server seconds before he could delete them.
For weeks, RSA staff were fighting tooth and nail with their attackers trying to stop them from stealing more seeds. At some point, the company was forced to cut off the data centre’s connection to other systems including its manufacturing plant. They completely crippled the company’s operations to prevent further data loss.
Leetham recalls thinking, “This is an extinction event. RSA is over,” as he watched the hackers rummage through their systems. The very thing that the company banked its whole business on was about to be obliterated. Those seeds were the company’s most valuable commodity. RSA’s security guarantees to its clients were based on those seeds.
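To show why a stolen seed is the whole game, here is an added Go example (not from the article, and not RSA’s code). SecurID’s own algorithm is proprietary, so this uses the open RFC 4226/6238 one-time-password standard as an analogue: the seed is the RFC’s published test vector, not a real token seed, and the clock value is the RFC’s test time rather than the current time. The point it demonstrates is that the six-digit code is a pure function of the seed and the clock, so the server that verifies it needs the seed too, and any second copy of the seed produces exactly the codes the genuine token shows.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the counter,
// dynamically truncated to the requested number of decimal digits.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp (RFC 6238) is hotp with the counter taken from the clock: the number
// of step-second intervals elapsed since the Unix epoch.
func totp(seed []byte, unixTime, step int64, digits int) string {
	return hotp(seed, uint64(unixTime/step), digits)
}

// verifyCode is the server side. It recomputes the code for the current
// interval and one interval either side (to tolerate clock drift) and
// compares in constant time. Because it needs the seed to do this, every
// copy of the seed, wherever it lives, is equally able to produce a code
// the server will accept.
func verifyCode(seed []byte, candidate string, unixTime, step int64, digits int) bool {
	base := unixTime / step
	for delta := int64(-1); delta <= 1; delta++ {
		c := base + delta
		if c < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(seed, uint64(c), digits)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the RFC 6238 reference seed (ASCII digits), used
	// here only because its expected codes are published.
	seed := []byte("12345678901234567890")
	secondCopy := append([]byte(nil), seed...) // any other holder of the seed

	now := int64(59) // RFC test time; a real token would use time.Now().Unix()
	fromToken := totp(seed, now, 30, 6)
	fromCopy := totp(secondCopy, now, 30, 6)
	fmt.Println("token displays      :", fromToken)
	fmt.Println("second copy computes:", fromCopy)
	fmt.Println("server accepts copy :", verifyCode(seed, fromCopy, now, 30, 6))
}
```

The server’s only defence once a seed has leaked is to replace the seed, which is exactly the token re-issue RSA had to undertake; no amount of hardening around the verification code changes the fact that the seed is the identity.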
The story is long, but the most interesting part is that when the security analysts finally traced the origin of the breach, it turned out to be a phishing email. One of RSA’s employees in Australia had received an email with the subject “2011 Recruitment Plan” five days before anyone noticed something was amiss. The email had an Excel file attached. He opened the attachment, and a script inside it executed immediately and planted malware known as Poison Ivy on his computer.
Timo Hirvonen, a researcher at F-Secure, analyzed the attack and concluded that its entry point was not sophisticated. The script in the attachment exploited a zero-day vulnerability (a secret, unpatched security flaw) in Adobe Flash. It would never have worked if the victim’s computer had been running an updated version of Windows or Microsoft Office. The script also would not have executed if the victim had lacked the privileges to install programs on a work PC.
Enough of the story. The point is that this devastating attack on RSA started with phishing. Cybercriminals have become innovative with social engineering. It’s a simple way for them to get access to protected systems, and it’s working; they no longer have to use brute force. Security technologists might not want to admit it, but all their work is in vain as long as there is no way to deal with social engineering.
The question is: if cybersecurity firms are unable to protect themselves, how can they protect others?
User Education is not the Solution
Many IT managers would be quick to recommend user education. We all know that these mega-corporations do a lot of that. They have all the resources they need to educate their staff and make them as skeptical as they can be in their interactions online. However, they still get infiltrated. Social engineering can take many forms, and it’s nearly impossible to know which message can be trusted and which one can’t.
Social engineering is looked at as something cybercriminals have only recently resorted to. However, the RSA attack happened in 2011, and to this day the security technology world has not found a solution for social engineering.
They’ve not found a solution because they’ve always been trying to fix the internet. Ever since that MIT research that declared the internet is broken 16 years ago, the security technology world has been trying to fix the internet with security patches and firewalls.
Thanks to social engineering, cybercriminals don’t have to struggle with knocking down your firewalls. They just have to trick you into opening the doors for them. As much as we hate to admit it, it is working wonderfully for them.
Why is it so easy for cybercriminals to trick you into granting them access to your protected spaces?
It’s simply because they can masquerade as people you know and trust. RSA’s employee opened that email believing it came from within the company.
There is a solution, but it requires doing things differently. It’s about accountability and digital signatures from measurably reliable identities.
The Solution is Digital Signatures Everywhere
The solution is finding a trust anchor through which we can reliably measure the trustworthiness of anyone who tries to engage with us online. In other words, we need digital signatures everywhere that are tied to reliable digital identity certificates.
People must be made to act as who they are on the internet. People must be made authentic. Inauthenticity is the sole cause of all the chaos and mayhem that we see on the internet today. When people can hide behind stolen and fake identities, accountability becomes a thing of the past.
PKI (Public Key Infrastructure, which you can think of as a “Puzzle Kit Infrastructure”) is a technology that has been around for several decades but has never been implemented to its full potential. PKI allows the use of true digital signatures. Digital signatures here do not mean the unique patterns that people put down on documents.
In PKI, your device generates two very big numbers. One is private and the other one is public. Using your private number, you create a puzzle that can only be solved by your public number. To digitally sign a file, you attach that puzzle to it. Anyone with your public number can verify that you are the source of the file if that public number solves the puzzle. If it doesn’t, then they know they shouldn’t trust that file.
Watch this three-video series for more context.
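The puzzle-and-public-number mechanism above, and the trust anchor the earlier section calls for, in working form. This is an added Go example using the standard library’s Ed25519 signatures; it is not code from the article or from any PKI product, and the identities, message text and the hard-coded directory of trusted public keys are all constructed for illustration (a real deployment would obtain those public keys from a certificate chain rather than a map). It shows the three outcomes that matter to a recipient: a genuine message verifies, a message from a different key pair claiming the same sender does not, and a message altered after signing does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// identity holds the "two very big numbers": the private key never leaves
// the owner's device, the public key is what everyone else is given.
type identity struct {
	name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newIdentity(name string) identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return identity{name: name, pub: pub, priv: priv}
}

// signedMessage bundles the content with the "puzzle" made from the private
// key. The claimed sender is just a label on the envelope: it is not covered
// by the signature and must never be trusted on its own.
type signedMessage struct {
	claimedSender string
	content       []byte
	signature     []byte
}

func (id identity) sign(content []byte) signedMessage {
	return signedMessage{
		claimedSender: id.name,
		content:       content,
		signature:     ed25519.Sign(id.priv, content),
	}
}

// directory builds the recipient's trust anchor: the public keys it already
// holds for named senders, obtained out of band before any message arrives.
func directory(ids ...identity) map[string]ed25519.PublicKey {
	trusted := make(map[string]ed25519.PublicKey, len(ids))
	for _, id := range ids {
		trusted[id.name] = id.pub
	}
	return trusted
}

// verify looks up the public key the recipient trusts for the claimed sender
// and checks whether it solves the puzzle. False means either no trust anchor
// exists for that name, a different private key made the puzzle, or the
// content changed after it was signed.
func verify(trusted map[string]ed25519.PublicKey, m signedMessage) bool {
	pub, known := trusted[m.claimedSender]
	if !known {
		return false
	}
	return ed25519.Verify(pub, m.content, m.signature)
}

func main() {
	// Constructed identities: one the recipient trusts, one it has never met.
	hr := newIdentity("hr@example.com")
	outsider := newIdentity("unknown")
	trusted := directory(hr)

	genuine := hr.sign([]byte("2011 Recruitment Plan"))
	fmt.Println("genuine message verifies :", verify(trusted, genuine))

	// Same claimed sender and same text, but signed with a different private key.
	impostor := outsider.sign([]byte("2011 Recruitment Plan"))
	impostor.claimedSender = "hr@example.com"
	fmt.Println("impostor message verifies:", verify(trusted, impostor))

	// Content altered after signing; the original puzzle no longer fits it.
	altered := genuine
	altered.content = []byte("2011 Recruitment Plan (revised)")
	fmt.Println("altered message verifies :", verify(trusted, altered))
}
```

The design choice worth noticing is that the sender’s name carries no weight by itself; the only thing the recipient relies on is the public key it already held before the message arrived. That is what turns “this came from within the company” from a guess into something that can be checked.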
The rush to build the next impenetrable security patch or firewall is not going to solve the cybersecurity menace. Security technology professionals need to come to terms with the fact that as long as there’s inauthenticity online, all their work will always be in vain. Sooner or later, someone in the networks and systems they’ve worked so hard to secure will be tricked into granting access to criminals. One social engineering attack is all it would take to bring down an entire corporation.