Open Hypervisor - Home

The Latest News

Isolating Spears

Karlsruhe, July 28, 2011

RSA, the security company founded by the inventors of the RSA algorithm, was hacked after an employee opened an e-mail attachment that claimed to contain recruitment information. In fact, the attachment carried a zero-day exploit for Adobe Flash. The code it executed began to ferry seed data used with RSA's SecurID tokens to the attacker. This data was subsequently used to attack Lockheed Martin. In the end, RSA offered to replace the tokens (see [1, 3] for details). This kind of attack is called spear-phishing, because a small group of specifically selected victims is targeted.

Some comments on the web said that it was the employee's fault, as he should never have opened an attachment from an untrustworthy sender, in particular one that his spam filter had already filtered away [2, 4]. Analysts also stated that RSA should have invested more in training its employees.

However, is it really the employee's fault that he looked for a better job and into his inbox? We also know that spam filters sometimes remove important mails. We think that bullet-proof compartmentalization would be a beneficial tool in such cases. It would enable personnel at critical infrastructures to isolate and examine suspicious files separately from the rest of the system, e.g., in a separate (throw-away) compartment. Alternatively, all e-mails, or, in this case, all filtered mails, can be held within a separate compartment. To get selected information into the corporate system, filters can be configured. Additionally, a central admin-monitored and logged drive can be implemented for inspection and quarantining. In this way, compartmentalization can evolve into a useful security tool against spear-phishing.
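To make the flow described above concrete, here is an added example (not code from the Open Hypervisor project) that models the path a file takes from a throw-away mail compartment into the corporate compartment via an admin-monitored, logged quarantine drive. The filter rules, the compartment names and the sample attachments are constructed for illustration; the hypervisor itself would enforce the isolation, this script only shows the policy and audit logic that sits on top of it.

```python
"""Quarantine drive between a throw-away mail compartment and the corporate side.

Added illustration, not part of the original post.  Rules, file names and
compartment names are constructed assumptions.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

HELD, RELEASED, REJECTED = "held", "released", "rejected"


@dataclass(frozen=True)
class TransferPolicy:
    """Configured filter: what may leave the mail compartment without a human."""
    auto_release_extensions: frozenset = frozenset({".txt", ".csv"})
    # Hypothetical corporate rule: active content never crosses automatically or manually.
    never_release_extensions: frozenset = frozenset({".exe", ".swf"})
    max_auto_bytes: int = 1 << 20  # larger files always wait for inspection


@dataclass
class QuarantineDrive:
    """Central, admin-monitored drive; every decision is appended to the audit log."""
    policy: TransferPolicy = field(default_factory=TransferPolicy)
    audit_log: list = field(default_factory=list)
    held: dict = field(default_factory=dict)       # sha256 -> (name, bytes) awaiting review
    corporate: dict = field(default_factory=dict)  # sha256 -> (name, bytes) released

    def _record(self, actor, verdict, filename, digest, reason):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "verdict": verdict,
            "file": filename,
            "sha256": digest,
            "reason": reason,
        }
        self.audit_log.append(entry)
        return entry

    def submit(self, filename, data, source_compartment):
        """Called from the mail compartment; returns the verdict for this file."""
        digest = hashlib.sha256(data).hexdigest()
        ext = os.path.splitext(filename)[1].lower()
        if ext in self.policy.never_release_extensions:
            self._record(source_compartment, REJECTED, filename, digest,
                         f"extension {ext} is never released")
            return REJECTED
        if (ext in self.policy.auto_release_extensions
                and len(data) <= self.policy.max_auto_bytes):
            self.corporate[digest] = (filename, data)
            self._record(source_compartment, RELEASED, filename, digest,
                         "matched auto-release filter")
            return RELEASED
        # Everything else stays on the drive until an admin has looked at it.
        self.held[digest] = (filename, data)
        self._record(source_compartment, HELD, filename, digest,
                     "awaiting admin inspection")
        return HELD

    def admin_release(self, admin, digest):
        """Manual release after inspection; the admin's name lands in the log."""
        if digest not in self.held:
            raise KeyError("file is not in quarantine")
        filename, data = self.held.pop(digest)
        self.corporate[digest] = (filename, data)
        self._record(admin, RELEASED, filename, digest,
                     "released after manual inspection")
        return RELEASED


def demo():
    """Run three constructed attachments through the drive."""
    drive = QuarantineDrive()
    verdicts = (
        drive.submit("recruitment_info.swf", b"FWS" + b"\0" * 64, "mail-compartment"),
        drive.submit("notes.txt", b"meeting at 10", "mail-compartment"),
        drive.submit("report.pdf", b"%PDF-1.4 constructed sample", "mail-compartment"),
    )
    return drive, verdicts


if __name__ == "__main__":
    drive, verdicts = demo()
    print(verdicts)
    for entry in drive.audit_log:
        print(entry["verdict"], entry["file"], entry["reason"])
```

The point of the design is that the only way across the boundary is through `submit` and `admin_release`, so the audit log is a complete record of what left the mail compartment, who let it out, and why; the hash lets an admin later tie a released file back to the log entry.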

References

[1] Coviello, Art: Open Letter to RSA SecurID Customers. June 6, 2011. http://www.rsa.com/node.aspx?id=3891

[2] Litan, Avivah: RSA SecurID attack details unveiled - lessons learned. April 1, 2011. http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better

[3] Rivner, Uri: Anatomy of an Attack. April 1, 2011. http://blogs.rsa.com/rivner/anatomy-of-an-attack/

[4] Strassmann, Paul: Cyber Attack on RSA. April 3, 2011. http://pstrassmann.blogspot.com/2011/04/cyber-attack-on-rsa.html