RSA discloses phishing-attack data breach details

RSA, the security division of EMC, has revealed the firm's data breach in mid March was the result of a spear phishing attack. The spear phishing attack exploited an Adobe Flash vulnerability that was unpatched at the time.

RSA quickly reported it had suffered a breach of information related to the firm's SecurID two-factor authentication product, but has since been tight-lipped on details.

The company has faced strong criticism of its approach, but the secrecy was aimed at keeping the attackers in the dark as much as possible while the breach was being investigated, executives told Computer Weekly.

In a conference call with analysts on Friday, however, RSA revealed that a small group of RSA employees was targeted by phishing e-mails.

According to Gartner analyst Avivah Litan, the phishing e-mail displayed the title "2011 Recruitment Plan" in the subject line.

The e-mails landed in the users' junk folders. "At least RSA's SPAM filters were working, even if their social engineering training for employees was not," Avivah Litan wrote in a blog post.

Attached to the e-mail was an Excel spreadsheet that exploited the recently discovered Adobe Flash zero-day flaw, CVE-2011-0609, which was unpatched at the time, to install a trojan on the recipient's machine.

With the trojan installed, the attackers harvested credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system, said Litan.

The targeted data and files were stolen and sent to a compromised external machine at a hosting provider. RSA detected the attack using its NetWitness network-monitoring product and stopped it before more damage could be done.

"RSA came clean and told its customers immediately about the attack (which is something other companies have not done) and should be credited for handling a bad situation as well as it can," said Litan.

But, she said, they relied on yesterday's best-of-breed tools to prevent and detect the attack, which means RSA was unable to stop the attack in real time.

RSA sells fraud detection systems based on user and account profiling that use statistical Bayesian models and rules to spot abnormal behaviour and intervene in real time to re-authenticate users and verify the authenticity of suspect access, behaviour or transactions.

"They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems," said Litan.

RSA needs to make it possible for the innovation to bubble up quickly into products and services they not only sell and implement at customer sites, she said, but that they use themselves internally.
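The following is an added illustration, not code from RSA, Gartner or Computer Weekly, of what the profiling approach Litan describes looks like when pointed at internal access logs rather than customer transactions. It builds a per-account naive-Bayes profile (time-of-day bucket, source host, target system) from a baseline window, scores each new event by how surprising it is under that account's own history, layers a simple entitlement rule on top, and returns allow, re-authenticate or block. All account names, host names, systems and log records are constructed for the example; the escalation sequence merely mirrors the pattern the article describes (a harvested non-IT account, then an admin account used from an unusual host).

```python
import math
from collections import Counter, defaultdict

# Constructed baseline window of normal internal access events for two accounts.
# Fields: (user, hour_of_day, source_host, target_system). These records, hosts
# and system names are made up for this example; none of it is RSA data.
BASELINE = [
    ("hr-clerk", 9,  "ws-hr-01", "hr-portal"),
    ("hr-clerk", 10, "ws-hr-01", "hr-portal"),
    ("hr-clerk", 11, "ws-hr-01", "file-share"),
    ("hr-clerk", 14, "ws-hr-01", "hr-portal"),
    ("hr-clerk", 15, "ws-hr-01", "hr-portal"),
    ("hr-clerk", 16, "ws-hr-01", "file-share"),
    ("sysadmin", 8,  "ws-it-07", "jump-host"),
    ("sysadmin", 9,  "ws-it-07", "seed-server"),
    ("sysadmin", 13, "ws-it-07", "jump-host"),
    ("sysadmin", 14, "ws-it-03", "seed-server"),
    ("sysadmin", 17, "ws-it-07", "file-share"),
]

# Hypothetical entitlement rule layered on top of the statistical model.
PRIVILEGED_TARGETS = {"seed-server"}
PRIVILEGED_USERS = {"sysadmin"}

ALPHA = 1.0    # additive (Laplace) smoothing: unseen values get non-zero mass
MARGIN = 1.0   # one nat: flag events roughly e times less likely than the rarest baseline event


def hour_bucket(hour):
    if 8 <= hour < 18:
        return "business"
    if 18 <= hour < 22:
        return "evening"
    return "night"


def features(event):
    user, hour, host, target = event
    return user, {"hour": hour_bucket(hour), "host": host, "target": target}


def build_profiles(events):
    """Per-user categorical profile: one Counter per feature plus the event total."""
    profiles = defaultdict(lambda: {"n": 0, "counts": defaultdict(Counter)})
    for event in events:
        user, feats = features(event)
        profiles[user]["n"] += 1
        for name, value in feats.items():
            profiles[user]["counts"][name][value] += 1
    return profiles


def surprise(profile, feats):
    """Negative log-likelihood of an event under the account's own naive-Bayes profile.
    Features are treated as independent; an unseen value shares one smoothed
    pseudo-category, so it is penalised but never scored as impossible."""
    n = profile["n"]
    total = 0.0
    for name, value in feats.items():
        counts = profile["counts"][name]
        k = len(counts)  # distinct values seen so far for this feature
        p = (counts.get(value, 0) + ALPHA) / (n + ALPHA * (k + 1))
        total -= math.log(p)
    return total


def calibrate(profiles, events):
    """Per-user threshold: the rarest baseline event under its own profile, plus MARGIN."""
    worst = defaultdict(float)
    for event in events:
        user, feats = features(event)
        worst[user] = max(worst[user], surprise(profiles[user], feats))
    return {user: w + MARGIN for user, w in worst.items()}


def decide(event, profiles, thresholds):
    """Return (decision, score, reasons); decision is allow, re-authenticate or block."""
    user, feats = features(event)
    if user not in profiles:
        return "re-authenticate", float("inf"), ["no baseline profile for account"]
    profile = profiles[user]
    score = surprise(profile, feats)
    reasons = [f"unseen {name}={value}" for name, value in feats.items()
               if value not in profile["counts"][name]]
    # Rule overlay: an account with no entitlement to a privileged target is stopped
    # outright, however ordinary the rest of its behaviour looks.
    if feats["target"] in PRIVILEGED_TARGETS and user not in PRIVILEGED_USERS:
        reasons.append("account not entitled to privileged target")
        return "block", score, reasons
    if score > thresholds[user]:
        reasons.append(f"surprise {score:.2f} > threshold {thresholds[user]:.2f}")
        return "re-authenticate", score, reasons
    return "allow", score, reasons


# Constructed sequence modelled on the escalation described in the article.
ATTACK_SEQUENCE = [
    ("sysadmin", 10, "ws-it-07", "seed-server"),  # ordinary admin activity
    ("hr-clerk", 2,  "ws-hr-01", "file-share"),   # harvested non-IT account, off-hours
    ("hr-clerk", 2,  "ws-it-07", "seed-server"),  # lateral move to the crown jewel
    ("sysadmin", 3,  "ws-hr-01", "seed-server"),  # admin credentials from a non-IT host
]


def run(events=ATTACK_SEQUENCE, baseline=BASELINE):
    profiles = build_profiles(baseline)
    thresholds = calibrate(profiles, baseline)
    return [decide(e, profiles, thresholds)[0] for e in events]


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    thresholds = calibrate(profiles, BASELINE)
    for event in ATTACK_SEQUENCE:
        decision, score, reasons = decide(event, profiles, thresholds)
        print(f"{decision:16} {score:5.2f}  {event}  {'; '.join(reasons)}")
```

The design choice worth noting is the split between the two layers: the Bayesian score catches behaviour that is merely unusual for that account (off-hours use, a workstation it never came from) and answers with step-up authentication, while the entitlement rule is a hard stop that does not depend on how much history exists. Thresholds are calibrated per account from its own baseline, so a quiet HR account and a busy administrator are not held to the same absolute likelihood; with a real log volume one would calibrate on a held-out window rather than the training events themselves.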
