Adobe issued a security advisory on March 14 warning users that a vulnerability had been discovered in Adobe Flash, as well as the authplay.dll function included in Adobe Reader and Adobe Acrobat. The flaw was being exploited in limited attacks which included a malicious Flash (SWF) file embedded within a Microsoft Excel (XLS) file attachment. Apparently, someone within RSA received that email attachment, opened the Excel file, and clicked on the Flash file–compromising his PC and giving the attackers complete access to the system.
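As an added illustration (not part of the original article or of Adobe's advisory), a small defender-side check for the attachment pattern described above: it scans a legacy Excel file for Flash (SWF) headers. The OLE compound-file magic is the real signature of .xls files; the sample blob, its decoy signatures and the Flash body are constructed, and the plausibility thresholds are this example's own assumptions.

```python
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound-file signature
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")           # uncompressed, zlib-, LZMA-compressed Flash

def find_embedded_swf(data: bytes, max_version: int = 40):
    """Return sorted (offset, signature, version, declared_length) tuples for every
    plausible SWF header in `data`. An SWF header is a 3-byte signature, a 1-byte
    version and a 4-byte little-endian length (uncompressed size for CWS/ZWS);
    the sanity checks drop byte runs that merely happen to spell a signature."""
    hits = []
    for sig in SWF_SIGNATURES:
        off = data.find(sig)
        while off >= 0:
            if off + 8 <= len(data):
                version = data[off + 3]
                (length,) = struct.unpack_from("<I", data, off + 4)
                # Assumed thresholds: a real header has a sane version and is at least 8 bytes long.
                if 1 <= version <= max_version and length >= 8:
                    hits.append((off, sig.decode(), version, length))
            off = data.find(sig, off + 1)
    return sorted(hits)

def is_xls_with_flash(data: bytes) -> bool:
    """True when the blob is a legacy Office compound file that carries a Flash header."""
    return data.startswith(OLE_MAGIC) and bool(find_embedded_swf(data))

# Constructed sample: an OLE header, two decoy signatures that fail the sanity
# checks, then a zlib-compressed (CWS) Flash file with a made-up body.
FLASH_BODY = b"constructed-swf-payload"
FAKE_SWF = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(FLASH_BODY)) + zlib.compress(FLASH_BODY)
SAMPLE_XLS = (
    OLE_MAGIC + b"\x00" * 24             # offsets 0..31: compound-file header and padding
    + b"FWS\x00" + b"\x00" * 4           # offset 32: version 0 -> rejected
    + b"ZWS\x05" + struct.pack("<I", 3)  # offset 40: length shorter than a header -> rejected
    + FAKE_SWF                           # offset 48: the embedded Flash file
)

if __name__ == "__main__":
    for off, sig, ver, length in find_embedded_swf(SAMPLE_XLS):
        print(f"SWF header at offset {off}: {sig} v{ver}, declared length {length}")
    print("flag attachment:", is_xls_with_flash(SAMPLE_XLS))
```

Such a scan only catches Flash stored in the clear inside the file; it is a triage signal for mail gateways, not a substitute for patching authplay.dll and the Flash runtime.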
Adobe released an update for Flash, Acrobat, and Reader (except for Reader X for Windows because the sandbox security already mitigates the threat) about a week after announcing the zero-day threat. I don’t know if RSA has implemented those updates yet, but hopefully it has.
The lesson here is that even if you are RSA–a company virtually synonymous with security, the namesake of the biggest security conference of the year, provider of two-factor authentication solutions relied on to protect systems and data around the globe–one well-timed social engineering attack and a little human error are all it takes for an attacker to get inside and gain access to sensitive information.
The bonus lesson is that it is bad PR to call an attack “extremely sophisticated”, and then have to face the embarrassment when it is discovered that it was just an average, ordinary phishing attack–especially for a security company.
The information shared in the letter is concerning for customers, but what is even more concerning at this point is what is not being shared. RSA has been sparing with details–basically just saying that it is “confident” there is no immediate threat of an exploit resulting from the hack, and that it has “no evidence” that any other products are impacted. Other than that, RSA just wants customers not to panic, and to have faith that RSA has everything under control.
Art Coviello’s letter states, “As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”
The problem is deciding who gets to define “as appropriate”. Many customers feel it would be “appropriate” for RSA to be much more forthcoming with details about what information, specifically, was compromised by the hack so customers can better understand the threat and be armed with information necessary to determine the scope and impact of the potential threat, and take proactive steps to guard against any potential SecurID hacks.
Perhaps RSA is unsure whether the attackers even really realize what they have, and fears that divulging too many details could exacerbate the problem by pointing would-be attackers in the right direction. That seems like a reasonable possibility. But, for now RSA is just being vague about the details of the SecurID hack, and what RSA isn’t saying seems to be more revealing than what RSA is saying.
For those who may be out of the loop, “jailbreak” is the term used for circumventing the security controls of iOS and gaining root access to hack the device and let you customize and configure it in ways that Apple would never allow.
Many people swear by jailbreaking, and consider it a “right” of sorts that they should be able to modify their iGadget of choice to fit their needs without getting Steve Jobs’ approval. Fair enough. But, the fact that iOS is so easily hacked to gain root access is not a great sign for the security of the mobile OS overall.
As organizations embrace smartphones and consider deploying tablets en masse, the security and stability of the platform are important factors to consider. There are a growing number of enterprise tools coming to market to enable IT admins to configure, monitor, and maintain remote devices like smartphones and tablets, and some of those are able to identify devices that have been jailbroken.
That is at least a band-aid, or a step in the right direction. But, Apple should be looking seriously at what it can do to protect iOS and prevent jailbreaking. No software is perfect, but iOS 4.3 was hacked in under 24 hours. Breaking into the OS should at least be a challenge requiring some effort and not just a trivial walk in the park.