About a year ago, I wrote a post about an interesting experiment conducted by three researchers at the University of Michigan, which revealed that RSA 1024-bit private key encryption could be cracked using a simple and inexpensive piece of hardware.
However, the case of the current successful attack carried out on the network of the US defense contractor tells a slightly different story about RSA SecurID systems and their impenetrability, in particular, and about network security, in general. Although one could argue that successfully targeting a major player in the military industry and compromising the infrastructure of an organization whose purpose is actually to provide protection are the highlights in this case, I strongly believe that the focus should be elsewhere. If we dissociate the circumstances from the names of the actors involved in this troublesome situation, the focus should be on the following three aspects pertaining to computer security:
First and foremost, the RSA data heist was based on one of the simplest (yet, as we can see, most efficient) methods of unauthorized information harvesting, i.e. a combination of a targeted spam campaign and a phishing raid exploiting an Adobe Flash zero-day vulnerability. This proves – once again – that old-school cybercrime methods are still valid and productive, as long as there is a weak link to be exploited in the security chain.
This leads us to the second important aspect in this case, i.e. the human factor. No matter how advanced a defensive system is, all you need to breach it is a refined social engineering mechanism and some gullible users. This is more than enough to circumvent spam filters or bypass a security suite, not to mention bringing an entire organization to its knees.
Last but not least, I guess that this case clearly shows that IT&C security is never a local or individual issue. With the advent of Web 3.0, designing and implementing network and resource defense based on an insular strategy, without taking into consideration the scale of interconnectivity or, to be more specific, the interdependence of the safety devices and tools at work, is as perilous as securing your home front door with a single lock (the key to which you decide to hide under your very own mat, in the end).
Safe surfing, everybody!