So how did all of this happen to a company of such reputation in the field of security? It’s been reported (unconfirmed by RSA) that access was gained through a phishing email targeting employees in the HR department, carrying an Excel spreadsheet entitled “2011 Recruitment Plans” and a body text of nothing but “I forward this file to you for review. Please open and view it.” No signature, no name, no contact information, and presumably unsolicited. All it took was for someone to trust that the mail was legitimate, open the attachment, and unwittingly let the code execute. Supposedly in this case it was an exploit in Adobe Flash, embedded in the spreadsheet, that allowed the real attack to be executed, but simple phishing provided the entry point.
So what point am I trying to drive home here? Hackers don’t need to rely on a toolkit of scripts and exploits to gain unauthorized access to networks. Sophistication isn’t a prerequisite for successfully finding a point of intrusion – even primitive social engineering schemes like this one were enough to break into a company like RSA. So next time you get an email that’s asking you for personal information, or someone’s asking questions that are getting a bit too personal, do yourself a favor and don’t answer them, whether it’s over the phone, via email or on the web. Ask your service provider if what you received was really from them and legitimate, and consult one of your nerd friends.
And go buy some antivirus software, I know too many of you are running systems without.