So how did all of this happen to a company of such reputation in the field of security? It’s been reported (unconfirmed by RSA) that access was gained through a phishing email targeting employees in the HR department with an excel spreadsheet entitled “2011 Recruitment Plans” and a body text of nothing but “I forward this file to you for review. Please open and view it.” No signature, no name, no contact information and presumably unsolicited. All it took was for someone to trust that the mail was legitimate, open the attachment, and unwittingly let the code execute. Supposedly in this case it was an exploit in Adobe Flash that allowed the real attack to be executed, but simple phishing provided the entry point.
So what point am I trying to drive home here? Hackers don’t need to rely on a toolkit of scripts and exploits to gain unauthorized access to networks. Sophistication isn’t a prerequisite for successfully finding a point of intrusion – even primitive social engineering schemes like this one were enough to break into a company like RSA. So next time you get an email that’s asking you for personal information, or someone’s asking questions that are getting a bit too personal, do yourself a favor and don’t answer them, whether it’s over the phone, via email or on the web. Ask your service provider if what you received was really from them and legitimate, and consult one of your nerd friends.
And go buy some antivirus software, I know too many of you are running systems without.
Article comments
1 - Hyperventilatie
It's those attacks where you might lose personal data that are scary indeed. My father was logged into his online banking site a couple of weeks ago when a pop-up asked for his password. Just as a confirmation for the bank. Turned out that was a hacker who was trying to get his information (it had been all over the news, so he knew something was off)
2 - Igor
Never conduct banking business from a computer: it's just too easy to steal. I worked for many years in computer software, and for many years in banking: it's all a house of cards. Bankers are both mentally incompetent and dishonest. For example, no banker I worked with EVER had a balance sheet that balanced out without a "fudge factor", which was usually alarmingly big. No banker I worked with ever really knew if his bank was actually solvent.
Now, I actually walk into my bank and make a cash transaction. When I get a check I walk into a branch of the issuing bank, produce the check and my passport, and withdraw cash. Then I walk into my bank and make a cash deposit.
Of course, I could get held-up by a bandit, but even then I would net out positive on my history of transactions, even if all you count are the accounts that were escheated.