AT A SECURITY CONFERENCE in Spain led by Kaspersky Lab, high-level figures from RSA Security and Adobe talked about the infamous incident earlier this year that saw RSA SecurID information taken in a zero-day attack.
Criminals used a zero-day vulnerability in Adobe Flash Player to penetrate RSA defences through a Flash file embedded in an Excel email attachment. The spear phishing email, disguised as a recruitment form, targeted regular employees of RSA Security. It breached the RSA systems even though it first went to Microsoft Outlook's spam folder.
Criminals then managed to install malware called 'Poison Ivy', which established a connection to the hackers' command and control server and requested commands from the network.
"I talked to a major defence contractor. They said welcome to the club," said Uri Rivner, head of new technologies at RSA Security.
"We have a lot of evidence about what happened to us and what happened to other folks, that the team that hacked us is very organised and had a lot of practice. I can compare them to the Navy SEALs Team Six, which hit Osama Bin Laden."
"Think about this sort of group, very organised and experienced, going after specific targets, with most of the activity you never know about."
David Lenoe, head of product security and incident response at Adobe, speaking at the same event, said, "I think at the time we had already been aware of the vulnerability, so RSA didn't need to report it to us. We were working on a fix at that point."
"We do have a good relationship with RSA, but in this specific case we didn't need a lot of collaboration because it was a known issue. But as soon as we hear of a new exploit in the wild, our concern is not so much how it got done, it's about getting the issue fixed and getting it out to customers as quickly as possible."
"I think it's the world we're living in. This stuff is happening and it's not so much about pointing fingers, it's more about sharing information. Whether it's about customers or vendors." µ