I think even I have received that one.
As the company is too small to have a recruitment plan at all, I wasn't fooled.
The theft of secret data related to RSA's SecurID tokens used by 40 million employees to access sensitive networks likely started with a 13-word email, evidence uncovered through a researcher's dogged sleuthing suggests. “I forward this file to you for review,” the unsigned email, sent to four employees of RSA's parent company …
And RSA showed they really master it!
If I get it correctly, remote control software being installed by the doctored Excel file means lower-level employees were having admin rights on their PCs, No really, why do they pay those security architects for ?
SPF and public key crypto have been around for some time now and still an impressive string of very important companies were being penetrated like melting butter because they didn't bother to use them ?
Nice and cuddly guys you 2 are, wanting to fire the guilty. Makes me feel the warm fuzzies.
Not to mention, incompetent yourself. If your cunning security scheme for the company is to hope that somehow, no employee will ever open bogus emails, you're idiots. Three times over.
More to the point is the poster who questions why the PCs were unprotected enough that the malware had admin rights when running. Then how the malware remained undetected locally and the network subsequently detected no intrusions.
Perhaps, as another poster stated, if these computers were sensitive, why where they running Windows? And, packing Flash, a known attack vector?
Also to the point is why Excel is dumb enough to run Flash and why that kind of crap can't be easily filtered out of Excel's exec privileges. Look, I can't even open Excel without it warning me about my own macros. How much does one care about Excel macro warnings when it is dumb enough to repeatedly warn me about my own code?
What is the use case for Excel spreadsheets having embedded Flash? I suspect it is the same use case as Outlook emails running scripts up until a few years ago - M$ finds it extends the user experience and damn the security.
Solely blaming a silly end user for this epic fail should be the last thing a serious security person should do.
You idiot, of course Excel needs Flash ... otherwise who would both to watch the presentations, or even both to open .xls files from the accountants. Management demand Flash be installed so that they can produce attractive Company Reports.
Some people! They just have no idea how companies are really run! You probably think I went to the Harvard Business School for the degree ... Dude, really!
...thanks to the "helpful feature" that is Microsoft's COM, any ActiveX plugin can be inserted into office documents. Of course, Microsoft doesn't care about how flawed and insecure COM is, especially as a feature in Office documents. But why have security when you can have buzzwords and lock-in?
The bigger question is why is a computer with access to secure information being used to access the internet. We develop software. We have a desktop and laptop on every desk. Separate networks, MAC filtering. Desktops are secure, laptops are not. Signs all over the place. Little red stickers on every case, display, keyboard, and USB hub to mitigate any confusion. Anyone who transgresses gets fined or fired. It's in everyone's employment contract including mine. And yes, I have fired employees for exposing IP.
When security is given the correct priority within an organization IP mysteriously becomes secure.
So your network is totally secured?
"When security is given the correct priority within an organization IP mysteriously becomes secure."
You are 100% sure your network is totally secure? Then explain this:
"And yes, I have fired employees for exposing IP."
So it appears you live in a glass house and it has fallen more than once.
RSA uses Windows (fail), does not have enough in-depth security (fail), has never trained staff about basic security (fail). Or worse, a top manager opened that email. A manager of the kind that WANT to have admin access to everything, and is so dull and gullible that he is the perfect target for every phishing scam in the world. Either way, this is an EXTRA SUPER DUPER FAIL.
"...crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file" ???
I wonder how much money these guys have lost to 409 scams and by ordering fake pills. After all, it seems that just about *any* spam is "crafted well enough" for these types.
"Hi, I'm a signature virus. Please copy and paste me to your sig file."
What a shambles. They went to the trouble of finding the virus code and exploit, shared it with the anti-virus community, but since it was actually inside the email (which they could have opened and found the exploit code inside the Excel attachement), it went completly un-noticed?
This is one of the biggest failings of the AV industry - still entirely reliant on signature based recognision of dodgy files, dependant on the assumption people are prepared to send them the malware in the first place.
You can see why simple 0day exploit code and custom malware is both trivial to write, and trivial to avoid detection, with all the patching and AV in the world failing to protect you.