Westpac may have to replace tens of thousands of RSA SecurID tokens after a successful breach of RSA, the tokens' vendor, and the exposure of a previously unknown security flaw.
The attack has been linked to Adobe Systems’ Flash Player and to remote-control software associated with Chinese espionage efforts, RSA has disclosed.
According to Westpac sources, the bank was told about the problem two weeks ago, but as of this weekend Westpac customers, who use the tokens to authorise transfers between accounts, had not been advised of the security problem.
RSA says it advised various Australian Federal Government departments and Westpac to revisit their access policies. The Financial Times reported that the lack of detail on the attack has frustrated RSA customers and fanned speculation, with some in the security industry saying the damage was limited and others saying the tens of millions of SecurID tokens in use should be replaced.
In a conference call with industry analysts on Friday, RSA, which is owned by EMC, shed no more light on what the attackers had obtained.
Company officials said the attackers e-mailed groups of employees at RSA, a unit of the storage company EMC, and that the e-mails carried a Microsoft Excel spreadsheet attachment labelled “2011 Recruitment Plan”.
When opened, the attachment exploited a vulnerability then present in most versions of Flash Player, since fixed by Adobe software updates, which gave the attackers control of at least one employee’s machine. The remote-control software was a variant of Poison Ivy, a remote-access tool also used in GhostNet, which analysts described as a large Chinese espionage operation.
From that foothold the attackers harvested the login credentials of further RSA users, connected to other employees’ machines and escalated the level of access those accounts held, eventually reaching computers holding information about how SecurID works. The data were encrypted and transferred out of the company.
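The chain described above (a phishing attachment, an Office application spawning an implant, an outbound command-and-control connection, then credential reuse against other hosts) is the pattern endpoint detection rules are written to catch. The following Python is an added example, not code from the article or from RSA: it runs a simple correlation over constructed endpoint events (hostnames, process names, paths and addresses are all made up) and emits one finding per Office-spawned process that also reached the network, listing the later remote logons from that host as candidate lateral movement.

```python
from dataclasses import dataclass, field

# Office applications that should rarely spawn other executables.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children Office legitimately spawns (e.g. the print-spooler helper); tune per estate.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}
# How long after the first beacon to look for remote logons from the same host.
LATERAL_WINDOW_SECS = 6 * 3600


@dataclass
class Event:
    ts: int                  # seconds since epoch (constructed)
    host: str                # host that generated the event
    kind: str                # "process", "network" or "logon"
    data: dict = field(default_factory=dict)


# Constructed sample telemetry in a simplified EDR-style shape; not RSA's logs.
# Logon events are recorded on the *source* host together with the machine reached.
SAMPLE_EVENTS = [
    Event(1000, "WS-HR-03", "process", {"pid": 400, "ppid": 1, "image": "outlook.exe"}),
    Event(1010, "WS-HR-03", "process", {"pid": 512, "ppid": 400, "image": "excel.exe",
                                        "cmdline": '"2011 Recruitment Plan.xls"'}),
    # The exploit drops and runs an implant masquerading as a system binary.
    Event(1012, "WS-HR-03", "process", {"pid": 640, "ppid": 512, "image": "svchost.exe",
                                        "cmdline": r"C:\Users\hr\AppData\Local\Temp\svchost.exe"}),
    Event(1020, "WS-HR-03", "network", {"pid": 640, "dst": "203.0.113.45", "dport": 443}),
    # Benign activity on the same host: Excel printing.
    Event(1500, "WS-HR-03", "process", {"pid": 700, "ppid": 400, "image": "excel.exe"}),
    Event(1501, "WS-HR-03", "process", {"pid": 710, "ppid": 700, "image": "splwow64.exe"}),
    # Later remote logons from the compromised host using harvested credentials.
    Event(3000, "WS-HR-03", "logon", {"type": 3, "user": "hr_user", "target": "WS-ENG-11"}),
    Event(3600, "WS-HR-03", "logon", {"type": 3, "user": "eng_admin", "target": "SRV-SECURID-01"}),
    # A different host doing ordinary work.
    Event(2000, "WS-OPS-02", "process", {"pid": 300, "ppid": 1, "image": "winword.exe"}),
    Event(2001, "WS-OPS-02", "process", {"pid": 310, "ppid": 300, "image": "splwow64.exe"}),
    Event(2100, "WS-OPS-02", "logon", {"type": 3, "user": "ops", "target": "FILESRV-01"}),
]


def find_attack_chains(events):
    """Correlate Office-spawned process -> outbound connection -> remote logons.

    Returns one finding per Office child process that also reached the network,
    in time order. PIDs are assumed unique per host within the sample; on a real
    estate key on a process GUID instead, because PIDs are reused.
    """
    events = sorted(events, key=lambda e: e.ts)
    procs = {(e.host, e.data["pid"]): e for e in events if e.kind == "process"}
    findings = []
    for child in events:
        if child.kind != "process":
            continue
        parent = procs.get((child.host, child.data["ppid"]))
        if parent is None or parent.data["image"] not in OFFICE_APPS:
            continue
        if child.data["image"] in BENIGN_OFFICE_CHILDREN:
            continue
        # Stage 2: the spawned process itself talked outbound.
        beacons = [n for n in events
                   if n.kind == "network" and n.host == child.host
                   and n.data["pid"] == child.data["pid"] and n.ts >= child.ts]
        if not beacons:
            continue  # Office spawning something odd is a lead, but not this rule's hit
        first = beacons[0]
        # Stage 3: remote (type 3) logons from the same host after the beacon.
        lateral = sorted({l.data["target"] for l in events
                          if l.kind == "logon" and l.host == child.host
                          and l.data["type"] == 3
                          and first.ts <= l.ts <= first.ts + LATERAL_WINDOW_SECS})
        findings.append({
            "host": child.host,
            "parent": parent.data["image"],
            "child": child.data["image"],
            "child_cmdline": child.data.get("cmdline", ""),
            "c2": f'{first.data["dst"]}:{first.data["dport"]}',
            "lateral_targets": lateral,
            "stage": 3 if lateral else 2,
        })
    return findings


if __name__ == "__main__":
    for finding in find_attack_chains(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the rule ignores Excel's print helper on both hosts and the unrelated logon from WS-OPS-02, and reports a single stage-3 finding for WS-HR-03: the implant spawned by Excel, its first outbound connection, and the two machines subsequently reached from that host. The allowlist and the lateral-movement window are the two knobs that decide the false-positive rate in practice; the rule is deliberately strict (the child must itself beacon) so that a lone odd child process becomes a lead for a looser rule rather than an alert here.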
In a blog post, RSA executive Uri Rivner said that the rash of major breaches at big western companies showed that the industry as a whole needed to share information and come up with better defences. He said security firms should “define and execute a new defence doctrine based on information sharing, deep analytics and advanced threat management”.