As you may remember, RSA, the Security Division of EMC Corporation, suffered a security attack last month. It’s completely ironic, because one of RSA’s jobs is to prevent these kinds of information security attacks.
If you want to know the details, there is a lot of information on the Internet.
You can just Google it and you’ll find hundreds of articles and posts related to this incident.
In this post I will focus on the role of the Flash Platform in this incident.
First of all, yes, the security attack was possible because of a security problem in the Flash Platform.
During the days of the attack on RSA, Adobe was being questioned about some security problems with the player, specifically with a Flash movie inserted into a Word document or an Excel document. This second type of vulnerability made the attackers’ information gathering possible. In the words of RSA:
The attacker sent two different phishing e-mail messages over a two-day period with a subject line of “2011 Recruitment Plan” to two small groups of employees who weren’t considered particularly high profile or high-value targets.
The e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder and open the attached Excel file. It was a spreadsheet named “2011 Recruitment plan.xls”.
The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash Vulnerability.
The vulnerability they were talking about is CVE-2011-0609. Today it is already fixed, but imagine the damage a third-party product can cause to an information security firm.
You can see the attack was planned carefully, because the e-mail was only sent to the less protected employees. I’m sure that if the e-mail had been sent to a security engineer it wouldn’t have had the same effect.
Incidents like this prove one of the famous phrases in information security:
A chain is only as strong as its weakest link
People in administrative areas are often less secure than those in other areas, and their security knowledge and culture are completely different. That’s why they tend to be one of the main targets of attacks on a company.
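The attachment in this incident was an Excel file carrying a Flash movie, so one triage check a mail gateway or analyst can run is to look for SWF headers inside legacy Office attachments. The sketch below is an added example, not code from RSA or Adobe; the function names, the version bound and the sample bytes are assumptions made for illustration. It is a raw byte scan, so a movie split across non-contiguous OLE2 sectors can be missed.

```python
import struct
import zlib
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container magic
SWF_SIGNATURES = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF
MAX_SWF_VERSION = 50  # assumption: generous sanity bound on the version byte


def plausible_header(data: bytes, off: int):
    """Validate the 8-byte SWF header at off; return (version, length) or None."""
    if off + 8 > len(data):
        return None
    version = data[off + 3]
    (length,) = struct.unpack_from("<I", data, off + 4)
    if not 1 <= version <= MAX_SWF_VERSION or length < 8:
        return None
    if data[off:off + 3] == b"FWS":
        # Uncompressed: the declared length must fit in the bytes that remain.
        return (version, length) if off + length <= len(data) else None
    try:
        # Compressed: the bytes after the header must begin a valid zlib stream.
        head = zlib.decompressobj().decompress(data[off + 8:off + 4104], 64)
    except zlib.error:
        return None
    return (version, length) if head else None


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) candidates."""
    hits = []
    for sig in SWF_SIGNATURES:
        off = data.find(sig)
        while off != -1:
            header = plausible_header(data, off)
            if header:
                hits.append((off, sig.decode(), *header))
            off = data.find(sig, off + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed input: OLE2 magic, two decoys, one zlib-wrapped dummy body."""
    swf = b"CWS\x0a" + struct.pack("<I", 40) + zlib.compress(b"\x00" * 32)
    decoys = b"text FWSxyz1234 " + b"CWS\x09\x10\x00\x00\x00notzlib!"
    return OLE2_MAGIC + b"\x00" * 504 + decoys + swf


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample()):
        print("embedded SWF candidate at offset %d: %s v%d, declared length %d" % hit)
```

A hit is a reason to quarantine and inspect the attachment, not proof of an exploit; legitimate documents can embed Flash too.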