The Sandbox
Understanding CyberForensics

Humans the weakest link in cyber security

Details emerged about the notorious break-in at security firm RSA that resulted in the compromise of their SecurID two-factor authentication product and cost parent company EMC a reported $66 million.

What apparently happened is that an email with an Excel spreadsheet attached was sent to a few EMC employees. According to press reports, the “e-mail message had been spoofed to look like it had come from a generic Webmaster address at recruiting website, and had a subject line “2011 Recruitment plan.” It had been sent to one EMC employee and copied to three others, possibly in the human resources department.”

The email was originally blocked and sent to the employees' junk mail folder. However, the attached Excel spreadsheet was titled with a subject relevant to the job of one of the recipients, so that employee retrieved the file from the junk mail folder, believing the email to be legitimate.

When the attached Excel file was opened, an embedded Flash object executed, exploited a vulnerability in Adobe Flash, and dropped a Poison Ivy backdoor onto the system. The Poison Ivy backdoor* is a remote administration tool that bypasses normal security mechanisms to secretly control a program, computer or network.

The file then closed automatically, but it was too late: the computer was already compromised. The malware connected to a remote server, giving the attacker full access to the infected workstation and every network drive the user could reach. From there the attackers moved around the network until they found the critical data they were looking for.
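As an added, defender-side example (not code from the original post), the following Python checks whether a spreadsheet carries an embedded Flash object of the kind described above: it scans each part of the file for an SWF header and for the on-disk byte form of the Shockwave Flash ActiveX class id. The documents it scans are constructed inline, so it runs offline.

```python
import io
import re
import struct
import zipfile

# SWF header: 3-byte signature (FWS = uncompressed, CWS = zlib body), version, LE length.
SWF_HEADER = re.compile(rb"(?:FWS|CWS)[\x01-\x40]")
# On-disk bytes of the Shockwave Flash ActiveX CLSID {D27CDB6E-AE6D-11CF-96B8-444553540000}.
FLASH_CLSID = bytes.fromhex("6EDB7CD26DAECF1196B8444553540000")

def find_swf_headers(blob):
    """Return offsets of plausible SWF headers inside a byte blob."""
    hits = []
    for m in SWF_HEADER.finditer(blob):
        off = m.start()
        if off + 9 > len(blob):
            continue
        sig = blob[off:off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        if sig == b"FWS":
            ok = 8 <= length <= len(blob) - off          # uncompressed: must fit in blob
        else:
            ok = length >= 8 and blob[off + 8] == 0x78   # CWS: zlib CMF byte follows header
        if ok:
            hits.append(off)
    return hits

def scan_office_file(data):
    """Scan an OOXML zip or legacy binary Office file; return (part, finding) tuples."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = [(n, z.read(n)) for n in z.namelist()]
    else:
        parts = [("<file>", data)]     # legacy .xls: scan the raw OLE container bytes
    findings = []
    for name, blob in parts:
        findings += [(name, f"SWF header at offset {o}") for o in find_swf_headers(blob)]
        if FLASH_CLSID in blob:
            findings.append((name, "Shockwave Flash ActiveX CLSID"))
    return findings

def build_sample_xlsx(with_flash):
    """Constructed sample: a minimal OOXML-style zip, optionally with a fake Flash ActiveX part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 14
            z.writestr("xl/activeX/activeX1.bin", FLASH_CLSID + swf)
    return buf.getvalue()
```

A mail gateway or sandbox can run this kind of check on attachments before delivery, which is where the spam filter in this incident stopped the message the first time.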

As with many phishing attacks, the key to this break-in was an employee who went against normal protocol and opened a file from an unsolicited source. The spam filter worked, but the employee's training on security scams failed – which is sad, especially for a security firm.

If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.

Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.

*Backdoor:W32/PoisonIvy gives the attacker practically complete control over the infected computer. Exact functionality depends on the variant in question, but the following are the most common operations available to the attacker (description provided by F-Secure).

Files can be renamed, deleted, or executed. Files can also be uploaded and downloaded to and from the system
The Windows registry can be viewed and edited
Currently running processes can be viewed and suspended or killed
Current network connections can be viewed and shut down
Services can be viewed and controlled (for example stopped or started)
Installed devices can be viewed and some devices can be disabled
The list of installed applications can be viewed and entries can be deleted or programs uninstalled
Other functionality includes viewing a list of open windows or starting a remote command shell on the infected computer
Poison Ivy variants can also steal information by taking screenshots of the desktop and recording audio or webcam footage.
They can also access saved passwords and password hashes. Some variants also have a keylogger.
