So the delightful Brian Krebs (I mean that, seriously) posted an article today on the other 760 victims of the RSA attackers. This is not an article about the second wave of victims who got owned because RSA SecurIDs are not so much… you know, secure; rather, it’s about all the other companies that got hit at the same time by the same people that breached RSA. Judging from what Mikko Hyponnen presented at SECTOR and the common C&C infrastructure that Krebs’ discusses, they probably all got nailed by the same exploit. The list, if you’re a little bored, is here (and by bored I mean the article is a good read but going through 760 names takes a certain amount of spare time you could do other stuff with).

I don’t know about you, but if I were on that list, I’d be a little embarrassed. I wonder how many people spent part of their day going through the list looking for any service providers or vendors that had connection to anyone they might care about. I also wonder how many infosec pros then reached out to those providers and asked them if they knew about the breach and whether the breach had any impact on their customers. I bet the answers to those questions were “wait? what? we’re listed where?” and “ummm…. we don’t know”.

Now, the reason I’d be embarrassed about being on this list is follows:

  1. Publicly owned is never good unless you are running a “hack this thing competition”;
  2. Publicly owned and your customers finding out about it from anyone other than you and your media spin doctors is even worse;
  3. Getting owned by an email trojan, circa 1999 Melissa, means a failure not only of your existing defences (spam filters and Anti-X among others) but also of your user security awareness training (you do remind your users not to click on stuff, right? Do you remind them more than once a year?).
The third reason to be embarrassed is what worries me the most; clearly anti-x isn’t enough to hold back the tide. The recent discovery of Duqu after going months undetected is just another indictment against the current state also known as the losing battle. That said, if one wants to complain about something, providing solutions to fix the problem is probably a good idea. So here are a few ideas:
  • El-Al puts all luggage into a pressure chamber to simulate flight conditions in an attempt to trigger any bombs with altimeter triggers. Why can’t we do that to content before we let it in to our network. There are at least two working technologies out there that do the same already but for downloads and attachments. Microsoft built an entire farm of virtual machines, called HoneyMonkey, to find and safely trigger malware. You may not know you downloaded malware, but it’s a sure sign that you’ve got a problem when something starts phoning home.
  • Watch your web filter or proxy logs – see lots of stuff going to funny domain names – that might be a sign of an automated breach extrusion. If you’re running a big enough network, maybe go get a list of known botnet C&C servers.
  • Buy some cloud capacity and run your browsers and email clients in a sort of reverse DMZ using remote desktop or published Citrix apps. That way a breach is limited to a virtual machine which is not inside your core network next to all your deep dark secrets. It works for the military and governments, maybe air gapping isn’t that paranoid.
  • Mandatory email encryption/signing with your business partners – at least that way you know email that came from them really came from them and can be trusted a bit more than the spoofed email that looks like it came from them. Anything not signed gets routed to some quarantine box (maybe the aforementioned reverse DMZ).
  • Give everyone a chromebook – ok, a bit drastic but their fully sandboxed architecture for each application makes your malware infections job that much harder.
Being the cynic that I am (I’m writing on Liquidmatrix, so it’s pretty much a job requirement), there are at least three other things you can do which you probably aren’t:
  • Be absolutely belligerent about any detected infections – where there’s one, there’s probably two. Immediately delete infected files, burn infected systems to the ground – none of this wait and see attitude.
  • Educate users every single month about malware and click on stuff that looks mildly suspicious. While once a month may seem excessive, users forget quickly so remind them often (to steal someone else’s line, I forget exactly who, think of it like user patching).
  • Patch and harden, patch and harden.
So, back to my original question – are you one of the 760? Could you have been?
minor edits: I can’t spell and my grammar is terrible

(Image used under CC from GS1311)


  1. Does it even matter if you’re one of the 760… the 760 are the ones that were “caught with their pants down”.

    If you’re not on that list you better well work hard on the last “three other things you can do”. Otherwise you will end up on the next list. Or the one after that…

    Or the one after that….

    Or the one after that………

  2. amen! sing it loud!

    I think that’s always the point of any infosec posting – it could be you and you’ve probably done nothing at all to prevent it from being you

  3. Job requirements:

    1 – work hard and know a whole lot more about everything
    2 – look like your working hard even when there’s nothing to do but wait (and ideal work then on preventing the next catastrophe – whatever it *might* be)
    3 – have lots of details lined up proving why your not the one that should be fired when something happens and “upper management” gets upset.

    oh yeah: 4 – do NOT let stuff slide just so they think they need to keep you around.

    re: #4 – I’m sure we all know too many admins that never fix stuff completely “for job security”… which is why I listed point #3.

Leave a Reply

Your email address will not be published. Required fields are marked *