Firms deny RSA-style security breach

A number of organisations have refuted the claim that their systems were compromised by the people behind the RSA SecurID hack, following claims in an article by a respected security journalist.

Computers at over 760 organisations contacted the same command and control servers that were used in the attack that gained access to RSA SecurID information, journalist Brian Krebs said in an article on Monday. Organisations including Facebook, Google, Microsoft, BT, IBM, Verisign and Cisco were affected, according to Krebs.

The article suggested that these organisations may have been compromised — with the caveats that internet service providers may be listed due to infected subscribers, and that security companies on the list may have deliberately infected some of their systems. In addition, it was not clear how many systems in the companies were compromised, for how long, or the nature of any information that was taken, said Krebs.

Krebs obtained the list, which was shared with congressional staff, from an unnamed source. The RSA hackers' command and control infrastructure was overwhelmingly based in China, according to Krebs's information. In October, RSA said that two teams of hackers working for a nation state had perpetrated the attack.

Denials

eBay, which was on the list, is among the companies who have denied that their systems were compromised. "eBay was not compromised in any way," the company said in a statement on Tuesday. "We are reaching out to Krebs, asking for him to correct the post."

Microsoft also said it had not been shown any proof of compromise. "We have not seen any evidence supporting the claim," said Jerry Bryant, group manager for response communications at Microsoft Trustworthy Computing.

Security companies Trend Micro and Team Cymru were listed as having infected systems. Trend Micro told ZDNet UK on Tuesday that it had deliberately infected some systems in order to gather data on the command and control (C&C) infrastructure.

"The IP addresses listed as having connected to the C&C were all part of our research network, and were connecting to the C&C purely for intelligence gathering, not as a result of any infection," said Trend Micro EMEA director of security research Rik Ferguson.

No methodology

Team Cymru chief executive Rob Thomas said that Krebs had not described the methodology employed to detect the claimed infected systems. Without a scientific recreation of the detection, it's not possible to say whether the listed companies were "victims" or "false positives", said Thomas.

This leaves all 762 of the listed network providers/IT companies scratching their heads with no place to begin researching this.

– Peer 1 spokeswoman

"We have no evidence of compromise related to incidents at RSA or anywhere else," said Thomas. "The source of this data, and those who revealed and posted it, didn't take the time to contact us, or to share incident details with us. Thus we are unable to investigate further. We hope that those who gathered this data will responsibly disclose it to the potential victims."

Hosting company Peer 1, which was on the list, said that Krebs had not posted any timestamps, specific source or destination C&C IP addresses, or information "to help the various providers narrow down this issue".

"This leaves all 762 of the listed network providers/IT companies scratching their heads with no place to begin researching this," said a Peer 1 spokeswoman. "I can confirm that Peer 1 was not compromised."

ISP response

A number of ISPs pointed out that infected machines could belong to network subscribers, rather than to networks themselves.

Virgin Media said that Krebs had not provided much context about the attacks in his article. "Having checked with our security team, we have not been compromised by this or other attacks," said a Virgin Media spokesman.

BT did not comment specifically on the attack that compromised RSA SecurID token data. It did address the fallout of the attack, which was used as a staging post for an attack on defence company Lockheed Martin.

"BT has a layered approach to security, and uses a variety of authentication factors and systems, so is not reliant any single system for security," said a BT spokesperson.

Facebook declined to comment on Krebs' article, but ZDNet UK understands that Facebook has found no evidence that its systems were compromised, and that it constantly monitors for security threats.

Google, IBM, Verisign, and Cisco all declined to comment. Talk Talk said: "We are aware of this claim and are investigating it." Intel and datacentre provider Equinix were considering their responses at the time of writing.