About a week ago we tweeted about the “Open Letter” from RSA to customers, a rather vague letter. If you haven’t read it yet, you can do so here.
To summarise, they basically said “Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. […] Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.“.
And well that’s about it, they’ve been totally tight lipped since then. There is a link to some ‘updated info for SecurID customers’ – but it’s behind a customer login.
It’s been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.
For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.
Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token’s serial number to its seed leaked?
Without the answers to those two basic questions, RSA customers can’t make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA’s servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.
An RSA spokesman released an updated statement earlier this week that said in part: “Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA’s systems. Even with this information being extracted, RSA SecurID technology continues to be an effective authentication solution for customers.” (Notice the statement didn’t say “an effective two-factor authentication solution.”)
And well seen as though RSA isn’t exactly forthcoming with a detailed statement or at least exactly what has been compromised – people are going to start assuming. The first logical assumption is that SecurID is broken or has been compromised in some way.
This may not be the case, and if so – RSA really needs to clarify that. This is really not the way in which an industry leader should be acting. There are approximately 40 million accounts protected by SecurID and for the past 7 days RSA has refused to answer the two most important questions.
- Can you specifcy what data was lifted?
- And did it include details that could break SecurID?
As to breaking SecurID, well did the attackers steal enough data to allow someone to predict the one-time passwords that SecurID tokens generate?
The latest example of these so-called advanced persistent threats came Wednesday when digital certificate authority Comodo disclosed its private encryption keys were used to generate counterfeit credentials for Google Mail and six other sensitive addresses. The CEO has claimed that the attack, which was perpetrated on an unnamed SSL certificate reseller of Comodo, had the hallmarks of state-sponsored hackers, most likely from Iran, although he provided no convincing proof.
“The security companies who are providing authentication are being directly attacked by the government,” CEO Melih Abdulhayoglu said.
This is precisely the assumption being taken by a security administrator who was in the process of helping a financial institution set up a SecurID system when RSA made last week’s announcement. He told The Reg on Thursday that he’s spent the past week trying to pry meaningful details out of RSA, so far without success.
“If they don’t give me an answer by the end of tomorrow about whether the seeds were taken, I’m returning the product,” said the admin, who asked not to be named because he wasn’t authorized to speak publicly. “Their integrity is just shot. Yes, they got hacked but their response is what’s so troubling. The silence is deafening.”
SecurID’s two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it’s better to assume it is. The network security you preserve may be your own.
As per usual, don’t trust 3rd party solutions, don’t trust proprietary solutions – if you want to maintain total security – you better manage everything yourself. I think this could really hurt sales for RSA and it’s just about destroying their integrity.
Fine if you don’t want to give explicit details, at least clarify in black and white that SecurID is still totally safe to use.
We’ll be waiting for more news from RSA, hopefully their clarifications will come soon and explain everything properly. Until then, be careful.
Source: The Register
AU says
I wouldnt rule out RSA as a option because:
a) Even if the hackers managed to get access to a list of Token serial numbers with SEED values for each and a list of clients who the token was sold to e.g: Token with serial numbers 1000 – 5000 were sold to Acme Inc,
b) Asuming the found a way to predict one time tokens generated.. Cain & Abel had already reversed the algorithm to get this..
c) There is no way to tie what token was assigned to what user.
d) There is a 4 – 6 digit PIN that must be factored in..
That said.. i would defn say that the effectiveness of the RSA securID authentication can defn be considered reduced. So from a previous reasonably secure to may be lesser..
Bernard says
*) AU your are right if we leave the stupidy of people out of our considerations. But what if I call a user of RSA SecurID and just ask for his TokenID and UserID, because there are some problems with his account. I am sure that the standard user (not admin) isn’t informed about the breach at RSA.
*) As I learned in security, you have always to think about a highly trained and motivated Hacker, which will find ways you haven’t thought about.
With this things in mind I want to refer to the actual diaryentry of the Internet Storm Center, which tells you for which logentries you have to look for, if the Register is right.
http://isc.sans.edu/diary/Making+sense+of+RSA+ACE+server+audit+logs/10618
AU says
Hi Bernard,
Social engineering changes the whole game! No security solution is idiot proof..
I wouldnt be surprised if people emailed their client certs with pass-phrases to attackers..
Thanks for the sans link..
Cheers.