RSA Silent About Compromise For 7 Days – Assume SecurID Is Broken

About a week ago we tweeted about the “Open Letter” from RSA to customers, a rather vague letter. If you haven’t read it yet, you can do so here.

To summarise, they basically said “Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. […] Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.“.

And well that’s about it, they’ve been totally tight lipped since then. There is a link to some ‘updated info for SecurID customers’ – but it’s behind a customer login.

It’s been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token’s serial number to its seed leaked?

Without the answers to those two basic questions, RSA customers can’t make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA’s servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.

An RSA spokesman released an updated statement earlier this week that said in part: “Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA’s systems. Even with this information being extracted, RSA SecurID technology continues to be an effective authentication solution for customers.” (Notice the statement didn’t say “an effective two-factor authentication solution.”)

And well seen as though RSA isn’t exactly forthcoming with a detailed statement or at least exactly what has been compromised – people are going to start assuming. The first logical assumption is that SecurID is broken or has been compromised in some way.

This may not be the case, and if so – RSA really needs to clarify that. This is really not the way in which an industry leader should be acting. There are approximately 40 million accounts protected by SecurID and for the past 7 days RSA has refused to answer the two most important questions.

  • Can you specifcy what data was lifted?
  • And did it include details that could break SecurID?

As to breaking SecurID, well did the attackers steal enough data to allow someone to predict the one-time passwords that SecurID tokens generate?

The latest example of these so-called advanced persistent threats came Wednesday when digital certificate authority Comodo disclosed its private encryption keys were used to generate counterfeit credentials for Google Mail and six other sensitive addresses. The CEO has claimed that the attack, which was perpetrated on an unnamed SSL certificate reseller of Comodo, had the hallmarks of state-sponsored hackers, most likely from Iran, although he provided no convincing proof.

“The security companies who are providing authentication are being directly attacked by the government,” CEO Melih Abdulhayoglu said.

This is precisely the assumption being taken by a security administrator who was in the process of helping a financial institution set up a SecurID system when RSA made last week’s announcement. He told The Reg on Thursday that he’s spent the past week trying to pry meaningful details out of RSA, so far without success.

“If they don’t give me an answer by the end of tomorrow about whether the seeds were taken, I’m returning the product,” said the admin, who asked not to be named because he wasn’t authorized to speak publicly. “Their integrity is just shot. Yes, they got hacked but their response is what’s so troubling. The silence is deafening.”

SecurID’s two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it’s better to assume it is. The network security you preserve may be your own.

As per usual, don’t trust 3rd party solutions, don’t trust proprietary solutions – if you want to maintain total security – you better manage everything yourself. I think this could really hurt sales for RSA and it’s just about destroying their integrity.

Fine if you don’t want to give explicit details, at least clarify in black and white that SecurID is still totally safe to use.

We’ll be waiting for more news from RSA, hopefully their clarifications will come soon and explain everything properly. Until then, be careful.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities

, ,

Latest Posts:

ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.
RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.

3 Responses to RSA Silent About Compromise For 7 Days – Assume SecurID Is Broken

  1. AU March 25, 2011 at 3:11 pm #

    I wouldnt rule out RSA as a option because:

    a) Even if the hackers managed to get access to a list of Token serial numbers with SEED values for each and a list of clients who the token was sold to e.g: Token with serial numbers 1000 – 5000 were sold to Acme Inc,
    b) Asuming the found a way to predict one time tokens generated.. Cain & Abel had already reversed the algorithm to get this..

    c) There is no way to tie what token was assigned to what user.

    d) There is a 4 – 6 digit PIN that must be factored in..

    That said.. i would defn say that the effectiveness of the RSA securID authentication can defn be considered reduced. So from a previous reasonably secure to may be lesser..

  2. Bernard March 29, 2011 at 7:21 am #

    *) AU your are right if we leave the stupidy of people out of our considerations. But what if I call a user of RSA SecurID and just ask for his TokenID and UserID, because there are some problems with his account. I am sure that the standard user (not admin) isn’t informed about the breach at RSA.
    *) As I learned in security, you have always to think about a highly trained and motivated Hacker, which will find ways you haven’t thought about.

    With this things in mind I want to refer to the actual diaryentry of the Internet Storm Center, which tells you for which logentries you have to look for, if the Register is right.

  3. AU April 1, 2011 at 2:05 pm #

    Hi Bernard,

    Social engineering changes the whole game! No security solution is idiot proof..
    I wouldnt be surprised if people emailed their client certs with pass-phrases to attackers..

    Thanks for the sans link..