RSA Silent About Compromise For 7 Days – Assume SecurID Is Broken

About a week ago we tweeted about the “Open Letter” from RSA to customers, a rather vague letter. If you haven’t read it yet, you can do so here.

To summarise, they basically said: “Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. […] Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.”

And that’s about it; they have been completely tight-lipped since then. There is a link to some ‘updated info for SecurID customers’ – but it’s behind a customer login.

It’s been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the per-token seed values, from which each token derives its pseudo-random one-time codes, exposed? And, similarly, was the mechanism that maps a token’s serial number to its seed leaked?

Without the answers to those two basic questions, RSA customers can’t make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA’s servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.
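To make concrete what “losing one of the two factors” means, here is an added illustrative model, written for this page and not RSA’s proprietary SecurID algorithm (which uses a different construction): a time-synchronous token whose six-digit code is derived from a per-token seed and the current 60-second window. The serial numbers, seeds, users and PINs are constructed, and the HMAC-SHA1 derivation is an assumption standing in for the real algorithm. If a thief holds the vendor’s serial-to-seed records, the tokencode for any serial in the haul becomes reproducible; what is left protecting the account is the PIN and the customer-side user-to-serial assignment, which the vendor never holds.

```python
import hashlib
import hmac
import struct

# Constructed illustration, not RSA's proprietary SecurID algorithm:
# a seed-based, time-synchronous token modelled TOTP-style so that the
# dependency on the per-token seed and the serial->seed record is visible.
TOKEN_PERIOD = 60      # one tokencode per 60 seconds, as the article states
TOKEN_DIGITS = 6


def tokencode(seed: bytes, t: int) -> str:
    """Tokencode displayed by the token holding `seed` at Unix time t."""
    window = t // TOKEN_PERIOD
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOKEN_DIGITS).zfill(TOKEN_DIGITS)


# Hypothetical seed records of the kind a vendor holds for a token batch
# (serial -> seed). This is the data the article asks whether RSA lost.
SEED_RECORDS = {
    "000123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "000123456790": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

# Hypothetical customer-side data the vendor never sees: which user holds
# which serial, and each user's PIN (the "something you know" factor).
USER_TOKENS = {"alice": "000123456789", "bob": "000123456790"}
USER_PINS = {"alice": "4711", "bob": "9031"}


def verify_passcode(user: str, passcode: str, now: int, skew_windows: int = 1) -> bool:
    """Authentication-server check: passcode must be the user's PIN followed
    by the tokencode for the user's serial, within +/- skew_windows of now."""
    serial = USER_TOKENS.get(user)
    pin = USER_PINS.get(user)
    if serial is None or pin is None or serial not in SEED_RECORDS:
        return False
    seed = SEED_RECORDS[serial]
    for w in range(-skew_windows, skew_windows + 1):
        expected = pin + tokencode(seed, now + w * TOKEN_PERIOD)
        # constant-time comparison of the full PIN+code string
        if hmac.compare_digest(passcode.encode(), expected.encode()):
            return True
    return False


def legitimate_login(user: str, now: int) -> bool:
    """The real user types PIN + whatever the token in their pocket shows."""
    serial = USER_TOKENS[user]
    code = tokencode(SEED_RECORDS[serial], now)
    return verify_passcode(user, USER_PINS[user] + code, now)


def thief_login(stolen_records: dict, user: str, serial_guess: str,
                pin_guess: str, now: int) -> bool:
    """Attacker holding the vendor's seed records. The tokencode is now
    predictable for any serial in the haul; the user<->serial mapping and
    the PIN still have to come from elsewhere (e.g. a phone call)."""
    if serial_guess not in stolen_records:
        return False
    code = tokencode(stolen_records[serial_guess], now)
    return verify_passcode(user, pin_guess + code, now)


if __name__ == "__main__":
    now = 1_300_000_000
    print("alice with real token:   ", legitimate_login("alice", now))
    print("thief, seeds + PIN:      ", thief_login(SEED_RECORDS, "alice", "000123456789", "4711", now))
    print("thief, seeds, wrong PIN: ", thief_login(SEED_RECORDS, "alice", "000123456789", "0000", now))
    print("thief, no seed records:  ", thief_login({}, "alice", "000123456789", "4711", now))
```

Run it and the second line comes out True: once the seed record is in hand, the token itself adds nothing, and the login reduces to guessing a four- to six-digit PIN for a user whose serial the attacker has learned. That is why the two yes-or-no questions above decide whether SecurID is still two-factor.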

An RSA spokesman released an updated statement earlier this week that said in part: “Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA’s systems. Even with this information being extracted, RSA SecurID technology continues to be an effective authentication solution for customers.” (Notice the statement didn’t say “an effective two-factor authentication solution.”)

And since RSA isn’t forthcoming with a detailed statement, or at least with exactly what has been compromised, people are going to start assuming. The first logical assumption is that SecurID is broken or has been compromised in some way.

This may not be the case, and if so – RSA really needs to clarify that. This is really not the way in which an industry leader should be acting. There are approximately 40 million accounts protected by SecurID and for the past 7 days RSA has refused to answer the two most important questions.

  • Can you specify what data was lifted?
  • Did it include details that could break SecurID?

As to breaking SecurID, well did the attackers steal enough data to allow someone to predict the one-time passwords that SecurID tokens generate?

The latest example of these so-called advanced persistent threats came Wednesday when digital certificate authority Comodo disclosed that its certificate-issuing infrastructure had been abused to generate counterfeit certificates for Google Mail and six other sensitive addresses. The CEO claimed that the attack, which was perpetrated through an unnamed SSL certificate reseller of Comodo, had the hallmarks of state-sponsored hackers, most likely from Iran, although he provided no convincing proof.

“The security companies who are providing authentication are being directly attacked by the government,” CEO Melih Abdulhayoglu said.

This is precisely the assumption being taken by a security administrator who was in the process of helping a financial institution set up a SecurID system when RSA made last week’s announcement. He told The Reg on Thursday that he’s spent the past week trying to pry meaningful details out of RSA, so far without success.

“If they don’t give me an answer by the end of tomorrow about whether the seeds were taken, I’m returning the product,” said the admin, who asked not to be named because he wasn’t authorized to speak publicly. “Their integrity is just shot. Yes, they got hacked but their response is what’s so troubling. The silence is deafening.”

SecurID’s two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it’s better to assume it is. The network security you preserve may be your own.

As per usual, don’t trust third-party solutions and don’t trust proprietary solutions – if you want to maintain total security, you had better manage everything yourself. I think this could really hurt sales for RSA, and it’s just about destroying their integrity.

Fine, if they don’t want to give explicit details, they should at least state in black and white that SecurID is still safe to use.

We’ll be waiting for more news from RSA, hopefully their clarifications will come soon and explain everything properly. Until then, be careful.

Source: The Register

3 Responses to RSA Silent About Compromise For 7 Days – Assume SecurID Is Broken

  1. AU March 25, 2011 at 3:11 pm #

    I wouldn’t rule out RSA as an option because:

    a) Even if the hackers managed to get access to a list of token serial numbers with SEED values for each, and a list of clients who the tokens were sold to, e.g. tokens with serial numbers 1000–5000 were sold to Acme Inc,
    b) Assuming they found a way to predict the one-time tokens generated... Cain & Abel had already reversed the algorithm to get this...

    c) There is no way to tie what token was assigned to what user.

    d) There is a 4 – 6 digit PIN that must be factored in..

    That said... I would definitely say that the effectiveness of the RSA SecurID authentication can definitely be considered reduced. So from previously reasonably secure to maybe less so...

  2. Bernard March 29, 2011 at 7:21 am #

    *) AU, you are right if we leave the stupidity of people out of our considerations. But what if I call a user of RSA SecurID and just ask for his TokenID and UserID, because there are some problems with his account? I am sure that the standard user (not admin) isn’t informed about the breach at RSA.
    *) As I learned in security, you always have to think about a highly trained and motivated hacker, who will find ways you haven’t thought about.

    With these things in mind I want to refer to the current diary entry of the Internet Storm Center, which tells you which log entries you have to look for, if the Register is right.

  3. AU April 1, 2011 at 2:05 pm #

    Hi Bernard,

    Social engineering changes the whole game! No security solution is idiot-proof...
    I wouldn’t be surprised if people emailed their client certs with pass-phrases to attackers...

    Thanks for the SANS link...