{"id":3128,"date":"2011-06-07T10:53:11","date_gmt":"2011-06-07T09:53:11","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3128"},"modified":"2015-09-09T19:37:12","modified_gmt":"2015-09-09T11:37:12","slug":"rsa-finally-admits-40-million-securid-tokens-have-been-compromised","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/06\/rsa-finally-admits-40-million-securid-tokens-have-been-compromised\/","title":{"rendered":"RSA Finally Admits 40 Million SecurID Tokens Have Been Compromised"},"content":{"rendered":"

<p>Well, we did say to assume SecurID was broken back in March when we wrote – RSA Silent About Compromise For 7 Days – Assume SecurID Is Broken.</p>

<p>With the recent news Lockheed Martin Hacked – Rumoured To Be Linked to RSA SecurID Breach and another US military sub-contractor compromised through SecurID tokens, RSA have <strong>FINALLY</strong> come clean about it.</p>

<p>They basically have to replace all 40 million SecurID tokens out there. Imagine how much of a headache that is going to be – and how much is it going to cost? This is going to end up as one hell of a costly hack for RSA.</p>

<blockquote>
<p>RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.</p>

<p>SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.</p>

<p>The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.</p>
</blockquote>

<p>What bothers me, from a cryptography standpoint at least, is that RSA should not know or even be able to regenerate the seed and associated token value for their clients.</p>

<p>And alongside that, surely SecurID is used as a part of a two- or three-factor authentication system, so what happened to the other factors in these hacks? Why were they so easily compromised once the hackers could generate the token values?</p>

<p>It just amazes me how these security-related companies (with military information) can be so lax on security. Even if the token failed – no one should have been able to get in!</p>