InformationWeek Home
4/1/2014
07:55 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Researchers: RSA Adopted Second Tool That Might Have Helped NSA Surveillance

RSA adopted a technology extension for secure websites that may have allowed faster cracking of RSA's flawed Dual Elliptic Curve.

A group of university researchers has discovered that the RSA security company adopted a second tool that may have made it easier for the National Security Agency to spy on users.

According to an exclusive news report published Monday by Reuters, a group of professors from Johns Hopkins, the University of Wisconsin, and the University of Illinois is planning to publish a report which states that RSA adopted a technology called the “Extended Random” extension for secure websites, which may have allowed faster cracking of RSA’s flawed Dual Elliptic Curve technology.

RSA has been under fire since December, when Reuters reported that the security company had accepted $10 million to use the security-flawed Dual Elliptic Curve encryption technology, which allegedly provided a "back door" that enabled the NSA to tap encrypted electronic communications.

According to a preview of the university research that was provided to Reuters, the Extended Random extension could help crack a version of RSA’s Dual Elliptic Curve software tens of thousand times faster.

In response to the research, RSA told Reuters that it had not intentionally weakened the security of any product and that Extended Random had been removed from RSA’s software within the last six months because it was not popular.

"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told Reuters. "We trusted them because they are charged with security for the US government and US critical infrastructure."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/1/2014 | 3:33:36 PM
Re: Trust but don't verify
Whether you are RSA or a major retailer (Target), this type of "bad press" will make CIOs or CISOs think long and hard about deploying apps or in this case extensions that can reflect badly on your organization. Before pushing out an app like this, much security testing should have been performed and it may have been but apparently it was not enough. Target apparently was warned about the potentially vulnerable POS devices but refused to act appropriately. I think maybe they are second guessing that decision now.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/1/2014 | 3:11:53 PM
Re: Trust but don't verify
In Italy we say that two clues are a test. The situation is really embarrassing, a real disaster for the American cyber security industry.
The distrust of the U.S. government and major companies who collaborate with it could have serious repercussions on a global scale in the coming months.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
4/1/2014 | 10:10:24 AM
Trust but don't verify
I'm a forgiving gal, so I want to give RSA the benefit of the doubt... but I don't know if I can. I hope that they've taken some lesson from this, and that they'll start getting the technologists more involved in the business decisions that contributed to this debacle. I also hope that the engineers have incorporated some new process to check for this kind of nonsense in the future.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1774
Published: 2015-04-28
The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.

CVE-2015-1863
Published: 2015-04-28
Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.

CVE-2015-3340
Published: 2015-04-28
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.