InformationWeek Home
4/1/2014
07:55 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Researchers: RSA Adopted Second Tool That Might Have Helped NSA Surveillance

RSA adopted a technology extension for secure websites that may have allowed faster cracking of RSA's flawed Dual Elliptic Curve.

A group of university researchers has discovered that the RSA security company adopted a second tool that may have made it easier for the National Security Agency to spy on users.

According to an exclusive news report published Monday by Reuters, a group of professors from Johns Hopkins, the University of Wisconsin, and the University of Illinois is planning to publish a report which states that RSA adopted a technology called the “Extended Random” extension for secure websites, which may have allowed faster cracking of RSA’s flawed Dual Elliptic Curve technology.

RSA has been under fire since December, when Reuters reported that the security company had accepted $10 million to use the security-flawed Dual Elliptic Curve encryption technology, which allegedly provided a "back door" that enabled the NSA to tap encrypted electronic communications.

According to a preview of the university research that was provided to Reuters, the Extended Random extension could help crack a version of RSA’s Dual Elliptic Curve software tens of thousand times faster.

In response to the research, RSA told Reuters that it had not intentionally weakened the security of any product and that Extended Random had been removed from RSA’s software within the last six months because it was not popular.

"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told Reuters. "We trusted them because they are charged with security for the US government and US critical infrastructure."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/1/2014 | 3:33:36 PM
Re: Trust but don't verify
Whether you are RSA or a major retailer (Target), this type of "bad press" will make CIOs or CISOs think long and hard about deploying apps or in this case extensions that can reflect badly on your organization. Before pushing out an app like this, much security testing should have been performed and it may have been but apparently it was not enough. Target apparently was warned about the potentially vulnerable POS devices but refused to act appropriately. I think maybe they are second guessing that decision now.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/1/2014 | 3:11:53 PM
Re: Trust but don't verify
In Italy we say that two clues are a test. The situation is really embarrassing, a real disaster for the American cyber security industry.
The distrust of the U.S. government and major companies who collaborate with it could have serious repercussions on a global scale in the coming months.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
4/1/2014 | 10:10:24 AM
Trust but don't verify
I'm a forgiving gal, so I want to give RSA the benefit of the doubt... but I don't know if I can. I hope that they've taken some lesson from this, and that they'll start getting the technologists more involved in the business decisions that contributed to this debacle. I also hope that the engineers have incorporated some new process to check for this kind of nonsense in the future.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: good one 
Current Issue
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2001-1594
Published: 2015-08-04
GE Healthcare eNTEGRA P&R has a password of (1) entegra for the entegra user, (2) passme for the super user of the Polestar/Polestar-i Starlink 4 upgrade, (3) 0 for the entegra user of the Codonics printer FTP service, (4) eNTEGRA for the eNTEGRA P&R user account, (5) insite for the WinVNC Login, an...

CVE-2002-2445
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password of (1) root.genie for the root user, (2) "service." for the service user, (3) admin.genie for the admin user, (4) reboot for the reboot user, and (5) shutdown for the shutdwon user, which has unspecified impact and attack vectors.

CVE-2002-2446
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite.genieacq for the insite account that cannot be changed without disabling product functionality for remote InSite support, which has unspecified impact and attack vectors.

CVE-2003-1603
Published: 2015-08-04
GE Healthcare Discovery VH has a default password of (1) interfile for the ftpclient user of the Interfile server or (2) "2" for the LOCAL user of the FTP server for the Codonics printer, which has unspecified impact and attack vectors.

CVE-2004-2777
Published: 2015-08-04
GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin administrator account of the ASACA DVD library, (3) an empty value for the gemsservice account of the Ultrasound Database, and possibly (4) gemnet2002 for the gemnet2002...

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!