InformationWeek Home
4/1/2014
07:55 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Researchers: RSA Adopted Second Tool That Might Have Helped NSA Surveillance

RSA adopted a technology extension for secure websites that may have allowed faster cracking of RSA's flawed Dual Elliptic Curve.

A group of university researchers has discovered that the RSA security company adopted a second tool that may have made it easier for the National Security Agency to spy on users.

According to an exclusive news report published Monday by Reuters, a group of professors from Johns Hopkins, the University of Wisconsin, and the University of Illinois is planning to publish a report which states that RSA adopted a technology called the “Extended Random” extension for secure websites, which may have allowed faster cracking of RSA’s flawed Dual Elliptic Curve technology.

RSA has been under fire since December, when Reuters reported that the security company had accepted $10 million to use the security-flawed Dual Elliptic Curve encryption technology, which allegedly provided a "back door" that enabled the NSA to tap encrypted electronic communications.

According to a preview of the university research that was provided to Reuters, the Extended Random extension could help crack a version of RSA’s Dual Elliptic Curve software tens of thousand times faster.

In response to the research, RSA told Reuters that it had not intentionally weakened the security of any product and that Extended Random had been removed from RSA’s software within the last six months because it was not popular.

"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told Reuters. "We trusted them because they are charged with security for the US government and US critical infrastructure."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/1/2014 | 3:33:36 PM
Re: Trust but don't verify
Whether you are RSA or a major retailer (Target), this type of "bad press" will make CIOs or CISOs think long and hard about deploying apps or in this case extensions that can reflect badly on your organization. Before pushing out an app like this, much security testing should have been performed and it may have been but apparently it was not enough. Target apparently was warned about the potentially vulnerable POS devices but refused to act appropriately. I think maybe they are second guessing that decision now.
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/1/2014 | 3:11:53 PM
Re: Trust but don't verify
In Italy we say that two clues are a test. The situation is really embarrassing, a real disaster for the American cyber security industry.
The distrust of the U.S. government and major companies who collaborate with it could have serious repercussions on a global scale in the coming months.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
4/1/2014 | 10:10:24 AM
Trust but don't verify
I'm a forgiving gal, so I want to give RSA the benefit of the doubt... but I don't know if I can. I hope that they've taken some lesson from this, and that they'll start getting the technologists more involved in the business decisions that contributed to this debacle. I also hope that the engineers have incorporated some new process to check for this kind of nonsense in the future.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partnerís Role in Perimeter Security
Title Partnerís Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3090
Published: 2014-09-23
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3101
Published: 2014-09-23
The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2014-3103
Published: 2014-09-23
The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...

CVE-2014-3104
Published: 2014-09-23
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3105
Published: 2014-09-23
The OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account n...

Best of the Web
Dark Reading Radio