Risk
3/18/2011
12:47 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

RSA Breach Leaves Customers Bracing For Worst

RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.

RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.

RSA has more than 70% of the two-factor authentication market, according to IDC. It has shipped some 25 million authentication devices so far. RSA's SecurID tokens periodically generate a random numerical value that is used to access IT resources. Typically high-value resources.

That's why many customers, including two I spoke with last night, were disheartened to learn that RSA not only suffered a significant breach that was characterized as an Advanced Persistent Threat (APT), but that its SecurID system was compromised to some extent as detailed in Coviello's letter:

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

When discussing the situation with the security manager at a bank based in the midwest, that uses the SecurIDs to protect its administrative systems, he expressed considerable concern about the viability of the devices to adequately protect the bank: of part of the cryptographic algorithm has been compromised. "We're going to be extraordinarily vigilant for anything out of the ordinary around our access controls until we learn more," he said. He asked not to be identified.

In an e-mail exchange with Scott Crawford, managing research director at Enterprise Management Associates, he said it would be speculation to try to determine the nature of the risk. "But as they say, "reducing the effectiveness" would seem to mean that attackers were seeking ways to circumvent or defeat SecurID in some way. Two-factor authentication is typically used to protect higher-sensitivity access or assets, and SecurID is a popular two-factor authentication product, so the objective would appear to be to find ways to gain access to assets/resources protected by SecurID," he said.

"There is a larger issue here," Crawford added. "The security of security measures themselves. If you can gain control of the measures that control and protect an asset, you may gain the asset itself...something for security and management vendors -- and their customers -- to consider more seriously."

In an interview with the New York Times, cryptography expert and inventor Whitfield Diffie, a VP with the Internet Corporation for Assigned Names and Numbers, speculated that the attackers may have pilfered the "master key used as part of the encryption algorithm."

The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems.

That's something many RSA customers are considering quite seriously today.

SEE ALSO: RSA SecurID Customers Fear Fallout From Targeted Attack On Security Firm

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Yeah, my cookies were deleted too!!"
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.