Risk
3/18/2011
12:47 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

RSA Breach Leaves Customers Bracing For Worst

RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.

RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.

RSA has more than 70% of the two-factor authentication market, according to IDC. It has shipped some 25 million authentication devices so far. RSA's SecurID tokens periodically generate a random numerical value that is used to access IT resources. Typically high-value resources.

That's why many customers, including two I spoke with last night, were disheartened to learn that RSA not only suffered a significant breach that was characterized as an Advanced Persistent Threat (APT), but that its SecurID system was compromised to some extent as detailed in Coviello's letter:

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

When discussing the situation with the security manager at a bank based in the midwest, that uses the SecurIDs to protect its administrative systems, he expressed considerable concern about the viability of the devices to adequately protect the bank: of part of the cryptographic algorithm has been compromised. "We're going to be extraordinarily vigilant for anything out of the ordinary around our access controls until we learn more," he said. He asked not to be identified.

In an e-mail exchange with Scott Crawford, managing research director at Enterprise Management Associates, he said it would be speculation to try to determine the nature of the risk. "But as they say, "reducing the effectiveness" would seem to mean that attackers were seeking ways to circumvent or defeat SecurID in some way. Two-factor authentication is typically used to protect higher-sensitivity access or assets, and SecurID is a popular two-factor authentication product, so the objective would appear to be to find ways to gain access to assets/resources protected by SecurID," he said.

"There is a larger issue here," Crawford added. "The security of security measures themselves. If you can gain control of the measures that control and protect an asset, you may gain the asset itself...something for security and management vendors -- and their customers -- to consider more seriously."

In an interview with the New York Times, cryptography expert and inventor Whitfield Diffie, a VP with the Internet Corporation for Assigned Names and Numbers, speculated that the attackers may have pilfered the "master key used as part of the encryption algorithm."

The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems.

That's something many RSA customers are considering quite seriously today.

SEE ALSO: RSA SecurID Customers Fear Fallout From Targeted Attack On Security Firm

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?