Risk
3/18/2011
12:47 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

RSA Breach Leaves Customers Bracing For Worst

RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.

RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen. Customers are bracing for more details.

RSA has more than 70% of the two-factor authentication market, according to IDC. It has shipped some 25 million authentication devices so far. RSA's SecurID tokens periodically generate a random numerical value that is used to access IT resources. Typically high-value resources.

That's why many customers, including two I spoke with last night, were disheartened to learn that RSA not only suffered a significant breach that was characterized as an Advanced Persistent Threat (APT), but that its SecurID system was compromised to some extent as detailed in Coviello's letter:

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

When discussing the situation with the security manager at a bank based in the midwest, that uses the SecurIDs to protect its administrative systems, he expressed considerable concern about the viability of the devices to adequately protect the bank: of part of the cryptographic algorithm has been compromised. "We're going to be extraordinarily vigilant for anything out of the ordinary around our access controls until we learn more," he said. He asked not to be identified.

In an e-mail exchange with Scott Crawford, managing research director at Enterprise Management Associates, he said it would be speculation to try to determine the nature of the risk. "But as they say, "reducing the effectiveness" would seem to mean that attackers were seeking ways to circumvent or defeat SecurID in some way. Two-factor authentication is typically used to protect higher-sensitivity access or assets, and SecurID is a popular two-factor authentication product, so the objective would appear to be to find ways to gain access to assets/resources protected by SecurID," he said.

"There is a larger issue here," Crawford added. "The security of security measures themselves. If you can gain control of the measures that control and protect an asset, you may gain the asset itself...something for security and management vendors -- and their customers -- to consider more seriously."

In an interview with the New York Times, cryptography expert and inventor Whitfield Diffie, a VP with the Internet Corporation for Assigned Names and Numbers, speculated that the attackers may have pilfered the "master key used as part of the encryption algorithm."

The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems.

That's something many RSA customers are considering quite seriously today.

SEE ALSO: RSA SecurID Customers Fear Fallout From Targeted Attack On Security Firm

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?