Attacks/Breaches

6/7/2011
04:01 PM
Replacing RSA SecurID Tokens Not So Simple

There are plenty of in-house logistics -- and no guarantees that the new tokens won't be eventually compromised, security experts say

Should all RSA SecurID customers take the company up on its new offer to swap out their authentication tokens as a precaution?

Not so fast, security experts warn. While RSA says it will provide replacements for SecurID tokens to allay security concerns in the wake of its breach and the subsequent related breach at Defense contractor Lockheed Martin, the move might be only a temporary fix if the attackers who compromised RSA's SecurID servers indeed got the seed files. And replacing tokens takes more than a hardware swap: There are logistics, such as enrollment and getting the help desk involved, and the new tokens must then be re-registered with Active Directory so that the back-end VPN system recognizes them, for example.

But some RSA customers say they still don't have enough information from RSA to determine whether they are actually at risk. RSA still hasn't come clean with all of the details on what the bad guys stole. If the seeds were compromised, for instance, then SecurID customers who replace their tokens might have to do so again at another time.

"Customers need to ask RSA why new tokens matter. Does getting a new token mean I'm more secure? That's the question that needs to be asked," says Marcus Carey, a security researcher with Rapid7. "Companies need to know that this isn't a 'token' gesture."

RSA late yesterday confirmed that a breach last month at its customer Lockheed Martin was tied to an attack in March on its own systems. RSA chairman Art Coviello said in a blog post that on June 2 his firm determined that SecurID data stolen from RSA was "used as an element of an attempted broader attack on Lockheed Martin."

Coviello said the attack on Lockheed appears to be part of a targeted attack on Defense contractors, that it doesn't "reflect a new threat or vulnerability in RSA SecurID technology," and that the remediation steps it had recommended for customers would "help to deliver the highest levels of customer protection."

Security experts say Coviello's latest post appears to confirm that some of the SecurID seeds were compromised in the attack against RSA. "There's no mention of why it's not going to happen again or what has been done to make the seeds more secure," says Max Caceres, a security expert. "It's unclear what you are getting out of taking [on] that cost [of replacing tokens]," he says.

Token replacements aren't for every organization, he says. "Every company is different. They should be cautious about how they go about doing that. They need to talk a little more with RSA to understand what has changed now if they do the replacements, and get more assurances around what the security benefits by replacing tokens," Caceres says.

"It's unclear if six months down the road you'll have to replace them again," he says.

Marcus Ranum, CTO at Tenable Security, says that if you're not a big Defense contractor, then you probably don't need to get new SecurID tokens. A bigger problem is protecting your firm from social-engineering attacks to grab user credentials, he says. "You need to make sure your IT staff is particularly careful about social engineering," he says.

Even so, RSA's offer to replace the tokens is good timing for a "refresh" for customers' keyfobs, he says. "That will reset the clock for another five years," he says.

Other experts say replacing the tokens is better than doing nothing now that the cat is out of the bag. "There's a good chance you lost the reason you moved to two-factor authentication in the first place. You could now be left with one-factor," says Tsion Gonen, corporate vice president of products and marketing at SafeNet. "Our view is you have to do something about it … otherwise, you're back to [just] a username and password."

Gonen suggests that at a minimum, RSA customers should have replaced their tokens and changed passwords months ago when RSA admitted it had been hacked. Still, it's no surprise that Lockheed Martin and others did not. "People are change-averse," Gonen says.

And there's always risk associated with relying on an outsourced seed model, like RSA's for SecurID. SafeNet's Gonen says this refresh is also a chance to take seeds in-house. "Make sure you program the token yourself," says Gonen, whose firm offers such a product.

Maybe RSA will offer the option for users to "own" the seeds themselves and program their own tokens at some point as well, he says.

Meanwhile, RSA's Coviello did say in his post that the company will add extra factors for strong authentication to SecurID. "We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions," he wrote.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...