Without all of the details from RSA, many SecurID customers have concluded that they must assume and prepare for the worst-case scenario: that the one-time password keys for the multifactor authentication technology were stolen or exposed.
RSA did provide customers with some additional, albeit sketchy, information yesterday via email. One security officer at a large enterprise says the email appears to confirm suspicions that the attackers stole information that, combined with other intelligence they could glean through social engineering attacks, would allow them to pretend to have a specific token.
RSA's shocking revelation late last week that it had been the victim of an advanced persistent threat (APT)-type attack was a chilling reminder that even security companies can't escape the threat of infiltration by a determined attacker.
"[The] persistent threat can affect any corporation, and no one is immune," says Ondrej Krehel, information security officer for data risk management and forensic services at Identity Theft/911. "The lesson learned is that even the biggest players in the industry can be breached and their treasures taken."
But without specifics from RSA about just what the bad guys got their hands on, many enterprises are drawing their own conclusions, says Scott Crawford, managing research director for Enterprise Management Associates.
"They are left fearing the worst, that SecurID has been compromised in some meaningful way. The fact that RSA emphasized protection for other authentication factors, and the system itself in deployment suggests to customers that if the passcode system itself has been compromised, it raises the bar for protecting other authentication in their multifactor authentication schemes," Crawford says, citing enterprises he has spoken with.
Word of the breach came in a carefully worded open letter from RSA executive chairman Art Coviello on the company's website, and RSA also has provided some general recommendations for SecurID customers here. But the passage in Coviello's letter that has many customers nervous is this one: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
Many security experts are recommending that customers plan for the worst-case scenario, and are offering them advice and guidance. Brandy Peterson, chief technology officer for FishNet Security, says without specifics from RSA, it makes sense to consider that some or all of this information has been stolen and is potentially up for sale.
"Bottom line -- in the worst-case scenario, the attackers would have information that allows them to generate tokencodes for the specific tokens a given customer has purchased. Note that most or all of this information is only required to manufacture and distribute the tokens, and is not necessarily maintained after the tokens are delivered," Peterson blogged today. "Since this is a multifactor authentication solution, it is important to understand what the attackers could not have stolen directly from RSA. This is not to say that they do not or will not have this information in their possession, just that they did not get it from RSA."
Peterson says the attackers would also need to obtain a victim organization's usernames, PINs, the token serial numbers tied to those PINs, token time offsets, and customer configuration information, such as PIN length, username conventions, and other deployment-related intelligence. They would also need applications that authenticate to SecurID.
But there's still no confirmation from RSA whether token serial numbers, algorithms, or other customer details were exposed. So all SecurID customers can do is follow RSA's relatively generic recommendations and supplement them with their own worst-case contingency planning.
Dave Jevans, chairman of the Anti-Phishing Working Group and founder and chairman of IronKey, says he believes that RSA's own IT administrators inadvertently picked up some malware while on Facebook or other social networks, and that the attackers used either phishing emails or other social engineering ploys to spread malware in the company.
And that mention of "active directories" by RSA? Jevans maintains that the attackers "did expand their footprint inside of RSA through Active Directory and other systems to gain access to internal databases of secret keys for the OTP systems."
Jevans has sided with the worst-case scenario camp: "It is my personal (not my company's) belief that the SecurID OTP secret key database has been stolen. This is my personal opinion. If it is true, then there are massive attack vectors that are now open to companies that rely on OTP for authentication," he said in a statement. "As RSA has said publicly, they recommend a multilayered security architecture to detect and prevent breaches."
"One can only speculate how government and corporate customers are affected, if any encryption and authentication technology is critically affected, and to what extent," Identity Theft/911's Krehel says. "More entities should ask questions about their security posture. How well did they prepare to detect and remediate hacking incidents? Are there any competitors or state-sponsored threats to their organizations? What is the likelihood of being the target?"