RSA has more than 70% of the two-factor authentication market, according to IDC. It has shipped some 25 million authentication devices so far. RSA's SecurID tokens periodically generate a random numerical value that is used to access IT resources. Typically high-value resources.
That's why many customers, including two I spoke with last night, were disheartened to learn that RSA not only suffered a significant breach that was characterized as an Advanced Persistent Threat (APT), but that its SecurID system was compromised to some extent as detailed in Coviello's letter:
Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.
When discussing the situation with the security manager at a bank based in the midwest, that uses the SecurIDs to protect its administrative systems, he expressed considerable concern about the viability of the devices to adequately protect the bank: of part of the cryptographic algorithm has been compromised. "We're going to be extraordinarily vigilant for anything out of the ordinary around our access controls until we learn more," he said. He asked not to be identified.
In an e-mail exchange with Scott Crawford, managing research director at Enterprise Management Associates, he said it would be speculation to try to determine the nature of the risk. "But as they say, "reducing the effectiveness" would seem to mean that attackers were seeking ways to circumvent or defeat SecurID in some way. Two-factor authentication is typically used to protect higher-sensitivity access or assets, and SecurID is a popular two-factor authentication product, so the objective would appear to be to find ways to gain access to assets/resources protected by SecurID," he said.
"There is a larger issue here," Crawford added. "The security of security measures themselves. If you can gain control of the measures that control and protect an asset, you may gain the asset itself...something for security and management vendors -- and their customers -- to consider more seriously."
In an interview with the New York Times, cryptography expert and inventor Whitfield Diffie, a VP with the Internet Corporation for Assigned Names and Numbers, speculated that the attackers may have pilfered the "master key used as part of the encryption algorithm."
The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems.
That's something many RSA customers are considering quite seriously today.