RSA suffered a breach and data loss following an “extremely sophisticated cyber attack.” Their investigation revealed that the information extracted from the company systems is related to its SecurID two-factor authentication products. The news of the incident spread through the community like wildfire and information security professionals are offering their take on this incident. We still don’t know the technical details, but it’s certain that RSA’s brand has taken a big hit.
Each time I read about this “RSA breach”, I wonder if the cryptographic algorithm from Rivest, Shamir, and Adleman has finally been broken.
They should not have reused the name when founding their own company…
Edited 2011-03-20 09:22 UTC
Ha, I thought it was RSA (Royal, Sun Alliance), a large insurance and investment company in the UK that I happen to have at least one policy with…
What about the Republic of South Africa?
It’s SAR – South African Republic
No, he's right, it is RSA.. Republic of South Africa..
Never heard of South Africa being shortened to RSA.
But, yeah SAR is the monetary unit over there…
Uh, hu. Right.
Also, can we please stop using “cyber” when referring to the Internet? Seriously, there’s nothing cyber about it.
Buzzwords won’t save your ass.
I agree!
And please no more Web 2.0 (no 2.0), user-generated content (everything is user generated) and clouds (let’s call them cybers).
Also the topic has been scary. It sounded like “RSA broken”. But it’s just 2011 and apocalypse is planned for 2012!!
Edited 2011-03-20 12:22 UTC
Take away the name “cyberattacks” and “web 2.0”..if it happens…headlines
“Report 80% decrease in “cyberattacks”…but 80% rise in internet exploits…”
“Where has Web 2.0 gone?…say hello to Web 3.0!! the new frontier with added HTML5 and browser API’s!”
Edited 2011-03-20 15:08 UTC
Worst case, whatever had been “stolen” from RSA as a result of the breach can’t be any worse than if one had used an Open Source solution in the first place.
The “security through obscurity” that RSA has enjoyed could be gone now, but we will never know – unless the contents retrieved during the attack are leaked to the public somehow (hard to imagine).
I don’t know much about SecurID (other than the fact that I have a couple of those tokens in my drawer at work for access to customer systems), but I would hope the entire system is open-spec such that it has been audited by the greater security community for potential flaws.
I would imagine that getting your hands on the client/server source code for the SecurID system would be a boon for criminals in order to analyze and discover potential flaws in the software.
You’d think so and you’d be wrong. It’s closed-sauce secret magic all the way. Think of it as a glorified shared secret (ok, it’s more complicated). I had to do a little work with SecurID a while back and I found it odd that companies would put so much trust in it.
On a related note, I found it funny that someone in the linked articles (can’t remember who, can’t be arsed to check) described SecurID as a pre-determined sequence of random numbers. Uh, hello? It’s either pre-determined or random, it can’t be both. This person should probably stay the f–k away from security.
Edited 2011-03-21 04:44 UTC
The worst case is that the entire SecurID system is compromised and rendered useless. Much worse than using an OSS solution in the first place, not to mention that it would probably be the end of RSA. Maybe that’s why they’re trying to tone it down.
Yeah, that was a poor choice of words on my part
Per your previous reply, that’s scary. I would have thought, like RSA encryption itself, that the methods used in SecurID were understood by the security community in general.
As for the “pre-determined random number” – I know what they’re trying to suggest – but you’re right, totally non-random. Sounds like pseudo-random with a specific key on every token, combined with a timestamp to seed with – at least that’s my best-guess of the basic premise after seeing how they work.
we just spent 20 grand on fucking hardware tokens.
Yet again we see that those who use security as an argument against open source are proved wrong again (incl http://www.osnews.com/comments/24538)
If the security software makers are confident of the design of their system, then there is nothing to hide, and nothing to be afraid of if people get access to software maker assets.
Let me repeat that – nothing to be afraid of if bad people get access to software maker assets. The only thing you need to protect is YOUR organisation’s key management system. Not the vendors.
Why is it that the otherwise intelligent security community is really thick when it comes to dealing with the cartel of old guard software vendors?
…is probably moot in this instance. The algorithm RSA uses, although proprietary, had already been previously reverse engineered.
The main concern is with the seed records. RSA seeds each token with a unique code, and then provides a record of it to be installed on the authentication server. By tying the seed record to the token serial #, the server knows the six-digit code being displayed at any given time.
The problem is that RSA retains these seed records, unless you request in writing that they destroy them. The fear is that the attackers may have acquired the seed record/serial # combinations. This would be bad, but for someone to utilize it, they would need to know the serial # and PIN number of the token in question, and they would also need to know the code currently being displayed for time synch. This would only be useful in a specifically targeted or possibly phishing type of attack.
Another concern I’ve seen raised is that with access to the seed records, an attacker could discern the specific record belonging to a token by sampling a number of passcodes/time-offset combinations and comparing them to the seed records applied to the algorithm to find a matching combination. Not so sure how effective or possible this would really be though. Even determining the seed key/serial # combo through sniffing traffic would still require knowledge of the PIN number.
A third concern is that someone may have accessed internal data/communications outlining known flaws in the implementation that could then be exploited. This one actually wouldn’t surprise me compared to the other two; I’d really be stunned (and disappointed) to find the seed records were compromised on a machine that wasn’t severely locked down and protected with an air-gap from any corporate network.
RSA’s silence on this is deafening. Due to the design of their tokens, customers don’t have the ability to simply generate new seeds or codes. If the data breach compromises the integrity of the currently deployed tokens (some 40M of them) and RSA can’t isolate exactly which tokens may be impacted, they could be looking at a full-blown recall campaign. This doesn’t even address the challenges of re-engineering to address any existing flaws or exploits, or the damage to their brand or the effort to rebuild customer trust.
Sadly, RSA jumped the shark once EMC acquired them.