News:

And we're back!

Main Menu

RSA SecurID system hacked

Started by MadImmortalMan, March 21, 2011, 12:38:57 PM

Previous topic - Next topic

MadImmortalMan

The RSA Security Conference this year is over. Would have been cool if this happened the same week.



Quote

Information about RSA's SecurID authentication tokens used by millions of people, including government and bank employees, was stolen during an "extremely sophisticated cyberattack," putting customers relying on them to secure their networks at risk, the company said today.

"Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA," Executive Chairman Art Coviello, wrote in an open letter to customers, which was posted on the company's Web site.

"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat. Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products," the letter said.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello wrote. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

The company said it has no evidence that other products are affected or that personally identifiable data on customers or employees was compromised. RSA, the security division of technology giant EMC, did not elaborate and a spokesman said he could not provide additional information at this time.

The tokens, of which 40 million have been deployed, and 250 million mobile software versions, are the market leader for two-factor authentication. They are used in addition to a password, providing a randomly generated number that allows a user to access a network.

The tokens are commonly used in financial transactions and government agencies; one source who asked to remain anonymous said SecurID users in those sensitive areas were scrambling to figure out what to do in light of the breach.

What exactly did the bad guys get?
Because it's unclear exactly what type of information was stolen, sources told CNET they could only speculate as to what the potential outcome could be for companies using the devices.

"It's hard to say [how serious the breach is] until we know the extent of what the bad guys got a hold of," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "Any time a security company gets broken into, it reminds you that it could happen to anybody."

He used to work for a financial services firm that "basically ran everything on" SecurID, he said. "They would be very unhappy if they found out" it could be compromised somehow.

"The real story here is what was stolen. It definitely seems mysterious," said Ravi Ganesan, an operating partner at The Comvest Group and former founder and CEO of single sign-on provider TriCipher. "SecurID is a token authenticator device that flashes a new number every 60 seconds. The number is calculated from two things, a 'secret seed' unique to that device and the time of day. So your one-time password is output of [that] algorithm."

RSA has historically kept their algorithm secret, but that is not a good defense against a sophisticated attacker who could get a software version of the token or the back-end server and reverse engineer the code, Ganesan said. "So what on earth could have been stolen? I certainly hope RSA did not put some back door into the software and that was what got stolen."

While details were scarce, hints about the breach could be gleaned from a message to customers filed with the SEC. It recommended that customers increase focus on security for social-media applications and Web sites accessed by anyone with access to their critical networks; enforce strong password and PIN policies; as well as remind employees to avoid opening suspicious e-mails and providing usernames or other credentials to people without verifying the person's identity as well as avoid complying with e-mail or phone-based requests for such information.

Additionally, the message said customers should pay special attention to securing their active directories and use two-factor authentication to control access to them; watch closely for changes in user privilege levels and access rights; harden monitor and limit remote and physical access to infrastructure that hosts critical security software; shore up practices against social-engineering attacks; and update security products and patch operating system software.

Advanced Persistent Attacks often target source code and other information useful in espionage and involve knowledge of the company's network, key employees, and workings. Attackers use social engineering and exploits hidden in e-mail and other messages to sneak keyloggers and other snooping tools onto employees' computers. Google announced last year that it and other companies had been targeted in such an attack and it later came out that attackers used an unpatched hole in Internet Explorer to get into the company computers. Google said at the time that intellectual property was stolen and that the attacks appeared to originate in China.

Updated at 7:06 p.m. PT with reaction, more details, and background throughout.

Read more: http://news.cnet.com/8301-27080_3-20044455-245.html#ixzz1HFxm4JdK


Think I'll do some shorting of the parent company EMC.
"Stability is destabilizing." --Hyman Minsky

"Complacency can be a self-denying prophecy."
"We have nothing to fear but lack of fear itself." --Larry Summers

MadImmortalMan

Quote
Open Letter to RSA Customers



Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers' relevant partners.

We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps we've outlined in our SecurCare Online Note. APT threats are becoming a significant challenge for all large corporations, and it's a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.

Sincerely,

Art Coviello
Executive Chairman, RSA



lol oops
"Stability is destabilizing." --Hyman Minsky

"Complacency can be a self-denying prophecy."
"We have nothing to fear but lack of fear itself." --Larry Summers

jimmy olsen

Chinese? Russians? Organized Crime?
It is far better for the truth to tear my flesh to pieces, then for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point

Darth Wagtaros

I go with the Chinese in these cases since it is usually them.
PDH!

CountDeMoney

We dealt with this last week.  No biggie.