Caution urged in wake of RSA security breach

No need for panic, but keep eye on RSA products, analysts say

The relatively scant information released by EMC's RSA security group on Thursday in connection with the theft of SecurID authentication technology code is fueling considerable speculation about the nature of the breach and its impact on enterprises.

Several security analysts today urged companies that are using SecurID to review their authentication measures and to shore them up if necessary. Until RSA releases further details on the breach it is best to assume that SecurID is vulnerable, they added.

"Don't panic," said Rich Mogull, an analyst with Securosis. "Until we know the attacker, what was lost, the vector of a potential attack," and the extent to which SecurID may have been compromised, it's hard to make a risk assessment, Mogull said.

But for the moment at least, enterprises should assume that SecurID is no longer an effective second factor of authentication, he said. "Review passwords tied to SecurID accounts and make sure they are strong," Mogull said. "Consider disabling accounts that don't use a password or PIN and set password attempt lockouts."

In an embarrassing admission for a security company, RSA said on Thursday that unknown intruders had stolen information relating to its SecurID technology in what it described as "extremely sophisticated cyber attack against RSA".

The company expressed confidence that the stolen information would not enable a direct attack against SecurID. But it added that the information could potentially be used to reduce the effectiveness of the technology.

SecurID is used for two-factor authentication purposes. The technology is available from RSA in the form of hardware and software tokens that are capable of generating random one-time passwords every 60 seconds.

The technology is designed to be used in conjunction with passwords to deliver a second layer of authentication for accessing systems and networks. Over 25,000 enterprises, many of them in the financial sector and government, currently use SecurID tokens to protect access to high-value applications and data.

Though RSA has not disclosed which or how much SecurID information was stolen, the mere fact that the company is warning of reduced effectiveness is troubling, said John Pescatore, an analyst with Gartner.

That statement guarantees that the breach is a "big deal for SecurID users," Pescatore said.

"SecurID tokens are very expensive and users dislike them, but they have always been a strong replacement for reusable passwords," he said. "[But] if the security provided is at risk, the pain may be more than the gain."

Pescatore dismissed RSA's claim that it was the victim of a sophisticated Advanced Persistent Threat (APT) attack, a kind of low, slow highly targeted attack most commonly associated with Chinese hackers.

RSA's claim is "disingenuous," Pescatore said. "It is trying to deflect attention from RSA's failure to protect their systems. Any security company with any threat experience has been dealing with targeted threats for several years."

SecurID is a proprietary algorithm that is designed to produce random numbers in a pre-determined sequence, according to a description of the technology by the Intrepidus Group. The sequence is used by an RSA authentication server to essentially validate that a person logging in, actually has the token in their possession, Intrepidus said in a blog post today.

Each token features a "seed" that determines the sequence of 6-digit numbers generated by that token. The seed ensures that the numbers are produced in a sequence that is unique to each token. The SecurID algorithm ensures that there are literally an infinite number of potential sequences that can be generated by each token, making them almost impossible to crack, says Intrepidus.

Even so, there are circumstances under which this assurance can be weakened, Intrepidus noted. One example is where an attacker somehow manages to get a list of all seeds and their associated token serial numbers. Another scenario is if attackers manage to get a list of seeds and the corporations to which they have been assigned.

The worst case scenario is if hackers found any documentation showing an inherent weakness in the algorithm that would allow them to generate valid pass codes for hardware and software tokens, said Jeremy Allen, principal consultant with Intrepidus.

"Unless something is fundamentally broken there is no need to panic", Allen said.

Aleksandr Yampolskiy, director of security and compliance at Gilt Groupe, said that even if the hackers had managed to steal the SecurID algorithm, pulling of attacks will still remain very hard.

"Even if details of the pseudo-random number generator are advertised to the world, unless the seeds plus [the token holder's passwords] are revealed," attacks are not possible, he said.

"The individual customer passcodes are stored on servers in individual companies -- not in RSA," Yampolskiy said. "So hackers should not be able to get access to these."

"I would recommend people follow general security recommendations," Yampolskiy said. In addition to ensuring strong password and PIN policies companies should also ensure their critical systems are properly patched.

"Closely monitor access to critical systems, and implement log aggregation to monitor their access," he said. "Consider installing host-intrusion detection systems on critical servers which use machine learning algorithms to differentiate good software from the bad unknown viruses."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Read more about data security in Computerworld's Data Security Topic Center.

Tags data securitysecuritySecurity Hardware and Softwaredata protectionemc

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?