The Tech Herald

RSA’s SecurID targeted in data breach

by Steve Ragan - Mar 18 2011, 12:15


RSA, the security division of data management giant EMC, was breached sometime recently, and information related to RSA’s SecurID tokens was pilfered by the perpetrators. RSA’s two-factor authentication solution is used by millions, including government and private sector organizations.

The exact risk to RSA’s customers is unknown, but that won’t stop some from thinking the sky has fallen. This imagined risk is sure to explode thanks to EMC reporting the incident as an APT (Advanced Persistent Threat) level of attack, a label that could mean anything from custom malware to social engineering, or something else entirely.

In a public letter and separate 8-K filing with the SEC, EMC’s Executive Chairman, Art Coviello, stated that while the information stolen doesn’t enable a direct attack on SecurID customers, it “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

Reporter Dan Goodin at The Register asked EMC a critical question shortly after news of the breach broke. He was curious if the data stolen was in fact the seed values that SecurID tokens use to generate their constantly changing six-digit codes.

If attackers “were able to access the seeds for a specific company, they might be able to generate the pseudo-random numbers of one of its tokens, allowing them to clear a crucial hurdle in breaching the company's security,” Goodin wrote. EMC declined to answer the question.
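To make Goodin’s question concrete, the following added example (not code from the article, EMC or RSA, and not SecurID’s proprietary token algorithm) uses the public RFC 6238 TOTP scheme as a stand-in: a six-digit code is derived from nothing but a shared seed and the current time step. It shows why the seed database is the crown jewel of any token system: any party holding the seed computes exactly the same codes the token does, and without the seed a verifier cannot check a code at all. The seed value is the RFC 6238 test seed, chosen so the output is checkable against published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 6238 test-vector seed, NOT a real token seed.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # length of one time step (assumption: RFC 6238 default)
DIGITS = 6          # six-digit codes, as the article describes


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts codes from +/- `window` steps to absorb clock drift.
    Note that the verifier needs the very same seed the token holds: whoever
    holds the seed store can therefore mint valid codes for every token in it."""
    counter = unix_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


def seed_holder_reproduces_code(seed: bytes, unix_time: int) -> bool:
    """Illustrates the article's point: a second party that obtained the seed
    derives the identical code, with no access to the physical token."""
    token_side = totp(seed, unix_time)       # what the hardware token displays
    seed_copy_side = totp(bytes(seed), unix_time)  # computed from a copy of the seed
    return token_side == seed_copy_side


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SEED, now))
    print("copy of seed yields same code:", seed_holder_reproduces_code(DEMO_SEED, now))
    print("verifier accepts it:", verify_totp(DEMO_SEED, totp(DEMO_SEED, now), now))
```

The defensive takeaway is the one Coviello hinted at: once seeds are exposed, the time-based code no longer adds an independent secret, so the remaining strength of the deployment rests on the other factor (the user’s PIN or password), on protecting the seed store itself, and on replacing affected tokens. Seed material for a verifier should live in an HSM or encrypted store with access logged.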

Frankly, many in the security community were annoyed by the vagueness of EMC’s disclosure.

However, this lack of information is no reason to panic or spread bad information. Take, for example, the claims that China is behind the attack simply because APT was mentioned. There has been no proof of this, so reporting it as fact or using it in a PR pitch is a bit of a stretch.

“Everyone will have their favorite pet theory, but right now none of us know cr** about what really happened. Speculation is one of our favorite pastimes, but largely meaningless other than as entertainment, until details are released (or leak),” commented Rich Mogull, CEO of Securosis.

Speaking of speculation, the list of recommendations EMC provided to customers is fueling the debate over how they were compromised.

In a SecurCare note, EMC urged customers to increase focus on social media applications and websites used by anyone with network access. After that, they recommend customers employ the rule of least privilege while assigning roles and responsibilities on the network, and monitor changes to access levels on any critical systems.

Education, on topics such as avoiding suspicious emails and confirming a person’s identity before handing over sensitive information, was another suggestion. Monitoring Active Directory security, working with Help Desk teams to prevent information leakage, and patching security products and operating systems round out the extensive list.
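One of EMC’s recommendations, monitoring changes to access levels on critical systems, can be turned into a simple check. The following is an added example (not from the article or from EMC’s SecurCare note) that scans Windows Security audit events for members being added to privileged Active Directory groups. The event IDs 4728, 4732 and 4756 are the real Windows event IDs for additions to security-enabled global, local and universal groups; the group watchlist, the field names as they appear in the exported event XML, and the sample events themselves are constructed for the demonstration.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Privileged groups whose membership changes warrant review.
# Assumption: tune this list to the environment.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security event IDs: member added to a security-enabled group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed sample events (not real logs). Field names follow the Windows
# event XML: SubjectUserName = actor, TargetUserName = group, MemberName = added member.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "TimeCreated": "2011-03-18T08:55:02Z"},  # logon, ignored
    {"EventID": 4728, "SubjectUserName": "helpdesk01", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=test", "TimeCreated": "2011-03-18T11:02:13Z"},
    {"EventID": 4732, "SubjectUserName": "helpdesk01", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=jdoe,OU=Staff,DC=example,DC=test", "TimeCreated": "2011-03-18T11:03:40Z"},
    {"EventID": 4756, "SubjectUserName": "helpdesk01", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=test", "TimeCreated": "2011-03-18T11:04:09Z"},
]


def privileged_group_additions(events: Iterable[Dict], watched=WATCHED_GROUPS) -> List[Dict]:
    """Return one alert per addition to a watched group. Non-membership events and
    additions to unwatched groups are skipped."""
    alerts = []
    for ev in events:
        scope = GROUP_ADD_EVENTS.get(ev.get("EventID"))
        if scope is None:
            continue                                  # not a group-addition event
        group = ev.get("TargetUserName", "")
        if group not in watched:
            continue                                  # low-privilege group, no alert
        alerts.append({
            "time": ev.get("TimeCreated"),
            "actor": ev.get("SubjectUserName"),
            "group": group,
            "scope": scope,
            "member": ev.get("MemberName"),
        })
    return alerts


def additions_by_actor(alerts: List[Dict]) -> Counter:
    """Count privileged additions per actor; a help-desk account doing several
    in a short span is exactly the kind of change EMC asked customers to watch."""
    return Counter(a["actor"] for a in alerts)


if __name__ == "__main__":
    found = privileged_group_additions(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['actor']} added {a['member']} to {a['group']} ({a['scope']})")
    print("per actor:", dict(additions_by_actor(found)))
```

In practice the events would be pulled from the domain controllers’ Security logs (or a SIEM) rather than an inline list, and each alert should be matched against an approved change ticket; an addition with no ticket is the signal worth escalating.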

According to Securosis, organizations can take some actions now, despite the lack of information.

“If you aren’t a [SecurID] customer… enjoy the speculation. If you are, make sure you contact your RSA representative and find out if you are at risk... If you have a token from a bank or other provider, make sure you give them a few days and then ask them for an update.”

We’ve reached out to EMC for comment. If they offer more information, we’ll update this story. For now, the incident is under active investigation.
