The security breach that targeted sensitive data relating to RSA's SecurID two-factor authentication product has cost parent company EMC $66m in the second quarter, The Washington Post has reported. The king's ransom was spent after RSA issued a vaguely worded letter in March warning that undisclosed information had been stolen …
Any news as to the remedy?
Found anyone who is willing to say, off the record, that RSA has either provided them with new SecurID tokens, or told them that would fix the problem?
If the tokens were replaced, that would seem to indicate either the seeds were stolen or there's an implementation weakness. If it's a software update on the server side, a patch to the underlying Oracle database, etc., that's still a problem, but a very different one.
My money is on new tokens.
Re: Any news as to the remedy?
I don't have any definitive news, but Cain & Abel has been able to provide soft token functionality if you can provide a RSA seed file and manually entering the token codes for sync for some time.
Hence - seeds were definitely stolen and the fix will be new tokens with new associated seed files.
The possibility is that customer information was also stolen (i.e. SecurID licence numbers and licensing information) to allow the seeds to easily be tied to a customer which takes the threat from vague to useful against specific customers.
The PIN numbers that were associated with the tokens will still need to be guessed, but the security around these isn't always great (i.e. standardising on 1234 or using sellotaping the PIN code to the back of a SecurID).
Our 50 tokens were replaced FoC last week.
Only used by our own staff so easy enough to swap them out. Obviously a slightly bigger job for banks etc.
75k+ of them here. Don't know if we paid for them or not, just an end user, me :)
This incident was handled in an absolutely disgraceful fashion.
It is wholly unacceptable that RSA has not given enough information for their customers (of one which employs me) to assess the implications of the breach and their pathetic security advice is absolutely worthless.
If I were a customer of RSA, I would be demanding replacement SecurID tokens at the very least. Having seen how seriously they care about their customers' security, only a fool would work with RSA again.
So VMware's sudden massive price increase is a response to this action to recover costs for EMC.
Where is management?
This is RSA F******in' Security for Chrissakes! I have spoken to RSA customers and they are all moving away from SecurID, as the company can no longer be trusted. Two clients told me they were lied to by RSA staff. This is a Sarbanes offense IMHO.
Don't trust what I say though, do your own research. (CYA alert)
I work for a security reseller
It's been good for us. (We sell competiting two-factor solutions, and there's been lots of people jumping ship)
Missing a 0
The cost should of been $660,000,000. Thats with fines and proper replacement .
By how poorly they have handled this. Assuming replacement tokens are the necessary solution they have had more than enough time to start a mass scale swap out program.
I will lay good odds that the breach included seeds and their current actions are a cynical attempt to make the customer loss a slow trickle until everyone forgets it.
Absolutely shocking I would never trust them again.
I work in a helldesk. The day after the attack was announced, I said we would be switching from 4 digit pins to 8 character pins. About a week after that, they announced we would be switching. Two days after that, we had 2000 people forced to change. When I sat down to work, we had 125 people in queue for support with the switch. Our RSA system and call queueing system actually crashed that day.
And yet, the company I will not name will not switch from RSA. Rather, they want to switch all ~35k employees to 8 character pins. I suppose it's probably easier to let us poor underpaid helldesk geeks handle it than to just switch to something that works.
Stuff the cost to RSA
What about the cost to other companies, security agencies and our countries as sensitive information got pilfered because of their cock-up.
Lets talk about THAT!
It may have "cost" RSA $66M in direct cost. But is has cost their customers a whole lot more. Many are places that don't officially exist so there aren't going to be claims, are there.
In terms of overall business, my uneducated guess is that it will cost north of $1B. Trust is hard-won and easily squandered. Sorry guys :)
$66m sounds *way* too low.
LockMart is *huge* and AFAIK almost entirely a govt con-tractor.
That would suggest damm near everyone would need a replacement token.
Starting there and going down their customer list (*how* many banks?) I'd suggest they worked some *very* doubtful accountancy moves to get the figure down that low.
While it *might* be accurate their very poor ongoing PR on the subject continues to leave a very bad taste in the mouth and the suspicion that a lot *remains* to be said.
It's like the head office moved to a little town called "Denial," somewhere in the USA.
In Denial ...
... that's where Pharaoh's daughter found the infant Moses.
(That was HER story, anyway)
And I've been waiting YEARS for an excuse to trot that one out - thanks.
What a JOKE
I know that customers have received FREE tokens from this EPIC FAIL. Its obviously the seed records or else why would the need to reissue them...
And yet still the Banks and Governments departments are refusing to swap out the technology... I mean, how can these people be head of security and still continue to use RSA. We were offered SecurEnvoy for our whole RSA estate and at a hugely discounted cost. All i can say is i'm glad we swapped, it was easy and would never consider RSA again.
The way in which RSA has handled this whole debacle is outrageous. I wonder how much of that $66m was in brown envelopes to persuade CIO's to keep the technology on board?