back to article RSA breach leaks data for hacking SecurID tokens

Attackers breached the servers of RSA and stole information that could be used to compromise the security of two-factor authentication tokens used by 40 million employees to access sensitive corporate and government networks, the company said late Thursday. “Our investigation has led us to believe that the attack is in the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Coat

    It is a sad day

    when one of the most trusted security solutions provider (and an industry icon too) admits its security was not that great.

    I must admit it's quite depressing to realize we're on our own now.

    A sobering memo for all CxOs : start looking for really competent people now because hardware&software off the shelf products can clearly no longer replace them. Yes, firewalls and IDS and anti-malware are as good as the people managing them. You DID know that, didn't you ?

    1. Anton Ivanov
      Flame

      Accident waiting to happen

      Well, in this day and age the token key which is used for the seed should be generated on the token by the customer not by RSA. Frankly, it was only a matter of time until this prehistoric solution met its match.

      Secret algo, weak crypto (by 2011 standards), security mostly guaranteed by the "secret" value of the seed and the seed generated by a "trusted" third party.

      In 2011. Yeah... Right...

      1. Anonymous Coward
        Go

        Seed files

        I belive this is why CRYPTOCard have there clients generate there own seed files for tokens

      2. Assumed Name

        Seeds for China

        Generate seeds on the device! Then watch as seeds become as uncommon as fake Rolex watches and pirated DVDs.

        Read the Cyber War book by Richard Clark and you will get a better feel for what is going on here, folks. The petty mudslinging by competitors is drowned out by the sounds of factories cranking out fake Cisco routers with back doors built in...

      3. Pet Peeve
        Boffin

        not really

        It's not a bad idea at all to set the keys in the factory, because then you can do a better job of tamperproofing them. Letting the user reprogram them exposes you to some possible exploits that are MUCH less likely if the chips are never writable at all.

        RSA blew it by keeping the key data someplace it could be stolen (or kept it at all, see my other message). That was the real idiocy here, and it will hurt them badly.

  2. Paul Renault

    The dude which/who wrote the EMC document,

    ..must be the same dude who liked to insert "This page and the next eight pages are intentionally left blank" in the IBM documentation of yore.

  3. Lorddraco

    Who is the best

    Even one of the best got pawned ... mmm .. we just need to do our due diligence in security. Social hacking still the number 1 hack.

  4. Michael Hoffmann Silver badge
    FAIL

    So far, no email from RSA

    Paid up RSA customers using SecurID and we only heard about this through the various tech sites (incl El Reg).

    Not very happy with RSA/EMC right now.

    1. Brian T
      FAIL

      Uber-Fail in customer care

      Agree with previous poster on the RSA/EMC response to customers. Would put a double fail or more. Just about every financial institution of any size uses RSA for admin access. So when will RSA come clean? When will they formally communicate to their customers? And no, Mr. Coviello, I don't read your blog every day. It didn't seem to be a requirement of the contract when I bought your stuff.

      Maybe El Reg can keep asking for information. Clearly customers don't get answers, maybe the press can.

  5. Anonymous Coward
    Unhappy

    How will this impact...

    ...the kind of token authentication systems used by dedicated online gamers. What immediately springs to mind are the large number of World of Warcraft players who use tokens to provide secure access to their accounts - is this the same technology being used?

    I only ask because having an 'authenticator' token system is supposedly the best way to secure your account from fraudulent activity - WoW accounts are pirated and sold with alarming regularity as it is, and the official line is always 'get an authenticator'. Should players be woried about increased attempts at theft?

    1. Mayhem

      Simple answer - it won't

      Different implementation of the same general concept.

      Blizzard uses tokens made by Vasco, so they have different seeds and algorithms to RSA.

      Also, the number provided by the user is compared with those generated on authentication servers within Blizzard, whereas many of the earlier RSA tokens required communication with RSA themselves, instead of a locally installed copy of the software.

      Simple answer - when Blizzard gets hacked and the authentication data is released, then the sky will be falling on you. Likelyhood of this? Extremely low.

  6. Anonymous Coward
    Anonymous Coward

    Wikid Systems?

    Wikid Systems? Really? And they expect to be taken seriously and compete with EMC/RSA et al? Can you see a senior security guy going to do a presentation at board level saying:

    "... and to sum up, I think we should drop the RSA SecureID token for the tokens produced by Wikid Systems"

    I certainly wouldn't because I would like to keep my job...

    1. durandal
      Coat

      re: Wikid Systems?

      "Startup gloating at incumbent's misfortune, full news at 11"

      That said, there is almost certainly a market for 'good enough' two factor authentication where forking out/deploying RSA just isn't going to happen, and funnily that's exactly where Wikid are aiming at.

      I'd never heard of them before this story, so they've got their money's worth from an attributed quote.

      Mine's the one with the password on a post-it in the pocket

  7. Anonymous Coward
    Anonymous Coward

    Oh no??!!!! Tell me it's not the games at risk!

    Blimey. I just thought it was a possible threat to a myriad of government depts and businesses. If I'd known the Dragonbeserkers and Nemocromongers were at risk I'd have written to my MP.

    I've got two types of keyfob - one requires a PIN punched into the keypad to reveal the one-time number. The other reveals one-time number without a PIN, but I append my PIN to the end of the one-time number as I enter it on the terminal. I imagine the latter is most secure, on the assumption that even if someone can generate a valid one-time number they don't know my PIN. Unless they do know it. It's 1111. Not really. It's 0000.

  8. Anonymous Coward
    Happy

    Gaming accounts as safe as your bank account?

    I use Blizzard's authenticator and HSBC's tokens both from VASCO .... I did some research and it appears these guys seed their tokens in a totally offline environment - so no online hacking .

    If you have doubts about RSA is is a no-brainer

  9. Anonymous Coward
    Flame

    404 Letter: Devoid of Content

    Ah, let's see -- yah that is the company that rabidly attacks others for lack of security or raises questions on others' security blatantly abusing them when things happen now cowers in corner cap in hand.

  10. Anonymous Coward
    Anonymous Coward

    Has no one noticed

    That this comes around about the same time as RSA/EMC release a paper on their “new vision for security operations to guard against advanced persistent threats” is released!!!

    http://www.rsa.com/go/press/RSATheSecurityDivisionofEMCNewsRelease_21611.html

    Coincidence.....mmmmmm

  11. taxman
    Pint

    Learn the latest in Online Fraud

    So I went to https://www.rsa.com/node.aspx?id=1331

    Nope. Nothing there about it. Better log out and lock up until later.

    Bet there is going to be a pretty penny made by the government's IT suppliers to 'fix' this.

    Ah. Friday afternoon. Is there a better time to think about beer and bees?

  12. Anonymous Coward
    Anonymous Coward

    Total communications failure

    Just listened in on the customer con-call for this issue and they spent five minutes reading the same statement they sent in the email, 10 minutes teaching us how to design a secure network, set password policies, do backups, physical security, social engineering, user training, blah, blah blah. Exactly ZERO minutes telling us exactly what data was compromised so we can determine the appropriate response for US. They claim they won't tell us "for security reasons" - "it's an ongoing investigation". And then they pat themselves on the back for telling us they were hacked, as they really didn't have any obligation to so to since they feel no customer-identifiable info was compromised.

    I can't begin to describe what a fail this is from a customer perspective. OK, you got hacked. Shouldn't have happened. But to hide FROM YOUR CUSTOMERS what you lost, to give us no realistic way to assess the risk to US, you have failed in your primary mission, which is risk reduction.

    Goodbye RSA. My tokens are going back. Not because you were hacked, but because of how you responded.

  13. Marc 1

    @Anton

    I've heard it said that you're only as secure as your hardware is... Storing the bread and butter on the hardware dongle would seem to me a bad move and open to reverse engineering.

  14. elip
    IT Angle

    emc fail? shocker

    noooo, really?!! an EMC owned company failing at security? Come on guys, EMC essentially represents everything that is wrong with the "industry" these days. I for one am not surprised. Look at their storage and virtualization offerings to see major failures in security 101. I'm sure it's just the EMC culture finally spreading to the RSA side of the house.

    As for the token threat at least with regards to the VPNs: this has a minimal impact/threat vector. Attackers will almost ALWAYS hit the lowest hanging fruit first ---> I support world-wide VPNs where Network Administrators/other privileged users routinely leave their machines logged onto our network from their surely unprotected home networks (you know, 24x7). End users are still our biggest 'persistent threat' followed in close 2nd by the business-minded management that simply ignores our risk analysis and says without fail "we accept the risk, let us stay logged onto the VPNs indefinitely.". They also drop gems like "no, we do not care what our 15000 users plug into our 20000 live network jacks".

    1. Anonymous Coward
      Anonymous Coward

      Examples?

      Can you give us a couple of examples as to their storage/virtualisation security issues?

  15. Joe Montana
    FAIL

    Ridiculous

    The whole design of securid is ridiculous, it was a house of cards waiting to fall and it seems that's exactly what happened...

    Why would you use a system like this whereby the vendor issues the keys? If the vendor issues the keys then you are 100% beholden to them to keep those keys secret... As this story proves, they are clearly unable to manage that.

    Why not use a system where YOU THE CUSTOMER generate the keys? That way, noone else has them so you are not beholden to a third party.

    Also if the algorithms are properly designed, having the code won't help you without the keys either.The DES algorithm is publicly available and has not been cracked for instance, only brute forced because computing power has increased so much since it was created.

    Personally i think that current "best practices" and "security standards" simply aren't good enough. Considering who RSA are, you would *assume* they are far more likely than most to do their due diligence and follow what they believe to be strong security practices... So either they screwed something up really badly, or the standard industry security practices they followed are flawed.

    1. David 9

      DES? Really?

      3DES maybe, but you can't advocate DES in this day and age. Techniques to break DES quicker than brute force were around in the early 80s.

      But RSA using a secret private algorithm really is a breach of cryptography 101.

    2. Grumpy Fellow
      Joke

      Keyed by the vendor?

      Regarding: Why would you use a system like this whereby the vendor issues the keys?

      I know you will find this hard to believe, but over here in the USA, we buy automobiles for many tens of thousands of dollars that are keyed by the manufacturer, not the purchaser. Oh, and when we spend half a million for a house, the keys are furnished by the builder.

  16. J. Cook Silver badge
    Pirate

    Got our letter around 10:15 pm -GMT7 last night.

    We use their appliances at $work, and I also found out about the breach before the email came through. SHould be a fun time over the next couple days.

  17. Anonymous Coward
    Coat

    Physician, heal thyself

    I have nothing more to say....

  18. Anonymous Coward
    Unhappy

    Bad day for RSA

    Leader in encrypted security:

    1. gets hacked

    2. RSA-issued customer encryption IDs taken

    3. Is slow to notify customers affected

    4. Won't tell customers which IDs were taken

    I'd say they just wrote off somewhere between a few hundred million and several billion $ in brand equity, depending on what use the stolen IDs are put to.

    Fortunately, their competitors include those clueless enough to name themselves "Wikid Systems", which is a perfectly fine name if you are making joysticks or perhaps utility or connectivity software, but is a lousy name if you want to sell security to enterprise customers.

  19. Pet Peeve
    Alert

    Always wondered when...

    ... this was going to happen with securid. It's all because of their greed in wanting to remain part of the authentication chain.

    Ideally, an authenticator distributor would manufacture the device, program it, copy the programmed code to a disk for the customer (or print it out), and then immediately delete it, so it's never recoverable again. SecurID does a great job of making the fobs themselves write-only; the programming contacts are buried in plastic, with anti-tamper contacts embedded in the plastic while it's still liquid, so that if you ever try to expose the chip again, it destroys itself. Tried it a couple times with a dremel and really fine bits - no matter how delicate, you can't get enough plastic off without resetting the chip. Compared to all the other fobs I've played with, RSA's are the best designed. Vasco's is nicely solid as well, but not quite up to RSA's standard. The good thing about Vasco is that they don't hide their algorithm.

    But, instead of doing the job RIGHT, RSA did it lucratively. They keep the programing data, and act (at least for some companies) as the authenticating party. Thus, if they get ripped off like this, it's not just one company that is hosed, it's every company they service. I imagine that they are sending out thousands and thousands of new fobs in a panic - the cost of that, and liability for anything lost from the breach before they're replaced, will probably wipe out every extra cent they made from doing this part themselves. BIG mistake.

    Token cards are a fantastic second factor. But you can't mishandle the key material, or you've made the whole system worse than useless.

  20. henrydddd
    Linux

    What do you think?

    When the top security firms cannot stop hacking/virus attempts, how can the little guy stop this kind of activity from happening? Likewise, with future Iphone being cloud based and HP going to a cloud based operating system, do you really thing that organizations going toward a cloud based computing system can assure security? Even on my personal pc, I have at least 3 antivirus/anti-adware packages and I don't feel safe.

    1. Rob - Denmark
      Joke

      At least 3 antivirus/anti-adware packages?

      More than one antivirus package?

      You really should consider having two computers: One that you use for doing stuff, and another for running all that conflicting software.

  21. rossmac2310

    RSA hacked - decade old technology - why the surprise ?

    It was only a matter of time before the fallibility of a decade old security solution was exposed. We at LiveEnsure do not practise security by obscurity but adhere to the core tenets of authentication - one of which is triangulation. You cannot trust the browser and so we step outside the browser in our solution and no key value pairs ( eg the OTP generated by the RSA dongle) are ever transmitted over the wire. Forget about tokens - they are dead in the water !!

    For a solution that solves RSA's current problem check out http://www.liveensure.com

This topic is closed for new posts.

Other stories you might like