back to article RSA won't talk? Assume SecurID is broken

It's been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product. For seven days, reporters, …

COMMENTS

This topic is closed for new posts.
  1. Fuh Quit
    Thumb Up

    Agreed

    You have to consider the silence and lack of detail is because of something. A strong password is ok as one factor but the whole point of a OTP is to increase the complexity for the attacker by more than doubling it.

    1. Giles Jones Gold badge

      Dongles

      But hardware dongles are no protection against exploits. You can still exploit bugs and security holes in an OS to gain access.

      The RSA token is comparable to any other dongle designed to secure or prevent piracy, they work for casual users but proper hackers will get past them.

  2. Mark 65

    Can someone enlighten me

    Everywhere I've worked that uses RSA secureid tokens for external access has the following process...

    1. Get token for user

    2. "salt" number created from a subset of the digits displayed on the device at a point in time and told to IT - presumably so the end user doesn't choose something stupid.

    3. User logs in with username, password, salt + current displayed digits.

    Even if you can predict the digits and you've got the user's username and password you still need that salt number too and any commercial/corporate network will lock-out long before you could brute-force it. Do others use the tokens in a less secure manner?

    Obviously this weakens things a lot but you still need to link a user to a token then predict the token value as well as obtain their credentials - seems like you'd find an easier way in using cold hard currency.

    1. Anonymous Coward
      Anonymous Coward

      Nearly but not quite...

      Step 2 is wrong. You don't tell the IT person the next number: the IT person tells you to use the first or last 4 digits from the next number to be displayed by the token. That way the IT person never gets to see it.

      The salt embedded in the token is unaffected by this and it is that - or the mapping of that to the token serial number - which may have been compromised but RSA are not saying.

    2. Anonymous Coward
      Anonymous Coward

      Varies

      I've had Securid key tokens from different companies. One gave me the salt (I think of it as a PIN) on a piece of paper, the second gave me the URL of an identity management panel where I was directed to enter a PIN of my choosing. Neither required a password in addition to the PIN+current displayed digits.

    3. Anonymous Coward
      Happy

      Post it

      Can we assume the Salt number is on a post it note attached to an IT monitor so its readily available for help desk calls ;-)

    4. It wasnt me
      Thumb Up

      Congratulations

      You read the article.

      There are 2 factors to the authentication. Assume 1 is now insecure. That leaves a single factor. Which isn't what you paid for.

      Ooops, look what I did, I paraphrased it yet again.

      1. Mark 65

        @It wasn't me

        What I'm putting forward is that perhaps one of the factors isn't compromised. If you used this salt+current number method along with network username and password then I don't believe the RSA token is compromised due to 2 parts being necessary for this one factor. Perhaps the current number part may be but then you don't know the salt or the username and password. Either way I think you're better off trying raw currency that hitting up a system with access logging and account lockout.

  3. Chris King Silver badge
    Flame

    EMC/RSA are doing themselves no favours by clamming up...

    I've already had several salescritters ring me up and e-mail me to say "SecureID is totally broken, come and talk to us about this new security product you've never heard of before - oh, and we just happen to be exclusive UK disties".

    If I'm being targeted this way, you can bet that they've got elevator pitches ready for people further up the food chain - and my employer doesn't even use SecureID.

    You can even bet that some CxO's in some organisations are asking their IT people "who owns this RSA mob, and do we have any more of their stuff ?" - the loaded question that really means "Can we move away from these guys if we have to ?"

    (Yes, yes, I know that means their SAN hardware, VMware, Legato, Documentum and whatever else they've assimilated since I last blinked - but even so, it's going to be asked in some places)

    Flames, because somebody at EMC must be feeling the heat right now...

  4. Quxy
    Boffin

    Screwed, basically

    SecurID tokens effectively have only 5-digit serial numbers (the first 4 digits are the expiry year), and tokens are apparently issued to end customers in consecutive blocks. Since SOP at most of the companies I've worked with is to assign the last 4 digits of the serial number as the PIN, the safest thing is to assume that the SecurID system no longer provides ANY protection against the unknown parties that hacked into RSA's insecure network.

    1. Galidron
      Unhappy

      Why would you do that?

      That seems like a very silly way to generate a pin. I personally use an alphanumeric pin longer then 4 characters.

      1. Someone Else Silver badge
        Badgers

        Well...

        You have an IT group that is rather enlightened. In my experience w/ SecureID, one IT group did let me choose my own >= 4 character "PIN", the other assigned me a 4-digit PIN tha was immutable.

    2. Anonymous Coward
      WTF?

      Eh?

      Quxy,

      Looking at the three securid tokens i have currently, the serial number is 9 digits long.

      The expiry date is 02/28/14.

      The serial number begins 2106.

      There is no correlation between the expiry date and the serial number.

      So "SecurID tokens effectively have only 5-digit serial numbers (the first 4 digits are the expiry year)" is bollocks. I also don't know anyone who issues pin numbers based on the serial number of the token. Anyone who does is an idiot. There is no need for anyone except the end user to know the pin, not the RSA admins, not the IT director, nobody else. There is literally no need for anyone else to know it. There are mechanisms to generate a PIN without the admins knowing it, but for the end user to know it.

      You cannot blame a technology for a failure to implement a technology properly on the part of the people implementing it. You might as well say UNIX passwords are intrinsically broken because someone set the root password as "password"

      All that said, I entirely agree with the general tone and thrust of the article, RSA have been done and their token security is seriously compromised.

    3. MrCheese
      FAIL

      @ Quxy

      Last four digits of the serial as the PIN?!?! Really?? Well you guys aren't doing yourselves any favours regardless of what's happen to RSA, SOP here and anywhere else I've been is that you choose your own four digit PIN, it's entirely unique this way.

  5. A. Lewis

    Worrying indeed.

    The only thing we've done so far is to e-mail all of our SecureID users and re-iterate good practice in big letters, i.e.: don't write down or tell anyone your PIN or serial number...

    I don't think abandoning RSA is an option, budget-wise. But we're very keen to hear what's going on...

  6. Andy Watt
    Unhappy

    Share prices, credibility...

    But not one shred of decency. Honesty has to be the watchword of a company in that industry, surely? If fatally compromised, pack up the system and call it a day. No other approach. Big money sue, but bigger if they stay silent and other companies fall one by one.

    "Cryptogeddon" - it's well and tru.y ON.

  7. trarch
    FAIL

    Making a bad situation worse

    If hackers really did get to the crown jewels, thus compromising SecurID's security, RSA shouldn't hestitate for even a moment to reveal this information publicly. They cannot be taken seriously as a security vendor if the security of their customers is not their highest priority.

    I would have thought the best option would be for them to assume the worst - yes, by all means refresh customers' memory regarding best security practices, but how about also telling them something along the lines of 'While we investigate, assume SecurID is broken and take necessary measures to mitigate its loss', as opposed to keeping quiet and hoping for the best.

  8. Anonymous Coward
    Anonymous Coward

    Title

    Well, RBS have said that they've been advised there is no issue & have advised staff the same. I'd imagine we're a BIG customer so might get more info than others?? Or not...

    1. Steve Evans

      RBS.....

      Well RBS is owned by the UK government these days, and we all know how much the UK govt knows about IT!

      1. Paul 172
        Troll

        Witty title

        @Steve Evans... Dont be a troll.... There are 1000's are really smart IT folk in RBS

      2. Paul 172
        Troll

        Witty title

        @Steve Evans... Dont be a troll.... There are 1000's of really smart IT folk in RBS

        1. Anonymous Coward
          Anonymous Coward

          @paul

          1000s at the moment, but we're all being booted out if favour of offshore workers.

          Because why would you employ UK tax payers, when the UK tax payer has bailed you out?

        2. Steve Evans

          @Paul 172

          Twas a joke!

          http://dictionary.reference.com/browse/joke

    2. Anonymous Coward
      Anonymous Coward

      Well

      We advise RBS on security. And we've advised RBS no such thing, because like everyone else, we simply don't know. Why would a company tell it's big customers, but not it's smaller ones? So only the big ones leave?

    3. Anonymous Coward
      Anonymous Coward

      Not entirely accurate...

      RBS have advised staff that no group or customer information has been compromised by the attack, it doesn't say anything about the ongoing security of the SecureID tokens. It then goes onto the Security 101 blurb about keeping passwords secure etc.

    4. Anonymous Coward
      Anonymous Coward

      Yep...

      I also work at RBS and our intranet page on the issue is very clear. RSA have been in touch and there is no stolen data that could compromise our SecureID tokens. It goes on to say that our IT security (and RSA) _really_ want to know if anyone approches us in any way (in public, on facebook, etc, etc) presumably because this would create a trail back to the people who hacked RSA.

      I wonder if lots of the contact from RSA to companies has been very hush hush? After all, if they're discussing ways to try to find out who the hackers were, they maybe don't want to broadcast what they're doing?

      1. Pascal Monett Silver badge

        "our intranet page on the issue is very clear"

        I'm sure that the hackers have read it and are in complete agreement.

  9. Carl W

    Assigning the last 4 digits of the serial number as the PIN

    LOL, just LOL.

    After all the standard advice of not writing down PINs, these companies make it easier by using PINs that are already written down. And on the token itself!

    I used to laugh because my great gran had the password to her money box etched into the top surface, but now it's SOP? LOL.

    1. Quxy
      Happy

      Yep!

      At various times I've received SecurID tokens from four different Fortune 500 firms, and every one of them has used the last four digits of the serial number as the PIN.

      1. Anonymous Coward
        Anonymous Coward

        That's is truly shocking

        Not only using the didits in the serial number, but only using a 4 digit PIN in the first place. RSA terminology has a lot to answer for here - tell people to think of a PIN and they immediately think 4-digit number, when in fact it can be alpha numeric and longer than 4 digits - they used the wrong words, they should have called it 'password' which is what it is.

        1. The Indomitable Gall

          Re: That's is truly shocking

          @AC

          " RSA terminology has a lot to answer for here - tell people to think of a PIN and they immediately think 4-digit number, when in fact it can be alpha numeric and longer than 4 digits - they used the wrong words, they should have called it 'password' which is what it is. "

          It's not just that -- long-term SecurID users will remember the limit credit-card sized SecurID tokens with an onboard keypad for PIN entry, and the PINs were therefore restricted to 4-digit numerical PINs.

          Even when overhauling technology, there's an attempt to paint it as the same thing -- RSA presumably didn't want to scare people off by changing the process too much and making it seem like something new....

      2. Anonymous Coward
        Anonymous Coward

        Well

        The correct way to do it is to issue the token in new pin mode, ie, without a pin. First time it's used you'll be prompted to choose a pin, which is then set. That's assuming you can securely get the token to the end user. If not the RSA admins can set the PIN to be the last 4 digits of the next tokencode to show up (or last 6, whatever). The end user waits for it to change, remembers that PIN, the RSA admin never knows it, and there's no way to output the upcoming tokencodes.

        Unless you happen to have nicked the seed files, and the source code that is ....

      3. Anonymous Coward
        Anonymous Coward

        call EMV

        If any of them were financial firms, I'm sure EMV would love to pay you a finders fee. Unless one of them was E, M, or V.

    2. Anonymous Coward
      Anonymous Coward

      Really?

      Every company that I've worked for has given me a token with a PIN delivered separately, the token has to be activated from *inside* the corporate network and the first thing you have to do is change the supplied PIN.

      The lack of security by design in companies you have worked at, doesn't reflect on RSA.

  10. Yet Another Anonymous coward Silver badge

    RSA customers can't make educated decisions

    Yes they can - if your security supplier is refusing to tell you about a security breach then there is only one educated decision you can make.

  11. Andrew Punch
    Paris Hilton

    Should be rekeying, not be silent

    If RSA has had a breach of both the seed and mapping - it should be absolutely possible for them to discard the compromised seed and the mapping key. Then they can create a new seed, a new mapping key and start issuing new tokens to ensure their customers remain secure.

    Paris also has some trouble securing her intellectual property...

  12. Anonymous Coward
    FAIL

    So, it's a triumph then?

    scnr....

  13. The Cube

    RSA were a good company whom you could trust

    Then they got bought out by EMC who used their special EMC version of the midas touch which turns everything they touch into the same kind of useless overpriced shit which people keep buying because they spend so much money on selling it to you.

  14. Anonymous Coward
    Anonymous Coward

    system password generation

    This is how one big firm generates new passwords for its internal service accounts:

    take a word from the dictionary

    capitalise the first letter

    perform substitutions:

    y/oies/0135/

    turn off the force change on login.

    err... that's it.

  15. SilverWave
    Black Helicopters

    So could they just be waiting to roll out new fobs?

    OK so that's a LOT of fobs..... but may that explain the delay... buying time?

    1. The Original Ash
      FAIL

      Then they should say that!

      We'd all like to hear "Existing tokens can now be compromised by revealing the serial number; Don't do that. Increase your second factor security for the time being. We're generating new seeds and buying new tokens in as we speak. Japan silicon fab'ing being down has made this slow, but not impossible. Be patient, and contact your supplier for availability of patches and tokens. There will be no charge for replacement of tokens."

      What we have instead is week-long silence on an important issue, specifically affecting one of the most paranoid groups of people in the world (IT security folk and network admins). It couldn't be a more idiotic move on their part.

  16. JaitcH
    WTF?

    "state-sponsored hackers, most likely from Iran": Where's the proof?

    Just because Iran is on many countries bad list why pick on them? All of a sudden they have unbefore heard of expertise whereas China, Russia and a few others have the knowledge and have used it before.

    Let's have the proof so we can judge the accuracy of the accusations.

    1. XMAN

      IP addresses

      I think it's got something to do with the IP addresses being traced back to Iran. But as noted, if one has the expertise to carry out this hack, then they'd no doubt also have the expertise to spoof their location.

  17. Anonymous Coward
    FAIL

    No Win Situation

    1) If they were to admit their security has been compromised then they lose all credability as a Security Provider and their business goes down the toilet.

    2) If they don't say anything, then people will just assume 1).

    1. Ken Hagan Gold badge

      Re: No Win Situation

      You missed out

      3) They disclose full details of the compromise, spend a boat-load of their own money reinventing their infrastructure, and issue "new everything" to all existing customers free of charge.

      That *might* be sufficient to restore faith.

      I imagine Comodo will be watching closely.

  18. amanfromMars 1 Silver badge
    Happy

    With further light reference to the earlier ... Looking at things from A.N.Other's Vantage Point.

    It's all perfectly true, you know, but you just don't want to believe it, or are not smart enough to realise it :-) Does that mean that they think we are stupid and easily fooled? Are they wrong or dead right? And who exactly are they when they are at home? ...... http://www.theonion.com/video/cias-facebook-program-dramatically-cut-agencys-cos,19753/

    IT's only Sp00fing of course, isn't it, and all part and parcel of the New Reality for CHAOS, that Conflicts with the surreal shaming and blaming of dumb traditional spooks lurking in the shadows, with Novel News and Fab Views of what can be done whenever hiding in plain sight and hanging out with nerds and geeks and the free-willed and free-wheeling chicks ...... the Post Modern Future Fundamental and Elementalist Meek into Cryptic XSSXXXXistentialism for Mass CritICQuality?

    Crikey .... Friday again, already. Where does Time fly away to?

  19. Anonymous Coward
    Unhappy

    I don't want anyone to know I work in IT anymore...

    So you effectively hold the keys to the world corps networks via the SecureID mechanism and you place this info somewhere where someone managed to obtain it illegally?

    No matter what happens it'll be a slap on the wrist and business as usual, just like the loss of USB keys with details of the vulnerable and just like the leaking of credit card details, the losses get bigger and bigger, the interest in dealing with them goes down.

    Does anyone with any clout care any more enough to haul these cretins through the justice systems? This is our data being exposed and it's just another "naughty cock-up", tee-hee! Sooner or later when someone asks me what I do for a living I won't tell anyone I work in IT, I'll lie and say something like I pick up dogs**t on the local streets for the council, at least I might get some respect rather than be thought of an IT bozo who can't stop losing personal info on computer systems.

    1. hplasm Silver badge
      Unhappy

      Council turd collector won't do it-

      You'll be lumped in with 'Useless overpaid civil servants'

      You will need to be a dogshit consultant.

      Oh wait- useless, overpaid... etc.

      You won't win.

  20. John Smith 19 Gold badge
    FAIL

    "The silence is deafening."

    And so speculation (which is *all* pretty much all the comments are) fills the space instead.

    This *both* a technical *and* marketing fail.

    Technical because they appear to have assumed that this information would *never* get out. If you're going to behave in that way you'd better be *very* paranoid about where you keep it, who has access to it (does you CFO *really* have that MBA from Harvard?), what it's connected to (nothing preferably) and what information can be downloaded from it and to what output media. Not to mention having an *equally* secure backup system elsewhere in case of earthquake/flood/terrorist assult/whatever.

    Given that these are the *core* components of what makes RSA valuable to *customers* even the *impression* that they have fallen into the wrong hands does severe damage to the reputation of the brand.

    It's a Marketing fail because when the s**t happened (so much for the assumption) they appear (and that's *all* we can say about their response) to have *no* plan in place to handle this. Which suggests

    a) They are making it as they go along in full headless chicken mode. Might be serious. Might not be *less* serious but they can't *quite* find the right words, or get approval to say them.

    b) It's *really* bad and they they *can* fix it but their customers are going to take a *lot* of pain.

    c) It's *really* bad and they can't fix it as who needs a backup up plan for something which will *never* happen? IOW They be f**ked (and so are their customers).

    Anyone remember when Evian got contaminated with Phenol some years ago? Company came clean (no pun intended) within 24 hours. Explained what had happened and what they were doing about it and what customers could do about it.

    Result. People continue (rightly or wrongly) to trust Evian as their preferred water supplier.

    For a company with turnover in the 100s of $m (billion+?) this is a *very* poor response.

    1. Anonymous Coward
      Anonymous Coward

      asterisk abuse

      TL DR

      The damn asterisk proliferation made it annoying

    2. Chris 3
      Stop

      It wasn't Evian...

      ... it was Perrier. Don't see that about as much these days, do you?

      1. John Smith 19 Gold badge
        Happy

        @Chris 3

        The programme I saw this on compared their handling of their situation with that of Coca-Cola's "Desani" processed tap water and the discovery that they seemed to be introducing Bromates into it.

        Perrier are still in the water business world wide. Coca-cola pulled out in Europe*.

        *You could just pour some tap water through a Brittas filter and leave in the fridge for a while but that would not give you the added Bromate. OTOH Bromates are a known carcinogen, so you might not them.

  21. Anonymous Coward
    Anonymous Coward

    letters and/or digits

    "Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token's serial number to its seed leaked?"

    Is this security through obscurity?

  22. Lord Elpuss Silver badge
    FAIL

    Seems clear to me

    From the RSA "Open Letter to Customers" (http://www.rsa.com/node.aspx?id=3872):

    "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

    So they're clearly stating on the website that the 2FA combination HAS been compromised, and are apparently communicating this to customers (whilst presumably advising them to strengthen the remaining one factor).

    Appears now to be a case of "We now know the situation is serious, but don't have a fix yet", a situation technically known as a WBF: We Be F*cked.

  23. Anonymous Coward
    Thumb Down

    Concerns

    Any properly secure crypto system has to have revocable keys. If RSA don't have a contingency plan to replace all SecureID tokens in circulation with ones with a different seed then I would be very concerned about their attitude to security - regardless of whether this incident has compromised the seed.

    Secondly, I would be very concerned if the seed was stored on any internet connected computer, regardless of the firewalls or other security measures between it and the internet. The only security I would properly trust with the keys to the kingdom (which SecureID seeds are) would be an airgap and a Faraday cage with proper TEMPEST controls.

    Not talking about it in public though is reasonable if they are talking about it with clients in a free and open way. And no, by clients I don't mean every one of us who carries one or more of these things around in our pockets, I'm talking about the companies they work with. To be honest at the moment, it is unclear whether they are addressing things appropriately.

  24. Andus McCoatover

    Er, hang on..

    Nokia uses SecurID.

    Microsoft ex-boss now in Nokia.

    Microsoft cracks that pesky, but deviously clever Ruskie-bot.

    -erm?

  25. Anonymous Coward
    Coat

    Single Factor Single Sign-on

    Oops - this from a few weeks ago...

    "Single Sign-On offers the benefits of minimising password management headaches for firms. RSA has taken this idea and applied it to cloud services, such as email. Secure logins to these services will be facilitated via RSA SecurID technology in much the same way as the technology has long been applied to remote access."

    http://www.theregister.co.uk/2011/02/16/rsa_cloud_security_push/

    Time to re-issue the marketing material?

  26. blue1111

    Can someone explain to me

    why RSA needed to hold this information in the first place?

    Surely as soon as the token is transferred to the client, and the seed has been handed over (via whatever means) and inputted to the client's RSA server, RSA itself need no longer be in the loop, since the authentication secrets are no longer any of their business.

    For RSA to hold the authentication secrets for all of its clients seems like a disaster waiting to happen. Even if they hadn't been stolen, does this mean that there are a bunch of RSA employees potentially walking about anyway with the authentication secrets for all of their clients in their pocket?

    Real security, yeah.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019