After RSA breach, are SecurID tokens in jeopardy?

Hackers may be able to remotely log into enterprise networks after a breach at RSA

The intrusion by hackers of security giant RSA, a unit of EMC, has left customers and analysts wondering if it is still safe to use millions of the one-time passcode tokens used to log into enterprise IT systems.

RSA's Executive Chairman Art Coviello wrote in an open letter on the company's website on Thursday that hackers had mounted an "extremely sophisticated cyber attack" that has put at risk its SecurID product.

SecurID is a two-factor authentication product. Users logging into a corporate IT system enter their username, then a four-digit PIN (personal identification number, the "something you know" factor) followed by the six-digit one-time passcode shown on their token (the "something you have" factor).

The passcode is generated by a token, a small key-fob device that displays the current number, although it can also be generated by software alone. The number is derived by an RSA-designed algorithm from a so-called seed record, a unique secret key stored in the token, combined with the current time. The customer's RSA authentication server holds a copy of the same seed, computes the expected number for the current time window and, if it matches what the user typed, lets the person into the system. The one-time passcode changes every 30 or 60 seconds, depending on the token model.

RSA itself also retains a copy of each seed record it issues. RSA has not said whether the intruders were able to extract seed records from its systems, but if they did, the "something you have" factor is no longer secret for the affected customers: anyone who can match a stolen seed to a user can compute that user's passcodes.

RSA is the "undisputed market leader" in the tech security market with its SecurID authentication and access control products, wrote IDC analysts in October 2010. RSA says SecurID is used by 40 million people in at least 30,000 organizations worldwide.

Hacking tools, including one called Cain and Abel, can calculate the token number from a seed record. This is possible because the algorithm SecurID uses was reverse-engineered and posted on the Internet more than 10 years ago. Such a tool does not break the algorithm; it simply runs it with the stolen seed as input, which is why the seed record is the only secret that matters on the token side.

The only other information a hacker would need in order to remotely access an account would be the username, which could be obtained by social engineering, along with the person's four-digit PIN. A four-digit PIN has only 10,000 possible values, so once the seed is known, the authentication server's lockout after repeated failed attempts is what stands between an attacker and the account.
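To make the mechanics concrete, here is an added example (not RSA's code and not the SecurID algorithm itself, which is proprietary): a generic time-synchronous one-time-passcode scheme built the way the article describes it, a per-token seed combined with the current 60-second window and truncated to six digits, using HMAC-SHA256 from Python's standard library as a stand-in for RSA's token algorithm. The seed value, the user name `alice`, the PIN `4711`, the timestamp and the three-failure lockout policy are all constructed for the example. It shows that a server-side copy of the seed produces exactly the code the token does, that an attacker holding a stolen seed and a socially engineered PIN logs in just like the legitimate user, and that the same attacker guessing all 10,000 four-digit PINs is stopped only by the server's lockout.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60   # the article: codes change every 30 or 60 seconds
CODE_DIGITS = 6       # the article: a six-digit passcode
MAX_FAILURES = 3      # assumed lockout policy for this example, not RSA's


def passcode(seed: bytes, now: int, window: int = WINDOW_SECONDS) -> str:
    """Code for the time window containing `now`. Token, server and anyone
    holding a copy of `seed` all compute the same value (HMAC-SHA256 is a
    stand-in for the proprietary token algorithm)."""
    counter = now // window
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                         # HOTP-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class AuthServer:
    """Constructed stand-in for the customer's authentication server. It holds a
    copy of every token's seed (the article says RSA keeps one too) and the PIN."""

    def __init__(self, users: dict):
        self.users = users                          # {username: (seed, pin)}
        self.failures = {name: 0 for name in users}

    def login(self, username: str, pin: str, code: str, now: int, drift: int = 1) -> bool:
        if self.failures[username] >= MAX_FAILURES:
            return False                            # locked out
        seed, real_pin = self.users[username]
        # accept the neighbouring windows to tolerate token clock drift
        code_ok = any(
            hmac.compare_digest(code, passcode(seed, now + d * WINDOW_SECONDS))
            for d in range(-drift, drift + 1)
        )
        pin_ok = hmac.compare_digest(pin, real_pin)
        if pin_ok and code_ok:
            self.failures[username] = 0
            return True
        self.failures[username] += 1
        return False


def attacker_with_seed(server, username, stolen_seed, now, pin_candidates):
    """The article's scenario: stolen seed record plus a known username; the PIN
    is guessed. Returns the PIN that worked, or None if lockout stopped the search."""
    for pin in pin_candidates:
        if server.login(username, pin, passcode(stolen_seed, now), now):
            return pin
    return None


# Constructed sample data: a 128-bit seed, a four-digit PIN and a fixed clock.
ALICE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
ALICE_PIN = "4711"
T0 = 1_300_000_020


def new_server():
    return AuthServer({"alice": (ALICE_SEED, ALICE_PIN)})


def demo():
    """Returns (legitimate login, seed+PIN attacker result, seed-only attacker result)."""
    legit = new_server().login("alice", ALICE_PIN, passcode(ALICE_SEED, T0), T0)
    # seed stolen and PIN obtained by social engineering: indistinguishable from the user
    walk_in = attacker_with_seed(new_server(), "alice", ALICE_SEED, T0, [ALICE_PIN])
    # seed stolen, PIN unknown: 10,000 guesses, but the lockout bites after MAX_FAILURES
    all_pins = (f"{i:04d}" for i in range(10_000))
    guessed = attacker_with_seed(new_server(), "alice", ALICE_SEED, T0, all_pins)
    return legit, walk_in, guessed


if __name__ == "__main__":
    print(demo())
```

The point of the third scenario is that the lockout counter, not the PIN's entropy, is doing the work; a server with no lockout, or a PIN that can be reset through a help desk susceptible to the social engineering RSA warned about, leaves nothing once the seed is gone.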

"This is feasible, and given the fact that RSA has asked customers to focus on deterring social-engineering-based attacks (which could be used to obtain users' corresponding PIN codes), this scenario could be of concern," said Jason Geffner, principal security consultant for Next Generation Security Software, who specializes in penetration testing and reverse engineering.

In a filing with the U.S. Securities and Exchange Commission on Thursday, RSA published the guidance it was giving to customers. In it, RSA said its customers should "re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person's identity and authority."

RSA has not said specifically what information the hackers gained access to, but said it does not appear to pose an immediate threat to the use of SecurID.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," the company said.

RSA's revelation has sparked a wave of concern.

"I can imagine how this is going to play out when the IT folks at my company find out about this," wrote one commentator on the Slashdot IT blog. "They'll panic, revoke all the SecurID cards, and then no more working from home until something much more complicated, unreliable, and probably requiring Windows 7, is found to replace it."

An official at one of RSA's major U.K. partners that sells SecurID said his company has not received any more information than what RSA had already publicly released. "From all we can see, there's been no compromise to the security of our service," said Stuart Howden, Signify's marketing manager.

Andy Kemshall was RSA's fifth employee in Europe when he started with the company 16 years ago. After working as a pre-sales technical adviser, he left RSA nine years ago to start his own company, SecurEnvoy, which sells a two-factor authentication product that sends one-time passcodes by SMS to a person's mobile phone.

Kemshall said the only way that organizations can completely protect themselves at this point is to unplug their RSA servers until RSA says whether they need to re-issue tokens to customers.

"RSA has not admitted seed records have been compromised but not denied it either," Kemshall said. "If it is related to these seed records, then the only way forward is all of those tokens are invalid and would have to be replaced."

Kemshall, whose product directly competes with RSA, said his phone had not stopped ringing on Friday, with RSA customers asking questions.

Still, Next Generation's Geffner said that no organization can be bulletproof in regard to computer security, as new vulnerabilities are always being discovered and social-engineering attacks target weak links.

"RSA deserves credit for providing the recommendations that they've given to their customers in response to this incident," Geffner said.

Send news tips and comments to jeremy_kirk@idg.com


Jeremy Kirk

IDG News Service
