Caution urged in wake of RSA security breach

No need for panic, but keep eye on RSA products, analysts say

The relatively scant information released by EMC's RSA security group on Thursday in connection with the theft of SecurID authentication technology code is fueling considerable speculation about the nature of the breach and its impact on enterprises.

Several security analysts today urged companies that are using SecurID to review their authentication measures and to shore them up if necessary. Until RSA releases further details on the breach it is best to assume that SecurID is vulnerable, they added.

"Don't panic," said Rich Mogull, an analyst with Securosis. "Until we know the attacker, what was lost, the vector of a potential attack," and the extent to which SecurID may have been compromised, it's hard to make a risk assessment, Mogull said.

But for the moment at least, enterprises should assume that SecurID is no longer an effective second factor of authentication, he said. "Review passwords tied to SecurID accounts and make sure they are strong," Mogull said. "Consider disabling accounts that don't use a password or PIN and set password attempt lockouts."

In an embarrassing admission for a security company, RSA said on Thursday that unknown intruders had stolen information relating to its SecurID technology in what it described as "extremely sophisticated cyber attack against RSA".

The company expressed confidence that the stolen information would not enable a direct attack against SecurID. But it added that the information could potentially be used to reduce the effectiveness of the technology.

SecurID is used for two-factor authentication purposes. The technology is available from RSA in the form of hardware and software tokens that are capable of generating random one-time passwords every 60 seconds.

The technology is designed to be used in conjunction with passwords to deliver a second layer of authentication for accessing systems and networks. Over 25,000 enterprises, many of them in the financial sector and government, currently use SecurID tokens to protect access to high-value applications and data.

Though RSA has not disclosed which or how much SecurID information was stolen, the mere fact that the company is warning of reduced effectiveness is troubling, said John Pescatore, an analyst with Gartner.

That statement guarantees that the breach is a "big deal for SecurID users," Pescatore said.

"SecurID tokens are very expensive and users dislike them, but they have always been a strong replacement for reusable passwords," he said. "[But] if the security provided is at risk, the pain may be more than the gain."

Pescatore dismissed RSA's claim that it was the victim of a sophisticated Advanced Persistent Threat (APT) attack, a kind of low, slow highly targeted attack most commonly associated with Chinese hackers.

RSA's claim is "disingenuous," Pescatore said. "It is trying to deflect attention from RSA's failure to protect their systems. Any security company with any threat experience has been dealing with targeted threats for several years."

SecurID is a proprietary algorithm that is designed to produce random numbers in a pre-determined sequence, according to a description of the technology by the Intrepidus Group. The sequence is used by an RSA authentication server to essentially validate that a person logging in, actually has the token in their possession, Intrepidus said in a blog post today.

Each token features a "seed" that determines the sequence of 6-digit numbers generated by that token. The seed ensures that the numbers are produced in a sequence that is unique to each token. The SecurID algorithm ensures that there are literally an infinite number of potential sequences that can be generated by each token, making them almost impossible to crack, says Intrepidus.

Even so, there are circumstances under which this assurance can be weakened, Intrepidus noted. One example is where an attacker somehow manages to get a list of all seeds and their associated token serial numbers. Another scenario is if attackers manage to get a list of seeds and the corporations to which they have been assigned.

The worst case scenario is if hackers found any documentation showing an inherent weakness in the algorithm that would allow them to generate valid pass codes for hardware and software tokens, said Jeremy Allen, principal consultant with Intrepidus.

"Unless something is fundamentally broken there is no need to panic", Allen said.

Aleksandr Yampolskiy, director of security and compliance at Gilt Groupe, said that even if the hackers had managed to steal the SecurID algorithm, pulling of attacks will still remain very hard.

"Even if details of the pseudo-random number generator are advertised to the world, unless the seeds plus [the token holder's passwords] are revealed," attacks are not possible, he said.

"The individual customer passcodes are stored on servers in individual companies -- not in RSA," Yampolskiy said. "So hackers should not be able to get access to these."

"I would recommend people follow general security recommendations," Yampolskiy said. In addition to ensuring strong password and PIN policies companies should also ensure their critical systems are properly patched.

"Closely monitor access to critical systems, and implement log aggregation to monitor their access," he said. "Consider installing host-intrusion detection systems on critical servers which use machine learning algorithms to differentiate good software from the bad unknown viruses."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Read more about data security in Computerworld's Data Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags data securityemcdata protectionSecurity Hardware and Software

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?