Is it time for RSA to open up about SecurID hack?

Three months after RSA was hacked, some say the company should disclose more about the incident.

For any company that makes its living selling security, it's a nightmare come true. This week, RSA Security admitted that hackers who broke into its network three months ago had stolen information about its SecurID tokens and then used that information to attack a customer, Lockheed Martin.

RSA seems to think the vast majority of its customers aren't directly threatened by the hacking incident, but the company's reputation has taken a hit. And users and pundits alike have blasted RSA for not being clear about exactly what was taken, and how it could affect them.

Calls for more disclosure about the March hacking incident only got louder this week, after Lockheed Martin confirmed that it was reissuing RSA tokens company-wide in response to the attack, and after RSA began offering to replace tokens for any customers who asked.

By not disclosing what happened, RSA is making it hard for customers to understand the risks they face and make informed decisions, said Thierry Zoller, practice lead for Verizon Business Luxembourg. "It's time for them to come clean," he said. "By not coming clean they are creating more fear, uncertainty and doubt than necessary."

RSA has said the hackers were sophisticated, but it has been vague about what exactly they managed to steal. The best the company could do this week was to confirm that "the attack resulted in certain information being extracted from RSA’s systems that is related to RSA SecurID multi-factor authentication products."

Even without a clear answer from RSA, some security experts took the Lockheed Martin incident as proof that the hackers who broke into RSA's systems are now able to clone SecurID tokens and use them to break into networks.

If that were true, here's how an attack might work.

Attackers appear to have gained access to RSA's database of seed numbers, called "token records" in RSA parlance. These numbers are essentially the building blocks used to create the six-digit log-in numbers that RSA tokens generate every sixty seconds or so. The tokens are widely used by governments, contractors and banks to add a second layer of security alongside computer passwords.

With a seed number in hand, a technically savvy hacker could figure out what log-in number a SecurID token would generate at any given time. The trick, however, would be to figure out which particular token a victim was using. That's not obvious. RSA says it has shipped about 40 million tokens, so it would take some work to link a particular seed number to a particular user's SecurID token.

A criminal might be able to achieve this by posing as a network administrator and emailing a victim, telling them to visit a Web site and to log in with their password and SecurID login number. With just a couple of successive log-ins, hackers could figure out which of the millions of seed numbers was used to generate the log-in numbers. Or they could identify the seed numbers by asking victims to enter their tokens' serial numbers, say as part of a security audit, and then look that serial number up in their stolen database.
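To make the article's core point concrete, here is an added example (not RSA's code; RSA's SecurID algorithm is proprietary, so the standard RFC 6238 time-based one-time password scheme stands in for it). It shows that a token's six-digit code is a deterministic function of the seed and the clock, which is why a copied seed record is equivalent to a cloned token, why a server must refuse re-use of a code, and why re-issuing tokens with fresh seeds, as Lockheed Martin did, ends the exposure. The serial number and seed values are constructed for the demonstration; the `TokenServer` class is a hypothetical minimal verifier, not any vendor's product.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article: a new six-digit code "every sixty seconds or so"
DIGITS = 6


def totp(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation).

    The output depends only on the seed and the current time window, so
    whoever holds a copy of the seed can compute the code for any moment.
    """
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Hypothetical minimal authentication server holding per-token seed records."""

    def __init__(self, step: int = STEP_SECONDS, window: int = 1):
        self.records = {}      # serial -> seed (the "token records" the article mentions)
        self.used = set()      # (serial, counter) pairs already accepted: a code is one-time
        self.step = step
        self.window = window   # clock-skew tolerance, in steps on either side

    def enroll(self, serial: str, seed: bytes) -> None:
        self.records[serial] = seed

    def reissue(self, serial: str, new_seed: bytes) -> None:
        """Re-seed a token: the old record is replaced, so codes derived from a
        stolen copy of it no longer verify."""
        self.records[serial] = new_seed
        self.used = {u for u in self.used if u[0] != serial}

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.records.get(serial)
        if seed is None:
            return False
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            candidate = totp(seed, counter * self.step, self.step)
            if hmac.compare_digest(candidate, code):
                if (serial, counter) in self.used:
                    return False   # replay of an already-accepted code
                self.used.add((serial, counter))
                return True
        return False


def demo() -> dict:
    """Walk through the scenario with constructed values; returns the outcomes."""
    now = 1_300_000_000                                # arbitrary fixed timestamp
    original_seed = b"constructed-seed-token-000123"   # constructed, not a real record
    server = TokenServer()
    server.enroll("000123", original_seed)

    # 1. The user's token and a copy of its seed record produce the same code.
    user_code = totp(original_seed, now)
    copied_record_code = totp(original_seed, now)
    same_code = user_code == copied_record_code

    # 2. The server accepts the first use of a code and refuses a replay of it.
    first_use = server.verify("000123", user_code, now)
    replay = server.verify("000123", user_code, now + 5)

    # 3. After re-issuing the token with a fresh seed, codes computed from the
    #    old record fail, even though the holder of the copy still has it.
    server.reissue("000123", b"constructed-seed-token-000123-v2")
    later = now + 10 * STEP_SECONDS
    old_record_accepted = server.verify("000123", totp(original_seed, later), later)
    new_token_accepted = server.verify("000123", totp(server.records["000123"], later), later)

    return {
        "same_code": same_code,
        "first_use": first_use,
        "replay": replay,
        "old_record_accepted": old_record_accepted,
        "new_token_accepted": new_token_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

The replay guard matters because a compromised seed database is not the only way a code leaks; the verifier should never accept the same (token, time window) pair twice. Re-issuing is the only remedy once the seed itself is in someone else's hands, since no amount of password rotation changes what the token computes.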

Whether all RSA customers need to worry about this type of attack is unclear. It may be that whoever hacked the company was only looking for seed numbers associated with a particular customer -- Lockheed Martin, for example. It could also be the case that the hacker is about to publish all of the seed numbers on a public website, sending all SecurID customers scrambling for cover. It may be that RSA doesn't actually know how much data was taken.

The lack of a clear explanation has led to a lot of chatter among security experts.

"The RSA situation has been going on for a couple months now, with no shortage of rumors swirling about what was lost, and no real guidance from RSA on the risk to their customers (at least none outside of NDA)," wrote Dan Kaminsky, an independent security researcher, in a recent analysis.

The confusion has caused some perception problems for RSA about its products, said the chief security officer at one company who spoke on condition of anonymity because he didn't want to jeopardize his company's relationship with RSA's parent company, EMC. "As a buyer right now, their name is just something I'd stay away from," he said. "Do you want to tie your reputation to them and not know enough?"

RSA said it can't say any more about what was taken, or by whom, for "security reasons." People familiar with the situation said disclosing exactly what data was taken could potentially harm the reputation of some RSA customers, which is something RSA is taking pains to avoid.

Christopher Ipsen, chief information security officer for the State of Nevada, said his organization plans to take RSA up on its offer to reissue SecurID tokens. But he said he understands why RSA might be reluctant to release details of the attack. "You don't want to give too much information out about the exploit," he said. "But there is an appropriate time when full disclosure is imperative."

Three months after the RSA attack, how far away is that "appropriate time"?

"I think we're really close," Ipsen said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
