
The impact of the RSA token data breach is still undetermined

The RSA SecurID token breach could affect up to 100 million people.

Following the breach last week that led to SecurID two-factor authentication token information being stolen, IronKey CEO David Jevans told SC Magazine that there have been 25 million hard tokens deployed, but that figure is closer to 40 million when soft tokens are taken into consideration, so it is possible that more than 100 million users could have been impacted.

A report by the New York Times said that the SecurID system was being used to secure the identities and assets of more than 250 million people last year.

Jevans said that he believed that the database information would have been bought and sold many times over already and it was going to make the rounds like credit card numbers have.

In terms of the threat, he said that there were two main factors to be considered: the impact of the breach; and what it means for a major security provider to be hit with an advanced persistent threat.

He said: “If RSA can fall then there is little chance for smaller companies. You have got to look at the RSA response, which said that there was a lot of guidance to prevent this from happening to you but not what to do if you deployed a SecurID token. To me it demonstrates how we can be attacked and how using malware, social engineering and users with elevated privileges can bring down one of the major security firms.

“An attacker can ask for the serial number of the token and then they are that user. With the serial number of the token they can do an update to Zeus or SpyEye as they have got to input the password and then they are you logging in. I have not heard of anything this large before, as authentication technology is designed to keep the bad guys out and prove who you are and I do not know of an authentication system that has been broken in such a manner.”

Bruce Schneier, chief security technology officer at BT and security blogger, said that it was hard to assess whether infiltration of the login process was possible, and that this would remain uncertain without knowing how SecurID's cryptography works and exactly what was stolen from the company's servers.

He said: “We do not know either and the corporate spin is as short on details as it is long on reassurances. RSA data security is probably pretty screwed if SecurID is compromised. Those hardware tokens have no upgrade path and would have to be replaced. How many of the company's customers will replace them with competitors' tokens? Probably a bunch. Hence, it's in RSA's best interest for their customers to forget this incident as quickly as possible.

“There seem to be two likely scenarios if the attackers have compromised SecurID. One, they are a sophisticated organisation who wants the information for a specific purpose. The attackers actually are on RSA's side in the public-relations spin, and we're unlikely to see widespread use of this information. Or two, they stole the stuff for conventional criminal purposes and will sell it. In that case, we're likely to know pretty quickly.

“Again, without detailed information or at least an impartial assessment, it's impossible to make any recommendations. Security is all about trust, and when trust is lost there is no security. Users of SecurID trusted RSA to protect the secrets necessary to secure that system. To the extent they did not, the company has lost its customers' trust.”

Blogger Steve Gibson said he understood that RSA would be ‘understandably embarrassed’, as mistakes do happen. He said: “If employees of a security company are using today's incredibly insecure desktop toy operating systems, bad guys are going to be able to find a way to penetrate even the most carefully guarded connected networks.

“RSA therefore needs to step up to the plate and take responsibility for what has happened. That means recalling every single SecurID device and replacing them all. No company can consider RSA's existing deployed SecurID devices to be secure.”

Avivah Litan, distinguished analyst at Gartner, claimed that the incident should serve as a wake-up call on strong one-time password (OTP) user authentication. “A layered security approach is always best and the use of an OTP generator like RSA's SecurID does raise the bar for the criminals. Many of them will go elsewhere, to non-OTP protected accounts that are easier to break into,” she said.

“The protections afforded by OTP, whether they are generated by dedicated hardware tokens, mobile apps, software tokens or any other factor, they are communicated through user browsers, can be circumvented and defeated. They were an essentially weak form of authentication before the RSA SecurID compromise and they remain so today.

“Maybe this incident will wake companies up to the need for more controls than just OTP-authentication. The latest incident with RSA should serve as a catalyst to acknowledge this fact. So while this incident is indeed yet another piece of bad news, it should be evaluated in context. Thankfully, there are plenty of innovative solutions on the market that can continue protecting our accounts and information.”
