Caution urged in wake of RSA security breach

No need for panic, but keep eye on RSA products, analysts say

The relatively scant information released on Thursday by EMC's RSA security division about the theft of information related to its SecurID authentication technology is fueling considerable speculation about the nature of the breach and its impact on enterprises.

Several security analysts today urged companies that are using SecurID to review their authentication measures and to shore them up if necessary. Until RSA releases further details on the breach it is best to assume that SecurID is vulnerable, they added.

"Don't panic," said Rich Mogull, an analyst with Securosis. "Until we know the attacker, what was lost, the vector of a potential attack," and the extent to which SecurID may have been compromised, it's hard to make a risk assessment, Mogull said.

But for the moment at least, enterprises should assume that SecurID is no longer an effective second factor of authentication, he said. "Review passwords tied to SecurID accounts and make sure they are strong," Mogull said. "Consider disabling accounts that don't use a password or PIN and set password attempt lockouts."

In an embarrassing admission for a security company, RSA said on Thursday that unknown intruders had stolen information relating to its SecurID technology in what it described as an "extremely sophisticated cyber attack against RSA."

The company expressed confidence that the stolen information would not enable a direct attack against SecurID. But it added that the information could potentially be used to reduce the effectiveness of the technology.

SecurID is used for two-factor authentication. RSA supplies the technology as hardware and software tokens, each of which generates a fresh one-time passcode every 60 seconds; the code looks random to an observer but is fixed by a secret seed inside the token and the current time.

The technology is designed to be used in conjunction with passwords to deliver a second layer of authentication for accessing systems and networks. Over 25,000 enterprises, many of them in the financial sector and government, currently use SecurID tokens to protect access to high-value applications and data.

Though RSA has not disclosed which or how much SecurID information was stolen, the mere fact that the company is warning of reduced effectiveness is troubling, said John Pescatore, an analyst with Gartner.

That statement guarantees that the breach is a "big deal for SecurID users," Pescatore said.

"SecurID tokens are very expensive and users dislike them, but they have always been a strong replacement for reusable passwords," he said. "[But] if the security provided is at risk, the pain may be more than the gain."

Pescatore dismissed RSA's claim that it was the victim of a sophisticated Advanced Persistent Threat (APT) attack, a kind of low, slow, highly targeted attack most commonly associated with Chinese hackers.

RSA's claim is "disingenuous," Pescatore said. "It is trying to deflect attention from RSA's failure to protect their systems. Any security company with any threat experience has been dealing with targeted threats for several years."

SecurID relies on a proprietary algorithm designed to produce numbers that look random but follow a sequence fixed in advance, according to a description of the technology by the Intrepidus Group. An RSA authentication server uses that sequence to validate that a person logging in actually has the token in their possession, Intrepidus said in a blog post today.

Each token features a "seed" that determines the sequence of 6-digit numbers generated by that token. The seed ensures that the numbers are produced in a sequence that is unique to each token. The SecurID algorithm ensures that there are literally an infinite number of potential sequences that can be generated by each token, making them almost impossible to crack, says Intrepidus.

Even so, there are circumstances under which this assurance can be weakened, Intrepidus noted. One example is where an attacker somehow manages to get a list of all seeds and their associated token serial numbers. Another scenario is if attackers manage to get a list of seeds and the corporations to which they have been assigned.

The worst case scenario is if hackers found any documentation showing an inherent weakness in the algorithm that would allow them to generate valid pass codes for hardware and software tokens, said Jeremy Allen, principal consultant with Intrepidus.

"Unless something is fundamentally broken, there is no need to panic," Allen said.

Aleksandr Yampolskiy, director of security and compliance at Gilt Groupe, said that even if the hackers had managed to steal the SecurID algorithm, pulling off attacks would still be very hard.

"Even if details of the pseudo-random number generator are advertised to the world, unless the seeds plus [the token holder's passwords] are revealed," attacks are not possible, he said.

"The individual customer passcodes are stored on servers in individual companies -- not in RSA," Yampolskiy said. "So hackers should not be able to get access to these."

"I would recommend people follow general security recommendations," Yampolskiy said. In addition to ensuring strong password and PIN policies, companies should also ensure their critical systems are properly patched.

"Closely monitor access to critical systems, and implement log aggregation to monitor their access," he said. "Consider installing host-intrusion detection systems on critical servers which use machine learning algorithms to differentiate good software from the bad unknown viruses."
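The lockout and log-monitoring advice from Mogull and Yampolskiy translates into a simple detection pass. The following is an added example, not code from RSA or either analyst, and its log line format is constructed for the example rather than being RSA Authentication Manager's real layout. It looks for the pattern a stolen seed makes possible: an attacker who can compute the tokencode has only the PIN left to guess, so the account shows a burst of failures from one source followed by a success. The `analyse` and `parse` functions and the thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

MAX_FAILURES = 5        # lock the account at the fifth failure ...
WINDOW_SECONDS = 300    # ... within a five-minute sliding window
BURST_FAILURES = 3      # a success preceded by this many failures is suspicious

# Constructed log format: timestamp, user, token serial, result, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"serial=(?P<serial>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed sample: an attacker at 203.0.113.7 knows alice's tokencode and
# iterates PINs until one works; bob mistypes once from inside the network.
SAMPLE_LOG = [
    "2011-03-18T09:12:01Z user=alice serial=000123456789 result=FAIL src=203.0.113.7",
    "2011-03-18T09:12:04Z user=alice serial=000123456789 result=FAIL src=203.0.113.7",
    "2011-03-18T09:12:07Z user=alice serial=000123456789 result=FAIL src=203.0.113.7",
    "2011-03-18T09:12:10Z user=alice serial=000123456789 result=FAIL src=203.0.113.7",
    "2011-03-18T09:12:13Z user=alice serial=000123456789 result=FAIL src=203.0.113.7",
    "2011-03-18T09:12:16Z user=alice serial=000123456789 result=FAIL src=203.0.113.7",
    "2011-03-18T09:12:19Z user=alice serial=000123456789 result=OK src=203.0.113.7",
    "2011-03-18T09:30:00Z user=bob serial=000987654321 result=FAIL src=10.0.0.5",
    "2011-03-18T09:30:09Z user=bob serial=000987654321 result=OK src=10.0.0.5",
    "unrelated line that the parser must skip",
]


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict with an integer Unix timestamp, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    stamp = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["ts"] = int(stamp.timestamp())
    return ev


def analyse(lines: List[str]) -> dict:
    """Sliding-window failure count per user; emits lockout decisions and
    success-after-burst alerts in the order they occur in the log."""
    recent: Dict[str, Deque[int]] = defaultdict(deque)  # user -> failure timestamps
    locked: Dict[str, int] = {}                          # user -> time of lockout
    alerts: List[Tuple[str, str, int, str]] = []         # (kind, user, ts, src)

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        q = recent[user]
        while q and ts - q[0] > WINDOW_SECONDS:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            if len(q) >= MAX_FAILURES and user not in locked:
                locked[user] = ts
                alerts.append(("lockout", user, ts, src))
        else:
            # a success right after a run of failures is the PIN-guessing signature
            if len(q) >= BURST_FAILURES:
                alerts.append(("success_after_burst", user, ts, src))
            q.clear()
    return {"locked": locked, "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for kind, user, ts, src in result["alerts"]:
        print(f"{kind:20s} user={user} at={ts} src={src}")
    print("locked:", sorted(result["locked"]))
```

A single mistyped passcode (bob) produces no alert, while alice's account is locked at the fifth failure and the eventual success is flagged separately; in a real deployment the lockout would be enforced by the authentication server itself and the success-after-burst alert is the one to route to the incident queue, since it means the guess worked.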

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
