RSA detailing SecurID hack to customers sworn to secrecy

RSA has started providing more detail into the mid-March attack on its SecurID token-based authentication system, but to get a fuller story you have to be an RSA customer willing to sign a nondisclosure agreement (NDA).

An NDA means that you agree to keep secret what RSA would be willing to tell you. Sources say RSA is reaching out to its largest customers, especially those in sensitive industries, to get IT executives to sign such NDAs.

ANALYSIS: Should you stop using SecurID tokens?

However, some RSA customers say they aren't willing to do that.

"RSA was asking that I sign an NDA," says Ron Gula, CEO at Tenable Network Security, which uses SecurID tokens for authentication. "I'm suspicious. Why hide it?"

Gula said he doesn't want to feel his hands are tied by agreeing to an NDA, though he hopes in the end it's "all a non-issue" about something that RSA will speak about soon anyway. But it's making him uneasy and he's looking at using other authentication products.

Jon Oltsik, senior principal analyst at Enterprise Strategy Group, says he did sign an NDA. "Let me put it this way, I learned a little more," he says, adding that as an analyst, he doesn't know whether he heard the same discussion RSA is sharing with its customers. He notes RSA is starting to discuss the topic of the break-in more. "We're in uncharted waters. They're trying to be cautious."

"I didn't want to sign an NDA. I think I need to be independent," says Bill Nelson, president of the Financial Services - Information Sharing and Analysis Center (FS-ISAC), the industry forum for collaboration against critical security threats, which interacts with government agencies such as Department of Homeland Security. IT-ISAC uses SecurID, and there's nothing known publicly related to the RSA data breach and SecurID so far to alter the decision to use it, Nelson says.

RSA itself says it has "executed a massive outreach program" that has reached more than 60,000 customers with its security notes about the painful topic, and there have been discussions with more than 15,000 customers by phone, more than 5,000 customers via conference calls and "hundreds of face-to-face meetings." RSA declines to say how many customers have been offered or declined an NDA briefing.

Nelson said he decided to decline to sign an NDA to get yet more information that would be secret. He notes many IT-ISAC members, however, some of whom were angry at first, have signed an NDA, and are now sworn to secrecy.

Nelson says he doesn't know what's in the NDA briefing from RSA. But much of the discussion from RSA in the wake of the March breach disclosure has been about best-practices deployments of the RSA SecurID token system.

Tales have been told over the years about poor implementation of SecurID, where lax security practices were followed, Nelson notes. "They're addressing poor implementations of their products," he says.

Sources close to RSA say not all RSA SecurID customers are being approached to sign an NDA, which means they would not be offered privileged information.

Under the NDA, RSA is sharing far more detail regarding a "worst-case scenario" about how the RSA SecurID token system can be undermined by an attack, and offering more clarity about remediation. There's cause to believe RSA is itself remediating SecurID, with a source close to RSA saying the security issues brought to the fore should not impact future RSA SecurID customers.

RSA is starting to speak a bit more about what happened during the break-in.

For one thing, RSA employees were tricked by a targeted phishing attack using a spreadsheet containing an Adobe Flash zero-day vulnerability (CVE-2011-0609), said Uri Rivner, head of new technology for identity protection and verification, in a recent RSA blog post. The subject-line lure, he says, was "2011 recruitment plan.xls," which was apparently so enticing, one RSA employee even retrieved it from a spam filter, where it had been caught. Clicking on it allowed the attacker to take over the machine.

"They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators," Rivner writes.

The attacker set up staging servers as "key aggregation points" and "then they went into servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction," according to Rivner's RSA blog."The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging area at an external, compromised machine at a hosting provider." The attacker stole away with the files from there.

The Adobe zero-day vulnerability, now patched by Adobe, allowed the attacker to control the victim's machine at RSA and use a variant of a long-known hacker tool called Poison Ivy to set up a command-and-control system aimed at extricating data.

Sam Curry, chief technology officer, marketing, at RSA, says the NetWitness NextGen security-monitoring product, which RSA has used for three years, was instrumental in detecting the attack in progress. "It helped us to identity it," he says.

Coincidentally, RSA has been in discussions to acquire the company NetWitness, which it did on April 1 and announced just this week.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Enterprise StrategysecuritylegalRSA SecurIDcybercrime

More about Adobe SystemsBillEMC CorporationLANNextGenRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts