SecurID by obscurity: It's only a matter of time

At a time when most user passwords were as complicated as 123456 or 'password' and 'enterprise security' was still a laughable oxymoron, SecurID was a revelation

I still remember that sunny day, late last century, when I and a handful of journos descended on the North Sydney offices of a small company called Security Dynamics, which had introduced what it said was a foolproof security method: a token that used a secret and encrypted algorithm to generate time-sensitive passcodes to enable two-factor authentication.

At a time when most user passwords were as complicated as 123456 or 'password' and 'enterprise security' was still a laughable oxymoron, SecurID was a revelation – and managed to become a standard in enterprise security for over a decade. Then, earlier this year, it was hacked and its new owners – EMC, which bought subsequent SecurID owner RSA Security in 2006 for $US2.1 billion – found themselves staring down the barrel of a security public relations disaster.

I was at an EMC conference on the day the SecurID hack came to light, and was in a security session where an RSA staffer told concerned attendees that details were still emerging but there was no need to panic. Yet.

Hope knows no bounds; panicking came shortly after, of course, as the company shifted into overdrive to restore customer confidence with an epically scaled token-replacement program designed to counter what many saw as a cone of silence around the event.

But it was only this week, as RSA held its European conference, that we learned the attack was apparently – I think the correct legal term is 'allegedly' – coordinated by two hacker groups in the employ of an unnamed nation. An old bait-and-switch approach was used to distract EMC from the real hack that was going on until it was too late, and 15 years of customer confidence in RSA security was undone in an instant.

Forensic details about the SecurID hack will continue to emerge over time, but for the purposes of this discussion they are not relevant; the point is that yet another security protection, which was at the time held to be unbreakable, fell in a cloud of ignominy, embarrassment, and considerable expense to both RSA and its reputation.

This week, we have the similar news that Sony has been hacked again, and that Victoria will replace 1.1 million myki public-transport smartcards, after revelations that the cards had been hacked by German researchers who used side-channel attacks to sniff out the system's encryption key. This came as sad news for Victorians, who have been hoping for years that myki would be scrapped altogether, and for many of whom a bulk cancellation would have been most welcome.

One doesn't know whether myki designer NXP contemplated that researchers would figure out a way to suck data off the card by reading the electromagnetic pulses generated while it works, but that's exactly what they ended up doing. Yet apart from the momentary inconvenience and expense of replacing millions of SecurID tokens and myki smartcards, these security misadventures highlight one inexorable truth of security: it's only a matter of time.

No matter what protections you put in place, no matter how many bits of encryption you use, no matter how carefully you screen your personnel, no matter how enthusiastically your security bods assure you that a particular piece of hardware is secure – it is being proven time and again that nearly any security can be compromised given enough determination and time.

Vendors rely on the integrity of security for their corporate survival, but researchers take every new protection scheme as an intellectual challenge and absolutely will not stop until they have figured out some way to break through its defences. They are hackers at heart and, thankfully, usually bound by some sort of ethics that ensures such faults come into the public eye when they're discovered rather than after they have been ruthlessly exploited by nefarious types.

Security executives at Lockheed Martin, the targets of the SecurID hackers' attention, might disagree. But for CSOs charged with ensuring corporate security, hackers' philosophical motivations are a distant issue compared with their immediate concern: providing a security perimeter with the nous to meet corporate governance requirements around data protection and access control. Updated SecurID tokens may use an updated algorithm and hash, but they have been compromised once and there are surely hundreds of time-rich hackers now dedicated to repeating the accomplishment.

Given these and other high-profile breaches, it's clearer than ever that all security is security by obscurity – not in the classic sense of hiding information by staying off the radar, but in a newer sense that suggests even the best security perimeter will be breached given enough time.

No matter what you've done to protect your networks, rest assured that the hackers are figuring out their way around the technology you're using. And whether they're doing it out of pure intellectual challenge or for more nefarious purposes, compromise is only a matter of time. This knowledge should prevent complacency and drive CSOs to clutch their backup, data integrity and disaster mitigation plans just that little bit more tightly when they go to sleep at night.

How have these and other high-profile breaches affected your corporate security posture? Do you still feel safe?

Stories by David Braue