I still remember that sunny day, late last century, when I and a handful of journos descended on the North Sydney offices of a small company called Security Dynamics, which had introduced what it said was a foolproof security method: a token that used a secret and encrypted algorithm to generate time-sensitive passcodes to enable two-factor authentication.
At a time when most user passwords were as complicated as 123456 or 'password' and 'enterprise security' was still a laughable oxymoron, SecurID was a revelation – and managed to become a standard in enterprise security for over a decade. Then, earlier this year, it was hacked and its new owners – EMC, which bought subsequent SecurID owner RSA Security in 2006 for $US2.1 billion – found themselves staring down the barrel of a security public relations disaster.
I was at an EMC conference on the day the SecurID hack came to light, and was in a security session where an RSA staffer told concerned attendees details were still emerging but there was no need to panic. Yet.
Hope knows no bounds; panicking came shortly after, of course, as the company shifted into overdrive to restore customer confidence with an epically-scaled token-replacement program designed to counter what many saw as a cone of silence around the event.
But it was only this week, as RSA holds its European conference, that we learned the attack was apparently – I think the correct legal term is 'allegedly' – coordinated by two hacker groups in the employ of an unnamed nation. An old bait-and-switch approach was used to distract EMC from the real hack that was going on until it was too late, and 15 years of customer confidence in RSA security was undone in an instant.
Forensic details about the SecurID hack will continue to emerge over time, but for the purposes of this discussion they are not relevant; the point is that yet another security protection, which was at the time held to be unbreakable, fell in a cloud of ignominy, embarrassment, and considerable expense to both RSA and its reputation.
This week, we have the similar news that Sony has been hacked again, and that Victoria will replace 1.1 million myki public-transport smartcards, after revelations that the cards had been hacked by German researchers who used side-channel attacks to sniff out the system's encryption key. This came as sad news for Victorians, who have been hoping for years that myki would be scrapped altogether, and for many of whom a bulk cancellation would have been most welcome.
One doesn't know whether myki designer NXP contemplated that researchers would figure out a way to suck data off the card by reading the electromagnetic pulses generated while it works, but that's exactly what they ended up doing. Yet apart from the momentary inconvenience and expense of replacing millions of SecurID tokens and myki smartcards, these security misadventures highlight one inexorable truth of security: it's only a matter of time.
No matter what protections you put in place, no matter how many bits of encryption you use, no matter how carefully you screen your personnel, no matter how enthusiastically your security bods assure you that a particular piece of hardware is secure – it has been proven time and again that nearly any security can be compromised given enough determination and time.
Vendors rely on the integrity of security for their corporate survival, but researchers take every new protection scheme as an intellectual challenge and absolutely will not stop until they have figured out some way to break through its defences. They are hackers at heart and, thankfully, usually bound by some sort of ethics that ensures such faults come into the public eye when they're discovered rather than after they have been ruthlessly exploited by nefarious types.
Security executives at Lockheed Martin, the targets of the SecurID hackers' attention, might disagree. But for CSOs charged with ensuring corporate security, hackers' philosophical motivations are a distant issue compared with their immediate concern: providing a security perimeter with the nous to meet corporate governance requirements around data protection and access control. Updated SecurID tokens may use an updated algorithm and hash, but they have been compromised once and there are surely hundreds of time-rich hackers now dedicated to repeating the accomplishment.
Given these and other high-profile breaches, it's clearer than ever that all security is security by obscurity – not in the classic sense of hiding information by staying off the radar, but in a newer sense that suggests even the best security perimeter will be breached given enough time.
No matter what you've done to protect your networks, rest assured that the hackers are figuring out their way around the technology you're using. And whether they're doing it out of pure intellectual challenge or for more nefarious purposes, compromise is only a matter of time. This knowledge should prevent complacency and drive CSOs to clutch their backup, data integrity and disaster mitigation plans just that little bit more tightly when they go to sleep at night.
How have these and other high-profile breaches affected your corporate security posture? Do you still feel safe?