Last week, RSA experienced an attack that has breached their system. Information about their multi-factor authentication products (SecurID, Authentication Manager) have been compromised.
There’s not much information right now but this attack seems to be geared toward stealing intellectual property and does not affect any current or potential RSA customers. An open letter to customers went out last Thursday and Friday from RSA regarding the breach.
Being in the IT security industry as long as I have, I know that breaches like this happen to numerous companies more times than the public is ever made aware of. So, despite RSA being a security company, they are certainly not immune. It would be nice if they shared more information with the public about the current situation, but they’re walking a fine line sharing their security information because they don’t want to divulge anything that will benefit the attacker or future attackers.
We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.
RSA Executive Chairman Art Coviello stands by his above statement that customer information is not at risk, and I agree. It will take a considerable amount of work to reverse engineer RSA’s authentication infrastructure. There is an algorithm that generates token codes, token serial numbers, token records, customer created pass codes and revolving keys. One single part can’t be used to gain significant information about any other part. I don’t think we’ll see cloned tokens floating around being used to log into people’s accounts. There are too many variables. Even if this happens, RSA would just reissue new tokens and seed records to resolve the issue.
In their letter to customers, RSA provides some recommendations to help customers strengthen their security.
Overall Recommendations from RSA:
RSA strongly urges customers to review all documents referenced in this note. Based on customer requests for prioritization of remediation, below are the most important remediation steps being recommended to customers:
- Secure your Authentication Manager database and ensure strong policy and security regarding any exported data (see Best Practices Guides for specific instructions).
- Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token code events, both of which could indicate suspicious activity (see Authentication Manager 6.x and 7.x Log Guidelines and Best Practices Guides for specific instructions).
- Educate your help desk and end users on best practices for avoiding social engineering attacks such as targeted phishing (see Best Practices Guides for specific instructions).
- Establish strong PIN and lockout policies for all users (see Best Practices Guides for specific instructions).
The Best Practice Guidelines are available from: RSA SecurCare Online (SCOL).
Letter from Art Coviello: http://www.rsa.com/node.aspx?id=3872.
Wired Article: http://www.wired.com/threatlevel/2011/03/rsa-hacked/.
Photo Credit: Don Hankins