Friday, May 27, 2011

Access Granted

Back in April, I discussed the March breach in security at RSA. After I posted my article, I was contacted by a friend of mine who works for a certain “Three Letter Acronym” agency whose name and organization will remain unnamed. My friend asked me if I might happen to know exactly what was compromised at RSA. While I couldn’t be certain, I suggested what I (and maybe most of you) had already heard via news channels, media, and security contacts. While I know more details on what actually happened, I don’t know specifics. From my knowledge, what was known to be compromised was possibly the algorithm seed, and maybe the key generation time. The algorithm itself has been publicly known for years. From a security standpoint, this is like having a key, but not knowing which lock it fits.

I told my friend that there shouldn’t be too much to worry about, because while there are enough pieces compromised to launch a brute force attack (basically, an educated guess that is retried until you succeed), there shouldn’t be enough to do a more damaging attack. Brute force attempts are fairly easy to spot, mitigate, and deny. My friend was put, at least a little, at ease. That was until last week…
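To make the “easy to spot” claim concrete, here is an added example (my own illustration, not code from RSA or from the contractor involved) that flags a token seeing a burst of failed passcodes within a short window, the footprint a guessing attack leaves on a VPN gateway. The log format is hypothetical and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample VPN gateway authentication log (hypothetical format,
# not taken from any real product). jdoe mistypes once and then succeeds;
# asmith's token sees a rapid run of failed passcodes from one source.
SAMPLE_LOG = """\
2011-05-23 08:00:01 vpn-gw auth user=jdoe token=000123456 result=FAIL reason=bad_passcode src=203.0.113.5
2011-05-23 08:00:20 vpn-gw auth user=jdoe token=000123456 result=OK src=203.0.113.5
2011-05-23 08:01:00 vpn-gw auth user=asmith token=000987654 result=FAIL reason=bad_passcode src=198.51.100.7
2011-05-23 08:01:04 vpn-gw auth user=asmith token=000987654 result=FAIL reason=bad_passcode src=198.51.100.7
2011-05-23 08:01:09 vpn-gw auth user=asmith token=000987654 result=FAIL reason=bad_passcode src=198.51.100.7
2011-05-23 08:01:13 vpn-gw auth user=asmith token=000987654 result=FAIL reason=bad_passcode src=198.51.100.7
2011-05-23 08:01:18 vpn-gw auth user=asmith token=000987654 result=FAIL reason=bad_passcode src=198.51.100.7
2011-05-23 08:01:22 vpn-gw auth user=asmith token=000987654 result=OK src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ auth user=(?P<user>\S+) token=(?P<token>\S+) "
    r"result=(?P<result>\S+)"
)

def detect_otp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {token: (user, failure_count)} for tokens that accumulated
    `threshold` or more failed passcodes within any `window_seconds` span.
    A success after such a burst is still reported: a guessed-then-correct
    passcode is exactly the case in which the token should be locked."""
    recent = defaultdict(deque)   # token -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not auth events
        if m["result"] != "FAIL":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["token"]]
        window.append(ts)
        # slide the window: drop failures older than window_seconds
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[m["token"]] = (m["user"], len(window))
    return flagged

if __name__ == "__main__":
    for token, (user, n) in detect_otp_bruteforce(SAMPLE_LOG).items():
        print(f"lock token {token} ({user}): {n} failed passcodes in window")
```

Note that this logic only catches guessing; an attacker who already holds both the passcode and the PIN (the keylogger scenario below) produces a single clean success and is invisible to it.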

I received notification that sometime last week, a very large U.S. defense contractor that uses SecurID tokens from RSA to provide two-factor authentication (something you have, and something you know; think of your bank card and your PIN) for remote VPN access to its corporate networks detected an intrusion. Before Monday morning an alert went out, and all remote access to the internal corporate network was shut down. Employees were notified that remote access could be down for upwards of a week, possibly more. For telecommuters, this meant you either came into a branch office, or you simply could no longer work. Two days ago, my friend told me, a notification went out that every person who had an RSA SecurID token would be getting a new one. This process, as I discussed in my earlier article, would take at least a few weeks to funnel out to everyone.

Along with this, all users (over 100,000 of them) would be required to change their passwords. Nobody takes on the volume of help desk issues this causes unless administrative-level files and access have almost assuredly been compromised.

From what I can tell, whoever hacked RSA had come into possession of the algorithm and seeds for the current tokens, and had then managed to install a keystroke logger somewhere on the network. With both of these pieces, that unknown lock I discussed earlier in this article was now known.

While this was an expected outcome (most security folks like myself have been awaiting such a breach), expecting it was not enough to prevent it from occurring. Shortly after the RSA breach became public knowledge, most companies that relied on SecurID for authentication started requiring a second password before access to the network was granted. This, as you can probably tell, would not resolve the issue if a keylogger was in place, as the hacker would know the password the minute it was typed.

I am a “Glass Half Full” sort of person, so I guess the silver lining in this story is that my friend and his staff were able to spot the intrusion and acted appropriately to mitigate any further incidents. Kudos are warranted for such a feat, as this is not an easy task, although the aftershocks caused by this incident will be many and will be felt far into the future.

While I am sure this is not an isolated incident, it is a major one, and one of the first public ones. At the time of this writing, I can state that I know of others as well. This is not the first successful hacking attempt using the compromised SecurID technology. It certainly won’t be the last…

What concerns me most, though, is that RSA has not been forthcoming in providing full disclosure about what was compromised and how vulnerable we are. RSA, if you’re listening: pretending this didn’t happen and keeping it all secret does not help things, it only makes them harder to track.

Even given all of the issues raised in this article, I don’t see anyone abandoning RSA or the SecurID product it sells. While most networks exchange token information over a secured and encrypted network path, that alone gives only a false sense of security. My friend and his organization can now attest to this.

If this can happen to a very secure network, employing some really talented security staff and products, it can happen to others as well. How far this will lead, and what sort of national secrets will be exposed now that such an attack has publicly been proven to work, only time will tell.