The Green Sheet Online Edition
April 11, 2011 • Issue 11:04:01
Did hackers gain insight into RSA's methodology?
RSA, the security division of EMC Corp., reported that its network was hacked and that information relating to its SecurID two-factor authentication product was stolen. RSA's SecurID products are used on PCs, USB devices, phones and key fobs in about 25,000 corporations. They provide a level of security beyond user names and passwords when accessing virtual private networks or other systems containing sensitive information, such as financial data.
In a two-factor authentication process, the traditional user name and password combination is often the first factor. The second factor can be a SecurID token that, in conjunction with back-end software, generates an authentication code every 30 to 60 seconds using a random key or "seed." A user gets into the network by typing this authentication code.
Authentication's effectiveness possibly reduced
In a statement posted on RSA's website, the company's Executive Chairman Art Coviello said, "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
Paul Martaus, President and Chief Executive Officer of payments industry consulting firm Martaus & Associates, said it appeared from the statement that the hackers might have obtained the "blueprints" behind RSA's SecurID product.
"The methodology is what is important here - the algorithm - how RSA goes about generating these keys," he said. "The hackers don't necessarily have access to the keys, and they don't necessarily have the ability to get into RSA's customers' sites, but they may have the blueprint that will allow them to develop the capabilities to do so."
Nicholas Percoco, Senior Vice President and head of Trustwave's SpiderLabs, said, "There are many steps that would need to be completed to have a successful attack against an organization using RSA SecurID tokens for authentication."
He added that the attacker would need additional bits of specific information, such as the serial number of the token and the end user's PIN, which theoretically could be obtained through a targeted phishing attack against an RSA customer.
Date of breach a determinant
Regarding the likelihood of a direct attack, Percoco said, "If this breach took place just two weeks ago, then the likelihood is probably rather low at this point. ... If it took place a year ago, then it means the criminals have had access to this data for a whole year and may have been launching attacks to get this type of information from customers of a specific organization."
RSA provided recommendations on its website to customers on how to maintain security on their networks, including enforcing strong password and PIN policies, re-educating employees on avoiding suspicious emails, and reducing the number of employees who have access to administrator accounts.
Percoco noted that, beyond the generic recommendations offered by RSA, each company has to determine its own response to the news of the data breach. "I guess it's a judgment call," he said. "I would venture to guess that unless there is some major vulnerability that has been exposed that we're just not aware of in the system, leaving this authentication mechanism in place until you have more information is probably better than just switching it all to static user names and passwords."
He did point out that other mechanisms can provide two-factor authentication. "Some organizations may say 'We're not going to take the risk,' and they can go down the path of swapping out [RSA's] technology for some other technology," he said.