RSA Hack Yields SecurID Secrets

RSA Security, a division of EMC Corp. has admitted that it was the victim of a sophisticated attack that resulted in the theft of secrets related to its SecurID two-factor authentication product.


The disclosure came in a blog post by RSA chief Art Coviello on Thursday. Coviello said that the company faces attacks every day, but had recently become aware of “an extremely sophisticated cyber attack in progress,” which he characterized as being “in the category of an Advanced Persistent Threat (APT).” RSA’s investigation subsequently concluded that the attackers had made off with company secrets, including “information…specifically related to RSA’s SecurID two-factor authentication products.”

SecurID is RSA’s multi-factor authentication technology. SecurID includes a range of technologies used to implement multi-factor authentication tools such as one-time password generators and secure access cards. Corporations and other organizations use SecurID to give employees secure access to resources such as corporate networks over virtual private network (VPN) connections, e-mail and other assets.

Coviello said that the company was confident that the stolen information wouldn’t enable a successful attack on any SecurID customers, but that it could be used to “reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” RSA is talking to customers about possible attack scenarios and helping them to “strengthen their SecurID implementations,” Coviello wrote.

RSA, EMC’s security division, is a leading provider of secure authentication solutions and counts government agencies as well as high-profile corporations among its customers. It is unclear who is behind the attack, though the term “APT” was originally a code word within military and intelligence circles for the People’s Republic of China.

Whatever the case, theft of secrets related to SecurID could be used generically, or as a component of another, larger attack.


Discussion

  • Mirco Rohr on

    This could be a pain in the ass - "reducing the effectiveness...". Just to think what could possibly happen if key/certificate information was among the compromised data?

    Look at Realtek - where a digital certificate was stolen - and how it was used afterwards.

    What does this teach us?

    Even security providers are in danger today and they are very attractive targets.

    Every enterprise in the market could be a victim; cybercriminals are interested in getting the intellectual property of these enterprises. They can sell it, or they can use it. Be prepared for the next cyber attack.

    But in this case, what really piques my curiosity is that EMC/RSA has a DLP solution in-house (they bought Tablus in 2008): did they use DLP technologies, and to what extent?

    Granted some types of attacks cannot be detected or prevented by standard DLP techniques, the question still stands.


  • themeworks on

    The breach at RSA just goes to show that security by obscurity never works. It's a fundamental principle in security called Kerckhoffs's principle - you must assume your enemy has the details of your system. If your authentication relies on some level of operational system "secrecy" to work, it is just a matter of when, not if, the system will be compromised. The problem with traditional shared secret tokens, outside of cost, deployment and custody issues, is that they do nothing to establish context of the mutual authentication. They are merely additional layers of "secret passwords", regardless of how those factors are generated or delivered. Another flaw is that their use is dependent on user input into the browser, the very vehicle that has not yet established trust. The primary issue involved in this breach is the wide applicability of the "secret" elements that were compromised. In a properly architected authentication system, any security failure should be at worst a one-in-a-row event. Clearly, a new way of thinking regarding privacy, security and identity is required that departs from the 20th century notion of shared secrets. Try www.liveensure.com.

  • Anonymous on

    themeworks, deep insight man, very deep.
