In the wake of a string of attacks against high-profile users of RSA Security’s SecurID tokens including Lockheed Martin, the company has posted an open letter to its customers, trying to reassure them that the tokens are secure and that the attacks don’t represent a new threat to these businesses. However, the company is now offering to replace SecurID tokens for its corporate customers, a user base of tens of millions of people.
On Monday, RSA Executive Chairman Art Coviello said in the letter that the company surmised at the time of the initial attack on RSA in March that compromised data related to the SecurID tokens that the intrusion was aimed at getting information that would be useful in targeted attacks against defense contractors and other customers in the military-industrial complex. The recent attack on Lockheed martin, which that company said it was able to stop, and other reported attacks on Northrop Grumman and L-3 Communications have done nothing to change that conclusion, Coviello said.
“Against this backdrop of increasingly frequent attacks, on Thursday,
June 2, 2011, we were able to confirm that information taken from RSA in
March had been used as an element of an attempted broader attack on
Lockheed Martin, a major U.S. government defense contractor. Lockheed
Martin has stated that this attack was thwarted,” he said in the letter, posted on the RSA site.
“It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology.
Indeed, the fact that the only confirmed use to date of the extracted
RSA product information involved a major U.S. defense contractor only
reinforces our view on the motive of this attacker.”
In the immediate aftermath of the attack on RSA, security experts speculated that the attackers might have gotten the cryptographic seeds used in the SecurID tokens. RSA officials have not confirmed what the attackers were able to extract during the intrusion in March, but have been working with customers to implement extra steps to shore up the security of the two-factor authentication system.
In his letter, Coviello said that the company is still confident that the steps it is recommending to customers are valid and that the attempt to compromise Lockheed Martin and other defense contractors does not change any of that. However, RSA is now offering to replace SecurID tokens for its corporate customers with “concentrated user bases typically focused on protecting intellectual property and corporate networks.”
It’s not clear how many of RSA’s corporate customers will opt to have the company replace their SecurID tokens. But if it’s even a fraction of the user base of tens of millions of people, it could end up costing RSA a huge amount of money.
RSA also is offering to help other customers who work more with consumers to implement some of the security strategies that it has been recommending since the breach.
“We will continue to work with all customers to assess their unique risk
profiles and user populations and help them understand which options may
be most effective and least disruptive to their business and their
users,” Coviello wrote.