RSA, the security division of EMC Corp., has warned customers to be on the lookout for targeted attacks, including suspicious messages and links sent over social media networks, in the wake of a sophisticated attack that spilled confidential information about the workings of the company’s SecurID strong authentication product.
In a letter to RSA SecurCare customers, the company said that the information stolen about the SecurID product “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” It advised customers to pay increased attention to signs of a targeted attack, scrutinizing social media applications and suspicious e-mail attachments, among other steps.
The letter was disclosed in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC) on Thursday. In it, the company lays out a list of recommendations to customers, which it describes as “overall recommendations.” It said it is also providing “immediate remediation steps for customers” to “strengthen RSA SecurID implementations.” The company declined to say what those steps are. An RSA spokesperson said the company cannot comment beyond the information provided in the letter to customers and a blog post by Executive Chairman Art Coviello because there is an active criminal investigation into the breach.
Security experts had differing opinions about the breach and RSA’s handling of the incident. In an interview with ZDNet’s Australian edition, security expert Dan Kaminsky said that RSA had an obligation to disclose far more about the incident. Being more forthcoming about what was (and was not) stolen would dampen what he called “fear and speculation” about the extent of the breach, and allow SecurID customers to gird themselves for likely attacks using the pilfered information.
“They haven’t given enough information. What they have given is good advice, but frankly it’s belt and suspenders stuff,” Kaminsky told ZDNet.
But others took the opposite position: praising RSA for the extent of its disclosure.
“I see their recommendations as being similar to what they have done themselves,” said Pete Schlampp, Vice President of Marketing and Product Management at Solera Networks. “They’re saying ‘here’s what we learned by being the victim of an APT attack and here’s what we suggest to you about how to defend yourself.’”
Schlampp noted that, in contrast to other breaches at high profile firms, RSA was able to describe the extent of the breach: what was and was not stolen. The firm’s reaction appeared to be one of a company whose secret blueprints have been leaked, but which remains confident of the construction of its product.
“What we have to assume is that RSA assumes its product is still secure and that there aren’t critical vulnerabilities to be found,” Schlampp said. “If there were, you’d expect the company to be issuing statements about what to do – patch, or don’t use the product. But that’s not what we’re hearing.”
The breach is just the latest in a string of high-profile hacks of IT firms by what have been described as “advanced persistent threats,” or APT, a term RSA chief Coviello used in the blog post revealing the incident. Notably, the so-called “Aurora” attacks in 2009 and early 2010 that hit Google, Juniper Networks, Adobe and other firms are believed to have netted attackers significant amounts of sensitive intellectual property. Recent disclosures from the publication of e-mail messages belonging to HBGary, a D.C. security firm, revealed that firms like DuPont, Walt Disney Co., Sony Corp. and others were also targets in that attack. The term has also cropped up in association with recent revelations about what appears to be state-sponsored espionage targeting the Canadian and French governments.
However, the term “APT” is a source of much debate. Its origins trace to the U.S. Air Force, where it was used starting around 2006 to refer euphemistically to nation-state actors, mainly from the Asia-Pacific region. Nations like the People’s Republic of China are believed to be the direct or indirect source of many targeted attacks against Western technology, manufacturing, energy and defense firms, as well as government agencies. In recent years, however, its use has broadened to refer to any sophisticated attacker, whether state-sponsored, linked to the PRC, or not.
Writing on his blog TaoSecurity on Thursday, Richard Bejtlich said that the drift in the meaning of APT can lead to confusion about who or what is behind hacks like that of RSA and, therefore, how serious the threat is. Bejtlich said that an attack aimed at undermining a key technology like SecurID would be consistent with the interests of APT as it was originally defined, that is, as relating to state-sponsored actors.
“It is not outside the realm of APT methodology and targeting to attack RSA in order to access internal details on their authentication technology. We know APT actors have attacked other technology companies to steal their intellectual property, ranging from software to algorithms to private keys, all to better infiltrate other targets,” he wrote.