RSA acknowledged on Monday that a hack at Lockheed Martin was tied to the theft of information on its SecurID tokens. The company offered to replace the tokens for customers, but experts wonder whether RSA should go further and recall SecurID tokens from the market.
After acknowledging that forged SecurID tokens played a role in a recent attack against defense giant Lockheed Martin, RSA, the security division of EMC Corp., said that it will replace the tokens for customers that request it. But some security experts wonder whether the company is going far enough, or whether a full recall of the popular SecurID product is in order.
The announcement extends an offer made to RSA customers in the defense industry to a much wider range of customers. However, Despite RSA’s assurances that the stolen SecurID information is being used in attacks against defense contractors, experts contacted by Threatpost said that there’s little reason to believe that current or future attacks are limited to that sector
“Customers must still rely on RSA’s judgement that the attack targets are limited to ‘defense secrets and related IP'” said Rick Moy, CEO of NSS Labs. “For many organizations this blind faith is not going to fly. RSA could have made a stronger commitment to its customers by issuing clear recall guidelines two months ago.”
The statement on Monday suggests that RSA is taking a dimmer view of the March breach, after strong evidence that the attack at Lockheed was linked to the stolen SecurID data and “seeds” which are used to create the unique login values on the tokens.
In an open letter to RSA customers, Art Coviello, RSA’s Executive Chairman, said that the company confirmed the link between the Lockheed Martin attack and the SecurID hack on June 2, prompting the company to offer to replace SecurID tokens for customers whose SecurID tokens are protecting corporate networks. However, Coviello stood by claims, made in an open letter issued in March, that the SecurID technology was still effective.
“We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediation we have provided to customers will help to deliver the highest levels of customer protection,” he wrote.
An RSA/EMC spokesman ruled out a wholesale recall of the SecurID tokens. “We continue to work with all of our customers to understand and address their unique business characteristics and implement best practices for remediation based on their risk profiles,” he said.
Among other obstacles: fully two thirds of SecurID tokens in circulation are used by consumer-focused banks and brokerages, not firms with intellectual property or trade secrets to protect. For those customers, RSA is offering help implementing so called risk based authentication to supplement the SecurID token. That might include extra question/answer challenges before getting access to an account, or blocking log-in attempts issued from new devices or unusual locations.
However, RSA hasn’t offered discounts or licensing deals to ease the pain of replacement. Customers who wish to get their SecurID tokens replaced are still bound by the terms of their licensing agreement, according to one customer who contacted Threatpost. EMC/RSA said through its spokesman that it didn’t have any information on deals or other discounts offered to customers on replacement tokens or the risk based authentication technology. “We look at that on a case by case basis,” he said.
In his letter, Coviello sought to put the breach at RSA and its customers in the context of a string of recent hacks – including attacks on Google’s Gmail service that are believed to be linked to China, and attacks on Sony, PBS and Nintendo that have been linked to the anarchic hacking group Anonymous and Lulzsec.
But experts point out key differences between those attacks. The hacks of PBS, Sony, Nintendo and other targets were – even by the group’s admission – often trivial exploits of common vulnerabilities like SQL injection.
Not so the RSA hack. “The incident is demonstrating the amount of planning that is going into what is best described as a very organized campaign,” said Michale Assante, President and CEO of the National Board of Information Security Examiners. “The willingness to place resources against targets that will improve your abilities against a primary target and goal is an attribute of organized structure,” he wrote to Threatpost.
Ori Eisen, the founder and CIO of 41st Parameter, a fraud detection technology firm, agreed with that assessment.
“The advance preparation – placing malware on victims’ machines, watching their logins, and learning which seeds match to which accounts – all takes time. That’s why there was so little visible breech-related activity until now,” Eisen wrote.
The attack began with sophisticated, targeted attacks against RSA employees that combined phishing e-mails with malicious Microsoft Excel and Adobe Flash attachments. The attacks were stealthy and targeted, with attackers first compromising low level users, harvesting access credentials from them, then using privilege escalation on non-administrative users in the targeted systems to expand their access to compromised hosts, and then moving on to other high value targets, which included process experts and IT and Non-IT specific server administrators. That, according to an account of the incident published by Uri Rivner, head of RSA’s identity protection division. RSA denied that the integrity of its SecurID product was compromised at the time, but said the information stolen from it could be used to degrade the effectiveness of the tokens, which generate one time passwords that many corporations and governments use to secure remote access sessions and critical systems.
Since March, there have been numerous reports of attacks against RSA customers that are believed to have leveraged the data stolen to compromise sensitive networks.
Reports by Wired.com say L3 Communications was another large defense contractor who suffered a breach related to the RSA hack, but the spokesman said that report hasn’t been confirmed by the company.
Bypassing one time password generators is nothing new, but the RSA hack gives sophisticated hackers the ability to compromise many accounts at once by cloning SecurID tokens, said Eisen of 41st Parameter.
He said focusing on the telltale signs of a compromise was the best approach.
“The attackers in this case are most likely proxying through the victim’s real device, so even with a token in place, critical questions still need to be asked – is this an expected IP address? Is this a known device for the user? Is this a replay attack?”
RSA contends that the information it provided to customers helped to do just that, and may have made it possible to detect the latest breaches and prevent sensitive data from being stolen. A company spokesman said customers are being advised to be on the lookout for unusually high numbers of bad authentication attempts, as well as spear phishing attacks via e-mail or phone that are looking for identifying information about the token or device its connected to.
