
Why was it accessible?
Why was this database of seed numbers (or something similar) on a machine that was connected to the net? Anything that critical should have an air gap.
RSA has offered to replace its customers' security tokens following confirmation that an important customer had come under attack, in an incident made possible by an earlier high-profile hack against RSA's systems. SecurID, RSA's two-factor authentication system, uses a token which generates a pseudo-random six-digit passcode …
I'm guessing that you need to know the seed numbers to verify that the number someone typed in from their card is correct.
Since the number they type in goes across the net, I'm guessing that the machine that verifies it also has to be on the net.
If the machine verifying the number is on the net, then the seed to check it against must also be on the net (or at least a list of the correct numbers for the next 'x' weeks). OK, I guess you could argue it would be possible to have a challenge-response system over RS232 so the actual seed database is not on a networked machine, but that probably doesn't scale well :)
What you're talking about is the verification database at the customer site, the ones *using* the RSA tokens. They only have the seeds + serial numbers for their own user base, so gaining access to the authentication server will not compromise another company's security.
RSA has *ALL* the seeds + serials, but they don't need to be accessible because no one authenticates against it. It needs to be able to punt a seed + serial pair to the token manufacturing machine, and generate a file of pairs to go with each batch of tokens being sent out, but as you can see those data flows are output only. I see no need for that machine to allow incoming connections at all (and there are ways to physically guarantee that an output flow is output only), but it seems RSA saw things differently.
RSA is in meltdown; the open letter regarding the token replacement offer is on their website, customers have seen this, and are asking questions.
Couple that with the very ambiguous statement of "An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks."
Not a single bit of information for their resellers/partners though......
RSA are making it look as if they want to replace tokens but only if they really really have to!
"An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks."
Option A) There are hundreds of thousands of SecurID customers out there that just buy RSA on a lark of sorts, because in this day and age companies just have piles of money lying about....
Or option B) Nearly ALL of RSA's SecurID customers bought the service to "protect intellectual property and corporate networks"
RSA really needs to get serious about this, issue one of the great all time mea culpas and tell ALL their SecurID customers that RSA will do what is needed to give ALL customers a modicum of security once more. Anything else is going to end in the complete destruction of RSA as a company. The way things are right now, I wouldn't buy paperclips from them, and if I was a SecurID customer I'd be calling the lawyers to formulate a legal strategy vs. RSA should I get hacked through compromised keys....
We got the following response (this is after Lockheed, L3, etc):
>....XXXX has no security risk as standard procedures are followed and multiple security elements are used. Tokens for which the validity is less than 12 months will not be replaced for free, but will be charged as usual....
WTF? RSA screws up security, and then charges us to fix their problem?!? I am so glad we have "no security risk", and that a sales droid can spot this from the US via email.
The reality is that our compromisable tokens with 11 months left to go can be replaced at our cost, with the new tokens having the *same* end date (that is, in 11 months we can go buy hundreds more).
You mention that "Experts have speculated that hackers may have made off with a portion of its seed number database but this remains unconfirmed. From that point it would only be necessary to match serial numbers of tokens to portions of the stolen database to circumvent the protection offered by SecurID tokens."
RSA hasn't released details of what was taken, but let's assume this is true. The attacker would still need additional information to circumvent the protection - the PIN that goes with the token, the username of the employee, and the particular serial number token used by that employee. The attackers would still need to mount a not insignificant social engineering attack. As a SecurID user we have been told the manufacturing process has been changed and the new tokens being shipped are secure.
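Added example, not code from any commenter here: a minimal customer-site verifier of the kind described in the thread, showing why the verifying host must hold the seeds and that a seed on its own does not get past the PIN check. It assumes RFC 6238 TOTP (HMAC-SHA1, 60-second step) as a stand-in for SecurID's own algorithm, and the seed, serial, username and PIN are constructed values.

```python
import hashlib
import hmac
import struct
STEP_SECONDS = 60   # assumed tokencode lifetime
DIGITS = 6

def tokencode(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standing in for the token's own algorithm."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** DIGITS:0{DIGITS}d}"

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Customer-site verifier: seeds for its own serials plus user -> serial and PIN."""
    def __init__(self):
        self.seeds = {}   # serial -> seed: this is what must sit on the verifying host
        self.users = {}   # username -> (serial, salt, hashed PIN)

    def enroll(self, username, serial, seed, pin):
        salt = hashlib.sha256(username.encode()).digest()[:16]  # constructed; use os.urandom
        self.seeds[serial] = seed
        self.users[username] = (serial, salt, pin_hash(pin, salt))

    def verify(self, username, passcode, now, drift=1):
        """Passcode = PIN followed by the 6-digit tokencode; accept +/- drift steps."""
        entry = self.users.get(username)
        if entry is None or len(passcode) <= DIGITS:
            return False
        serial, salt, stored = entry
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin_hash(pin, salt), stored)
        code_ok = any(hmac.compare_digest(tokencode(self.seeds[serial], now + d * STEP_SECONDS), code)
                      for d in range(-drift, drift + 1))
        return pin_ok and code_ok   # both factors always evaluated, no early exit on PIN

def demo():
    server = AuthServer()
    seed = b"12345678901234567890"   # constructed seed (the RFC 6238 test key)
    server.enroll("alice", "000123456789", seed, "4821")
    now = 1_300_000_000
    code = tokencode(seed, now)
    return {"pin_and_code": server.verify("alice", "4821" + code, now),
            "code_only": server.verify("alice", code, now),      # seed alone is not enough
            "wrong_pin": server.verify("alice", "0000" + code, now),
            "stale_code": server.verify("alice", "4821" + tokencode(seed, now - 5 * STEP_SECONDS), now)}
```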
...All of which isn't that complicated when the average webmuggle's idea of a good secure password is either their mother's name - or the ever popular 'passwordx' where x = the number of braincells they lost in the last 20 minutes.
The more separate physical stages you put into a security system - the more at risk it is.
And everyone seems to have missed the point - even if you have a PIN and Code over and above the SecurID - if the latter is lost or stolen - there goes your access to your account or whatever.
Nothing is ever entirely secure - there are ways of even getting past biometrics - but anything is better than something like SecurID that was a poor joke 10 years ago and isn't any funnier now.
Given that the perps seem to have conducted the following "not insignificant" actions:
Cracked whatever security RSA had in place.
Obtained remaining credentials for both LHM and others.
Your comment is tantamount to saying our only protection is to hope we don't get hit next.
How many CIOs would be willing to bet their company on the assumption that none of their users will be compromised?
Essentially they should rightly be assuming that they are defenceless.
Let's translate for everybody:
"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers" == "we hope that nobody works out how to use the data they've got". Oh, bugger. This presumably means that they did not immediately start replacing keys, so I'd say they are culpable for any subsequent loss.
And now that real break-in attempts have been performed, we get:
replacements for "concentrated user bases typically focused on protecting intellectual property and corporate networks" == "Replacements for any big corporates with big legal budgets".
Ha!
Two things might have been stolen:
1. The seed database for active and some future tokens
2. The algorithm to generate the seed from the token serial number.
In the case of 1, why were they keeping this data at all...? Theoretically it would allow them to duplicate tokens. Why would they need this...?
In the case of 2, even using the token serial (printed on the case) as an input in ANY form into the seed generation algorithm is fugly security practice.
RSA need to confirm what happened and why (we know the *How*).
AC as I used to support RSA among other products at a helldesk in a previous life and still work in the IT security industry.
My recommendation for organisations that use RSA tokens and who feel they may be likely targets for the hackers who have the stolen information is to look at reducing or removing all uncontrolled end points where they are used. For example, if possible only allow remote access from company provided assets on which you have up to date protection from malware. This should reduce the likelihood of a key logger (widely suspected as being the method used to obtain enough information to fake the token).
This is the one we've been waiting for. A strategic hit on the keeper-of-the-keys to some of the world's most valuable data.
With the perpetrators moving so fast after the initial hack to hit the most tactically valuable targets this is 'work' being done on an extremely professional basis.
If they haven't done it already, my advice to anyone using RSA tokens would be to immediately get a crisis team together and identify your critical data assets - that's the stuff that ruins you if you lose it - and put up another defensive ring around it.
If data is critical to the survival of your business - don't dick about, don't rely on not being hit. Even if it means going back to passwords until you can either get the new RSA tokens up and running or you can get something else in.
Also shame on RSA - "Guys, you're in the business!"
Damn. I work in the IT Security industry. I just can't find myself how to tell any of our clients that they might be 0wned if they're using these tokens. Even worse, one of my online banking services uses the SecurID tokens! Fortunately, they also use a zillion extra security measures, including extra auth questions if I ever log on from a *different* PC.
Hopefully, most systems secured by these tokens have some other layer of security in addition to SecurID; some are even inaccessible from the outside. Still a big FAIL for RSA :(