Based on the reports suggesting that the RSA token was successfully emulated, "one can only assume that the breach of RSA leaked sufficient data to predict the number displayed by a particular token," Johannes Ullrich, CTO at the SANS Institute, said in a blog post. "It may also have leaked which token was handed to what company (or user)," Ullrich said.
RSA's silence probably makes the situation appear worse than it is, said Jeremy Allen, principal consultant with Intrepidus.
Even if the RSA attackers managed to steal more information on SecurID than might have earlier been thought, they would still need to have crucial information to exploit it, Allen said. For an attacker to successfully use a cloned SecurID token, he or she would still need to know the token user's username and pass code to access a particular network service, he said.
For someone to break into Lockheed using the RSA token, the attacker would need at least one Lockheed employee's username and pass code and would have to know which services that person could access.
Other enterprises using SecurID technology need to pay attention to these breaches, analysts said. Until RSA offers more details, companies should keep a close eye on their authentication measures.
"RSA tokens are just one factor of a two-factor authentication scheme," Ullrich wrote. "You will have to enter a PIN or a password in addition to the token ID."
Enterprises should be watching for attempts at guessing passwords and pass codes, he said. "Monitor for brute force attempts and lock accounts if someone attempts to brute force them," he said.
"Enterprises also need to keep an eye on any attempts to log into enterprise systems from unknown or unusual IP addresses," Ullrich warned.
So far, at least two other major defense contractors have already switched from SecurID to other technologies, said Alan Paller, director of research at SANS.
"Both Raytheon and Northrop Grumman made massive changes to their remote security systems immediately upon learning what was taken" from RSA, Paller said. "A senior officer of one of those companies told me that they replaced all of their SecureID tokens with tokens from a different vendor. At the time, this seemed like overkill to some observers, but it now turns out to have been prescient."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at 
@jaivijayan or subscribe to Jaikumar's RSS feed 
. His e-mail address is jvijayan@computerworld.com.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
