Skip the navigation

Cyberattacks fuel concerns about RSA SecurID breach

June 1, 2011 04:29 PM ET

Based on the reports suggesting that the RSA token was successfully emulated, "one can only assume that the breach of RSA leaked sufficient data to predict the number displayed by a particular token," Johannes Ullrich, CTO at the SANS Institute, said in a blog post. "It may also have leaked which token was handed to what company (or user)," Ullrich said.

RSA's silence probably makes the situation appear worse than it is, said Jeremy Allen, principal consultant with Intrepidus.

Even if the RSA attackers managed to steal more information on SecurID than might have earlier been thought, they would still need to have crucial information to exploit it, Allen said. For an attacker to successfully use a cloned SecurID token, he or she would still need to know the token user's username and pass code to access a particular network service, he said.

For someone to break into Lockheed using the RSA token, the attacker would need at least one Lockheed employee's username and pass code and would have to know which services that person could access.

Other enterprises using SecurID technology need to pay attention to these breaches, analysts said. Until RSA offers more details, companies should keep a close eye on their authentication measures.

"RSA tokens are just one factor of a two-factor authentication scheme," Ullrich wrote. "You will have to enter a PIN or a password in addition to the token ID."

Enterprises should be watching for attempts at guessing passwords and pass codes, he said. "Monitor for brute force attempts and lock accounts if someone attempts to brute force them," he said.

"Enterprises also need to keep an eye on any attempts to log into enterprise systems from unknown or unusual IP addresses," Ullrich warned.

So far, at least two other major defense contractors have already switched from SecurID to other technologies, said Alan Paller, director of research at SANS.

"Both Raytheon and Northrop Grumman made massive changes to their remote security systems immediately upon learning what was taken" from RSA, Paller said. "A senior officer of one of those companies told me that they replaced all of their SecureID tokens with tokens from a different vendor. At the time, this seemed like overkill to some observers, but it now turns out to have been prescient."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at Twitter @jaivijayan or subscribe to Jaikumar's RSS feed Vijayan RSS. His e-mail address is jvijayan@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!