RSA SecurID hacked: 2FA fob and software compromise?

Egg meets face, as security company 'fesses up to security breach. Are your RSA SecurID keys safe? Or are we panicking too much?

SecurID fob (EMC)
By Richi Jennings. March 18, 2011, 6am EDT.

Update 2, 7.40pm: add comment from Jon Oltsik.

Update 1, 9.55am: add comment from Doug Woodburn.

EMC's RSA says its SecurID two-factor authentication system has been "impacted" thanks to a hack attack. It's not clear whether the company's fob or software 2FA tokens have been compromised. In IT Blogwatch, bloggers push the panic button.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention The animated GIF staring competition...
Robert McMillan bobs up with the news:

The cyber-attack was "recent" and was a so-called Advanced Persistent Threat incident, [RSA] said. ... The type of attack that compromised systems at Google and as many as 100 other companies in late 2009. Hackers ... move about the company's internal networks looking for sensitive data to sneak out.

RSA's SecurID products ... are used on PCs, USB devices, phones and key fobs in about 25,000 corporations to provide an extra layer of security. ... EMC's stock ... was down 1.25 percent in after-hours trading. ... EMC said it "does not believe that the matter ... will have a material impact."

Dan Goodin wants answers:

Among the unanswered questions was whether attackers got access to the so-called seed values that SecurID tokens use to generate the six-digit numbers. ... If attackers were able to access the seeds ... they might be able to generate the pseudo-random numbers of one of its tokens, [helping] them ... breach the company's security.

Other possibilities include the theft of source code ... or the theft of private cryptographic keys that might allow them to imitate RSA servers or register new employee tokens.

[RSA's] vagueness also generated plenty of criticism among security professionals. ... 40 million ... workers in both private industry and government agencies use the devices.

Nick Farrell sees the irony of an insecure security company:

For those who came in late, EMC touts itself as a top security vendor and its boxes protect highly sensitive computer systems. ... Hackers compromised the widely used RSA technology for preventing computer break-ins.

The company said it is providing "immediate remediation steps" for customers. That means it is fixing the problem as fast as it can.

So what's this Advanced Persistent Threat jargon about, Kim Zetter?

APT attacks are distinctive in the kinds of data the attackers target. ... [They] tend to go after source code and other intellectual property and often involve extensive work to map a company’s infrastructure.

[They] often use zero-day vulnerabilities to breach a company and are therefore rarely detected. ... [They] are known for grabbing a foothold into a company’s network, sometimes for years, even after a company has ... taken corrective measures.

Many intrusions in this category [are] linked to China.

And Doug Woodburn has the reseller PoV:

Andy Kemshall, co-founder of rival 2FA vendor SecurEnvoy, [said] he had been fielding calls from concerned resellers. ... Former RSA executive Kemshall claimed that RSA's customers were still in the dark as to whether or not the ... centrally stored 'seed records' had been compromised.

Meanwhile, Jon Oltsik is all about the smells and bells:

Holy smokes! ... Can anyone still claim that we aren't extremely vulnerable to cyber crime, espionage, and outright attacks? ... If you are in the enterprise IT business, you are under attack -- it's as simple as that.

The security industry is an extremely attractive target. ... We need to know as much as possible to understand what happened and how to prevent the next attack.

And Finally...

The animated GIF staring competition

[Warning: British swearing in comments]

Richi Jennings, your humble blogwatcher
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email:

You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.