Hackers have broken into the servers of RSA, the security division of EMC, and stolen information related to the company’s SecurID two-factor authentication products.
That’s the astonishing announcement made by Art Coviello, RSA’s executive chairman, in an open letter published for the firm’s thousands of corporate and government customers around the world.
Many companies and organizations use RSA’s SecurID tokens – which display a sequence of numbers that changes at a fixed interval, typically every 30 or 60 seconds – as an additional factor when staff log in to their networks. You may also have been given something similar by your online bank, as a means of proving that you are who you say you are when you try to access your account.
Coviello doesn’t give much information about the nature of what he calls the “extremely sophisticated cyber attack” against the company, and the precise risk to customers is unclear, but he does say that the stolen information “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
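To make that risk concrete: a time-based token is only as secret as the seed it holds, because the code on its display is a deterministic function of that seed and the current time. The following is an added example, not RSA's code and not the proprietary SecurID algorithm; it uses the standard HMAC-based one-time-password construction from RFC 4226 and RFC 6238 as a stand-in for any seed-based token. It assumes a 60-second step, a 6-digit tokencode and a PIN prepended to the tokencode to form the passcode; the seeds and PIN are constructed test values. It shows that whoever holds a copy of the seed can compute the same tokencode as the legitimate token, leaving the PIN as the only remaining factor.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step (60 s assumed here)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 60, window: int = 1) -> bool:
    """Server-side check that tolerates clock drift of +/- `window` steps."""
    base = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, base + drift, len(code)), code):
            return True
    return False


def verify_passcode(seed: bytes, pin: str, passcode: str, unix_time: int) -> bool:
    """Two factors: the PIN (something you know) followed by the tokencode (something you have)."""
    if len(passcode) <= len(pin):
        return False
    if not hmac.compare_digest(passcode[: len(pin)], pin):
        return False
    return verify_totp(seed, passcode[len(pin):], unix_time)


def attacker_passcode(leaked_seed: bytes, guessed_pin: str, unix_time: int) -> str:
    """What an attacker holding a stolen seed can produce: a valid tokencode, plus a PIN guess."""
    return guessed_pin + totp(leaked_seed, unix_time)


if __name__ == "__main__":
    # Constructed values: a fresh server-side seed and a user PIN, as an enrolment would create.
    server_seed = secrets.token_bytes(20)
    user_pin = "4821"
    now = int(time.time())

    # The legitimate user types PIN + the number on the token display.
    print("legit:   ", verify_passcode(server_seed, user_pin, user_pin + totp(server_seed, now), now))

    # An attacker who has obtained the seed (the scenario the article warns about) gets the
    # tokencode for free; only the PIN still stands between them and the account.
    print("seed+pin:", verify_passcode(server_seed, user_pin, attacker_passcode(server_seed, user_pin, now), now))
    print("seed only:", verify_passcode(server_seed, user_pin, attacker_passcode(server_seed, "0000", now), now))
```

The last two lines are the point: with the seed in hand, the "something you have" factor contributes nothing, and the login degrades to a PIN guess. That is exactly why RSA's own recommendations below stress strong PIN policies, lockout on repeated failures and monitoring of the authentication infrastructure.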
RSA says it will be providing its security customers with “immediate steps for them to take to strengthen their SecurID implementations.”
In a filing with the Securities and Exchange Commission, RSA published the following recommendations:
* We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
* We recommend customers enforce strong password and PIN policies. We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
* We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
* We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
* We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
* We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
* We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
* We recommend customers update their security products and the operating systems hosting them with the latest patches.
No doubt more information will begin to come out soon, as RSA’s clients reveal what else they have gleaned from the company.
There’s no mention of it in Art Coviello’s letter to customers, but I would imagine that the firm has informed the computer crime authorities. RSA is, after all, the victim of a criminal act.
OMG, thanks for posting this. How the heck can individuals protect ourselves when these mega security firms are being taken to task over and over again? Jeezuz, thanks for posting this. I guess the next step will be biometric scanning, and then the bad guys will find a way around that too. Unbelievable!
Many believe biometric scanning is in fact a bad idea, as biometrics are essentially data points that you share with everyone you meet, every day. Biometrics are the equivalent of walking around with your password tattooed on your forehead; easily forged, but difficult to change yourself.
Even with this data leakage, two-factor authentication (a password you know, a one-time code you have) is stronger than most other authentication methods out there. Unless having the data allows the thieves to find an exploit in the implementation, or includes the serial-number-to-fob mapping and the customer private keys and number seed, the security of two-factor authentication with RSA fobs has been, at worst, mildly eroded.
Even if the fob and customer private keys are now known and there's been an exploit found in the number generation code, the information is useless if your company is enforcing strong password use along with the recommendations posted above.
And that's not even taking into consideration the dangers of theft of biometric authentication (cutting off hands, ripping out eyeballs – yes this HAS happened).
Reminds me of the Blizzard Authenticators for WoW and battle.net gaming service. I wonder if the same company was contracted to make them and if we will see a rise in the number of compromised accounts…
Nah. The system isn't run by RSA. The authentication method is actually quite common. It's called a security token: http://en.wikipedia.org/wiki/Security_token