
**Updated** RSA Breached: SecurID Affected

By Rich

You will see this all over the headlines during the next days, weeks, and maybe even months. RSA, the security division of EMC, announced they were breached and suffered data loss.

Before the hype gets out of hand, here’s what we know, what we don’t, what you need to do, and some questions we hope are answered:

What we know

According to the announcement, RSA was breached in an APT attack (we don’t know if they mean China, but that’s well within the realm of possibility) and material related to the SecurID product was stolen.

The exact risk to customers isn’t clear, but there does appear to be some risk that the assurance of your two factor authentication has been reduced.

RSA states they are communicating directly with customers with hardening advice. We suspect those details are likely to leak or become public, considering how many people use SecurID. I can also pretty much guarantee the US government is involved at this point.

> Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

What we don’t know

We don’t know the nature of the attack. They specifically referenced APT, which means it’s probably related to custom malware, which could have gotten in a few different ways – a web application attack (SQL injection), email/web phishing, or physical access (e.g., an infected USB device – deliberate or accidental). Everyone will have their favorite pet theory, but right now none of us know cr** about what really happened. Speculation is one of our favorite pastimes, but largely meaningless other than as entertainment, until details are released (or leak).

We don’t know how SecurID is affected. This is a big deal, and the odds are just about 100% that this will leak… probably soon. For customers this is the most important question.

What you need to do

If you aren’t a SecurID customer… enjoy the speculation.

If you are, make sure you contact your RSA representative and find out if you are at risk, and what you need to do to mitigate that risk. How high a priority this is depends on how big a target you are – the Big Bad APT isn’t interested in all of you.

The letter’s wording might mean the attackers have a means to generate certain valid token values (probably only in certain cases). They would also need to compromise the password associated with that user. I’m speculating here, which is always risky, but that’s what I think we can focus on until we hear otherwise. So reviewing the passwords tied to your SecurID users might be reasonable.

Open questions

  1. While we don’t need all the details, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?
  2. How is SecurID affected and will you be making mitigations public?
  3. Are all customers affected or only certain product versions and/or configurations?
  4. What is the potential vector of attack?
  5. Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?

Finally – if you have a token from a bank or other provider, make sure you give them a few days and then ask them for an update.

If we get more information we’ll update this post. And sorry to you RSA folks… this isn’t fun, and I’m not looking forward to the day it’s our turn to disclose.

Update 19:20 PT: RSA let us know they filed an 8-K. The SecureCare document is linked here and the recommendations are a laundry list of security practices… nothing specific to SecurID. This is under active investigation and the government is involved, so they are limited in what they can say at this time. Based on the advice provided, I won’t be surprised if the breach turns out to be email/phishing/malware related.

Comments

While it would be interesting to know the details of how the attack took place, they are mostly irrelevant for RSA’s SecurID customers. What I hope RSA will share with the community is:

1. How the knowledge of RSA’s SecurID *algorithms* might provide the attacker with an advantage in bypassing token-based authentication.

2. How the knowledge of RSA’s SecurID *implementation* might provide the attacker with an advantage in bypassing token-based authentication.

RSA’s open letter keeps these aspects of the breach ambiguous, which prevents its customers from assessing the risk that the incident places upon their organizations.

—Lenny Zeltser (zeltser.com)

By Lenny Zeltser on


A couple of years back we had a security manager from a large financial institution come and lecture us at University as a guest lecturer.

I remember him gloating over their 2 factor authentication implementation and I had to tell him that it was not THAT secure, at the end of the day the little SecurID device runs some code inside and like any other code, that is susceptible to being reproduced and exploited.

He replied no, there is really no danger. Maybe I’ll email him to say hello, told you so ;)

By Nick T. on


Thanks for the thoughtful writeup. This is helpful information.

By Andrew Pollack on


APT…we are going to hear this over and over.  Most organizations of any worth have probably been compromised by APT actors.  Night Dragon, Aurora…it’s been around quite a while (years).  Most people don’t know how to find it, most security tools don’t stop it, but eventually something will catch it, but it will likely take some time.  Unfortunately lots of consultants and vendors are beginning to offer some type of APT solution.  The fact is, one doesn’t exist.  That’s the point of APT.  Unless you know what you are looking for, and what their TTPs are, you don’t stand much of a chance.  The days of buying tools or bringing on consultants to solve these types or problems are gone, if they were ever here.  What it comes down to, is good old data analysis, along with some information sharing.  Yes, you actually have to look at your data, perform intrusion analysis, intelligence analysis…go figure.  We can’t just buy a tool.  Someone is going to take one for the team.  Just hope it’s not your organization.  BUT, if it is, share what you learned so we can all learn.

By Bob Huber on


While you guessed at the meaning of the term “Advanced Persistent Threat”, I Googled it and found the correct definition:

An Advanced Persistent Threat (APT) involves advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government. The global landscape of APTs from all sources is sometimes referred to in the singular as “the” APT.

By Derek Brooks on


Were the keys that reside in each token compromised? Will EMC RSA replace those compromised tokens for free?

Shouldn’t the EMC SIEM have detected this APT attack?

By OLsen Gripper on


Derek, one minor error, reference to “the” APT is a term of art with specific meaning, not a collective.  If I tell you any more I’d have to kill you.  :-)  ‘nuff said?

A point about APTs in general, and “the” APT in particular is that the offense has gotten a big lead in this area, and they are eating our lunch.  Bob Huber made a very good point.  There are places where schools churn out students who produce the APT elements, practice against various targets, and have turned it into a pervasive reality.  The need for a paradigm shift from defending the network to accepting it is compromised has been voiced by some observers, now it needs to be embraced by all of us.

By Unnamed Source on


APT, when boiled down to its basic form, is a branding used to identify the current attack vectors organizations already experience, e.g. malware, rogueware, web vulnerabilities, etc. The one distinction about APT is the persistent nature and global scope of the attack scenario. Instead of infecting as many computers or files, for example, an APT’s target is more precise and targeted to learn as much about the target over a period of several months. Therefore, the current methods used as a defense are sufficient when used in conjunction with a proactive monitoring and auditing program.

By Mark Wireman on


The whole point of two factor authentication is two _independent_ authentication mechanisms.  This very basic principle of the architecture is such that if one is completely compromised, the other acts as a layer of protection.  As such, if properly implemented, this really shouldn’t be a big deal to an individual corporation.  For RSA, it means potentially re-distributing SecurID with new keys, and so understand for them this may be costly, but from a security perspective, if you are doing your job right, this is noteworthy but not front-page news.

By gonzarthegreat on


It is safe to assume that this involves more than just the algorithm/source code.  The algorithm behind SecurID token code generation has been public for years now:  it is AES-128 in ECB mode, used to hash the following 3 pieces of input:

1) A 128-bit token-specific random seed
2) 64-bit representation of the current date and time
3) Token serial number (32-bit)

The security of the scheme does not depend on the knowledge of the algorithm.  If a database containing the mapping between token serial numbers and the random 128-bit seeds they were injected with were stolen, however, that would be a big problem.

Reflections on Security

By Jacob Gajek on
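To make the two points above concrete (Jacob Gajek’s observation that the seed table, not the public algorithm, is the asset that matters, and gonzarthegreat’s point that the two factors must be independent), here is an added example, written for this page and not RSA’s code nor the SecurID algorithm. It models a token code as AES-128 keyed with a 128-bit per-token seed over a block holding the 32-bit serial and a 60-second time step, following the three inputs listed in the comment; the block layout, the six-digit truncation, the one-step clock-drift window, the HMAC-based password hash and all names (`TokenCode`, `Server`, `Verify`, the sample seed and password) are my assumptions. The server recomputes the code from its own copy of the seed, which is exactly why a stolen seed table reconstructs the token factor and why the password factor that Rich suggests reviewing has to stand on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// TokenCode derives a six-digit code from the three inputs the comment lists:
// a 128-bit per-token seed (the AES-128 key), the 32-bit serial number and the
// current 60-second time step, packed into one block and encrypted in
// single-block ECB fashion. Simplified model for illustration, not RSA's.
func TokenCode(seed [16]byte, serial uint32, step uint64) (uint32, error) {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		return 0, err
	}
	var in, out [16]byte
	binary.BigEndian.PutUint32(in[0:4], serial)
	binary.BigEndian.PutUint64(in[4:12], step)
	block.Encrypt(out[:], in[:])
	return binary.BigEndian.Uint32(out[0:4]) % 1000000, nil
}

// Step maps wall-clock time to the 60-second counter token and server share.
func Step(at time.Time) uint64 { return uint64(at.Unix()) / 60 }

// account is what the server stores per user: a salted password hash
// (first factor) and the serial of the assigned token (second factor).
type account struct {
	salt   [16]byte
	pwHash []byte
	serial uint32
}

// Server holds the serial-to-seed table, the asset whose theft the comment
// identifies as the real problem, alongside the user accounts.
type Server struct {
	seeds    map[uint32][16]byte
	accounts map[string]account
}

func NewServer() *Server {
	return &Server{seeds: map[uint32][16]byte{}, accounts: map[string]account{}}
}

// hashPassword uses HMAC-SHA256 to keep the example dependency-free; a real
// deployment would use a deliberately slow KDF (bcrypt, scrypt, Argon2).
func hashPassword(salt [16]byte, pw string) []byte {
	m := hmac.New(sha256.New, salt[:])
	m.Write([]byte(pw))
	return m.Sum(nil)
}

// Enroll registers a user and injects the token seed into the seed table.
func (s *Server) Enroll(name, pw string, serial uint32, seed, salt [16]byte) {
	s.seeds[serial] = seed
	s.accounts[name] = account{salt: salt, pwHash: hashPassword(salt, pw), serial: serial}
}

// Verify checks both factors independently: the password must match, and the
// code must equal the server's own recomputation for the current step or the
// previous one (one step of drift tolerated). Both are evaluated before the
// decision so a bad password does not short-circuit the token check.
func (s *Server) Verify(name, pw string, code uint32, at time.Time) bool {
	acct, ok := s.accounts[name]
	if !ok {
		return false
	}
	seed, ok := s.seeds[acct.serial]
	if !ok {
		return false
	}
	pwOK := hmac.Equal(acct.pwHash, hashPassword(acct.salt, pw))
	codeOK := false
	now := Step(at)
	for _, st := range []uint64{now, now - 1} {
		if expect, err := TokenCode(seed, acct.serial, st); err == nil && expect == code {
			codeOK = true
		}
	}
	return pwOK && codeOK
}

func main() {
	// Constructed sample values; real seeds are injected at manufacture.
	seed := [16]byte{0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
	salt := [16]byte{7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7}
	srv := NewServer()
	srv.Enroll("alice", "correct horse battery", 4242, seed, salt)
	now := time.Now()
	code, _ := TokenCode(seed, 4242, Step(now)) // what the token would display
	fmt.Printf("code %06d, both factors valid: %v\n", code,
		srv.Verify("alice", "correct horse battery", code, now))
	fmt.Printf("valid code, wrong password: %v\n",
		srv.Verify("alice", "guessed password", code, now))
}
```

The design choice worth noting is in `Verify`: the password and the code are each computed and compared before the result is combined, so a leaked seed table turns the login into a password-only check rather than a bypass, and nothing in the flow lets a valid code substitute for the password.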

