
**Updated** RSA Breached: SecurID Affected

You will see this all over the headlines during the next days, weeks, and maybe even months. RSA, the security division of EMC, announced they were breached and suffered data loss.

Before the hype gets out of hand, here’s what we know, what we don’t, what you need to do, and some questions we hope are answered:

What we know

According to the announcement, RSA was breached in an APT attack (we don’t know if they mean China, but that’s well within the realm of possibility) and material related to the SecurID product was stolen.

The exact risk to customers isn’t clear, but there does appear to be some risk that the assurance of your two-factor authentication has been reduced.

RSA states they are communicating directly with customers with hardening advice. We suspect those details are likely to leak or become public, considering how many people use SecurID. I can also pretty much guarantee the US government is involved at this point. Here is the key passage from RSA’s open letter:

> Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

What we don’t know

We don’t know the nature of the attack. They specifically referenced APT, which means it’s probably related to custom malware, which could have been introduced in a few different ways – a web application attack (e.g., SQL injection), email/web phishing, or physical access (e.g., an infected USB device – deliberate or accidental). Everyone will have their favorite pet theory, but right now none of us know cr** about what really happened. Speculation is one of our favorite pastimes, but it is largely meaningless other than as entertainment until details are released (or leak).

We don’t know how SecurID is affected. This is a big deal, and the odds are just about 100% that this will leak… probably soon. For customers this is the most important question.

What you need to do

If you aren’t a SecurID customer… enjoy the speculation.

If you are, make sure you contact your RSA representative and find out if you are at risk, and what you need to do to mitigate that risk. How high a priority this is depends on how big a target you are – the Big Bad APT isn’t interested in all of you.

The letter’s wording might mean the attackers have a means to generate certain valid token values (probably only in certain cases). Even then, they would also need to compromise the password or PIN associated with that user, since the token code is only one of the two factors. I’m speculating here, which is always risky, but that’s what I think we can focus on until we hear otherwise. So reviewing the passwords and PINs tied to your SecurID users might be reasonable.
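To make the speculation above concrete, here is an added illustration (my own code, not from the post, from RSA, or from any SecurID implementation) of what “reduce the effectiveness of two-factor authentication” means if per-token seed material leaks. SecurID’s algorithm is proprietary and is not reproduced here; the public RFC 4226/6238 HOTP/TOTP construction stands in for it, using the RFC’s published test seed as a constructed demo seed, a hypothetical user record for “alice”, and a 60-second step to mimic SecurID’s once-a-minute rotation. The point it demonstrates: whoever holds the seed computes the same code the token displays, so the only remaining barrier is the user’s password/PIN.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test vector "12345678901234567890").
# Real SecurID seeds are provisioned by RSA per token; this is not one of them.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
TIME_STEP = 60  # seconds; assumption chosen to mimic SecurID's per-minute rotation


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, now // step)


# Constructed server-side records. The seed is the "something you have" factor,
# the password/PIN is the "something you know" factor. Hypothetical user.
USERS = {
    "alice": {"seed": TOKEN_SEED, "password": "correct horse"},
}


def authenticate(user: str, password: str, code: str, now: int, window: int = 1) -> bool:
    """Two-factor check: both the shared secret and a current token code are required.

    `window` tolerates +/- one time step of clock drift between token and server.
    """
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(password, rec["password"]):
        return False
    counter = now // TIME_STEP
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(rec["seed"], counter + skew), code):
            return True
    return False


def attacker_code(leaked_seed: bytes, now: int) -> str:
    """What an attacker holding an exported seed can compute with no physical token.

    Identical to the code the legitimate token shows at the same moment, which is
    why a seed leak collapses the token factor and leaves only the password/PIN.
    """
    return totp(leaked_seed, now)


if __name__ == "__main__":
    now = 1300400000  # constructed timestamp (March 2011)
    legit = totp(TOKEN_SEED, now)
    stolen = attacker_code(TOKEN_SEED, now)
    print("token shows:", legit, "| attacker computes:", stolen)
    print("seed + guessed password:", authenticate("alice", "wrong", stolen, now))
    print("seed + real password:   ", authenticate("alice", "correct horse", stolen, now))
```

The practical reading is the same as the post’s advice: if seeds were exposed, the strength of the whole login reduces to the strength of the password or PIN, so weak or shared PINs on SecurID-protected accounts are the first thing to review, and a tight drift `window` limits how long a captured code stays usable.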

Open questions

  1. While we don’t need all the details, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?
  2. How is SecurID affected and will you be making mitigations public?
  3. Are all customers affected or only certain product versions and/or configurations?
  4. What is the potential vector of attack?
  5. Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?

Finally – if you have a token from a bank or other provider, make sure you give them a few days and then ask them for an update.

If we get more information we’ll update this post. And sorry to you RSA folks… this isn’t fun, and I’m not looking forward to the day it’s our turn to disclose.

Update 19:20 PT: RSA let us know they filed an 8-K. The SecurCare document is linked here and the recommendations are a laundry list of general security practices… nothing specific to SecurID. This is under active investigation and the government is involved, so they are limited in what they can say at this time. Based on the advice provided, I won’t be surprised if the breach turns out to be email/phishing/malware related.

—Rich


Comments:


By Lenny Zeltser  on  03/18  at  12:39 AM

While it would be interesting to know the details of how the attack took place, they are mostly irrelevant for RSA’s SecurID customers. What I hope RSA will share with the community is:

1. How the knowledge of RSA’s SecurID *algorithms* might provide the attacker with an advantage in bypassing token-based authentication.

2. How the knowledge of RSA’s SecurID *implementation* might provide the attacker with an advantage in bypassing token-based authentication.

RSA’s open letter keeps these aspects of the breach ambiguous, which prevents its customers from assessing the risk that the incident places upon their organizations.

—Lenny Zeltser (zeltser.com)

By Nick T.  on  03/18  at  12:48 AM

A couple of years back we had a security manager from a large financial institution come and lecture us at University as a guest lecturer.

I remember him gloating over their 2 factor authentication implementation and I had to tell him that it was not THAT secure, at the end of the day the little SecurID device runs some code inside and like any other code, that is susceptible to being reproduced and exploited.

He replied no, there is really no danger. Maybe I’ll email him to say hello, told you so ;)

By Andrew Pollack  on  03/18  at  02:12 AM

Thanks for the thoughtful writeup. This is helpful information.

By Bob Huber  on  03/18  at  03:56 AM

APT…we are going to hear this over and over. Most organizations of any worth have probably been compromised by APT actors. Night Dragon, Aurora…it’s been around quite a while (years). Most people don’t know how to find it, most security tools don’t stop it, but eventually something will catch it, though it will likely take some time. Unfortunately lots of consultants and vendors are beginning to offer some type of APT solution. The fact is, one doesn’t exist. That’s the point of APT. Unless you know what you are looking for, and what their TTPs are, you don’t stand much of a chance. The days of buying tools or bringing on consultants to solve these types of problems are gone, if they were ever here. What it comes down to is good old data analysis, along with some information sharing. Yes, you actually have to look at your data, perform intrusion analysis, intelligence analysis…go figure. We can’t just buy a tool. Someone is going to take one for the team. Just hope it’s not your organization. BUT, if it is, share what you learned so we can all learn.

By Derek Brooks  on  03/18  at  02:49 PM

While you guessed at the meaning of the term “Advanced Persistent Threat”, I Googled it and found the correct definition:

An Advanced Persistent Threat (APT) involves advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government. The global landscape of APTs from all sources is sometimes referred to in the singular as “the” APT.

By Emir Ruzdic  on  03/21  at  02:16 AM

We don’t know if this was really an APT. EMC would like to make us believe that this was an “extremely sophisticated cyber attack”, which is the only way they can justify the breach. This is damage control for EMC right now and there are only two ways they can spin this: admit to bad security practices, or make us believe in the extremity and sophistication of this master plan to take over the world and that no one is safe. This is just a theory.

By tamer  on  03/22  at  11:55 AM

One point: what went wrong with other RSA products such as DLP and RSA enVision, where these products should be able to detect this type of attack, even though APT is a slow attack?

Correct me if I am wrong, but DLP should be able to detect the transfer of sensitive information, and enVision should detect anomalies in the logs and correlate all events during the period of the attack.

Thoughts please

By Jason  on  03/22  at  10:08 PM

It’s painfully obvious this situation is serious.  Typically when executive management communicates and when the communication is vague (at best), the issue is something more serious.  I’m sure RSA is scrambling to make changes to their technology.  In the mean time, we (customers) sit in a “window of opportunity.”  Perhaps at some point, Wikileaks will correlate all the data and present some meaningful information.

By nightjoe  on  06/24  at  07:36 PM

Bob H is correct.  Admins need to persistently take an advanced look at their data.  Back when I had a job, I would spend 1 Hr. a day doing this.  You can rely on this tool and that tool.  The tools are just that, tools.  It’s great to have the help; but, a company needs a trained Admin who looks at the data each day.  It’s kind of a dull job.

I speculate it is more likely that RSA had a weak system that got broken into.  The dual key customer information was not protected well enough.  Using the info will be tough because the perpetrator will need to do a brute force attack to find the matching password. 

Good security starts at home.  Don’t outsource your systems to some opaque corporation.  RSA/EMC is the one who can’t be trusted.
