Sowing the Seeds of Token PanicBy Mike Rothman
It was just a matter of time. After the EMC/RSA breach in March, the clock started ticking relative to the seeds being used to gain access to something important. According to Bob Cringely, that has now happened with a very large US defense contractor having their remote access network compromised.
Since it had been a pretty slow news week (how long can we talk about the LinkedIn IPO?), now every beat reporter will write 10 articles on the impact of this new attack. It’s just a matter of time before we see picketing at RSA HQ, demanding new tokens for all. We’ll see the old timers talk about the good old days to time sharing. Security folks will be called before the executive team to discuss the exposure and whether the tokens are still worth a damn. Wash, rinse, repeat. We’ve seen this movie before.
Now I don’t have any inside information about this new attack. But the reality of two factor authentication means you need both something you have and something you know. If 2FA is based on an RSA token (and the seeds were stolen), then the attackers have the token. But they don’t have the code (something you have) required to gain access. Unless the device was compromised separately using a different attack, mostly likely a key logger to capture the passcode. The loss of the seed does not compromise your network. But the loss of the seed and the passcode will. That’s an important distinction.
Is the inevitable panic justified? Of course not. We are presumably dealing with APT, which means they will get into a network by whatever means necessary. Advanced or not. They got the seeds, and then compromised a device with remote access. Game over. They are in. Let’s just say a company tossed all their RSA tokens and brought in someone else. Guess what? Then the attackers would compromise a device already on the network, taking the 2FA out of play.
And that’s really the point. Remember the words by any means necessary. Sure, RSA will likely have to stamp out millions of new tokens. Customers will demand no less. Yes, it will cost them money, but it’s a drop in the bucket for a company like EMC. Yes, issuing new tokens will stop this specific attack vector. But it will not stop this specific attacker.
So panic all you want. They are still going to get in. Which underlines the key point in Cringely’s article. “The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it.” We’ve been talking about reacting faster and better for years. Significant network and system monitoring, and if you are specifically a targeted organization, network full packet captures are not options anymore.
What should you do? Use the panic to your advantage. These are some pretty good data points to push through the funding for that full packet capture gear or a new network/systems monitoring service, eh? Or maybe the application white listing technology for those devices with access to critical stuff. Whatever the specific controls you need to add, strike while panic is cresting. Now that’s what I call making lemonade out of a bunch of lemons.
Photo credits: “Panic!” originally uploaded by Memphis CVB