The fallout from the March attack on RSA has arrived. Per the news agencies—and the excellent blog post by Bob Cringely—several large defense contractors (Lockheed Martin, L-3, and potentially Northrop Grumman) were attacked using the information stolen in the March attack. The tokens associated with the stolen information should now be considered compromised. Recent events indicate that it’s very likely that the stolen information can be used to mount attacks on other RSA customers, and not just defense contractors.
RSA SecurID customers should demand replacement tokens, and the delivered tokens must be manufactured after implementation of RSA’s post-attack security procedures. Until RSA customers receive the replacement tokens and endure the subsequent pain and suffering of distributing them, customers should follow RSA’s instructions that were received after the initial attack.
While we are talking about the protection of SecurID token information, the attack vector that organizations dismiss at their peril is the on-premises storage of the token (seed record) information. I have seen many seed record CDs (OK, floppies back in the day) on the desks of system administrators or sitting on top of the SecurID server. Also, the token information can be retrieved from the server by a knowledgeable SecurID system administrator.
The reputation of the RSA SecurID OTP technology may be badly tarnished due to this attack. However, the real damage is limited to the token information that was stolen. In other words, tokens created by RSA after the attack should not be vulnerable, assuming that RSA’s new precautions are effective. By the way, did you notice that most of RSA’s competitors were publicly quiet after the March attack? You can bet that they were shoring up their OTP security. We’ll be talking about stronger authentication at the Catalyst Conference.
- Perspectives on OTP Authentication and Migration (blog)
- SecurID Redux (blog)
- Just What Happened to SecurID? (blog)
- Road Map: Replacing Passwords with OTP Authentication (research document – subscription required)
- Analysis: Lockheed hack highlights cyber-blame snags (Reuters)
- InsecureID: No more secrets? (Bob Cringely’s blog)
- Data Breach at Security Firm Linked to Attack on Lockheed (New York Times)
- Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks (Wired)