Extremely sophisticated cyber attack against RSA
The network of one the world’s largest and trusted security firms has been breached, and an unknown amount of information about its popular multifactor authentication technology has been stolen. Customers are worried about what form potential attacks could take.
The SecurID information that was stolen would not allow attackers to launch a successful direct attack on existing SecureID customers, Art Coviello, executive chairman of RSA Security, a division of the data management company EMC Corporation, wrote in an open letter to customers posted on the company’s Website March 17. However, the company acknowledged the information could be potentially used to “reduce the effectiveness” of an existing SecurID deployment as part of a broader attack.
The RSA announcement touched off intense speculation about whether RSA’s popular SecurID tokens, which are carried on key chains and in wallets of millions of corporate and government users, have been significantly compromised.
The system is intended to provide additional security beyond a simple user name and password by requiring users to append a unique number generated by the token each time they connect to their corporate or government network.
A potential weakness that could be exploited involves a factory-installed key called a seed. Typically 16 characters, it is different for each token and is stored on a corresponding computer server program, which authenticates the session each time a user connects to a secure network.
If the database containing customers seeds was taken, the intruder might still not know which user had which seed, but cryptographers said it would be possible to use a reverse-engineered version of the RSA algorithm to determine that information by simply capturing a single log-in session. That would be a potentially serious vulnerability that could be exploited by a sophisticated attacker.
RSA notified the federal government, whose agencies widely use the tokens to guard access to its networks, some time before the public announcement was made. On Wednesday, the Computer Emergency Readiness Team in the Department of Homeland Security posted a “Technical Information Paper” on its Web site describing a set of security practices meant to limit vulnerability to attacks based on the stolen information, according to a person close to the organization.
What the actual risk is and what precautions a user of the key fobs and wallet-size cards depends on what was taken in the theft.
The worst case is that the vulnerability created by the theft might require companies to replace the secure tokens; the vulnerability might also force RSA to rethink the design of its SecurID system.