A day after the world learned of a serious breach at RSA, the Security Division of EMC Corp., involving proprietary...
information concerning its SecurID authentication products, industry experts say the incident likely won't put customers at increased risk.
In an open letter to SecurID customers posted Thursday on the company's website, RSA Executive Chairman Art Coviello wrote that RSA recently detected the attack, which he referred to as an advanced persistent threat (APT) incident. Coviello said attackers extracted "certain information" from RSA's systems "related to RSA's SecurID two-factor authentication products."
Attackers are dropping malware bots and already bypassing multifactor authentication.
The multifactor authentication technology is widely used by banks, financial institutions, government agencies and many other organizations as a key element in stringent authentication mechanisms that safeguard access to sensitive corporate systems and data.
In the letter to customers, Coviello did not reveal specific information on what data was stolen or how it may affect customers, but indicated that the breached information "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
However, experts told SearchSecurity.com that most firms have a breadth of security technologies in place beyond SecurID to guard against intrusions, namely technology that can detect anomalies that could raise an early alarm to a potential problem.
Attackers are constantly seeking account credentials and authentication keys, so it wouldn't be farfetched for an attacker to target a two-factor authentications system, said Richard Bejtlich, chief security officer and security services architect for Alexandria, Va.-based incident response firm Mandiant Corp. But companies shouldn't panic, Bejtlich said, because "good crypto works even if an attacker knows how it works."
"Many attacks against crypto are not against the algorithms but against the implementations," he added, "so no one except the people at RSA are really sure what's going on here."
It is likely, Bejtlich indicated, that the attackers used a simple technique -- like a social engineering attack or phishing scam -- to gain access to an RSA employee's machine. The level of sophistication is dependent on how long the attack remained undetected once the attacker began probing RSA's systems.
From there, the attacker's ultimate goal could have been to target a specific part of RSA SecurID implementation to find weaknesses, Bejtlich speculated, or could have been to gather information to see how the authentication system operates inside an enterprise.
"It's like a card player," Bejtlich said. "You're looking for that one little edge to gain a percentage point increase."
The good news, he said, is that most enterprises that invest in multifactor authentication are sophisticated enough to always be on the lookout for potential intruders.
"My guess is that even if it were a case where intruders were in RSA's systems for a long time, it would take months and maybe even longer for them to make good use of the information they stole," Bejtlich said.
While Coviello said the investigation into the attack is ongoing, it is not yet clear how an attacker could potentially utilize the stolen information to exploit SecurID. Scott Crawford, research director for security and risk management at Boulder, Colo.-based Enterprise Management Associates, said that attackers could have stolen anything from SecurID's source code to information on related systems and components that contribute to its effectiveness. For that reason, Crawford said, it is far too early to dismiss the seriousness of the attack and gauge the continued effectiveness of SecurID.
"We need to know more about the nature of the attack and the nature of what was actually captured to say what can be done to mitigate risk factors," Crawford said. "There are certain ways to defeat two-factor authentication that require a level of effort that makes it more difficult for an attacker to pull off, so knowing the functionality of SecurID might aid in feeding directly to other attacks."
RSA's SecurID authentication system works by assigning a seed value to an employee's user ID. On the back end, the RSA system generates a new six-digit code based on the seed value assigned to the user ID. The algorithm is considered pseudorandom, meaning that the six-digit codes aren't always randomly assigned. RSA SecurID competes with ActivIdentity Corp. and Symantec Corp., which acquired VeriSign's authentication business in a $1.2 billion deal last year.
Brad Causey, a security analyst for a U.S. bank, said the RSA attacker may not have even set out to exploit SecurID or even RSA. He speculated that the attacker may have simply gained access to a random victim's machine to steal account credentials and other lucrative data, but upon learning that the victim was affiliated with RSA, the attacker probed further.
"While there is some impact, I don't think it's devastating at all," Causey said, adding that companies with multiple, remote employees are affected the most, but even then they're more than likely using RSA as a third-factor authentication mechanism.
"If I'm an attacker, gaining access to algorithms used to generate RSA tokens won't be of much value," Causey said. "Attackers are dropping malware bots and already bypassing multifactor authentication. They can easily gain access to a victim's session once it's already established."
Causey said companies that use SecureID should heed the vendor's advice and coordinate with their RSA representative to see if there are specific batches or series of tokens that should be replaced. "This is a good reminder to double check your implementation and ensure there aren't any holes, just to be safe," he said.