Several weeks after RSA announced a breach involving its SecurID two-factor authentication products, the company is aggressively planning changes to some of its manufacturing and shipping processes to address the security of SecurID, according to sources close to RSA.
Climate change in the threat landscape may require reanalysis and retooling of how we design, create and share our IP in safe and secure ways.
Josh Corman, Research Director, 451 Group
Products delivered for SecurID deployments will now consist of multiple shipments, adding extra stages in the manufacturing and packaging process to build in protections, SearchSecurity.com has confirmed through multiple sources. RSA keyfobs ship in a variety of versions and could be ordered in packs of 5 to 250. They are manufactured at facilities in several locations, including China.
“It will still be a [keyfob], it’s still the same architecture and it’s still extremely strong. It’s not as though there was a flaw in the product that was exploited. It’s not as though two-factor is dead and RSA has to come up with something new,” a source said.
Sources wouldn't disclose further specifics, but said the NetWitness network monitoring system enabled the company to ensure the attackers "didn't empty the coffers of RSA or SecurID." In addition, the vendor is hardening protections around all its product proprietary data.
Experts said the move suggests that RSA is putting safeguards in place to guard against cybercriminals obtaining keyfob serial numbers or other identifying information about a token at a single source.
Rich Mogull, founder of Phoenix-based independent information security consulting firm Securosis, said RSA is trying to ensure attackers can’t pull the ID numbers off the keyfobs and combine the information with seed data and a social engineering attack on a customer in the future. Even with the serial numbers, an attack would be extremely difficult, he said. Cybercriminals would need information about the token, access to the customer’s SecurID management server, and information about individual users and their PINs.
“There are still a lot of open questions that when answered by RSA will help us get a handle of the threat and make an accurate risk assessment,” Mogull said. “Changing the shipping processes or rerouting the shipping to other facilities I’m sure would help make attacks even more difficult in the future.”
RSA has not yet confirmed whether its seed records were exposed during the breach, but some experts believe the changes being put in place and its advice to customers suggest that the secret keys used to generate one-time passwords may have been exposed to cybercriminals during the breach, which RSA made public three weeks ago. In addition, one of the sources who declined to be named said that over time new keyfobs would be issued to high-risk customers others could see software changes or both.
Chris Ipsen, CSO of the State of Nevada, which uses SecurID in some of its law enforcement operations, was notified of the breach a day before RSA president Art Coviello went public with the SecurID breach announcement. Ipsen said RSA’s SecurID server has a logging component that can be monitored to look for access patterns and anomalous trends. “So far we haven’t seen anything that gives us pause,” Ipsen said.
“Expectation is that going forward I suspect a component of it will be enhanced and as a result we’ll have a better product than we have now,” he added.
Ipsen said breach notifications are no longer shocking to him, because he “doesn’t expect anything to be secure anymore.” RSA was forthcoming, he said. They did the right thing by talking to customers and then issuing detailed documentation to mitigate against any potential threats.
“You can’t be impassioned about it,” Ipsen said. “You have to be systematic about it, and that’s what RSA is doing.”
The company released more details April 1, calling the breach a classic advanced persistent threat (APT). It began with two waves of spear phishing attacks targeted at low-level employees. The attackers used an attached Excel file titled "2011 Recruitment plan.xls.” One of the employees retrieved the message from their junk mail folder and opened the file, unleashing malware that targeted an Adobe Flash zero-day vulnerability. Once inside, the attackers maneuvered accounts with privileged access and used a remote administration tool to steal data that would eventually be sent via FTP to remote servers.
Response teams were called in to isolate the attack and investigate whether any other systems had been breached, and within hours, the company’s crisis response plan was thrown into full gear. Support staff and engineering teams were conducting briefings with affected customers -- many of those briefings under non-disclosure agreements -- based on the customer’s specific exposure.
Even if the seeds had been breached, experts say the cybercriminals would need to use extremely sophisticated measures, including some luck, to use the data in an attack against companies or government agencies. In the RSA SecurID system, users are given a keyfob that has a factory-encoded key or “seed” used to generate a random token code. Users also set their own four- to eight-digit PIN. The PIN and token code is combined into a password to access a secure server.
While SecurID won’t be redesigned into something radically different, any company that can revamp its engineering, manufacturing or shipping cycles to address the changing threat landscape is smart, said Joshua Corman, research director of the enterprise security practice at the 451 Group.
“Whenever you assume a design is an optimal design, when things around you change, it’s probably a bad assumption,” Corman said. “Climate change in the threat landscape may require reanalysis and retooling of how we design, create and share our IP in safe and secure ways.”
The idea of continuous process improvement is a sound thing to do, even in lieu of security concerns, Corman said. Companies need to dramatically improve visibility and situational awareness to notice if something is happening and stop it before a breach.
“My belief is that as [RSA] is able to reveal more information they will be forthcoming and update not only their clients but also the industry,” Corman said. “Others need to have a detailed and accurate betrayal of what has happened to help them secure their own IP.”