
RSA Admits SecurID Tokens Have Been Compromised

Posted by CmdrTaco
from the hey-i-have-one-of-those dept.
A few months ago, RSA servers were hacked, and a few weeks ago duped tokens were used to hack Lockheed-Martin. Well, today Orome1 writes "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman — one of them confirmed by the company, others hinted at by internal warnings and unusual domain name and password reset process."
  • Re:Dear Customers... (Score:4, Informative)

    by fuzzyfuzzyfungus (1223518) on Tuesday June 07, 2011 @08:48AM (#36361774) Journal
    If they need to check the list of seeds they've already used, their seed length is arguably way, way, way too short. With sufficient seed length, the risk isn't quite zero; but it is so vanishingly close that it doesn't matter.

    Since the algorithm that the tokens use is public knowledge, anybody can, for a given seed, compute the token display value at time T. If the seed-space were so small that RSA needed to do duplicate checks, rather than just resting assured in the fact that they'd need to issue a fob to every proton in the universe before the risk of duplication rises above 1%, then there would be the theoretical danger that an attacker could just brute-force things by computing each seed chain, and then inferring the target fob's seed by sampling its output at one or more times and seeing which seed chain it matched...
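
The seed-length argument in the comment above can be checked numerically. The following is an added example, not part of the original comment or of any RSA code: it assumes seeds are drawn uniformly at random and that a token displays 6-digit codes, and the seed lengths are illustrative choices.

```python
import math

def collision_probability(n_tokens: int, seed_bits: int) -> float:
    """Birthday bound: chance that at least two of n random seeds are equal."""
    # P ~= 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps tiny values from rounding to 0
    exponent = -(n_tokens * (n_tokens - 1)) / float(2 ** (seed_bits + 1))
    return -math.expm1(exponent)

def tokens_for_risk(seed_bits: int, risk: float) -> int:
    """Approximate number of issued tokens at which duplicate risk reaches `risk`."""
    # Solve n^2 / 2^(bits+1) = -ln(1 - risk) for n
    return math.isqrt(int(-math.log1p(-risk) * 2 ** (seed_bits + 1)))

def samples_to_pin_seed(seed_bits: int, digits: int = 6) -> int:
    """Lower bound on displayed codes needed before only one seed fits them all."""
    # Each d-digit code reveals at most log2(10^d) bits about the seed
    return math.ceil(seed_bits / (digits * math.log2(10)))

if __name__ == "__main__":
    # Seed lengths below are assumptions chosen for comparison
    for bits in (32, 64, 128):
        print(f"{bits:3d}-bit seed: "
              f"1% duplicate risk after ~{tokens_for_risk(bits, 0.01):.3e} tokens, "
              f"P(dup) at 1e9 tokens = {collision_probability(10**9, bits):.3e}, "
              f"{samples_to_pin_seed(bits)} codes identify a seed in principle")
```

A handful of displayed codes carries enough information to single out a seed at any of these lengths, so the protection comes from the size of the seed space making enumeration infeasible, not from the output hiding the seed.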
  • Re:Dear Customers... (Score:5, Informative)

    by PIBM (588930) on Tuesday June 07, 2011 @09:18AM (#36362078) Homepage

    I remembered reading about this, and the failure modes were quite important to me. Let me quote Wikipedia on this:

    Section 4.1.1 of the specification describes additional attacks that may require mitigation, such as differential power analysis. If a product contains countermeasures against these attacks, they must be documented and tested, but protections are not required to achieve a given level. Thus, a criticism of FIPS 140-2 is that the standard gives a false sense of security at Levels 2 and above because the standard implies that modules will be tamper-evident and/or tamper-resistant, yet modules are permitted to have side channel vulnerabilities that allow simple extraction of keys.
