
RSA Admits SecurID Tokens Have Been Compromised

Posted by CmdrTaco
from the hey-i-have-one-of-those dept.
A few months ago, RSA servers were hacked, and a few weeks ago duped tokens were used to hack Lockheed Martin. Well today Orome1 writes "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman — one of them confirmed by the company, others hinted at by internal warnings and unusual domain name and password reset process."

  • by cultiv8 (1660093) on Tuesday June 07, 2011 @08:50AM (#36361234)
    Sit back peoples, get some popcorn, this should be interesting...
  • Anybody know? (Score:4, Interesting)

    by fuzzyfuzzyfungus (1223518) on Tuesday June 07, 2011 @09:01AM (#36361322)
    Are there any big, important checkbox-compliant certifications that RSA's customers might have been using the (Not Cheap) RSA tokens to obtain that, as a consequence of this sordid episode, might no longer be attainable with RSA gear? That seems like it would be a fitting punishment for RSA's questionable security practices and even more questionable disclosure practices; but I'm afraid that I haven't wrapped my head around the alphabet soup of compliance acronyms in different areas enough to know.
  • Re:Cyber intrusions (Score:5, Interesting)

    by TerranFury (726743) on Tuesday June 07, 2011 @09:08AM (#36361382)

    ...and 1947 turns the dial on its rotary phone to call both '92 and '84:

    From here [theorem.net]:

    It is worth noting that the Greek word for governor is κυβερνᾶν. In 1947, Norbert Wiener at MIT was searching for a name for his new discipline of automata theory: control and communication in man and machine. In investigating the flyball governor of Watt, he investigated also the etymology of the word κυβερνᾶν and came across the Greek word for steersman, κυβερνήτης. Thus, he selected the name cybernetics for his fledgling field.

    In other words...

    (Cyber = steering/adjustment/feedback) + (net = networks/interconnection) + (ics = study of)

  • Our secure tokens are Yubikeys [yubico.com]. We use RFID for physical access and the challenge response protocol for authentication.

    We didn't like the thought of having to trust a 3rd party with our keys, so we run our own authentication services and use our own "seeds". This way we have one less attack/exploit surface (the MFG) to worry about -- Looks like it paid off for us this time!

    Key Lifecycle Management

    Re-configuration of YubiKeys by customers

    For high security environments, customers may select not to share the AES key information for their YubiKeys outside of their organization. Customers may also for other reasons want to be in control of all AES keys programmed into the Yubikey devices. Yubico therefore supports the use of a personalization tool to reconfigure the YubiKeys with new AES keys and meta data.

    If RSA has your keys... are they really secure?!?!!
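The commenter's argument is that a challenge-response token whose secret is generated and held only by the organisation's own verifier removes the manufacturer from the trust chain. The following is an added example illustrating that model; it is not the commenter's code, not Yubico's, and does not speak the YubiKey wire protocol. It uses HMAC-SHA1 (the primitive YubiKey's challenge-response mode is based on) over a verifier-issued nonce, with the per-token secret generated locally at enrolment. The `Token`, `Verifier`, `enrol`, `challenge` and `verify` names, the token id `alice-token` and the 30-second challenge lifetime are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time

# Assumed for this example: a challenge is only accepted for 30 seconds.
CHALLENGE_TTL_SECONDS = 30


class Token:
    """Hypothetical hardware token: holds one secret and answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA1 over the challenge, keyed with the token's secret.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class Verifier:
    """Self-hosted authentication service: owns the seeds and issues challenges."""

    def __init__(self):
        self._secrets = {}   # token_id -> secret; never leaves this host
        self._pending = {}   # challenge -> (token_id, issued_at)

    def enrol(self, token_id: str) -> bytes:
        # Seed is generated locally at enrolment; no third party ever sees it.
        secret = secrets.token_bytes(20)
        self._secrets[token_id] = secret
        return secret

    def challenge(self, token_id: str, now: float = None) -> bytes:
        if token_id not in self._secrets:
            raise KeyError("unknown token")
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = (token_id, now)
        return nonce

    def verify(self, token_id: str, challenge: bytes, response: bytes,
               now: float = None) -> bool:
        now = time.time() if now is None else now
        # A challenge is consumed on its first use, so a replayed response fails.
        entry = self._pending.pop(challenge, None)
        if entry is None:
            return False
        issued_to, issued_at = entry
        if issued_to != token_id or now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        expected = hmac.new(self._secrets[token_id], challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the exchange and return the outcomes a defender cares about."""
    server = Verifier()
    key = server.enrol("alice-token")          # constructed token id
    token = Token(key)

    c = server.challenge("alice-token")
    good = server.verify("alice-token", c, token.respond(c))
    replay = server.verify("alice-token", c, token.respond(c))  # same challenge again

    c2 = server.challenge("alice-token")
    stranger = Token(secrets.token_bytes(20))  # a token with some other secret
    wrong_key = server.verify("alice-token", c2, stranger.respond(c2))

    c3 = server.challenge("alice-token", now=1000.0)
    stale = server.verify("alice-token", c3, token.respond(c3),
                          now=1000.0 + CHALLENGE_TTL_SECONDS + 1)

    return {"good": good, "replay": replay, "wrong_key": wrong_key, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The verifier is the only party that can check a response precisely because it is the only party that holds the secret; that is also why a leaked seed database is a total compromise of every token enrolled in it, which is the point the commenter is making about RSA's situation. The nonce bookkeeping (single use, bounded lifetime) is what keeps a captured response from being replayed.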

  • Re:Dear Customers... (Score:5, Interesting)

    by clodney (778910) on Tuesday June 07, 2011 @10:02AM (#36361916)

    Admittedly for a company in the security business they get a big fail on this one.

    But I suspect that properly securing them is more difficult than it would appear to the outside observer. At one job I had, we had a signing key of some sort, which was on a USB key in a sealed envelope in a safe. We only took that key out when it needed to be used, which was maybe once a year. Easy enough to observe all the necessary precautions, even if it felt like overkill.

    But remember that RSA presumably manufactures these tokens every single day. So the seed values have to be handled correctly all the time, and that makes the air gap restrictions tremendously onerous to comply with. The seed values need to be known to the authentication servers, and customers will likely demand that RSA could provide them the necessary data to reload authentication servers in the event of a major crash (yes, I know, backups, etc. - but the real world is not always like that).

    So I suspect that RSA themselves were hurt by the classic security vs. usability tradeoff. They need ongoing access to the data that they need to keep secure, and the security restrictions impacted usability, to the point where the policies were weakened, either officially or just by being sloppy.

    Defenders have to be good all the time. Attackers only have to succeed once.
