
RSA Hit With An Advanced Persistent Attack


ritchie58


Information about RSA's SecurID authentication tokens used by millions of people, including government and bank employees, was stolen during an "extremely sophisticated cyberattack," putting customers relying on them to secure their networks at risk, the company said today.
"Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA," Executive Chairman Art Coviello, wrote in an open letter to customers, which was posted on the company's Web site.
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat. Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products," the letter said.
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello wrote. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
The company said it has no evidence that other products are affected or that personally identifiable data on customers or employees was compromised. RSA, the security division of technology giant EMC, did not elaborate and a spokesman said he could not provide additional information at this time.
The tokens, of which 40 million have been deployed, and 250 million mobile software versions, are the market leader for two-factor authentication. They are used in addition to a password, providing a randomly generated number that allows a user to access a network.
The tokens are commonly used in financial transactions and government agencies; one source who asked to remain anonymous said SecurID users in those sensitive areas were scrambling to figure out what to do in light of the breach.
What exactly did the bad guys get?

Because it's unclear exactly what type of information was stolen, sources told CNET they could only speculate as to what the potential outcome could be for companies using the devices.
"It's hard to say [how serious the breach is] until we know the extent of what the bad guys got a hold of," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "Any time a security company gets broken into, it reminds you that it could happen to anybody."
He used to work for a financial services firm that "basically ran everything on" SecurID, he said. "They would be very unhappy if they found out" it could be compromised somehow.
"The real story here is what was stolen. It definitely seems mysterious," said Ravi Ganesan, an operating partner at The Comvest Group and former founder and CEO of single sign-on provider TriCipher. "SecurID is a token authenticator device that flashes a new number every 60 seconds. The number is calculated from two things, a 'secret seed' unique to that device and the time of day. So your one-time password is output of [that] algorithm."
RSA has historically kept their algorithm secret, but that is not a good defense against a sophisticated attacker who could get a software version of the token or the back-end server and reverse engineer the code, Ganesan said. "So what on earth could have been stolen? I certainly hope RSA did not put some back door into the software and that was what got stolen."
While details were scarce, hints about the breach could be gleaned from a message to customers filed with the SEC. It recommended that customers increase focus on security for social-media applications and Web sites accessed by anyone with access to their critical networks; enforce strong password and PIN policies; and remind employees to avoid opening suspicious e-mails, to avoid providing usernames or other credentials to anyone without verifying that person's identity, and to avoid complying with e-mail or phone-based requests for such information.
Additionally, the message said customers should pay special attention to securing their Active Directories and use two-factor authentication to control access to them; watch closely for changes in user privilege levels and access rights; harden, monitor, and limit remote and physical access to infrastructure that hosts critical security software; shore up practices against social-engineering attacks; and update security products and patch operating system software.
Advanced Persistent Attacks often target source code and other information useful in espionage and involve knowledge of the company's network, key employees, and workings. Attackers use social engineering and exploits hidden in e-mail and other messages to sneak keyloggers and other snooping tools onto employees' computers. Google announced last year that it and other companies had been targeted in such an attack and it later came out that attackers used an unpatched hole in Internet Explorer to get into the company computers. Google said at the time that intellectual property was stolen and that the attacks appeared to originate in China.

How serious is this?

RSA said it is confident that the information stolen does not enable a successful direct attack on any SecurID customers. However, the data could be used to "reduce the effectiveness" of an implementation as part of a broader attack, the company said. There is no evidence that other products are affected or that personally identifiable data on customers or employees was compromised, according to RSA.
However, given that SecurID is the most popular form of two-factor authentication and is heavily used in government agencies and financial institutions, a compromise of customer systems could ultimately impact a lot of people. There are about 40 million SecurID hardware deployments and 250 million deployments on mobile devices.
Who is behind the attack?

RSA has provided no information publicly as to the origin of the attack. However, sources told CNET that China is a likely bet. Google said the attack against it originated from China, which sources say is using whatever means it can to narrow the technology gap with the U.S. "If this is really APT, it means China," said Rich Mogull, chief executive of Securosis. Likely targets would be in the defense and industrial markets and high-tech manufacturing, he said. "If this is China they're not going to be trying to break into bank accounts."
The big question is what data was stolen. Experts wondered if the attackers were able to access a database storing so-called seed data--including unique numbers for each token that, combined with the time of day, are used to generate the one-time passcodes that flash on the devices every 30 seconds or 60 seconds. Attackers armed with that information could potentially use it to create their own pseudo-random numbers and pretend to be someone authorized to access a sensitive network.
What should companies with SecurID deployments do?
Without more information about what data was stolen, it's difficult for companies to assess the risk. However, high-profile targets should be prepared for anything. "The safe bet is to assume that the system is completely compromised, although that doesn't mean everyone is going to be a target of attack," Mogull said.
Any organization using SecurID should make sure they have enabled passwords for accessing sensitive information, use strong passwords, and rotate them frequently, he said. They should also force a password change for accounts with high-level privileges, consider disabling accounts that don't use a password, and set password attempt lockouts so that they are blocked after three tries, he suggests in a blog post.
Companies might also want to monitor for multiple accounts that are repeatedly failing authentication attempts and remind users that the serial number of the token should be kept secret. And IT administrators should make sure they are running proper access control and firewall software, as well as updated security software and patch operating systems and other programs being used.
RSA issued recommendations to customers that include: focusing on security for social-media applications and Web sites accessed by anyone with access to their critical networks; reminding employees to avoid opening suspicious e-mails and providing usernames or other credentials to people without verifying the person's identity, as well as avoid complying with e-mail or phone-based requests for such information; paying special attention to securing active directories; watching closely for changes in user privilege levels and access rights; and hardening, monitoring, and limiting remote and physical access to infrastructure that hosts critical security software.
Are there alternatives for authentication?

There are competing authentication products on the market, but Mogull said he would not advise changing systems, which is an expensive move, just yet. "If this drags out and RSA doesn't tell us for a while what happened, then people maybe will need to switch products. It's way too early to start ripping SecurID out now."
One source speculated that the breach will prompt increased interest in the open-source Google Authenticator one-time passcode generators for mobile devices.
While the breach raises many questions for SecurID customers, it's not necessarily a huge black eye for RSA at this point, sources said. No company--security or other--is immune to these types of attacks, according to Mogull. "This is the name of the game moving forward," he said.
Updated March 21 at 9:57 a.m. PT to clarify that SecurID tokens can have six-digit or eight-digit codes that display every 30 seconds or 60 seconds.
Originally posted at InSecurity Complex by Elinor Mills
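The mechanism Ganesan describes above (a code computed from a secret seed and the time of day) and the controls Mogull recommends (a PIN in front of the token code, lockout after three failed tries, and watching for accounts that repeatedly fail authentication) fit together in one small model. The following is an added example written for this page; it is not code from the article, from RSA, or from any SecurID product. The SecurID algorithm is proprietary, so the token code here is a stand-in computed with RFC 6238 TOTP over HMAC-SHA1, and the names `totp`, `AuthServer`, `accounts_with_repeated_failures` and `demo`, the sample authentication log, and the seed and PIN values are all constructed for the illustration.

```python
import hashlib
import hmac
import struct
from collections import defaultdict


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based one-time passcode derived from a secret seed and the time of day.

    Constructed stand-in: RFC 6238 TOTP over HMAC-SHA1. The real SecurID
    algorithm is proprietary and is NOT what this function implements; the
    property it shares with the article's description is that the code is a
    pure function of (seed, time), so whoever holds the seed can compute it.
    """
    counter = unix_time // step                      # which time window we are in
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical back end: passcode = user PIN + token code, with lockout."""

    def __init__(self, max_attempts: int = 3, step: int = 60):
        self.users = {}                      # username -> (seed, pin)
        self.failures = defaultdict(int)     # consecutive failures per user
        self.locked = set()
        self.max_attempts = max_attempts
        self.step = step

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        if user in self.locked or user not in self.users:
            return False
        seed, pin = self.users[user]
        expected = pin + totp(seed, now, self.step)
        if hmac.compare_digest(passcode, expected):   # constant-time comparison
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:  # block after three tries, as advised
            self.locked.add(user)
        return False


def accounts_with_repeated_failures(events, threshold: int = 3, window: int = 300):
    """Return users with >= threshold failed logins inside any `window` seconds.

    events: iterable of (unix_time, username, success). A sliding window over
    each user's sorted failure timestamps; this is the "multiple accounts
    repeatedly failing authentication" check from the article, made concrete.
    """
    fails = defaultdict(list)
    for t, user, ok in events:
        if not ok:
            fails[user].append(t)
    flagged = []
    for user, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


# Constructed sample authentication log: (unix_time, user, success)
SAMPLE_LOG = [
    (1300000000, "alice", False),
    (1300000020, "alice", False),
    (1300000045, "alice", False),
    (1300000100, "bob", False),
    (1300000130, "bob", True),
    (1300000000, "carol", False),   # carol's failures are spread over an hour
    (1300001800, "carol", False),
    (1300003600, "carol", False),
    (1300000200, "dave", True),
]


def demo():
    seed = b"constructed-demo-seed-not-a-real-token"   # constructed, not a real seed
    now = 1300000020
    server = AuthServer()
    server.enroll("alice", seed, "4321")
    good = "4321" + totp(seed, now)
    genuine = server.verify("alice", good, now)
    # Knowledge of the seed alone yields the token code but not the PIN;
    # three wrong-PIN attempts inside one time window trip the lockout.
    seed_only = "0000" + totp(seed, now)
    guesses = [server.verify("alice", seed_only, now + i) for i in range(3)]
    after_lock = server.verify("alice", good, now + 5)
    return {
        "genuine_login": genuine,
        "seed_only_guesses": guesses,
        "genuine_after_lockout": after_lock,
        "flagged_accounts": accounts_with_repeated_failures(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the genuine PIN-plus-code login accepted, the three attempts that carry the right token code but a wrong PIN rejected with the account then locked, the genuine passcode refused once the lockout is in place, and `alice` as the only account the log check flags (bob fails once, carol's three failures fall outside any five-minute window). This is the reasoning behind the article's advice: if seed material is what was taken, the seed gives an attacker the token code but not the PIN, and the lockout caps how many PINs can be tried, while the failure monitor surfaces the attempt.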