
RSA attacked

Devilsbane Member Posts: 4,214
I'm actually surprised that this hasn't already been brought up yet.
Caution urged in wake of RSA security breach - Computerworld
But for the moment at least, enterprises should assume that SecurID is no longer an effective second factor of authentication, he said. "Review passwords tied to SecurID accounts and make sure they are strong," Mogull said. "Consider disabling accounts that don't use a password or PIN and set password attempt lockouts."
Though RSA has not disclosed which or how much SecurID information was stolen, the mere fact that the company is warning of reduced effectiveness is troubling, said John Pescatore, an analyst with Gartner.
Decide what to be and go be it.

Comments

  • tiersten Member Posts: 4,505
    Pfft. I thought you meant RSA encryption from the topic. Look up Bleichenbacher for a novel attack on certain implementations of RSA.
  • colemic Member Posts: 1,569
    We are actually following this pretty closely. Trust me, there are a LOT of people about to pee their pants because RSA won't say what was stolen. (Most likely the seed keys). They are being incredibly vague about what happened, and people are up in arms over it. (as they should be.) There are even stories out there that claim that NSA had built a backdoor into the whole SecurID system.

    RSA could tank if they don't give answers soon as to what was compromised - they will see a stampede towards the exits.
    Working on: staying alive and staying employed
  • Devilsbane Member Posts: 4,214
    We have also sent out information to our employees over here about protecting their serial number, PIN, and token code. We have also decreased the lockout threshold and increased the minimum PIN from 4 to 6 in order to up the security.

    RSA is in a tricky spot. Yes we want to know exactly what was stolen, but there is a possibility that by releasing exactly what was taken before they have a chance to clean up the mess that they could open up a bigger hole. For example, maybe the hackers think they got one thing but really got something else?

    Anyway, sit back and wait and see what happens, and beef up our own security just to play it safe.
    Decide what to be and go be it.
  • tiersten Member Posts: 4,505
    A few years back, somebody managed to reverse engineer or leak the algorithm for an older version of the tokens. If you could acquire the file that was entered into the server then you could generate the number for any specific time you wanted. It wasn't very practical because you needed that file but insiders could have managed to cause some trouble.

    I assume what has been stolen is some kind of database which correlates the serial number stamped on the back with the contents of those files.
  • Forsaken_GA Member Posts: 4,024
    colemic wrote: »
    We are actually following this pretty closely. Trust me, there are a LOT of people about to pee their pants because RSA won't say what was stolen. (Most likely the seed keys). They are being incredibly vague about what happened, and people are up in arms over it. (as they should be.) There are even stories out there that claim that NSA had built a backdoor into the whole SecurID system.

    RSA could tank if they don't give answers soon as to what was compromised - they will see a stampede towards the exits.

    RSA has quietly let some partners know what happened through backend channels. Unfortunately, this is something that if anyone who does know exactly what happened were to leak it to a public web site, it would cost them their jobs, which is why you're going to find a lot of people being very tight-lipped about it.

    All I can say from my end is that there is cause for concern (which should be blatantly obvious), but it's not as bad as some of the horror stories are making out.
  • lordy Member Posts: 632
    I have heard rumors that master keys exist. These supposedly allow one to generate valid codes for a SecurID authentication.

    If this is true and the master key(s) have indeed been stolen then you could just put your token in the bin. I really hope it's not true but there is often some truth in rumors...
    Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
    Goal for 2014: RHCA
    Goal for 2015: CCDP
  • Forsaken_GA Member Posts: 4,024
    lordy wrote: »
    I have heard rumors that master keys exist. These supposedly allow one to generate valid codes for a SecurID authentication.

    If this is true and the master key(s) have indeed been stolen then you could just put your token in the bin. I really hope it's not true but there is often some truth in rumors...

    Not entirely true. If you're relying solely on the token code, you're implementing it wrong anyway, and have far too much faith in the product. You should be implementing PINs to go along with the token codes.

    I think I can safely say this - There are A LOT of companies out there that are presently reevaluating their PIN policy in regards to the SecurID tokens. Some of them are enforcing changes in those policies. Take that, along with what RSA has said publicly already, and you can probably make an educated guess as to what was compromised.
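
An added example, not part of the thread: a PIN-plus-token-code check with a failed-attempt lockout, the combination of controls the posts above describe tightening. SecurID's algorithm is proprietary, so the RFC 6238-style `time_code` is a stand-in, and `TokenAccount`, `pin_guess_odds` and the lockout values are hypothetical.

```python
import hashlib
import hmac
import os
import struct


def time_code(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238-style code; a stand-in, not SecurID's proprietary algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenAccount:
    """Hypothetical verifier: PIN and token code must both match, with lockout."""

    def __init__(self, seed: bytes, pin: str, max_failures: int = 3, min_pin_len: int = 6):
        if not pin.isdigit() or len(pin) < min_pin_len:
            raise ValueError("PIN must be at least %d digits" % min_pin_len)
        self.seed, self.max_failures, self.failures = seed, max_failures, 0
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)  # keep a salted slow hash, never the PIN

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def login(self, pin: str, code: str, now: int) -> bool:
        if self.locked:
            return False  # stays locked until an administrator resets it
        # Evaluate both factors before deciding, so a failure never reveals which one was wrong.
        pin_ok = hmac.compare_digest(self._hash(pin), self.pin_hash)
        code_ok = hmac.compare_digest(code.encode(), time_code(self.seed, now).encode())
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        return False


def pin_guess_odds(pin_len: int, max_failures: int) -> float:
    """Chance a random PIN is guessed before lockout if the token code is already known."""
    return min(1.0, max_failures / 10 ** pin_len)
```

If the seed is no longer secret, the PIN and the lockout are all that remain: `pin_guess_odds(4, 10)` is 1 in 1,000, while `pin_guess_odds(6, 3)` is 3 in 1,000,000.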
  • Devilsbane Member Posts: 4,214
    Not only the pin here, but you will need to authenticate with AD before even getting the chance to use your RSA pin and token.
    Decide what to be and go be it.
  • colemic Member Posts: 1,569
    Not entirely true. If you're relying solely on the token code, you're implementing it wrong anyway, and have far too much faith in the product. You should be implementing PINs to go along with the token codes.

    I think I can safely say this - There are A LOT of companies out there that are presently reevaluating their PIN policy in regards to the SecurID tokens. Some of them are enforcing changes in those policies. Take that, along with what RSA has said publicly already, and you can probably make an educated guess as to what was compromised.

    I interpreted what he said as being that the master key wouldn't need a PIN to provide authentication. If NSA had a backdoor built in (master key) in exchange for the right to export the technology, well... who knows. Crazier (and dumber) things have happened, I guess.
    Working on: staying alive and staying employed