RSA's Servers Hacked
Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion.
Update: 03/17 23:54 GMT by T: Reader rmogull adds "With all the hype that's sure to explode over this one, we decided to do a quick write-up to separate fact from speculation."
These guys aren't like HBGary - RSA basically invented huge portions of modern cryptography. I'm interested in seeing the specifics on how this happened.
I can imagine how this is going to play out when the IT folks at my company find out about this. They'll panic, revoke all the SecureID cards, and then no more working from home until something much more complicated, unreliable, and probably requiring Windows 7 is found to replace it.
Crap!
Am I part of the core demographic for Swedish Fish?
Real Secure? Ahahaha
Be relentless!
They didn't have a two factor authentication process around accessing their source code.
... pass the popcorn. This might get interesting. ^_^
Laters, Sol. "Have you found the secrets of the universe?" asked Zebade. "I'm sure I left them here somewhere."
This is just the opening that lawmakers need to promote panic and obliterate resistance to their 'protective legislation', which will surely be filled with special interest items buried in legalese.
...omphaloskepsis often...
...RSA's Hackers Served
Otherwise RSA looks pretty dumb, but if they label it "extremely sophisticated" even if it isn't, people then give the company a pass. Perhaps it was. Perhaps it wasn't, and without additional information we won't know.
Accessing the source code wouldn't be helpful, see http://en.wikipedia.org/wiki/HOTP
What would be dangerous is if they stole the serial# secret initializer mapping, or the key to decode the mapping if it is algorithmic. Then you can reproduce any key with just its public serial #.
http://notanumber.net/
Does this mean my WoW account is vulnerable!?
Wonder if they'll fess up as to which RSA office was hacked.
Would be nice if more stories here included a non-hyped, rational explanation of the situation. Definitely appreciated the writeup from securosis.
The recent Android browser vs iOS browser test could have used one, since the test was flawed, and there is a rational explanation for the difference between Mobile Safari and 3rd party apps tapping WebKit.
Same for all the hyped stories out of Japan causing people to run for iodine tablets on the west coast of the US.
In general I've become so skeptical of anything these days due to the echo chamber of the internet bouncing around hyped, panicked stories with no followup.
From one of the links,
"RSA states they are communicating directly with customers with hardening advise."
LOL@that. What's their advice? To call 916.459.4727 and set up an appointment?
Oh ok, so I guess the Surgeon General saying you should buy Iodide pills as a precaution is baloney and he's nothing but a big conspiracy theorist. The story
The magical number is: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Fear is good for business. I'm not advocating this is a good thing, however.
In the recent nuclear accident caused by Japan's tsunami, iodine tablet sales soared as you said. War brings up the sales of weapons obviously, both government and consumer (home defense and all that). Fear of robbery/previous example also aids business for security systems. Swine flu tanked pork prices; OK, that wasn't good for businesses but even swine flu infected pork was safe if cooked to FDA standards, and boy did I enjoy all that cheap pork.
The list goes on...
I was expecting a better job from securosis, but then, the first paragraph got right into speculation:
According to the announcement, RSA was breached in an APT attack (we don’t know if they mean China, but that’s well within the realm of possibility) and material related to the SecureID product was stolen.
I stopped reading right there.
This is precisely why security products should be open sourced. The fact that RSA was compromised and some data (potentially algorithms) on the RSA SecurID was obtained nullifies any F.U.D. that open source is less secure. If these algorithms had been out in the open, there would be no reason to panic because the development community would have access to the very source code and vulnerabilities addressed rapidly. Now the intruders have the keys to the castle and the only entity that can address the ensuing vulnerability is EMC.
The Internet has an echo chamber? Can you imagine how loud it will get in here with all of the people on the Internet?! I'm running to the store to get ear plugs right now before I suffer irreparable damage! I advise all concerned Internet citizens to head to your local stores for earplugs as we work together to avert this crisis of international proportions, lest we face the case where all of our heads explode as the sound becomes more than we can take.
And, above all, remain calm.
Hi, can anyone confirm that this means my Blizzard authenticator is at risk? I use two-factor authentication to login to WoW and it protects my guild bank and all my assets! Were these Chinese attacks directed against WoW players specifically?
Blame it on HER --> http://xkcd.com/343/
I'm fairly sure that this has happened before. I remember seeing screen caps of their website being hacked. It is interesting that, in spite of this, RSA should still find itself vulnerable to cyber attack. I would make comments about past attempts being benign, but that would be supposition on my behalf.
China is behind this one too. They have been relentless lately when it comes to espionage. Corporate etc.
Oh ok, so I guess the Surgeon General saying you should buy Iodide pills as a precaution is baloney and he's nothing but a big conspiracy theorist.
Yes, it's baloney, though I doubt she is a conspiracy theorist.
I don't use SecureID, but I can imagine how this will play out. News and hype will make the general public aware. They will know their passwords may need to be changed - but don't really know how. There will be millions of e-mails sent out:
"This is the RSA, you may be at risk, please send us your current password (to verify your identity) and the new password you would like to use. We apologize for the inconvenience. PS: There is a bank in Nigeria that has $1,000,000 USD deposited into an account in your name. With your password, please send $1,000 USD for the fees to release this money."
Damn, I wish I had mod points for that...
Well, I could (almost) understand people's worry on west coast of the US but people are hoarding iodine tablets here in Finland too! Pharmacies have already sold their stocks.
You don't know what you don't know.
For California residents near the two nuclear plants (of which I am), it makes sense as a precaution. Flyers were even sent in the mail about it last spring, offering free tablets to stash in emergency kits. But this is all for being prepared in case of a local disaster, not one hundreds of miles across a vast ocean.
Something tells me the surgeon general hasn't been properly briefed on the situation, especially considering her comments about being unaware that people are stocking up. Yes, it's bad, but it's not at a scale where anyone should be concerned on the western US coast. There are already people not only buying the tablets, but making use of them. Doing so brings zero benefit, but can cause side effects, some far more harmful than any potential risk from Japan.
Even if some sort of back door or man-in-the-middle attack was established, how would this play out?
They would use code to achieve the PIN? Meh, wouldn't they be better off getting the PIN for the RSA server? Kind of tough anyway...
As by the time the user logged on, the changing digits would be, well, changed... Even if a new PIN mode was entered, I don't see how this attack is possible.
Certainly redirected web pages would catch the user's eyes? Maybe? In the form of a pop-up blocker or an invalid certificate?
Oh wait. Have algorithm, insert false digits, run code on GPUs, have key logger (payload from Trojan) grab the PIN, crack the digits, profit.
Damn, suddenly I can see this happening. Time to find a new system for secured access.
PS I wanna punch the guy who did this if it was anyone other than a Trusted source doing a security audit. Unlikely.
In general I've become so skeptical of anything these days due to the echo chamber of the internet bouncing around hyped, panicked stories with no followup.
I keep hearing about that thing, but I don't believe it really exists.
What you said may be true! But I think everything has two sides... we should see the whole effect of this matter!
How do they know they're communicating directly with their customers? They're giving advice to someone, and their customers are receiving advice from someone, but ...
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
"EMC cyber subsidiary RSA was the cyber victim of 'an extremely sophisticated cyber attack' which cyber resulted in the possible cyber theft of the two-factor cyber code used by their cyber SecurID cyber products."
"Cyber" makes things sound more cool
Here's a conspiracy theory:
These attackers might have a more significant zero-day vulnerability at their disposal than the SecureID system. They might have used that to breach RSA. But with this other vulnerability available for their private use, the greatest risk is that it will be discovered by victims and rendered obsolete. Now that SecureID has been compromised in some ambiguous way, it allows the attackers to ply their original vulnerability against RSA customers with SecureID being the assumed entry-point.
It is a theory.
Seth
$5 / month hosted VPS on linux = awesome!
Yeah, never attribute to malicious intent what can be attributed to stupidity and incompetence.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Really? That's it?!.. This is your entire argument? Basically whatever I say is true because I said so... so there! Really, no effort at all put into any sort of coherent counter argument.
I guess the fact that nuclear fallout from Chernobyl made it to the U.S. and Canada in about 11 days (ref 3) and covered almost all of Europe totally escaped you (ref 1). Or the fact that grains of sand from the Mongolian deserts make it over to the U.S. each year even though it is much farther than the eastern coast of Japan (ref 2). But God forbid people take precautions, that would be un-American I guess.
If you're so against protecting yourself, at least do it for your children, or the people around you, don't be so selfish.
1. http://www.unscear.org/docs/JfigXI.pdf
2. http://www.a-a-r-s.org/acrs/proceeding/ACRS2006/Papers/T-1_T3.pdf
3. http://www.nyas.org/Publications/Annals/Detail.aspx?cid=f3f3bd16-51ba-4d7b-a086-753f44b3bfc1
(sarcasm) Right, because the Chernobyl release of radiation is equatable to Japan's fortified plants.
Be careful that your apples don't get mutated to oranges.
If they're so fortified, where is the radiation coming from?! I guess they should just send everyone back to their homes.
No, she's not a conspiracy theorist, but she sounds surprised by the question and obviously she'd emphasize more medical preparedness, despite the downside of causing a panic.
Yes, it appears to be baloney.
Suggest you have a read of this:
http://www.theregister.co.uk/2011/03/14/fukushiima_analysis/
You mean someone opened an email attachment on their Windows computer?
>> Once you pass a certain point, people become far more vulnerable than technology, so improving the technology won't help security.
BINGO!!
May God give you double that which you wish for me
you should do some research on the radiation half-life of the Japan leaks vs Chernobyl before equating the two.
now go find the announcement that initial radiation readings in california coming from japan are a billion times below health concerns.
you've become a worry-wart dynamo. if only we could harness that energy as an alternative source.
Token seeds are the initial codes that generate the one-time passwords according to a formula.
With the token seeds, an attacker could create duplicate tokens.
Normally, for login purposes RSA SecurID requires both a PIN (a short password) and the token number, so a duplicate token isn't normally enough to login.
But still a big security problem. RSA is going to have to create & ship a whole bunch of new tokens.
RSA's actions are also disappointing. They have provided no real information just a bunch of vague blah blah blah like use antivirus software, keep your systems patched & up to date, etc.
And I suspect some customers will jump ship to Entrust tokens.
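The HOTP link earlier in the thread and the token-seed comment above make the same point: the algorithm can be public, the seed cannot. This is an added illustration, not code from the page or from RSA (SecurID's own algorithm is proprietary, so it uses RFC 4226 HOTP instead); the AuthServer class, the serial number and the PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed seed: the RFC 4226 test-vector secret, not any real token's seed.
RFC4226_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    The algorithm is public; everything hinges on the seed staying secret."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical authentication server holding the serial -> seed mapping
    (the data the comments above identify as the dangerous thing to lose)."""

    LOOKAHEAD = 5  # tolerate a few unused presses on the token

    def __init__(self) -> None:
        self._tokens = {}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, serial: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._tokens[serial] = {
            "seed": seed,
            "counter": 0,  # next counter value we expect from this token
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
        }

    def reseed(self, serial: str) -> bytes:
        """Remediation after a seed leak: a fresh seed makes cloned tokens useless."""
        rec = self._tokens[serial]
        rec["seed"], rec["counter"] = secrets.token_bytes(20), 0
        return rec["seed"]

    def verify(self, serial: str, pin: str, tokencode: str) -> bool:
        rec = self._tokens.get(serial)
        if rec is None:
            return False
        # Factor 1: something you know. A cloned token alone does not clear this.
        if not hmac.compare_digest(self._hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return False
        # Factor 2: something you have. Only counters not yet consumed are accepted,
        # so a captured code cannot be replayed.
        for c in range(rec["counter"], rec["counter"] + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["seed"], c), tokencode):
                rec["counter"] = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through the scenario from the thread: a clone built from a leaked seed."""
    server = AuthServer()
    server.enrol("000123", RFC4226_SEED, pin="2468")
    results = {}
    # Legitimate user: PIN plus the code the token shows for counter 0.
    results["genuine"] = server.verify("000123", "2468", hotp(RFC4226_SEED, 0))
    # Replaying the code that was just consumed must fail.
    results["replay"] = server.verify("000123", "2468", hotp(RFC4226_SEED, 0))
    # Leaked seed lets an attacker compute codes, but the PIN is still missing.
    results["clone_no_pin"] = server.verify("000123", "0000", hotp(RFC4226_SEED, 1))
    # Seed plus a PIN obtained elsewhere clears both factors: the risk the thread describes.
    results["clone_with_pin"] = server.verify("000123", "2468", hotp(RFC4226_SEED, 1))
    # After re-seeding, codes derived from the leaked seed are dead.
    server.reseed("000123")
    results["clone_after_reseed"] = server.verify("000123", "2468", hotp(RFC4226_SEED, 2))
    return results
```

The first two `hotp` values match the RFC 4226 test vectors (755224 for counter 0, 520489 for counter 9), which is the quickest way to check an implementation against the public spec.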
Here's the email RSA sent out to actual customers yesterday:
[header removed]
Subject: RSA, the Security Division of EMC, urges critical actions for SecurID installations
Dear RSA SecurCare® Online Customer,
Summary:
We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.
Description:
Recently EMC’s security systems identified an extremely sophisticated cyber attack in progress, targeting our RSA business unit. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
Our investigation has revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.
We strongly urge immediate customer attention to this advisory, and we are providing immediate remediation steps for customers to take to strengthen their RSA SecurID implementations.
Affected Products:
The affected products are RSA SecurID implementations.
Overall Recommendations:
RSA strongly urges customers to follow both these overall recommendations and the recommendations available in the best practices guides linked to this note.
* We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
* We recommend customers enforce strong password and pin policies.
* We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
* We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
* We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
* We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
* We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
* We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
* We recommend customers update their security products and the operating systems hosting them with the latest patches.
For RSA product-specific recommendations, please follow the links below to the Security Best Practices Guides for each product. If you are unable to access the files via RSA SecurCare, please contact support at:
[removed]
Really? That's it?!.. This is your entire argument? Basically whatever I say is true because I said so... so there!
Really, no effort at all put into any sort of coherent counter argument.
I have no interest in arguing with hysterical idiots. That goes for anti-vacciners, truthers, birthers, moon-landing-hoaxers, and you.
(And for what it's worth, since I wear a dosimeter, I really do know how much radiation I am exposed to.)
If someone's gonna get fucked, might as well enjoy it.
... Windows firewall breached??? :-)
Let's see, Chernobyl was an accident where the entire reactor blew open, and threw nuclear fuel all over the site. The building was also on fire for days, and the Russian government was trying to hide the accident until radiation detectors in Sweden detected a problem. Yeah, it spread a ton of really bad radiation and particles around because of it, and it was the worst nuclear power disaster in history, behind the disasters of intentionally setting off bombs.
In Japan, only the outer containment buildings have blown up, and yes there is some damage to the inner building and reactors inside. The nuclear fuel is still well contained, even in the storage pools, isn't active at the levels the Chernobyl fuel was, and fires at the site have been short lived.
Huge difference. And yes, as of today, a full week after the initial earthquake, and several days after spikes in radiation, very minute readable amounts have made it to the US. This radiation is not harmful in the quantities present, as it has long since dispersed, and doesn't contain any of the particles really dangerous to human health. Those iodide pills people are taking are still doing 0 good, but do present health risks for other reasons to those using them.
Odds are today you will encounter more radiation by simply driving in the smog-covered city, or walking by a microwave, than you would from the incident in Japan. Radiation is a fact of life, and would be even if we didn't have any technology or industry. There is a difference between radiation and deadly radiation.
And this whole panicked response from ZDRuX sadly proves my point about the echo chamber.
If you want to do some honest research, instead of looking at the worst power disaster and extrapolating, start here:
http://mitnse.com/page/2/ - Scroll to the bottom and read the oldest, then read the newer stories. It's constantly being updated, and has been a great source of non hyped, overreaction based news about the situation.
The reason it's baloney is that your thyroid can handle the amount of fallout you'd get, but your liver won't be able to sustain prolonged exposure to those levels of iodide.
The reason the gp didn't back up his argument is that it's not an argument; it's an assumed (yes, assumed) fact, kind of like the effects of gravity, the effects of stepping in front of a moving train, and other daily occurrences. Sure, there are outliers, but when you realize what the iodide tablets are used for and how they affect you, you realize pretty quickly that it's pure baloney.
IF Japan has a catastrophic meltdown, the Americas will have a few days' warning before the fallout hits. At THAT point, people in specific areas might want to consider having iodide pills on hand (they have an expiry date, so don't get them too soon). Remember that it could be months before one of the reactors suffers a meltdown, if any of them ever do. Also, the only one to really worry about is reactor 3, which contains plutonium. If this one goes, the fallout will definitely raise radiation levels for the foreseeable future (although probably about as much as sleeping beside a box of Brazil nuts or carrying your cellphone in your pants pockets while away from a cell tower).
I don't know if you noticed, but most people didn't start popping iodide pills after Chernobyl, and we're still here (and mutation levels, etc. haven't changed from before the disaster over most of the planet). You get more radiation from standing out in the sun than you got from Chernobyl fallout in most of the world -- and that disaster was significantly worse than the Japanese situation is ever likely to get to.
Back to the topic: leaking the RSA data definitely increases risk, but it doesn't even compromise the keyfobs, let alone the full two-factor security process. What it DOES do is make all aspects of the two-factor process compromisable purely by going after a specific target (as they now have all the extra information not held by the target). Kind of like with the reactors: disaster is now possible, but not unavoidable. As long as the target's serial DB and issuing key are not compromised, two-factor is still as strong as it was before the break-in.
You should hang more on trusted sites, like slashdot. Oh, wait...
I have done research and have been showing you the evidence to support my arguments. You, however, have done nothing of that sort. You say the radiation readings from Japan are a "billion" times lower than ones from Chernobyl, yet you fail to provide any evidence or explanation as to how you came to that conclusion so quickly, full well knowing the situation cannot be assessed so quickly after the tragic accident.
Perhaps you'd like to tell us what exactly "below health concerns" is? Is it the same type of harmless radiation that the U.S. government said was present at the Three Mile Island nuclear facility? Because that "safe" radiation caused an increase in lung cancers all over the area in a span of SIX YEARS, and yet you come out nearly 2 weeks after a much bigger accident in Japan and declare everything is safe, but have zero proof.
That's fine, I can see you're not here to actually present any credible proof or a coherent argument, you're just here to act cool because it's trendy to laugh in the face of possible danger (we don't know just how dangerous or not this "plume" will be). So you sir, have yourself a good day, and I really wish you are right and all the best to yourself and your family - I hope the plume misses all of us, and has no effect on anyone.
http://ehpnet1.niehs.nih.gov/docs/1997/105-8/correspondence.html
[quote]You are not RSA's customer, people like Blizzard [blizzard.com] and PayPal [paypal.com] are their customers. You are a customer of their customers.[/quote]
This event drew my interest because my H's company is a customer, with a LARGE population of the US in their databases. Each of us being hacked before authenticators in WoW, I find it interesting that Blizzard/WoW were breached last year at this time (from China?)
I seriously doubt this was social engineering, more like using Blizzard.net/Paypal etc., as discovery/practice/refinement. Let's hear it for privatization! I remember the talks and memos with DoD when NSA fought the likes of EMC2 having this kind of control. There are some things better left in the hands of the government...I think I'm going to grab a coffee can now and bury my savings in the dirt.
If you're so against protecting yourself, at least do it for your children, or the people around you, don't be so selfish.
http://hps.org/documents/kifactsheetbrief.pdf