Slashdot Mirror


RSA's Servers Hacked

Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds "With all the hype that's sure the explode over this one, we decided to do a quick write-up to separate fact from speculation."

25 of 172 comments

  1. Ouch by the+linux+geek · · Score: 3, Insightful

    These guys aren't like HBGary - RSA basically invented huge portions of modern cryptography. I'm interested in seeing the specifics on how this happened.

    1. Re:Ouch by dAzED1 · · Score: 4, Funny

      likely a soft hack. Insider, or simply seducing an engineer with a cute girl.

    2. Re:Ouch by MrEricSir · · Score: 2

      But do Ron Rivest, Adi Shamir, and Len Adleman have anything to do with RSA the company nowadays? I know they invented some algorithms which bear the name RSA, but that doesn't mean they have (or ever had) anything to do with the day to day operations of RSA the company.

      --
      There's no -1 for "I don't get it."
    3. Re:Ouch by SethJohnson · · Score: 2

      Meh, I'm still unconvinced that the "extremely sophisticated attack"

      That used to be a good assumption to make until the steps required to manufacture the stuxnet worm were revealed.

      The penetrator likely has eyes on a very specific secondary target, and grabbing this information was a preliminary step. Imagine the resources that could have been applied. I'm betting physical access was required at RSA.

      Seth

    4. Re:Ouch by dfcamara · · Score: 3, Insightful

      Hacking systems very rarely involves breaking cryptography. It's bad reputation for their sys admins but not so for their cryptography experts.

    5. Re:Ouch by interkin3tic · · Score: 2

      a girl who hangs out on 4chan and watches anime is not capable of seducing anybody

      I'm pretty sure that first part, "girl" qualifies as "capable of seducing" at least a few engineers.

    6. Re:Ouch by russotto · · Score: 5, Funny

      OK, well we're talking about crypto engineers, so only the 'girl' condition is essential, not the 'cute' condition.

      It's also essential she not call herself "Eve". The crypto guys catch onto that one immediately.

    7. Re:Ouch by msauve · · Score: 2

      So, by your definition, Henry Ford is still involved with day-to-day operations of the Ford Motor Company?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    8. Re:Ouch by hey! · · Score: 5, Funny

      It's also essential she not call herself "Eve". The crypto guys catch onto that one immediately.

      She fooled them by spelling her nick backwards.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Crap, crap, crap by pedantic+bore · · Score: 3, Funny

    I can imagine how this is going to play out when the IT folks at my company find out about this. They'll panic, revoke all the SecurID cards, and then no more working from home until something much more complicated, unreliable, and probably requiring Windows 7 is found to replace it.

    Crap!

    --
    Am I part of the core demographic for Swedish Fish?
    1. Re:Crap, crap, crap by Anonymous Coward · · Score: 5, Informative

      Are you talking about SecurID smartcards? If so then the hackers wouldn't have any advantage against those. Those use standard PKI and the private key is protected in hardware on each person's specific card.

      What got stolen was the code used in those SecurID tokens. You know those key-fob things that stay in sync based on time and generate a new token every x number of seconds. However, even if the hackers got the algorithms for how that works it still wouldn't help them because the algorithm again uses a set of private data (keys) for each installation. The hackers would have to get that data along with the algorithm they presumably have now.

      In short, this probably means that security will be unaffected. The only difference is now some people know exactly how the time based key fobs work. Which you could figure out anyway if you disassembled the RSA server software. Pretty much what RSA said.

    2. Re:Crap, crap, crap by Shikaku · · Score: 4, Insightful

      Explain that to his manager.

      I'll bet $1337 that GP's scenario will occur anyway.

    3. Re:Crap, crap, crap by jd · · Score: 3, Funny

      Explanations are futile. The CEOs have already been assimilated.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Crap, crap, crap by znerk · · Score: 2

      What got stolen was the code used in those SecurID tokens. You know those key-fob things that stay in sync based on time and generate a new token every x number of seconds.

      It's a conspiracy to hack my WoW account!

      --
      This work is licensed under a Creative Commons Attribution 3.0 Unported License.
  3. Let me guess... by leapis · · Score: 2

    They didn't have a two factor authentication process around accessing their source code.

    1. Re:Let me guess... by abulafia · · Score: 2
      That was my first thought.

      Probably a simpler attack than that, but still a pretty fucking serious hit for a company/brand that depends on rep as much as RSA does.

      --
      I forget what 8 was for.
  4. time for new laws! by swell · · Score: 3, Insightful

    This is just the opening that lawmakers need to promote panic and obliterate resistance to their 'protective legislation', which will surely be filled with special interest items buried in legalese.

    --
    ...omphaloskepsis often...
  5. Good non hype link, now do that for more stories by Drakino · · Score: 5, Interesting

    Would be nice if more stories here included a non hyped, rational explanation of the situation. Definitely appreciated the writeup from securosis.

    The recent Android browser vs iOS browser test could have used one, since the test was flawed, and there is a rational explanation for the difference between Mobile Safari and 3rd party apps tapping WebKit.

    Same for all the hyped stories out of Japan causing people to run for iodine tablets on the west coast of the US.

    In general I've become so skeptical of anything these days due to the echo chamber of the internet bouncing around hyped, panicked stories with no followup.

  6. Argument by DaMattster · · Score: 2, Insightful

    This is precisely why security products should be open sourced. The fact that RSA was compromised and some data (potentially algorithms) on the RSA SecurID was obtained nullifies any F.U.D. that open source is less secure. If these algorithms had been out in the open, there would be no reason to panic because the development community would have access to the very source code and vulnerabilities addressed rapidly. Now the intruders have the keys to the castle and the only entity that can address the ensuing vulnerability is EMC.

    1. Re:Argument by neonsignal · · Score: 2

      While I agree with your argument that scrutiny of algorithms leads to better security, the issue here is that private seeds may have been obtained by those who broke into the systems. Even in an open source security scenario, there still has to be private information (such as the private keys used for signing).
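
      The two comments above (the Anonymous Coward's "Re:Crap, crap, crap" and this reply) make the same point: a time-synchronised token is an algorithm plus a per-token secret seed, and knowing the algorithm alone does not let you produce valid codes. The following is an added example, not code from either poster, from RSA or from Slashdot. SecurID's own algorithm is proprietary and is not TOTP, so the public HOTP/TOTP construction (RFC 4226 / RFC 6238) stands in for it; the seed and timestamps are the RFC 6238 test vectors, and the "wrong seed" an attacker might guess is constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (T // step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify(secret: bytes, code: str, unix_time: int, step: int = 30, digits: int = 6,
           window: int = 1) -> bool:
    """Server-side check. Tolerates +/- `window` steps of clock drift between token and
    server, and compares in constant time so a wrong guess leaks nothing via timing."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


# Public test vectors from RFC 6238 (SHA-1, 8 digits, 30 s step). The seed is NOT secret
# here precisely because it is a published test vector.
RFC6238_SEED = b"12345678901234567890"
RFC6238_VECTORS = {
    59: "94287082",
    1111111109: "07081804",
    1111111111: "14050471",
    1234567890: "89005924",
    2000000000: "69279037",
    20000000000: "65353130",
}


def check_rfc_vectors() -> bool:
    """True if this implementation of the public algorithm matches the RFC's expected codes."""
    return all(totp(RFC6238_SEED, t, digits=8) == v for t, v in RFC6238_VECTORS.items())


def attacker_guess_matches(real_seed: bytes, guessed_seed: bytes, unix_time: int,
                           digits: int = 8) -> bool:
    """The thread's scenario: the attacker has the algorithm (this file) and the exact time,
    but not the per-token seed. Returns whether a guessed seed yields the live code."""
    return totp(guessed_seed, unix_time, digits=digits) == totp(real_seed, unix_time, digits=digits)


if __name__ == "__main__":
    print("RFC 6238 vectors reproduce:", check_rfc_vectors())
    now = int(time.time())
    live = totp(RFC6238_SEED, now)
    print("live code:", live, "accepted:", verify(RFC6238_SEED, live, now))
    # Constructed 'wrong seed': same algorithm, same clock, different secret.
    print("attacker with algorithm but wrong seed succeeds:",
          attacker_guess_matches(RFC6238_SEED, b"constructed-wrong-seed-value", now))
```

      The design point is where the secret lives: `hotp`/`totp` are fully public, and the only input an attacker lacks is `secret`. That is also why a compromise of the seed records (the "private information" neonsignal refers to) would matter far more than a leak of the algorithm alone, and why the skew `window` in `verify` should stay small, since each extra step gives a guesser another accepted value.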

  7. Re:Can someone please... by jd · · Score: 3, Interesting

    I doubt it. The McEliece cryptosystem from 1978 is immune to attack even by quantum computers, whereas current quantum cryptography has already been broken and can be sampled without detection (if the sample rate is about the same as the noise in the system), but highly secure facilities are investing in QC, not McEliece. Why? Because nobody really cares that much, not at that level. Once you pass a certain point, people become far more vulnerable than technology, so improving the technology won't help security. All it might do is attract funding, which is why QC is so good - fully buzzword-compliant - and old tech that's superior is bad.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Re:Can someone please... by jd · · Score: 4, Funny

    I salted the popcorn and it ROT13ed.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Re:Can someone please... by iris-n · · Score: 5, Informative

    Oh come on!

    This is so wrong that I can't believe you're not malicious.

    As your own article admits, there's nothing that stops a quantum algorithm that breaks McEliece being invented tomorrow. There's not even evidence that such an algorithm is unlikely to exist. That's why McEliece is worthless and nobody pays attention to it.

    When you say QC has been broken, you're probably referring to the implementation of BB84 by IdQuantique that was broken by the Norwegian quantum hackers. They themselves say that QC is not broken: http://www.iet.ntnu.no/groups/optics/qcr/

    It was only a particular implementation that was broken, not even a particular protocol. That's because it can't be broken. Of course there is no such thing as perfect security, but BB84 (and other protocols) is based on sound principles, and we have numerous proofs (yes, mathematical proofs) of security for various scenarios.

    --
    entropy happens
  10. here's some unrequested speculation by SethJohnson · · Score: 2

    Here's a conspiracy theory:

    These attackers might have a more significant zero-day vulnerability at their disposal than the SecurID system. They might have used that to breach RSA. But with this other vulnerability available for their private use, the greatest risk is that it will be discovered by victims and rendered obsolete. Now that SecurID has been compromised in some ambiguous way, it allows the attackers to ply their original vulnerability against RSA customers with SecurID being the assumed entry-point.

    It is a theory.

    Seth

  11. Email Announcement by Ara · · Score: 2

    Here's the email RSA sent out to actual customers yesterday:

    [header removed]
    Subject: RSA, the Security Division of EMC, urges critical actions for SecurID installations

    Dear RSA SecurCare® Online Customer,

    Summary:

    We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

    Description:

    Recently EMC’s security systems identified an extremely sophisticated cyber attack in progress, targeting our RSA business unit. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

    Our investigation has revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

    We strongly urge immediate customer attention to this advisory, and we are providing immediate remediation steps for customers to take to strengthen their RSA SecurID implementations.

    Affected Products:

    The affected products are RSA SecurID implementations.

    Overall Recommendations:

    RSA strongly urges customers to follow both these overall recommendations and the recommendations available in the best practices guides linked to this note.

    * We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
    * We recommend customers enforce strong password and pin policies.
    * We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
    * We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
    * We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
    * We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
    * We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
    * We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
    * We recommend customers update their security products and the operating systems hosting them with the latest patches.

    For RSA product-specific recommendations, please follow the links below to the Security Best Practices Guides for each product. If you are unable to access the files via RSA SecurCare, please contact support at:
    [removed]