Slashdot Mirror


RSA's Servers Hacked

Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds "With all the hype that's sure to explode over this one, we decided to do a quick write-up to separate fact from speculation."

14 of 172 comments

  1. Ouch by the+linux+geek · · Score: 3, Insightful

    These guys aren't like HBGary - RSA basically invented huge portions of modern cryptography. I'm interested in seeing the specifics on how this happened.

    1. Re:Ouch by dAzED1 · · Score: 4, Funny

      likely a soft hack. Insider, or simply seducing an engineer with a cute girl.

    2. Re:Ouch by dfcamara · · Score: 3, Insightful

      Hacking systems very rarely involves breaking cryptography. It's bad reputation for their sys admins but not so for their cryptography experts.

    3. Re:Ouch by russotto · · Score: 5, Funny

      OK, well we're talking about crypto engineers, so only the 'girl' condition is essential, not the 'cute' condition.

      It's also essential she not call herself "Eve". The crypto guys catch onto that one immediately.

    4. Re:Ouch by hey! · · Score: 5, Funny

      It's also essential she not call herself "Eve". The crypto guys catch onto that one immediately.

      She fooled them by spelling her nick backwards.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

  2. Crap, crap, crap by pedantic+bore · · Score: 3, Funny

    I can imagine how this is going to play out when the IT folks at my company find out about this. They'll panic, revoke all the SecurID cards, and then no more working from home until something much more complicated, unreliable, and probably requiring Windows 7 is found to replace it.

    Crap!

    --
    Am I part of the core demographic for Swedish Fish?

    1. Re:Crap, crap, crap by Anonymous Coward · · Score: 5, Informative

      Are you talking about SecurID smartcards? If so then the hackers wouldn't have any advantage against those. Those use standard PKI and the private key is protected in hardware on each person's specific card.

      What got stolen was the code used in those SecurID tokens. You know, those key-fob things that stay in sync based on time and generate a new token every x seconds. However, even if the hackers got the algorithms for how that works, it still wouldn't help them, because the algorithm again uses a set of private data (keys) for each installation. The hackers would have to get that data along with the algorithm they presumably have now.

      In short, this probably means that security will be unaffected. The only difference is now some people know exactly how the time based key fobs work. Which you could figure out anyway if you disassembled the RSA server software. Pretty much what RSA said.
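      The point the comment above makes (a public algorithm is harmless without the per-token secret seed) can be shown with a time-synchronized one-time-password generator. The following is an added example, not code from the post or from RSA; SecurID's own proprietary algorithm is not reproduced here. It uses the public RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second time counter) as a stand-in for "a token that changes every x seconds", and the seed values are the published RFC test vector plus a constructed one. The verifier includes the clock-drift window and constant-time comparison a server-side check needs.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(seed, int(unix_time) // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept codes from +/- `window` time steps to tolerate
    clock drift, and compare in constant time so a wrong guess leaks no timing."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta, digits), candidate):
            return True
    return False


# Published RFC 6238 test seed (ASCII "12345678901234567890") and a constructed second seed.
RFC_SEED = b"12345678901234567890"
OTHER_SEED = b"constructed-seed-for-another-token"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; both seeds run through the identical, public algorithm
    print("rfc seed  ->", totp(RFC_SEED, t))        # 287082 (RFC vector, 6 digits)
    print("other seed ->", totp(OTHER_SEED, t))     # same code path, different secret, different code
    print("accept within drift window:", verify_totp(RFC_SEED, "287082", 65))
    print("reject outside window:", verify_totp(RFC_SEED, "287082", 95))
```

      Knowing `hotp`/`totp` line for line tells an attacker nothing about a given fob's output: every code is a function of that fob's seed, which is why the comment's "they'd need the per-installation keys too" is the right framing, and why seed records, not the algorithm, are the asset to protect.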

    2. Re:Crap, crap, crap by Shikaku · · Score: 4, Insightful

      Explain that to his manager.

      I'll bet $1337 that GP's scenario will occur anyway.

    3. Re:Crap, crap, crap by jd · · Score: 3, Funny

      Explanations are futile. The CEOs have already been assimilated.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  3. time for new laws! by swell · · Score: 3, Insightful

    This is just the opening that lawmakers need to promote panic and obliterate resistance to their 'protective legislation', which will surely be filled with special interest items buried in legalese.

    --
    ...omphaloskepsis often...

  4. Good non hype link, now do that for more stories by Drakino · · Score: 5, Interesting

    Would be nice if more stories here included a non hyped, rational explanation of the situation. Definitely appreciated the writeup from securosis.

    The recent Android browser vs iOS browser test could have used one, since the test was flawed, and there is a rational explanation for the difference between Mobile Safari and 3rd party apps tapping WebKit.

    Same for all the hyped stories out of Japan causing people to run for iodine tablets on the west coast of the US.

    In general I've become so skeptical of anything these days due to the echo chamber of the internet bouncing around hyped, panicked stories with no followup.

  5. Re:Can someone please... by jd · · Score: 3, Interesting

    I doubt it. The McEliece cryptosystem from 1978 is immune to attack even by quantum computers, whereas current quantum cryptography has already been broken and can be sampled without detection (if the sample rate is about the same as the noise in the system), but highly secure facilities are investing in QC, not McEliece. Why? Because nobody really cares that much, not at that level. Once you pass a certain point, people become far more vulnerable than technology, so improving the technology won't help security. All it might do is attract funding, which is why QC is so good - fully buzzword-compliant - and old tech that's superior is bad.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  6. Re:Can someone please... by jd · · Score: 4, Funny

    I salted the popcorn and it ROT13ed.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  7. Re:Can someone please... by iris-n · · Score: 5, Informative

    Oh come on!

    This is so wrong that I can't believe you're not malicious.

    As your own article admits, there's nothing that stops a quantum algorithm that breaks McEliece being invented tomorrow. There's not even evidence that such an algorithm is unlikely to exist. That's why McEliece is worthless and nobody pays attention to it.

    When you say QC has been broken, you're probably referring to the implementation of BB84 by IdQuantique that was broken by the Norwegian quantum hackers. They themselves say that QC is not broken: http://www.iet.ntnu.no/groups/optics/qcr/

    It was only a particular implementation that was broken, not even a particular protocol. That's because it can't be broken. Of course there is not such a thing as perfect security, but BB84 (and other protocols) is based on sound principles, and we have numerous proofs (yes, mathematical proofs) of security for various scenarios.

    --
    entropy happens
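The disagreement in the two comments above (whether an eavesdropper can "sample without detection" versus the protocol's error-rate check) comes down to one number, the quantum bit error rate on the sifted key. The following is an added example, not code from either poster: a classical simulation of ideal BB84 in which the channel is noiseless unless told otherwise, Eve (when present) does a textbook intercept-and-resend on a chosen fraction of photons, and the parties abort if the measured error rate exceeds a threshold. The 11% threshold is an assumed value taken from common BB84 security analyses, and the random seeds are constructed for repeatability; real detector and channel behaviour is not modelled.

```python
import random

# Assumed abort threshold on the sifted-key error rate (typical in BB84 analyses).
DETECTION_THRESHOLD = 0.11


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Ideal qubit measurement: same basis reproduces the bit, wrong basis is a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84_run(n: int, rng: random.Random, intercept_fraction: float = 0.0,
             channel_noise: float = 0.0):
    """Simulate one BB84 exchange of n photons.

    Returns (alice_key, bob_key, qber): the sifted keys each side holds and the
    error rate Alice and Bob would measure by publicly comparing a sample.
    """
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.randint(0, 1) for _ in range(n)]   # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.randint(0, 1) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if rng.random() < intercept_fraction:
            # Eve measures in a guessed basis and resends what she saw, in her basis.
            eve_basis = rng.randint(0, 1)
            state_bit = measure(state_bit, state_basis, eve_basis, rng)
            state_basis = eve_basis
        received = measure(state_bit, state_basis, b_basis, rng)
        if rng.random() < channel_noise:      # optional honest-channel bit flip
            received ^= 1
        bob_bits.append(received)

    # Sifting: bases are compared over the public channel; keep only matching positions.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    alice_key = [a for a, _ in sifted]
    bob_key = [b for _, b in sifted]
    errors = sum(a != b for a, b in sifted)
    qber = errors / len(sifted) if sifted else 0.0
    return alice_key, bob_key, qber


def session_accepted(qber: float, threshold: float = DETECTION_THRESHOLD) -> bool:
    """Error-rate check: abort (return False) when the QBER exceeds the threshold."""
    return qber <= threshold


if __name__ == "__main__":
    _, _, clean = bb84_run(2000, random.Random(1))
    _, _, tapped = bb84_run(2000, random.Random(2), intercept_fraction=1.0)
    _, _, noisy_partial = bb84_run(2000, random.Random(3), intercept_fraction=0.2,
                                   channel_noise=0.03)
    for label, q in (("no Eve", clean), ("full intercept", tapped),
                     ("20% intercept + 3% noise", noisy_partial)):
        print(f"{label:28s} QBER={q:.3f} accepted={session_accepted(q)}")
```

Full intercept-and-resend pushes the sifted-key error rate to about 25%, far above any sane threshold, which is the mechanism iris-n is pointing at. The third run illustrates jd's caveat in defensive terms: a partial tap that adds only a few percent on top of channel noise stays under the threshold, so a deployment cannot treat "QBER below 11%" as "no leakage"; the protocol's security proofs handle this by assuming every error is Eve's and shrinking the key accordingly (privacy amplification), not by assuming detection of every intercepted photon.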