Slashdot Mirror

← Back to Stories (view on slashdot.org)

RSA Admits SecurID Tokens Have Been Compromised

Posted by CmdrTaco on Tuesday June 7, 2011 @12:48AM from the hey-i-have-one-of-those dept.

A few months ago, RSA Servers were hacked, and a few weeks ago Duped tokens were used to hack Lockheed-Martin. Well today Orome1 writes "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman — one of them confirmed by the company, others hinted at by internal warnings and unusual domain name and password reset process."

1 of 219 comments (clear)

Min score:

Reason:

Sort:

Re:Dear Customers... by PIBM · 2011-06-07 02:18 · Score: 4, Informative

I remembered reading about this, and the failure mode were quite important to me. Let me quote wikipedia on this:
Section 4.1.1 of the specification describes additional attacks that may require mitigation, such as differential power analysis. If a product contains countermeasures against these attacks, they must be documented and tested, but protections are not required to achieve a given level. Thus, a criticism of FIPS 140-2 is that the standard gives a false sense of security at Levels 2 and above because the standard implies that modules will be tamper-evident and/or tamper-resistant, yet modules are permitted to have side channel vulnerabilities that allow simple extraction of keys.