RSA Chief: Last Year's Breach Has Silver Lining

alphadogg writes "Last year's industry-shaking RSA Security breach has resulted in customers' CEOs and CIOs engaging much more closely with the vendor to improve their organizations' security, according to the head of RSA. Discussing the details of the attack that compromised its SecurID tokens has made RSA sought after by companies that want to prevent something similar from happening to them, Executive Chairman Art Coviello said in an interview with Network World. 'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been engaged with customers at a strategic level as never before,' Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used, what was effective and what was not.'"

And you know the fire that burned down your house?

The good news is that you're now engaging more closely with the fire department and your insurance agent.

Incredible

It's really quite incredible to me how little attention this got and how RSA has emerged unscathed from this disaster.
 

Re:Incredible

[kestasjk]

If what I think happened happened.. did I really not read about it until now?

Re:Incredible

Maybe you were following Libya or something at the time because it was well reported, particularly the resulting Lockheed Martin breech. (Well reported in tech circles that is, no not Google circles)

Re:Silver Lininig for their Bottom Line

Tokens were replaced for free...but don't let the facts get in the way of a good story!

And did they answer?

[marcosdumay]

Everybody knows that their customers want to know such things because they asked in a quite vocal maner just after the troubles, and werre simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not teling if they gave any answer. Quite funny what some spin can create.

Anyway, why should anybody buy a product from RSA anymore?

Re:And did they answer?

[LifesABeach]

Is it spin? Or smoke?

Re:And did they answer?

RSA appeals to morons who what a scapegoat in case things go wrong. RSAs damage control team comes in and masturbates the morons masters and woo them with sweet words and larger promises who then sell bigger contracts at a substantial discount.

Never buy from these cretins again based on how they handled this breach.

Re:And did they answer?

[TemporalBeing]

Everybody knows that their customers want to know such things because they asked in a quite vocal maner just after the troubles, and werre simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not teling if they gave any answer. Quite funny what some spin can create.

Anyway, why should anybody buy a product from RSA anymore?

It's not so much if they are secure, but how did they detect the breach, etc. That is some very important information for a lot of people - even people that don't use RSA products - as it can help detect or prevent security issues elsewhere. It's kind of like saying, "Your system had a Monkey B virus; what did you do to detect and remove it?"

Re:And did they answer?

[Juser]

They blew us off. We had been (what we thought as) high profile customers ever since it was Security Dynamics (15 years?) and RSA took FOREVER to tell us if soft tokens were impacted. After reading Coviello's response. I'm glad we moved to another solution.

Re:And did they answer?

[marcosdumay]

Changing "people are mad at us, and won't trust us unless we evidence that we changed" into "see? People care about us" well... Could get any name you want :)

its amazing what publicity

[v1]

you can get out of a bit of damage control

Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes. You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.

This is just their P.R. people clawing for some way to put a little positive spin on their blunder.

Re:its amazing what publicity

[vlm]

You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.

Actually you pay them because its faster / better / cheaper than doing it yourself, not because they are perfect. If 50% of the population is below the median, they only have to achieve a 50% median solution to capture about 50% of the market. The actual percentages are probably much higher, regardless they certainly don't have to be 100% perfect to make money.

The other reason you pay money is to have someone else to blame for the inevitable headaches. As long as your boss yells at them for an outsourced solution instead of you for an insourced solution, that was money well spent.

Re:its amazing what publicity

[vlm]

Whoops third reason is lemming like behavior. If your biggest competitor gets his complete stored credit card and customer list posted on the pirate bay as a torrent, or maybe on wikileaks, you can guarantee your boss is going to want a detailed explanation of why your data is not posted there too, isn't our company at least as good as the competitions?

So it doesn't matter, if you're lemming like boss wants to be just like X and X buys secureid, well guess what you're doing next week?

Re:its amazing what publicity

[swillden]

Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes.

Especially when the "unrefined" processes were mind-bogglingly stupid and betrayed such utter incompetence.

There's no way the RSA token master keys should have been stored in anything other than a FIPS 140-2 level 4 (or 3, but that would be mildly lame) host security module, with tight logical and physical access controls.

Sounds like spin!

[lophophore]

We had our technology stolen, because we can't secure our own network, our customers suffered intrusions as a result... and this is a good thing!

This guy should be the White House Press Secretary!

Re:Sounds like spin!

It's both spin and truth. Just in case you have never fucked up anything before (what are you, 3 days old?), let me tell you how fucking up works for me:

1. You fuck up
2. You bear the cost of that fuckup
3. IF you survived, that cost is now in the past, and you quit dwelling on it. ;-) Or to phrase that another way: once things can't possibly get any worse, everything that happens is good.
4. You learn. You probably won't fuck up in the same way, ever again.

Of course if you look at the overall net gain, it's negative. If you look at just the last step, though, you've come a long way.

Re:Sounds like spin!

[AngryNick]

RSA is now an EMC company...the kings of spin and purveyors of BS.

Slight bit different. The fire dept burned down.

[khasim]

And since the fire department burned to the ground, more home owners are contacting the fire department to help with their home fire defense.

What the? Does that make any sense to anyone?

... Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used,

Ah, that makes sense now.

Not "dude, u r teh awesome!!! How can I get some of that awesome for myself?"

More like "dude, where were your fire extinguishers? Smoke detectors? What model were they? Did they give ANY alarm? HOW THE HELL DID YOU LET YOUR FIRE DEPARTMENT BURN DOWN? And is there any way to tell if I am in danger?"

FTFY

[CanHasDIY]

'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been getting phone-raped by customers... as never before,' Coviello says, 'and they want to know in detail what the fuck happened, how we fucked up so badly, how the fuck we're going to fix it, and why the fuck they should still be our 'customers'."

The really awesome part...

[Chibi+Merrow]

Is that the worthless corporate scumbags who own the company I work for (and force us to use RSA keyfobs) thought very hard about what to do about this spectacular failure on RSA's part, and came up with this solution: Get new keyfobs from RSA!

RSA's only job was to be trustworthy. None of their technology is a trade secret, and once they produce the fobs there's no need to interact with RSA whatsoever. There IS NO technology to steal on their networks.

And yet they kept the keys. The only purpose served by keeping those keys is allowing someone to decrypt their customers encrypted traffic. The keys are completely unnecessary for any other reason once the fobs have been made. If they're doing their job right, it wouldn't matter if terrorists came in and held a gun to the CEO's head, nevermind if their network was secure. The key fobs do not depend on them in any way to function once they're produced.

Their only job was to be trustworthy, and they have failed spectacularly.

So I'm expecting raises and bonuses all around for the execs, while a couple worker drones (who probably questioned keeping the keys in the first place) get axed. SNAFU.

Re:The really awesome part...

[hedwards]

Well, better than changing companies that new company might not be trustworthy.

Re:The really awesome part...

The keys arent used to decrypt network traffic - they're used as a seed for the RSA algoritm to generate the one time passwords http://seclists.org/bugtraq/2000/Dec/459

Re:The really awesome part...

Still, why does RSA need a copy of the keys?

Re:The really awesome part...

[c0mpliant]

The only purpose served by keeping those keys is allowing someone to decrypt their customers encrypted traffic

Ahem, don't know how to burst your buble, but RSA Tokens do not "encrypt" your traffic, it is a form of Two Factor Authentication(2FA). There is a big difference between the two.

Also if you are using the tokens properly, you will not just be using what is on display on the token, but also PIN number that is combined with whats on display.

As for why they kept the seeds, I don't know, but if you have your network properly secure, the compromise of the seeds does not instantly make your 2FA redundant. Yes you are instantly more vunerable to social engineering attacks. So even if "terrorists" put a gun to the CEO's head (which is such a typical cop out to any situation) they could only get the seed which unlocks only one part of the token passcode.

Re:The really awesome part...

[MeGotLotsaDots]

Funny how people gravitate to sinister motives and conspiracy theories. Has any stopped and thought about all the companies that don't even have a process to backup seed records? What happens when they lose that CDROM or whatever the records are held on? I bet they call RSA to give them a copy of the records. If RSA tossed the records, then anytime a customer loses the records they end up with a useless pile of fobs.

Re:The really awesome part...

[Chibi+Merrow]

Ahem, don't know how to burst your buble, but RSA Tokens do not "encrypt" your traffic, it is a form of Two Factor Authentication(2FA).

You're not bursting my bubble. I'm well aware that they're for two-factor authentication. However, we happened to use that for a VPN login. :)

Re:The really awesome part...

[Chibi+Merrow]

Yes, because it would be much worse to KNOW you had a bunch of useless fobs as opposed to NOT knowing you had a bunch of useless fobs because the company kept the keys without telling you and someone stole them. :)

bs

[snero3]

That's BS. We tried on a number of different occasions to speak to them and they weren't having a bar of it. This story is just marketing spin

Re:Slight bit different. The fire dept burned down

[LifesABeach]

And in a unrelated news event, The farmer has started communicating to neighboring farm's about closing the barn doors after the live stock in the barn had left.

Re:Silver Lininig for their Bottom Line

[Lumpy]

Paypal did not replace tokens for free. I'm still running with my old token as they have not responded with my question as to when they will be replacing it.

Re:Silver Lininig for their Bottom Line

well, I still have the same token I had at least 6 month before the breach

I have to call it ...

[DaMattster]

This is a load of crap. If anything, I think the entire RSA incident should serve as an impetus to look for open source, community supported solutions. Security through obscurity works only in government, CIA stuff.

Re:I have to call it ...

The algorithm used by the RSA fobs is well known, or just use OATH and RFC 6238.

Re:Silver Lininig for their Bottom Line

[msauve]

Paypal doesn't use RSA tokens. They use ones from Symantec (which they bought from Verisign).

Re:And you know the fire that burned down your hou

[hedwards]

I was just thinking something along those lines. The silver lining in being mugged is knowing how to report a mugging. Doesn't really sound particularly helpful and definitely not helpful enough to justify being mugged. And unless you're new to the country you should already know how to report the crime.

Likewise, all those RSA officers ought to be terminated for incompetence. It doesn't take somebody with credentials to realize that it was going to happen eventually. Making somebody physically take a disc or registration data to a machine that creates the certs and a disc back and they would have been in the clear from that attack. It's not that expensive to do that.

Re:Silver Lininig for their Bottom Line

While they may have been free, RSA didn't offer to pay for the cost of actually doing the replacement down to the end user level. Distribution, setting PIN, etc. is a major project. I know I still have my same old token. Our company security analysts reviewed the risk with the business and they decided the cost to do the replacement was not justified by the small risk.

News Flash

Incredibly disgraced security company's chief PR person proudly tells media that Titanic sinking was good for business in an attempt to save company. "More and more passengers are sailing with us because they want to learn how the Titanic sank."

Re:And you know the fire that burned down your hou

I crapped in my pants. But the good news is I know that there were peas in my burger.

Backdoor

It seems to me that the breach at RSA exposed a back door in their implementation.

"Coviello says they want to know..."

[John+Hasler]

...why they should continue doing business with RSA.

"And you know the fire that burned out your car?"

There, fixed that for you.

Wait, not a lesson in Single Points of Failure?!

[VortexCortex]

RSA seeds the tokens. They keep the database of token seeds. You can't seed your tokens yourself.

This means you put your trust in RSA, not only that they won't give you defective tokens, but also that they will never have a security breach that compromises your keys.

This is why I use Yubikey. I still have to trust the manufacturers' QA team and technology, but I also get to run my own authentication servers, and SEED MY OWN DAMN KEYS. Such that WE control our security; There is no single central point of failure, like there was/is in RSA's case.

This shit isn't rocket surgery folks: HERE AT RSA WE MAKE YOU PUT ALL YOUR EGGS IN ONE BASKET WITH EVERYONE ELSE'S. WHAT CAN POSSIBLY GO WRONG!?!

I'm not a paid spokesperson for Yubico, but I am outraged that people refuse to use superior products with better security than that moronically designed clusterfsck of a security model that RSA is selling. It's like no one has even tried to look for something better, even after being burned.

I warned my company of this eventuality, and we stopped using RSA. When the RSA breach happened I made popcorn and watched their "security theater" burn. Since the victims have learned nothing I keenly await the sequel.

Re:"And you know the fire that burned out your car

The car was in the garage.

Cash-in

Sounds like RSA made a bunch of cash from professional services as a result of their own incompetence.

Re:Wait, not a lesson in Single Points of Failure?

[MeGotLotsaDots]

Funny how the mindset is that if we simply controlled/hosted the software/authenticator, we'd be secure. Keep in mind the average company is not very secure, and whether they use Yubikey or whatever, the attacker just has to hack the authentication server and they can generate however many Yubikey passwords they want. So there is still a single point of failure, and now it's the complete responsibility of the customer's IT dept.

Some people use a safe deposit box at the bank because they trust that the bank will keep stuff safer than they can. It's a personal decision. Neither is better or worse, smarter or dumber.

RSA security posture: work in progress

[przemekklosowski]

It's great that the RSAremote hack helped, but there's more work to do. For instance, SELinux developer Dan Walsh is struggling with RSA's PAM module for SecurID: http://danwalsh.livejournal.com/48571.html/ RSA recommends turning off enforcing mode, instead of fixing whatever the underlying problem is--not exactly the excellence you might expect from a prominent computer security outfit.

Read the blog---Walsh suspects there's more shenanigans lurking in their code.