5.29.2011

they know kung foo

Like many companies, my employer makes use of RSA SecurID tokens as part of its security system, so when RSA (one of the world's largest encryption software vendors) got hacked earlier this year I paid attention.  And laughed a little, I mean c'mon, really?

A few days later a memo was circulated around the office reminding all of us cube monkeys to be wary of anyone seeking information about our tokens and describing some enhancements to our security.  Based on that and RSA's public statement I, like some others, surmised that by finding out the serial numbers of tokens in use the hackers might be able to work out all the one-time passwords they would generate without needing access to the token itself.
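To make concrete why a leaked seed record is equivalent to holding the token, here is an added example that is not part of this post and not RSA's code. RSA's SecurID algorithm is proprietary and is not what is shown; the example stands in the open RFC 4226/6238 HOTP/TOTP construction for any seed-based one-time-password scheme. The token serial, the seed database and the timestamps are constructed values. The point it demonstrates: the code a token displays is a pure function of (seed, time), so whoever holds a copy of the seed record, keyed by serial number, computes exactly the codes the server will accept. The physical token adds nothing the seed does not already contain, which is why the seed store itself is the asset to protect and monitor.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian 64-bit counter, then
    dynamic truncation to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


# Constructed seed database keyed by token serial number. In a real
# deployment this is the record set a vendor or server keeps per token;
# the serial and seed here are invented (the seed is the RFC test-vector key).
SEED_DB = {
    "000123456789": b"12345678901234567890",
}


def token_display(serial: str, unix_time: int) -> str:
    """What the hardware token shows: it only holds the seed and a clock."""
    return totp(SEED_DB[serial], unix_time)


def server_verify(serial: str, unix_time: int, code: str, window: int = 1) -> bool:
    """Server-side check, accepting a small clock-drift window around now.
    The server cannot tell a real token from any other holder of the seed."""
    seed = SEED_DB[serial]
    base = unix_time // 30
    return any(hotp(seed, base + d) == code for d in range(-window, window + 1))


def seed_copy_matches_token(serial: str, unix_time: int) -> bool:
    """Demonstrates the leak model: a party holding only a copy of the
    seed record (no token) derives the identical code the token shows,
    and the server accepts it."""
    stolen_seed = SEED_DB[serial]          # what a seed-database leak yields
    derived = totp(stolen_seed, unix_time)  # no access to the token needed
    shown = token_display(serial, unix_time)
    return derived == shown and server_verify(serial, unix_time, derived)


if __name__ == "__main__":
    serial, now = "000123456789", 1234567890  # constructed timestamp
    print("token shows :", token_display(serial, now))
    print("seed derives:", totp(SEED_DB[serial], now))
    print("server accepts derived code:", seed_copy_matches_token(serial, now))
```

The server-side lesson is the same one the memo hints at: once seed records are suspected to be exposed, the only real remediations are re-seeding or replacing the tokens and watching for logins that present valid token codes from unexpected places, since the codes themselves will verify correctly.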

According to a couple of reports (and unfortunately for Lockheed Martin) it seems that guess was correct.

Whoever grabbed the RSA data used it, and likely quite a bit of other dark wizardry to penetrate the networks of one of the most sophisticated technology and aerospace government contractors operating today. Of course, they say that "our systems remain secure; no customer, program or employee personal data has been compromised".  But then again, RSA said "we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers" after their hack.

As of about 20 minutes ago, when I logged on to review the memo I mentioned, my token was still working fine, but I expect that to stop any moment now.  Good thing, too; it's pretty beat up.  The serial number has rubbed right off, so I guess I'm safer than most.

Interesting times indeed.