5.29.2011

they know kung foo

Like many companies, my employer makes use of RSA SecurID tokens as part of its security system, so when RSA (one of the world's largest encryption software vendors) got hacked earlier this year I paid attention.  And laughed a little, I mean c'mon, really?

A few days later a memo was circulated around the office reminding all of us cube monkeys to be wary of anyone seeking information about our tokens and describing some enhancements to our security.  Based on that and RSA's public statement I, like some others, surmised that by finding out the serial numbers of tokens in use the hackers might be able to work out all the one-time passwords those tokens would generate, without needing access to the token itself.
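An added example, not from the original post: RSA's SecurID algorithm is proprietary and is not reproduced here, so this uses the open RFC 4226/6238 HOTP/TOTP construction as a stand-in to show why a leaked serial-to-seed mapping matters. The token and the verifier share nothing but the seed, so the displayed code is a pure function of seed and time, and the only controls left on the verifier side are the drift window and a lockout on repeated failures. The serial number is constructed and the seed is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)

# Constructed seed records (serial -> seed) as the verifier stores them. This mapping is the
# whole secret: the token's display depends only on seed and time, so anyone holding the
# record can compute every code the token will ever show. The seed is the RFC 4226 test key.
SEED_DB = {"000123456789": b"12345678901234567890"}

# Constructed lockout state: consecutive failures per serial, the "lock on X invalid attempts"
# control that limits online guessing when the seed itself is still secret.
FAILURES: dict = {}
MAX_FAILURES = 5

def verify(serial: str, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Verifier-side check: accept +/- `window` time steps of clock drift, refuse locked serials."""
    seed = SEED_DB.get(serial)
    if seed is None or FAILURES.get(serial, 0) >= MAX_FAILURES:
        return False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue  # pack(">Q") rejects negative counters; no code exists before the epoch
        if hmac.compare_digest(totp(seed, t, step), submitted):
            FAILURES[serial] = 0
            return True
    FAILURES[serial] = FAILURES.get(serial, 0) + 1
    return False

def reset_lockout(serial: str) -> None:
    """Helpdesk-style unlock after the user has been re-verified out of band."""
    FAILURES.pop(serial, None)

if __name__ == "__main__":
    now = 59  # RFC 6238 test instant: time step 1, expected code 287082
    print("token shows", totp(SEED_DB["000123456789"], now))
    print("accepted:", verify("000123456789", "287082", now))
```

Re-seeding the tokens (replacing SEED_DB entries) is the only remedy once the mapping has leaked; the drift window and lockout do nothing against someone who can compute the current code directly.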

According to a couple of reports (and unfortunately for Lockheed Martin) it seems that guess was correct.

Whoever grabbed the RSA data used it, and likely quite a bit of other dark wizardry, to penetrate the networks of one of the most sophisticated technology and aerospace government contractors operating today. Of course, Lockheed says that "our systems remain secure; no customer, program or employee personal data has been compromised".  But then again, RSA said "we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers" after their breach.

As of about 20 minutes ago, when I logged on to review the memo I mentioned, my token was still working fine, but I expect that to stop any moment now.  Good thing too, it's pretty beat up.  The serial number has rubbed right off, so I guess I'm safer than most.

Interesting times indeed.

2 comments:

Dave Garbe said...

All the security in the world won't stop a user from clicking something they shouldn't, bringing a CD in or sticking an infected USB key in.

We saw earlier this year the case of the nuclear plants that got infected from a USB key: some invisible virus that eventually found its way into servers it was engineered to target.

Plus, we're now seeing quantum computing hit (seems like the week for Lockheed), which in theory means every possible password solution can be tried at once, though in the field I would imagine normal security procedures like "lock account on X invalid attempts" would still work.

It seems like right now what everyone using SecurID needs is a hardware firewall I saw once at FutureShop that promised to block every single port.

Unknown said...

The truth, she comes out :)

http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars