
RSA Hacked, SecurID a Little Less Secure Now

Source: Tom's Guide US

Hacked, but not compromised.

Many corporations rely on RSA's SecurID as part of their data security solutions. Even the U.S. Department of Defense uses EMC's RSA SecurID technology.

In a somewhat frightening development, EMC has revealed that it has been hacked. Those using the RSA authentication technology need not go into a full panic just yet, as EMC does not believe that the stolen information, by itself, opens a direct attack path against SecurID customers.

Art Coviello, Executive Chairman of RSA, wrote in an open letter to customers:

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Read his full letter here.

Comments

kewlx 03/19/2011 10:25 PM

What's SecurID?

nforce4max 03/19/2011 10:35 PM

Security is almost always an illusion of safety.

dogman_1234 03/20/2011 12:14 PM

The net is never safe...ask a hacker.

decolingo 03/20/2011 12:16 PM

SecurID is a time-based one-time password authentication technology that's been in use for well over a decade. You carry a device which provides a continuously changing code (often displayed onscreen). You add a PIN number to this (a step handled in different ways), and then type the result into a webpage, VPN login, etc. A server running an algorithm within the target for access evaluates your entry, and decides if it's valid. If it is, you're in.

It's "two factor", because you need the token and your PIN. These OTP (one-time-password) technologies are pretty good, but most have flaws (SecurID is not the best, technically), and all pale in comparison with PKI authentication.
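An added example, not from the article or from RSA: a time-based tokencode generator and a PIN-plus-tokencode verifier in the style the post above describes. It assumes an RFC 6238-style HMAC construction as a stand-in for RSA's proprietary SecurID algorithm, and shows why a leaked seed, the scenario the article raises, leaves the PIN and the server's lockout as the remaining defences.

```python
import hashlib
import hmac
import struct
import time
# Constructed example: an RFC 6238-style HMAC time-based code standing in for
# the token (RSA's real SecurID algorithm is proprietary and differs), plus a
# server that checks PIN + tokencode and locks the account after failures.
STEP = 60       # the code rotates about once a minute, like a SecurID fob
DIGITS = 6
WINDOW = 1      # also accept the adjacent time step to tolerate clock drift

def tokencode(seed: bytes, t: int) -> str:
    """The 6-digit code the token would display at UNIX time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class AuthServer:
    def __init__(self, users, max_failures=3):
        self.users = users                      # user -> (seed, pin)
        self.failures = {u: 0 for u in users}
        self.max_failures = max_failures

    def verify(self, user, passcode, now=None):
        """passcode is PIN followed by tokencode; True only if both match."""
        now = int(time.time()) if now is None else now
        if self.failures[user] >= self.max_failures:
            return False                        # locked out: stops PIN guessing
        seed, pin = self.users[user]
        ok = False
        for k in range(-WINDOW, WINDOW + 1):
            expected = pin + tokencode(seed, now + k * STEP)
            ok |= hmac.compare_digest(expected, passcode)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok

def seed_leak_demo(now=1_300_000_000):
    """Seed known to an attacker (the breach scenario), PIN still unknown."""
    seed, pin = b"constructed-seed-0001", "4829"   # constructed values
    srv = AuthServer({"alice": (seed, pin)})
    legit = srv.verify("alice", pin + tokencode(seed, now), now)
    # With the seed, the attacker computes the right tokencode and only has
    # to guess the PIN; the lockout makes even the correct 4th guess fail.
    guesses = [srv.verify("alice", g + tokencode(seed, now), now)
               for g in ("0000", "1234", "9999", pin)]
    return legit, guesses
```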

kcorp2003 03/20/2011 2:52 AM

It's an inside job. Someone with in-depth knowledge of the security design. Our CIA doesn't use this; it's not leet enough.

ErikO 03/20/2011 3:54 AM

SSL was cracked some years ago. And we still use that too.

I don't see this as a big problem, really.

I know a CFO using this technology, and there is no way anyone but the person who gave him his password is aware of it, so it's still a 'two part' process, like the other poster said.

flachet 03/20/2011 4:06 AM

So a company that specializes in security got the crap hacked out of them and no one noticed until after it was done? Tell me again why anyone uses a product from this company? If I were using RSA in my company, they could expect to get their crap back.

STravis 03/20/2011 4:23 AM

ErikO :
SSL was cracked some years ago.

Really? Do tell.

JD13 03/20/2011 5:02 AM

This is what they want you to believe.... Do you want to take the red pill or the Blue pill Neo?

Wish I Was Wealthy 03/20/2011 8:35 AM

Well at least they own up to vital information being stolen from them...

Wish I Was Wealthy 03/20/2011 8:37 AM

I just wonder how bad this problem will be in the future for all users that will rely on this technology...

proton9 03/20/2011 11:41 AM

Nothing's secure in the 21st century!

mayankleoboy1 03/20/2011 1:40 PM

JD13 :
This is what they want you to believe.... Do you want to take the red pill or the Blue pill Neo?

the blue?

jsc 03/20/2011 6:12 PM

My company uses SecurID to get into the VPN. After that, you need a regularly expiring, strong password to go anywhere.

decolingo 03/20/2011 10:26 PM

STravis :
Really? Do tell.

I agree with your tone in responding -- trouble is, people say "cracked" like it means it's totally broken. In truth, there are many levels of "cracking" for even simple systems.

In the case of SSL, there are various "cracks", the most interesting of which was the protocol's lack of robustness in communicating algorithm selection during key agreement. This could lead to a man-in-the-middle attack. So, "crack" == "could lead".

In truth, for most of the value that SSL protects, there are typically easier ways to get in. SSL isn't (and wasn't) perfect, but it's far from the weakest link.

rusabus 03/21/2011 8:31 AM

STravis :
Really? Do tell.

Some root certificate authorities still use MD5 hashes to sign their certificates. MD5 has a weakness that has been known for about 15 years, but which was only really publicly exploited in 2005 (and more impressively in 2008). Basically, it is possible that two documents with different content could have the same MD5 hash.

Using that weakness, some researchers purchased several thousand dollars worth of regular SSL certificates from a public certificate authority. They then used a bunch of PS3s to generate an intermediate certificate authority certificate with the same MD5 hash as one of the certificates they had purchased. Because the MD5 hash for their regular SSL cert matched their intermediate CA certificate, they were able to use it to sign their intermediate CA certificate. This gave them the ability to generate and sign other SSL certificates. They have released their research to the public, and most certificate authorities don't use MD5 hashes any more, but the SHA1 hash that most of them use now is also vulnerable to collisions (although to my knowledge, an exploit of SHA1 has never been demonstrated).

Anyway, with the above methods, anyone with about $50,000 could purchase enough computing power to generate an MD5-signed CA certificate and perform a man-in-the-middle attack on any website without the end-user knowing that anything was happening. I don't have $50,000, but I can think of plenty of people/organizations that do . . .

Parrdacc 03/21/2011 2:00 PM

Damn the ads

eddieroolz 03/22/2011 7:40 AM

It might be cracked, but I still think fully breaking it will be unfeasible for a number of years.