Skip to main content

RSA Hacked, SecurID a Little Less Secure Now

Many corporations rely on RSA's SecurID as part of its data security solution. Even the U.S. Department of Defense uses EMC's RSA SecurID technology.

In a somewhat frightening development, EMC has revealed that it's been hacked. Those using the RSA authentication technology need not go into a full panic just yet, as EMC doesn't believe that the information stolen creates a full hole.

Art Coviello, Executive Chairman of RSA, wrote in an open letter to customers:

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations. We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Read his full letter here.

  • kewlx
    whats secure ID ?
  • nforce4max
    Security is almost always an illusion of safety.
  • dogman_1234
    The net is never safe...ask a hacker.
  • decolingo
    SecurID is a time-based one-time password authentication technology that's been in use for well over a decade. You carry a device which provides a continuosly changing code (often displayed onscreen). You add a PIN number to this (a step handled in adifferent ways), and then type the result into a webpage, VPN login, etc. A server running an algorithm within the target for access evaluates your entry, and decides if it's valid. If it is, you're in.

    It's "two factor", because you need the token and your PIN. These OTP (one-time-password) technologies are pretty good, but most have flaws (SecurID is not the best, technically), and all pale in comparison with PKI authentication.
  • kcorp2003
    It's an inside job. Someone with in-depth knowledge of the security design. our CIA doesn't use this, its not leet enough.
  • eriko
    SSL was cracked some years ago. And we still use that too.

    I don't see this as a big problem, really.

    I know a CFO using this technology, and there is no way anyone but the person who gave him his password is aware of it, so its still a 'two part' process, like the other poster said.
  • flachet
    So a company that specializes in security got the crap hacked out of them and no one noticed until after it was done? Tell me again why anyone uses a product from this company? If I were using RSA in my company, they could expect to get their crap back.
  • STravis
    ErikOSSL was cracked some years ago.
    Really? Do tell.
  • JD13
    This is what they want you to believe.... Do you want to take the red pill or the Blue pill Neo?
  • Wish I Was Wealthy
    Well at least they own up to vital information being stolen from them...