Skip to main content

RSA SecurID Information Breached


In a disclosure made by RSA today, they indicated that they have been breached by an "extremely sophisticated cyber attack" which has partially compromised the SecurID information which millions of clients use to provide strong authentication to services.

It is not yet clear what information was breached or what the impact will be to RSA customers, but for now I would suggest that people stay tuned to ensure that they take appropriate action based on what RSA and others release.

Update 1 - Found the recommendations made by RSA to customers regarding how to better protect their environments. I have added my comments on what these recommendations could mean to RSA.


• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.

This could mean that part of the RSA breach was associated with a social media application attack vector - maybe employees reusing passwords across internal and cloud-based sites?

• We recommend customers enforce strong password and pin policies.

Could mean that the data that was compromised is related to the seed and token records kept by RSA, and with less reliance on this part of the SecurID solution, that customers must make the corresponding passwords and pins used in combination with the token more robust.

• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.

Could mean that the attack vector was related to additional privileges assigned to RSA security administration staff.

• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.

Could mean that social engineering was part of the attack vector, sounds very similar to the HBGary breach here.

• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.

• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.

Could mean that users privileges were escalated as part of the attack, and that regular users were given privileges without any alerting of this fact.

• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.

Critical security software could mean the RSA intellectual information or customer information. Could also refer to the infrastructure.

• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.

Could mean that RSA staff were pre-texted, difficult to train out-sourced helpdesks.

• We recommend customers update their security products and the operating systems hosting them with the latest patches.

Could mean that the attack vector took advantage of previously known vulnerabilities with patches available but just not applied.


Hopefully we continue to hear more about the attack.

Comments

Popular posts from this blog

Consumer Benefits of Credit Card Security

Recently, new types of credit card security features have be debuted, such as this one from Visa. And as some of the comments on Bruce Schneier's blog point out, its questionable how effective this is. I want to figure out what the motivation is behind these ideas, as it appears banks and the major credit card brands are not completely transparent about the benefits to the consumer. My example is this, one source has that in 2005 $2.8 million was lost due to credit card fraud from Visa and MasterCard in Canada alone. These costs are absorbed by the credit card companies as they protect their cardholders from liability, but as can be expected these costs are directly applied to the card brand customers, people and merchants, in the form of fees and interest rates. Now lets say that card brands can deploy a technology to eliminate 90% of this fraud and associated insurance and liability costs. Likely a large savings both in Canada and globally. Would we, the public and mercha

OpenSolaris, ZFS, iSCSI and OSX - Creative Storage - Part II

In part I of this post, I looked at the simple steps required to setup a relatively simple storage solution using OpenSolaris, ZFS, iSCSI and OSX. This was about a month ago, and I've made some significant changes on how this is used for me. At the end of the last post I left off on the part dealing with configuration of the iSCSI initiator side of the solution. I stopped here because there were some issues related to the installation and use of the software. The iSCSI initiator that I was using was Studio Network Solutions GlobalSAN initiator (version 3.3.0.43) which is used to allow for connections to their products. This software will also allow for connections to ANY iSCSI target! After the configuration of the iSCSI target on the ZFS pool, and installation of the client it was trivial to get the connection established with the storage pool, and it showed up in OSX as a raw disk which had not been formatted. I proceeded to format the disk as HFS+ and it then mounted as a lo

May Security Catch-up

Its been much too long since my last post - Sony's PSN network has been breached a few times , a record number of vulnerabilities have been published , and the US government has released a new set of cyber space strategies . On the cool tools and technologies there have been lots of notable releases: Some research from Albert Cotesi New Zealand on the traffic flowing from IOS to 3rd parties, now sniffable thanks to MITMProxy , and instructions on getting it working with IOS As always SQLmap is making life easier for the vulnerability assessor and pen-tester. Microsoft has released an updated to the Enhanced Mitigation Experience Toolkit - I'll be looking into this over the next few weeks, and how it can be applied practically. New major version of Backtrack also released, for those of you that are still relying upon live-cd's as a source for tools.