RSA SecurID Information Breached


In a disclosure made today, RSA indicated that it has been breached by an "extremely sophisticated cyber attack" which has partially compromised the SecurID information that millions of customers rely on to provide strong authentication to their services.

It is not yet clear what information was breached or what the impact will be for RSA customers, but for now I would suggest that people stay tuned so they can take appropriate action based on what RSA and others release.

Update 1 - I found the recommendations RSA made to customers on how to better protect their environments. I have added my comments on what each recommendation could mean about the breach at RSA.


• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.

This could mean that part of the RSA breach involved a social media attack vector - perhaps employees reusing passwords across internal and cloud-based sites?

• We recommend customers enforce strong password and pin policies.

This could mean that the compromised data relates to the seed and token records RSA keeps; if that part of the SecurID solution can no longer be fully relied on, customers would need to make the passwords and PINs used in combination with the token more robust.

• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.

This could mean that the attack vector was related to excess privileges assigned to RSA security administration staff.

• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.

This could mean that social engineering was part of the attack vector; it sounds very similar to the HBGary breach.

• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.

• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.

This could mean that users' privileges were escalated as part of the attack, and that regular users were granted privileges without any alerting on the change.

• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.

"Critical security software" could mean RSA's intellectual property or customer information; it could also refer to the infrastructure itself.

• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.

This could mean that RSA staff were pretexted; outsourced help desks are difficult to train against this.

• We recommend customers update their security products and the operating systems hosting them with the latest patches.

This could mean that the attack vector took advantage of previously known vulnerabilities for which patches were available but simply not applied.
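The recommendations about watching for changes in user privilege levels with SIEM tooling and requiring manual approval for such changes can be turned into concrete detection logic. The following is an added example of mine, not code from RSA or from this post; it runs two simple rules over constructed audit events in a simplified key=value format (the event IDs 4728 and 4732 are the real Windows Security log IDs for a member being added to a security-enabled global or local group, but the log layout, the group list, the ticket field and the approved-ticket set are all assumptions for illustration). It flags additions to privileged groups that carry no approved change ticket, and any case where an account adds itself to a privileged group.

```python
"""Flag privilege-level changes that lack an approved change ticket.

Added example (not from the original post). The log format, group names,
ticket field and approved-ticket list are constructed for illustration.
"""
import re

# Groups whose membership changes should always be reviewed (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security log event IDs for "member added to a security-enabled group"
# (4728 = global group, 4732 = local group).
GROUP_ADD_EVENTS = {"4728", "4732"}

# Constructed sample events in a simplified key=value layout (not real SIEM output).
SAMPLE_LOG = """\
2011-03-17T09:12:03Z event=4728 actor=svc_helpdesk target=jsmith group="Domain Admins" ticket=CHG-1042
2011-03-17T09:15:41Z event=4728 actor=jsmith target=jsmith group="Domain Admins" ticket=
2011-03-17T09:20:10Z event=4732 actor=admin01 target=build_agent group="Remote Desktop Users" ticket=CHG-1043
2011-03-17T09:22:55Z event=4729 actor=svc_helpdesk target=jsmith group="Domain Admins" ticket=CHG-1042
2011-03-17T09:30:00Z event=4728 actor=svc_backup target=svc_backup group="Administrators" ticket=
"""

# Change tickets that went through manual approval (assumed allowlist).
APPROVED_TICKETS = {"CHG-1042", "CHG-1043"}

# key=value pairs, with values optionally double-quoted so they may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def detect_privilege_changes(log_text, approved_tickets=APPROVED_TICKETS):
    """Return a list of alerts for additions to privileged groups.

    Rule 'unapproved-change': the add carries no ticket from the approved set.
    Rule 'self-elevation': the acting account added itself to the group.
    Removals and non-privileged groups are ignored on purpose.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") not in GROUP_ADD_EVENTS:
            continue
        if ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        rules = []
        if ev.get("actor") == ev.get("target"):
            rules.append("self-elevation")
        if ev.get("ticket", "") not in approved_tickets:
            rules.append("unapproved-change")
        if rules:
            alerts.append({
                "ts": ev["ts"],
                "rules": rules,
                "actor": ev["actor"],
                "target": ev["target"],
                "group": ev["group"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privilege_changes(SAMPLE_LOG):
        print(alert["ts"], ",".join(alert["rules"]), alert["actor"], "->", alert["target"], alert["group"])
```

On the sample data the first add is ticketed and approved, so it is silent; the two self-adds to "Domain Admins" and "Administrators" fire both rules, which is exactly the kind of escalation without alerting that the post worries about. In a real SIEM the ticket lookup would be a join against the change-management system rather than a hard-coded set, and the removal event (4729) would usually be correlated as well so that a short-lived "add, act, remove" sequence does not slip past a membership snapshot.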


Hopefully we continue to hear more about the attack.
