RSA breach: Reactions from the security community
RSA, the security division of EMC, has suffered a breach and data loss following an “extremely sophisticated cyber attack.” Their investigation revealed that the information extracted from the company systems is related to its SecurID two-factor authentication products.
The news of the incident spread through the information security community like wildfire and below are some of the comments received by Help Net Security.
Kevin Riggins, Information Security Analyst for a Fortune 500 financial services company
“The EMC/RSA breach is another example of the very real and present danger of a sufficiently motivated and experienced attacker gaining access to protected networks. In many cases, vigilance in monitoring and alerting processes is the only real protection we have against these types of attacks.
I do want to urge users of the SecurID system to not panic. Work with your EMC representatives to implement appropriate mitigation steps and wait for details that matter. There will be a lot of hand waving and arm flapping, but until details are available, most of that will be speculation.”
Christian J. Hessler, CTO of PalmTree Technology
“The breach at RSA just goes to show that security by obscurity never works. It’s a fundamental principle in security called Kerckhoff’s principle – you must assume your enemy has the details of your system. If your authentication relies on some level of operational system ‘secrecy’ to work, it is just a matter of when, not if, the system will be compromised.
The problem with traditional shared secret tokens, outside of cost, deployment and custody issues, is that they do nothing to establish context of the mutual authentication. They are merely additional layers of ‘secret passwords’, regardless of how those factors are generated or delivered. Another flaw is that their use is dependent on user input into the browser, the very vehicle that has not yet established trust.
The primary issue involved in this breach is the wide applicability of the ‘secret’ elements that were compromised. In a properly architected authentication system, any security failure should be at worst a one-in-a-row event. Clearly, a new way of thinking regarding privacy, security and identity is required that departs from the 20th century notion of shared secrets.”
Brian Honan, founder and head of Ireland’s CERT and owner of BH Consulting
“This is not the first security issue or compromise that has happened at a security company and it won’t be the last. This attack highlights that your incident response plan should include covering external incidents impacting on your providers, whether they provide security products or not.
It also highlights that when designing your information security management system you should identify the risks not only to your information but also the tools that you use to protect that information. Hopefully RSA will provide more information on the nature of the attacks so customers can take the appropriate steps to secure themselves.”
Rafal Los, Application Security Evangelist with HP Software
“What the successful RSA intrusion continues to shine a limelight on is the fact that every enterprise is a target for attack.
Information security needs to be pervasive in every organization from risk planning to incident response – and while it’s no doubt this event is “blood in shark-infested waters’ for the media, it’s necessary to take a step back and realize it’s another day in information security’s life. We will all get hacked at some point, but it is in the response to these calamities that we find the true nature of an organization’s security preparedness.”
Andrew Kemshall, Technical Director at SecurEnvoy
“In RSA’s thirty years there has never been a breach like this. We have to question the way RSA stores and manages customer data in its own disparate databases.
When RSA refers to a data breach, it may be referring to token seed records. What this means is that anyone with public tools such as Cain & Abel can use these seed records to create users token codes!
If the second factor is compromised then only the first factor – in general a static four digit pin – is the only protection. This is virtually no protection! Clearly, RSA is losing its reputation for security; first it released a 2FA product that allows password only authentication at some locations and then it compromised its customers’ second factor.”
Dale Pearson, Founder of Security Active
“It’s never good when a company gets hacked, especially when it’s a security one, but I have respect for RSA in their disclosure efforts. This is obviously of little consolation to the many RSA SecurID customers around the world though, and a serious hit to the RSA brand.
When you think two factor you instantly think of RSA as a leader in this field, and by their own admission they have lost their special sauce and this really is a worry for everyone moving forward. There are very smart people around, and Coviello’s comments around the lost secrets not be sufficient to allow a successful attack sound a little optimistic at this stage. Only time will tell how we’ll emerge from this, it will be some interesting times for all.”
Nick Owen, CEO of WiKID Systems
“In the short term: Don’t panic. Think about your infrastructure. If there is an attacker in it, how will you best find out?
In the long term, think about your purchasing decisions. The attack makes open-source, best-of-breed solutions more appealing than closed, single-sourced ones. Think of this as an attack against a security vendor, not against two-factor authentication. It could be happening to any of your vendors.
We’ve made a lot of progress as an industry promoting two-factor authentication. It appears that the ‘Advanced’ nature of this attack is that the attackers had to attack RSA before attacking their real targets. That’s good defense-in-depth. Static passwords are still much, much worse.”