When RSA’s executive chairman Art Coviello issued an open letter acknowledging that the company’s systems had been breached and that the extracted information related to its SecurID two-factor authentication products, he – understandably – didn’t reveal any specifics about what was actually stolen.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” was all he said.
Details about the attack and the stolen information are still unknown to the larger public, so speculation abounds. Some even say it is possible that the database linking SecurID token serial numbers to their seeds (the factory-encoded secret key from which each token derives its one-time codes) has been compromised.
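To make concrete what Coviello’s “reduce the effectiveness of a current two-factor authentication implementation” would mean if the serial-to-seed database were the thing taken, here is an added illustration; it is not code from RSA, Stratsec or the original article. SecurID’s own algorithm is not described on this page, so the code uses an RFC 6238-style HMAC time-based code as a stand-in for “seed plus clock gives the token code”; the serial number, seed and PIN are constructed sample values (the seed is the RFC 4226/6238 test-vector secret so the outputs can be checked).

```python
import hashlib
import hmac
import struct

# Constructed sample data for this illustration: a token serial number mapped to its
# factory seed (the secret burned into the token), and the PIN the user has chosen.
# The seed is the RFC 4226/6238 test-vector secret so the outputs are checkable.
SEED_DB = {"000123456789": b"12345678901234567890"}
USER_PINS = {"000123456789": "1234"}


def token_code(seed: bytes, t: int, step: int = 60, digits: int = 6) -> str:
    """One-time code for time t (seconds since epoch) derived from a seed.

    Stand-in model in the style of RFC 6238 (HMAC-SHA1 over the time counter, then
    dynamic truncation). RSA's SecurID algorithm is not published on the page, so this
    is an assumed analogue; the point (seed + clock => code) is the same.
    """
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify(serial: str, passcode: str, t: int,
           user_pins=USER_PINS, seed_db=SEED_DB) -> bool:
    """Server-side check: the passcode is the user's PIN followed by the current token code."""
    if serial not in user_pins or serial not in seed_db:
        return False
    expected = user_pins[serial] + token_code(seed_db[serial], t)
    return hmac.compare_digest(expected.encode(), passcode.encode())


def forge_passcode(serial: str, pin_guess: str, t: int, leaked_seed_db) -> str:
    """What an attacker holding the serial->seed mapping can do: compute the token code
    themselves and prepend a guessed PIN. The 'something you have' factor is gone."""
    return pin_guess + token_code(leaked_seed_db[serial], t)


def remaining_guess_space(pin_digits: int, code_digits: int, seed_known: bool) -> int:
    """Size of the brute-force space left to the attacker within one code window."""
    return 10 ** pin_digits if seed_known else 10 ** (pin_digits + code_digits)


if __name__ == "__main__":
    now = 0  # fixed clock so the output is reproducible
    serial = "000123456789"
    print("legitimate passcode:", USER_PINS[serial] + token_code(SEED_DB[serial], now))
    forged = forge_passcode(serial, "1234", now, SEED_DB)
    print("forged passcode accepted:", verify(serial, forged, now))
    print("guess space without seed:", remaining_guess_space(4, 6, False),
          "with seed:", remaining_guess_space(4, 6, True))
```

The takeaway a practitioner wants: a leaked seed database turns the token from “something you have” into something the attacker also has, leaving the PIN as the only secret, so the attacker still needs a second step (PIN guessing, phishing, or a foothold that exposes the PIN). That is consistent with the letter’s wording of “not a direct attack” but usable “as part of a broader attack”.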
In order to help its customers and put a stop to the speculation, Stratsec – Australia’s largest information security consultancy, which looks after RSA’s local clients – has decided to invite all of them to a teleconference where they will be briefed about the incident.
Among Stratsec’s customers are many federal government departments and agencies, such as the Department of Defence, the Department of the Prime Minister and Cabinet, the Department of Parliamentary Services, the Department of the Treasury, AusAid, the Australian Electoral Commission and many more. Stratsec’s corporate clients include the Australian telecommunications and media company Telstra, the airline Virgin Blue and Westpac, one of Australia’s biggest banks.
“So basically we’ve called the teleconference and … invited all of our clients to dial into that just for us to take the opportunity to provide our thoughts on the incident and, I guess, just try and make sure everyone is working from accurate information because obviously when there is a lack of information, as there is at the moment, some pretty extreme degrees of speculation fill that void and I think it’s important that everyone keeps perspective on what the realistic impact is in a reasonable sort of timeframe,” Nick Ellsmore, Stratsec’s head of business development, told The Age.
The goal of the teleconference, then, is to “make sure everyone is working from accurate information” and that “everyone keeps perspective on what the realistic impact is in a reasonable sort of timeframe.” I’m not sure how he proposes to do that, since he himself admitted to The Age that there is currently a “lack of” information available from RSA.
The only information that RSA has shared with its customers is a set of security recommendations that should help them defend against possible attacks. “There’s probably one key piece of information in the [documents provided to clients] which would protect against whatever vulnerability now exists due to the RSA security breach,” speculated one Australian IT manager. “But RSA wouldn’t want to tell us which one because that would be telling the world exactly what was stolen.”