RSA, the security arm of EMC, has made an embarrassing admission today: it's suffered an attack that has allowed ne'er-do-wells insider access to secret information about its SecurID two-factor authentication technology.
In an open letter from executive chairman Art Coviello, the company admitted that it had uncovered evidence of an 'Advanced Persistent Threat' on its internal network - which is code for 'an attacker has been playing around in our system for God knows how long without our knowledge.'
During its investigation into the attack, RSA's security team made a worrying discovery: unknown attackers had made off with trade secrets relating to the company's popular SecurID range of two-factor authentication systems.
Possibly RSA's best-known product, SecurID is a physical token which generates a string of numbers every few seconds based on a 'seed' which is known to the token and the authenticating server. By using the same seed and an accurate timer, the authentication server and the token generate matching pseudo-random numbers each time - allowing the server to verify that the user has the physical key in his or her possession.
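The seed-plus-clock scheme described above can be sketched as follows. This is an added example, not RSA's code: SecurID's own algorithm is proprietary, so the open TOTP construction (RFC 6238, HMAC-SHA1) stands in for it, and the 30-second step, 6-digit length and function names are assumptions.

```python
import hashlib
import hmac
import struct


def token_code(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code the token displays: a keyed function of the seed and the time step."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(seed: bytes, submitted: str, unix_time: int,
                  step: int = 30, drift_steps: int = 1) -> bool:
    """Server side: recompute from its own copy of the seed, tolerating clock drift."""
    for skew in range(-drift_steps, drift_steps + 1):
        t = unix_time + skew * step
        if t < 0:
            continue
        # Constant-time comparison so the check does not leak matching digits.
        if hmac.compare_digest(token_code(seed, t, step, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (RFC 6238 test key)
    code = token_code(seed, 59)
    print("token shows:", code)
    print("accepted now:", server_verify(seed, code, 59))
    print("accepted one step late:", server_verify(seed, code, 89))
    print("accepted two minutes later:", server_verify(seed, code, 179))
```

Nothing but the seed and the clock goes into the code, so the seed is the only secret in the scheme: whoever holds a copy of it computes the same numbers as the physical token.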
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello admitted in the letter. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
The company's 'immediate steps' appear to comprise common-sense advice and best-practice monitoring tips, if a filing with the Securities and Exchange Commission is to be believed. In the filing, RSA advises that customers keep a close eye on social networking applications for 'phishing' attempts, enforce strong password and PIN policies, educate employees on how to spot and avoid suspicious e-mails, review Active Directory security implementations, limit physical access to critical infrastructure, and update their systems with the latest security patches.
It's an embarrassing admission for RSA to make, being, as it is, in the business of security, and the next few months will be a worrying time for anyone who relies on RSA's SecurID technology to protect their infrastructure as the leaked data spreads in the digital underground.