Security specialist RSA has admitted that an attack on its network back in March has left the protection of its SecurID token devices in tatters - and is offering selected customers brand-new tokens in compensation.
Back in March, RSA executive chairman Art Coviello admitted that his company had uncovered evidence of an 'advanced persistent threat' on its network - an attacker who, it transpired, had downloaded source code and detailed documents relating to the company's SecurID product.
That product, in use by companies, governments and military establishments around the world, offers two-factor authentication for secure systems: when a user logs in, they are prompted for a pseudorandom number generated on a keychain dongle from a seed shared between the server and the dongle, with a fresh code every 60 seconds. No dongle, no login.
That extra layer of security proved popular, but it rests on secrets that only RSA and its customers should hold - above all the per-token seeds, together with the details of how codes are derived from them. The company failed to keep those secrets when unknown attackers downloaded the source code for the number generation system.
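To make concrete what "a seed shared between the server and the dongle" means, and what an attacker gains from a copy of the seed records, here is an added example. It is not RSA's code and it does not use SecurID's proprietary generator: it substitutes the published HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step, and the server class, user name, serial numbers, seeds and PIN are all constructed for the illustration. Like SecurID, the server expects the user's PIN concatenated with the token code, which is why a stolen seed record alone is not yet a login, and why re-issuing the token with a fresh seed makes the stolen record worthless.

```python
"""Seed-based one-time codes: token side, server side, and what a leaked seed buys an attacker.

Added illustration using RFC 4226 (HOTP) / RFC 6238 (TOTP) as a stand-in for SecurID's
proprietary generator. Names, seeds, serials and the PIN below are constructed for the example.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step (60 s here)."""
    return hotp(seed, unix_time // step, digits)


class OtpServer:
    """Hypothetical authentication server: holds seed records, serial assignments and PINs."""

    def __init__(self, step: int = 60, window: int = 1):
        self.seeds = {}        # serial -> seed  (the seed-record database an attacker wants)
        self.serial_of = {}    # username -> serial
        self.pin_of = {}       # username -> PIN (a real server would store a hash)
        self.step, self.window = step, window

    def enrol(self, username: str, serial: str, seed: bytes, pin: str) -> None:
        old = self.serial_of.get(username)
        if old is not None:
            self.seeds.pop(old, None)      # revoke the old token's seed record
        self.seeds[serial] = seed
        self.serial_of[username] = serial
        self.pin_of[username] = pin

    def verify(self, username: str, passcode: str, unix_time: int) -> bool:
        """Passcode = PIN + tokencode. Accepts +/- `window` time steps of clock drift."""
        serial = self.serial_of.get(username)
        if serial is None:
            return False
        pin = self.pin_of[username]
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        code = passcode[len(pin):]
        seed = self.seeds[serial]
        ok = False
        for delta in range(-self.window, self.window + 1):
            expected = totp(seed, unix_time + delta * self.step, self.step)
            ok |= hmac.compare_digest(expected, code)   # no early exit, constant-time compare
        return bool(ok)


def demo(now: int = 1_700_000_000) -> dict:
    """A normal login, a login using a stolen seed record, and the effect of re-issuing the token."""
    server = OtpServer()
    seed = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed 20-byte seed
    server.enrol("alice", "000012345678", seed, pin="4821")
    results = {}

    # 1. Normal login: dongle and server derive the same code from the shared seed.
    results["user_login"] = server.verify("alice", "4821" + totp(seed, now), now)

    # 2. Attacker holding a copy of the seed database (serial -> seed) derives the same code ...
    stolen = {"000012345678": seed}
    attacker_code = totp(stolen["000012345678"], now)
    results["stolen_seed_no_pin"] = server.verify("alice", "0000" + attacker_code, now)
    # ... and succeeds once the PIN and the user-to-serial mapping are also known.
    results["stolen_seed_with_pin"] = server.verify("alice", "4821" + attacker_code, now)

    # 3. Remediation: a replacement token carries a fresh seed, so the stolen record is useless.
    new_seed = bytes.fromhex("a3f1c2d4e5b69788091a2b3c4d5e6f7081920304")  # constructed, never leaked
    server.enrol("alice", "000087654321", new_seed, pin="4821")
    results["stolen_seed_after_reissue"] = server.verify("alice", "4821" + attacker_code, now)
    results["new_token_login"] = server.verify("alice", "4821" + totp(new_seed, now), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {'accepted' if outcome else 'rejected'}")
```

The first seed is the RFC 4226/6238 test-vector secret, so `hotp(seed, 0)` gives `755224` and `totp(seed, 59, step=30, digits=8)` gives `94287082`, which is a quick way to confirm the generator is implemented correctly before trusting the rest of the walk-through. The design point is in step 2: once the seed records leave the vendor, the "something you have" factor collapses to "something the attacker also has", and the remaining barriers are the PIN, the serial-to-user mapping and whatever lockout the server enforces.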
While Coviello was quick to downplay the severity of the attack, claiming at the time that the company was "confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers," the company appears to be making a volte-face and is approaching high-risk customers with the offer of new SecurID tokens.
In a second open letter, Art Coviello admits that, contrary to his March claims, the RSA SecurID leak has led to a direct attack on at least one of his company's customers. "On Thursday, June 2, 2011," Coviello admits, "we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor."
While the attack was thwarted, Coviello concedes that the stolen information played a part in it, and argues that it shows whoever took the RSA SecurID data from his company's servers is after valuable trade secrets and intellectual property from companies like Lockheed Martin.
Accordingly, Coviello has expanded the remediation programme: selected customers will be given new RSA SecurID tokens. A replacement token necessarily carries a fresh seed, but the letter does not say what else, if anything, distinguishes the new tokens from the old. These customers must, Coviello explains, have "concentrated user bases typically focused on protecting intellectual property and corporate networks."
Sadly, further details are not given in Coviello's letter, but customers who think they might qualify are asked to contact their local sales representative.
Paul Ducklin, of security outfit Sophos, is less than enthused at Coviello's response to the issue. "Those sound rather like weasel-words to me," Ducklin explained. "What is a 'concentrated user base?' If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?
"What if you're a boutique ISP with a webmail service who has taken the extra step of offering selected users two-factor authentication? Is your user base concentrated enough? Are you protecting intellectual property, or just casual chatter? And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don't have the same flaws as the old ones?"
The full text of Coviello's open letter follows.
To Our Customers:
On March 17, 2011, RSA publicly disclosed that it had detected a very sophisticated cyber attack on its systems, and that certain information related to the RSA SecurID® product had been extracted. We immediately published best practices and our prioritized remediation steps, and proactively reached out to thousands of customers to help them implement those steps. We remain convinced that customers who implement these steps can be confident in their continued security, and customers in all industries have given us positive feedback on our remediation steps.
Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment. For this reason, we worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure. We will continue these efforts.
Over the past several weeks, an unprecedented wave of cyber attacks against varied and high-profile targets such as Epsilon, Sony, Google, PBS, and Nintendo has commanded widespread public attention. These attacks are totally unrelated to the breach at RSA, but point to a changing threat landscape and have heightened public awareness and customer concern.
Against this backdrop of increasingly frequent attacks, on Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor. Lockheed Martin has stated that this attack was thwarted.
It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker.
We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection. However, we recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance.
As a result, we are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers' confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
We will continue to work with all customers to assess their unique risk profiles and user populations and help them understand which options may be most effective and least disruptive to their business and their users.
RSA's technologies, including RSA SecurID authentication, help protect much of the world's most critical information and infrastructure. The threats to digital information continue to escalate. As the leader in authentication solutions, our goal is to ensure that this growing threat environment does not impede the tremendous potential and opportunity of a trusted digital world. We believe that SecurID is the most powerful multi-factor authentication solution in the industry.
We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions. We will ensure that these technologies provide trusted access to virtual and cloud computing resources, leveraging our Cloud Trust Authority. And we will help customers more effectively create the kinds of layered defense capabilities essential to combat today's advanced threats by drawing on our broad portfolio of data loss prevention, security event management, deep packet inspection technologies, and our extensive services expertise.
Our customers remain our first priority.
Art Coviello
Executive Chairman, RSA
For more information on all remediation actions, customers should contact their local sales representative or call the following numbers:
1-800-782-4362, Option #5 for RSA, Option #1 for the RSA SecurID Remediation Program
1-800-543-4782, Option #5 for RSA, Option #1 for the RSA SecurID Remediation Program
+1-508-497-7901, Option #5 for RSA, Option #1 for the RSA SecurID Remediation Program