Security Tokens Hacked
Security token maker RSA admitted earlier this month what had been suspected for months — that its SecurID devices had indeed been compromised as a result of a security breach in March.
The company also confirmed that compromised SecurID tokens had been used to penetrate the networks of defense contractor Lockheed Martin.
As a result, said RSA Executive Chairman Arthur W. Coviello, Jr., in an open letter, the company would offer to replace tens of millions of SecurID tokens assigned to most of its 25,000 client organizations.
“On Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor,” Coviello said.
The letter does not mention the alleged network intrusions at two other defense contractors, Northrop Grumman and L-3 Communications. Neither company has confirmed the break-ins.
“It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology,” Coviello insisted. “Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker.”
“We recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers’ overall risk tolerance,” Coviello said in the open letter.
As a result, he said, RSA would be willing to meet some customers halfway.
The company was now making “an offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.”
That category includes most of RSA’s clients, who assign tokens to employees who wish to access workplace networks from off-site.
For its other, “consumer-focused customers,” which include banks that give SecurID tokens to high-value account holders, RSA would “offer to implement risk-based authentication strategies … focused on protecting web-based financial transactions.”
An estimated 40 million people use RSA’s SecurID tokens to access secure networks, mostly as part of their jobs. The Boston-area company’s 2,500 clients include many Fortune 500 companies and governmental organizations.
RSA was purchased in 2006 by EMC, another Boston-area technology company.
Still not clear what was taken
Security experts have criticized RSA for not publicly disclosing exactly what was taken during its own security breach. The company will share that information with clients only after they sign a non-disclosure agreement.
The prevailing theory is that the attackers took lists of “seeds,” the secret numbers fed into the code-generating algorithm inside SecurID tokens, and possibly lists of SecurID serial numbers.
SecurID tokens are used as part of “two-factor” authentication schemes. Someone wishing to access a secure network first logs in using his username and password, then types in the six- or eight-digit number appearing on his SecurID token, which resembles a key fob.
The numbers, which change every 30 or 60 seconds, are keyed to an authentication server that grants the user access to the secure network.
The number-generation algorithm incorporates the time of day (translated into non-repeating “computer time”), each SecurID’s serial number and the “seed,” which had been known only to RSA and the individual RSA client organization’s security administrators.
It appears that someone with lists of seeds and serial numbers was able to “clone” genuine SecurID security tokens assigned to Lockheed Martin. Passwords and usernames to Lockheed Martin’s networks could have been obtained by other means.
Neither RSA nor Lockheed Martin has commented on who the attackers might be, but the methods and targets match the characteristics of what is diplomatically referred to as an “advanced persistent threat” – i.e., Chinese military or government hackers.
Replacing a client organization’s SecurID tokens would involve generating new lists of seeds and serial numbers. Coviello’s language seemed to indicate that the company may not be planning to change the number-generation algorithm itself.
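To make concrete why the seed lists matter and why re-seeding is the remediation, here is an added illustrative model, not RSA's proprietary (undisclosed) SecurID algorithm: a token code derived from a secret seed, the token's serial number and the current time step, with a server that verifies codes and can issue a replacement seed. The HMAC-SHA256 construction, the class and function names and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

STEP_SECONDS = 60  # this model rotates codes once a minute, as the article describes


def token_code(seed: bytes, serial: str, now: int, digits: int = 6) -> str:
    """Code a token would display for the time step containing `now`.

    Illustrative construction only (not RSA's): HMAC-SHA256 keyed by the
    secret seed over serial || time-step counter, truncated to `digits`.
    Serial number and time are public; the seed is the only secret input.
    """
    counter = now // STEP_SECONDS
    msg = serial.encode() + struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


class AuthServer:
    """Minimal verifier holding the seed list that a compromise would expose."""

    def __init__(self) -> None:
        self.seeds: Dict[str, bytes] = {}  # serial -> seed; must stay confidential

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps (clock drift)."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        for k in range(-window, window + 1):
            expected = token_code(seed, serial, now + k * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def reseed(self, serial: str, new_seed: Optional[bytes] = None) -> bytes:
        """Token replacement: a fresh seed makes codes from the old one stop verifying."""
        self.seeds[serial] = new_seed or secrets.token_bytes(16)
        return self.seeds[serial]


if __name__ == "__main__":
    serial, seed, now = "000123456789", b"\x01" * 16, 1_307_000_000  # constructed sample values
    srv = AuthServer()
    srv.enroll(serial, seed)
    print("genuine token accepted:", srv.verify(serial, token_code(seed, serial, now), now))
    srv.reseed(serial)
    print("old-seed code after replacement:", srv.verify(serial, token_code(seed, serial, now), now))
```

The model also shows why the algorithm itself need not change after such a breach: the verifier's security rests entirely on the seed's secrecy, so rotating seeds restores it.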
“We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution,” Coviello said, “and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection.”