100m tokens at risk from RSA breach

The RSA SecureID token breach could affect up to 100 million people.

Following the breach last week that led to SecurID two-factor authentication token information being stolen, IronKey CEO David Jevans said there were 25 million hard tokens deployed, but that figure is closer to 40 million when soft tokens are taken into consideration, so it is possible that more than 100 million users could have been impacted.

A report by the New York Times said that the SecurID system was being used to secure the identities and assets of more than 250 million people last year.

Jevans said that he believed that the database information would have been bought and sold many times over already and it was going to make the rounds like credit card numbers have.

In terms of the threat, he said that there were two main factors to be considered: the impact of the breach; and what it means for a major security provider to be hit with an advanced persistent threat.

He said: “If RSA can fall then there is little chance for smaller companies. You have got to look at the RSA response, which said that there was a lot of guidance to prevent this from happening to you but not what to do if you deployed a SecureID token. To me it demonstrates how we can be attacked and how using malware, social engineering and users with elevated privileges can bring down one of the major security firms.

“An attacker can ask for serial number of the token and then they are that user. With the serial number of the token they can do an update to Zeus or SpyEye as they have got to input the password and then they are you logging in. I have not heard of anything this large before, as authentication technology is designed to keep the bad guys out and prove who you are and I do not know of an authentication system that has been broken in such a manner.”

Bruce Schneier, chief security technology officer at BT and security blogger, said that it was hard to make any assessments about whether infiltration of the login process was possible and it was uncertain without knowing how SecurID's cryptography works and exactly what was stolen from the company's servers.

He said: “We do not know either and the corporate spin is as short on details as it is long on reassurances. RSA data security is probably pretty screwed if SecurID is compromised. Those hardware tokens have no upgrade path and would have to be replaced. How many of the company's customers will replace them with competitors' tokens? Probably a bunch. Hence, it's in RSA's best interest for their customers to forget this incident as quickly as possible.

“There seems to be two likely scenarios if the attackers have compromised SecurID. One, they are a sophisticated organisation who wants the information for a specific purpose. The attackers actually are on RSA's side in the public-relations spin, and we're unlikely to see widespread use of this information. Or two, they stole the stuff for conventional criminal purposes and will sell it. In that case, we're likely to know pretty quickly.

“Again, without detailed information or at least an impartial assessment, it's impossible to make any recommendations. Security is all about trust, and when trust is lost there is no security. Users of SecurID trusted RSA to protect the secrets necessary to secure that system. To the extent they did not, the company has lost its customers' trust.”

Blogger Steve Gibson said he understood that RSA would be ‘understandably embarrassed', as mistakes do happen. He said: “If employees of a security company are using today's incredibly insecure desktop toy operating systems, bad guys are going to be able to find a way to penetrate even the most carefully guarded connected networks.

“RSA therefore needs to step up to the plate and take responsibility for what has happened. That means recalling every single SecurID device and replacing them all. No company can consider RSA's existing deployed SecurID devices to be secure.”

Avivah Litan, distinguished analyst at Gartner, claimed that the incident should serve as a wake up call on strong one-time password (OTP) user authentication. “A layered security approach is always best and the use of an OTP generator like RSA's SecurID, does raise the bar for the criminals. Many of them will go elsewhere, to non-OTP protected accounts that are easier to break into,” she said.

“The protections afforded by OTP, whether they are generated by dedicated hardware tokens, mobile apps, software tokens or any other factor, they are communicated through user browsers, can be circumvented and defeated. They were an essentially weak form of authentication before the RSA SecurID compromise and they remain so today.

“Maybe this incident will wake companies up to the need for more controls than just OTP-authentication. The latest incident with RSA should serve as a catalyst to acknowledge this fact. So while this incident is indeed yet another piece of bad news, it should be evaluated in context. Thankfully, there are plenty of innovative solutions on the market that can continue protecting our accounts and information.”

This article originally appeared at scmagazineuk.com