RSA SecurID Breach and Why You’re Getting Apology Emails from Your Bank

April 5, 2011

The last two weeks have seen a buzz of cyber security problems. First, RSA announced a very sophisticated breach. Anyone who has ever had to use an RSA SecurID two-factor authentication product has been or will be affected by the breach. Two-factor authentication consists of something you know and something you have.

The know part refers to a user’s password or PIN code. The have part refers to the one-time password generator built into the SecurID token. The theory is simple: even if a hacker obtains your password, they lack possession of your token and cannot break into the system.

Here’s What Happened (In Layman Terms)

This is all with a dash of speculation too, since RSA hasn’t publicly outlined precisely what occurred. Hackers may have obtained the sensitive algorithm and the seed values used by RSA clients. Individually, neither gives a hacker the ability to break in, but possession of both items together poses an increased risk.

In effect, if a user’s PIN code (the know part) was easily guessed, like 1234, then hackers could access systems that were previously near-impenetrable because of the mathematics involved.

While RSA isn’t openly admitting that their system has been fully compromised, RSA has issued nine recommendations for all of its customers, including the enforcement of strong password and PIN policies. A number of government agencies have already changed their operations to reflect these recommendations. Some government security experts are openly discussing going even further than RSA’s recommendations, potentially including:

  • Requiring users to phone in before initiating a login sequence
  • Restricting the amount of time a user can be remotely logged in
  • Notifying the user of the last known login timestamp, asking them to verify that the timestamp was correct
  • Reducing the number of attempts before an account is locked out by the system
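To make the two-factor model, the seed-compromise risk and the recommendations above concrete, here is an added example (my own, not RSA's code and not the real SecurID algorithm). It models a token as a 6-digit code derived from a per-token seed and the current 60-second window with HMAC-SHA1, in the style of RFC 6238 TOTP, which is an assumption standing in for RSA's proprietary scheme. The verifier requires PIN plus tokencode, rejects weak PINs at enrollment, locks the account after a small number of failures, and returns the previous login timestamp so the application can show it to the user. The seed, PIN, timestamp and blocklist are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed toy token: NOT RSA's SecurID algorithm. Anyone holding the seed
# can compute the same code, which is exactly why the PIN and lockout matter.
def tokencode(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)            # current time window
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

# Constructed sample blocklist of PINs people actually pick.
WEAK_PINS = {"1234", "0000", "1111", "112233", "121212", "123123"}

def pin_policy_ok(pin: str, min_len: int = 6) -> bool:
    """Enforce a strong-PIN policy: numeric, at least min_len digits, not a
    single repeated digit, not a straight ascending/descending run, and not on
    the blocklist."""
    if not pin.isdigit() or len(pin) < min_len:
        return False
    if len(set(pin)) == 1 or pin in WEAK_PINS:
        return False
    digits = [int(c) for c in pin]
    diffs = {b - a for a, b in zip(digits, digits[1:])}
    return diffs not in ({1}, {-1})

class Verifier:
    """Server side: checks PIN + tokencode, locks out after repeated failures
    and records the last successful login."""

    def __init__(self, max_failures: int = 3, step: int = 60):
        self.max_failures = max_failures
        self.step = step
        self.accounts = {}  # user -> state dict

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        if not pin_policy_ok(pin):
            raise ValueError("PIN rejected by policy")
        self.accounts[user] = {"seed": seed, "pin": pin, "failures": 0,
                               "locked": False, "last_login": None}

    def login(self, user: str, passcode: str, now: int):
        """passcode = PIN followed by the 6-digit tokencode.
        Returns (ok, reason, previous_login_timestamp)."""
        acct = self.accounts.get(user)
        if acct is None:
            return False, "unknown user", None
        if acct["locked"]:
            return False, "account locked", None
        expected = acct["pin"] + tokencode(acct["seed"], now, self.step)
        if hmac.compare_digest(passcode, expected):
            previous = acct["last_login"]       # shown to the user to verify
            acct["last_login"] = now
            acct["failures"] = 0
            return True, "ok", previous
        acct["failures"] += 1
        if acct["failures"] >= self.max_failures:
            acct["locked"] = True               # stops PIN guessing with a known code
            return False, "account locked", None
        return False, "bad passcode", None

if __name__ == "__main__":
    seed = b"constructed-seed-0001"   # constructed sample seed
    now = 1302000000                  # constructed timestamp (April 2011)
    v = Verifier()
    v.enroll("alice", seed, "739182")
    print(v.login("alice", "739182" + tokencode(seed, now), now))
```

With the seed in hand, the code computed by `tokencode` is identical to what the legitimate token shows, so the only factor left is the PIN; the policy check keeps that PIN out of the easily guessed set and the lockout caps how many guesses can be tried against a known code. A production verifier would also accept the adjacent time window to tolerate clock drift, which is omitted here for brevity.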

In addition to the RSA breach, odds are your personal email address is being bombarded with apologies from vendors announcing that your name and email address have been stolen. A marketing services provider named Epsilon was hacked, presumably as a result of a phishing attack. Slashdot has also picked up on the magnitude of the breach, reporting that US Bank, JPMorgan Chase, TiVo, Capital One, Best Buy, Walgreens and many, many more companies were impacted.

Thus far, I’ve personally received notification from 9 companies advising me that my contact information was stolen as a result of the Epsilon breach. Unfortunately for Epsilon, the breach occurred on April 1st and some thought it might have been a bad prank.

Advanced Persistent Threats

APT is a term widely known in the security industry, but generally not known by most outside it, yet. Wikipedia provides a friendly definition:

APTs usually refer to a group, such as a foreign-nation state government, with both the capability and the intent to persistently and effectively target a specific entity.

I mention APTs here because what seem like unrelated events, frankly, may not be unrelated at all, and no one will know for sure until months later. Armed with your contact information, including your email address, hackers can continue to evolve the phishing threat. Spam is getting harder to detect, especially when a PDF document or an email with a hyperlink appears to be from a trusted co-worker and for all intents and purposes passes scrutiny (e.g. looking at the email headers).

The best advice, sadly, boils down to this: Be diligent! Remember, hackers walk around (literally!) with shirts that read “There is no patch for human stupidity!”




JakeB

An interesting note is that companies that are using the SecurID authentication systems for external access are vulnerable to compromise. The thing to remember is that the compromise is only valid if using single factor authentication...tokencode only.

Tokencode + PIN + Shared Secret are not vulnerable.


tcnkc

Need Sticker pak
