RSA SecurID Breach and Why You’re Getting Apology Emails from Your Bank
The last two weeks have seen a buzz of cyber security problems. First, RSA announced a very sophisticated breach. Anyone who uses an RSA SecurID two-factor authentication token is or will be affected by it. Two-factor authentication consists of something you know and something you have.
The know part is the user's password or PIN code. The have part is the one-time passcode generator on the SecurID token: the token displays a short code derived from a secret per-token seed and the current time, which changes every minute. The theory is simple: even if a hacker obtains your password, they do not possess your token and cannot break into the system.
Here’s What Happened (In Layman Terms)
This comes with a dash of speculation, since RSA has not publicly outlined precisely what occurred. The attackers may have obtained the token algorithm and the seed values issued to RSA's clients. On its own, neither gives an attacker a way in, but possession of both lets an attacker compute the same tokencode a victim's token is displaying, which removes the have factor entirely.
In effect, if a user's PIN code (the know part) was easily guessed, like 1234, then hackers could access systems that were previously near-impenetrable, because the only secret left to guess is the PIN.
While RSA is not openly admitting that its system has been fully compromised, it has issued nine recommendations for all of its customers, including the enforcement of strong password and PIN policies. A number of government agencies have already changed their operations to reflect these recommendations. Some government security experts are openly discussing going even further than RSA's recommendations, potentially including:
- Requiring users to phone in before initiating a login sequence
- Restricting the amount of time a user can be remotely logged in
- Notifying the user of the last known login timestamp, asking them to verify that the timestamp was correct
- Reducing the number of attempts before an account is locked out by the system
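To make the "seed plus algorithm leaves only the PIN" argument concrete, here is an added toy model (not RSA's code, and not the real SecurID algorithm, whose internals are not reproduced here). It uses a TOTP-style HMAC truncation as a stand-in for the tokencode, a 60-second step, a constructed seed and constructed PINs, and a fixed clock so the run is deterministic. It shows an attacker who holds the seed guessing a weak PIN in one try, being stopped by a lockout threshold when the PIN is not on a common-PIN list, and still succeeding by exhaustive search when no lockout exists, which is why the strong-PIN and reduced-attempts recommendations above go together.

```python
"""Toy model of PIN + time-based token authentication.

Illustrative only: the tokencode derivation is RFC 6238 style HMAC truncation,
used here as a stand-in for RSA's SecurID algorithm. Seeds, PINs, the common-PIN
list and the clock value are all constructed for this example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60            # assumed: the token rolls its code once a minute
DIGITS = 6                   # assumed: six-digit display code
TIME_NOW = 1_301_900_000     # fixed clock so every run gives the same answer
COMMON_PINS = ["1234", "0000", "1111", "1212", "2580"]   # constructed list


def tokencode(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the displayed code from the per-token seed and the time step."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Holds each user's PIN (the 'know' factor) and the server-side copy of
    their token seed (the 'have' factor), with a failed-attempt lockout."""

    def __init__(self, max_attempts: int):
        self.max_attempts = max_attempts
        self.users = {}       # user -> (pin, seed)
        self.failures = {}    # user -> consecutive failed attempts
        self.locked = set()

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (pin, seed)
        self.failures[user] = 0

    def login(self, user: str, passcode: str, now: int) -> bool:
        """Passcode is PIN followed by the current tokencode."""
        if user in self.locked:
            return False
        pin, seed = self.users[user]
        expected = pin + tokencode(seed, now)
        if hmac.compare_digest(passcode, expected):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
        return False


def attacker_with_seed(server: TokenServer, user: str, seed_in_hand: bytes,
                       pin_digits: int, now: int):
    """Attacker who already has the seed: the tokencode is computable, so only
    the PIN is left to guess. Tries common PINs first, then all of them.
    Returns (pin_or_None, attempts_used)."""
    code = tokencode(seed_in_hand, now)   # same code the victim's token shows
    candidates = COMMON_PINS + [str(i).zfill(pin_digits) for i in range(10 ** pin_digits)]
    attempts = 0
    for pin in candidates:
        attempts += 1
        if server.login(user, pin + code, now):
            return pin, attempts
        if user in server.locked:
            return None, attempts
    return None, attempts


def demo() -> dict:
    """Four scenarios; the seed below is constructed, not a real token seed."""
    seed = bytes.fromhex("0123456789abcdef0123456789abcdef")
    results = {}

    s = TokenServer(max_attempts=5)          # weak PIN, lockout present
    s.enroll("alice", "1234", seed)
    results["weak_pin_with_lockout"] = attacker_with_seed(s, "alice", seed, 4, TIME_NOW)

    s = TokenServer(max_attempts=5)          # non-obvious PIN, lockout present
    s.enroll("bob", "8471", seed)
    results["random_pin_with_lockout"] = attacker_with_seed(s, "bob", seed, 4, TIME_NOW)

    s = TokenServer(max_attempts=10 ** 6)    # non-obvious PIN, no effective lockout
    s.enroll("carol", "8471", seed)
    results["random_pin_no_lockout"] = attacker_with_seed(s, "carol", seed, 4, TIME_NOW)

    s = TokenServer(max_attempts=5)          # attacker without the real seed
    s.enroll("dave", "1234", seed)
    results["wrong_seed"] = attacker_with_seed(s, "dave", b"not the seed", 4, TIME_NOW)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fixed clock hides one detail: a real attacker recomputes the tokencode each minute as the window rolls, but that does not change the arithmetic, since the seed makes every window computable. Note that with the wrong seed the attacker burns the lockout budget and gets nowhere, which is exactly the property the breach is believed to have taken away.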
In addition to the RSA breach, odds are your personal email address is being bombarded with apologies from vendors announcing that your name and email address have been stolen. A marketing services provider named Epsilon was hacked, presumably as a result of a phishing attack. Slashdot has also picked up on the magnitude of the breach, reporting that US Bank, JPMorgan Chase, TiVo, Capital One, Best Buy, Walgreens and many, many more companies were impacted.
Thus far, I've personally received notification from 9 companies advising me that my contact information was stolen as a result of the Epsilon breach. Unfortunately for Epsilon, the breach occurred on April 1st and some thought it might have been a bad prank.
Advanced Persistent Threats
APT is a term widely known in the security industry, but generally not yet known by most people outside it. Wikipedia provides a friendly definition:
APTs usually refer to a group, such as a foreign-nation state government, with both the capability and the intent to persistently and effectively target a specific entity.
I mention APTs here because what seem like unrelated events may not be unrelated at all, and no one will know for sure until months later. Armed with your contact information, including your email address, hackers can continue to evolve the phishing threat. Spam is getting harder to detect, especially when a PDF document or an email with a hyperlink appears to be from a trusted co-worker and for all intents and purposes passes scrutiny (e.g. looking at the email headers).
The best advice, sadly, boils down to this: Be diligent! Remember, hackers walk around (literally!) with shirts that read “There is no patch for human stupidity!”