Saturday, March 26, 2011

Hacker Spies Hit Security Firm RSA

via Kim Zetter at Wired's Threat Level Blog:

Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.

The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.
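To make concrete what "cryptographically generated and changes every 30 seconds" means, and why RSA's note warns that the stolen information reduces rather than removes the protection, here is an added example (not RSA's code and not the SecurID algorithm, which is proprietary). It assumes a standard RFC 6238 time-based one-time password as a stand-in: the token and the server share a per-token seed, both derive the code from that seed and the current 30-second interval, and the server additionally checks a PIN that is stored separately and never derived from the seed. The seed value, the PIN `1234`, and the function names are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo values, not real SecurID data. The seed is the RFC 4226/6238
# test secret "12345678901234567890"; the 30-second step matches the article.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based code (RFC 6238): the counter is the number of steps elapsed."""
    return hotp(seed, int(at_time) // step, digits)


def verify_passcode(seed: bytes, stored_pin: str, submitted: str,
                    at_time: int, window: int = 1) -> bool:
    """Server-side check of a passcode formed as PIN + token code.

    The PIN is a separate per-user secret held by the server; it is not
    derived from the seed, so it is the factor that survives a seed
    disclosure. `window` tolerates clock drift of +/- that many steps.
    """
    if not submitted.isascii() or len(submitted) != len(stored_pin) + DIGITS:
        return False
    pin_part = submitted[:len(stored_pin)]
    code_part = submitted[len(stored_pin):]
    pin_ok = hmac.compare_digest(pin_part, stored_pin)
    counter = int(at_time) // STEP_SECONDS
    code_ok = any(
        hmac.compare_digest(code_part, hotp(seed, counter + d))
        for d in range(-window, window + 1)
    )
    # Both checks always run, so a failure does not reveal which factor was wrong.
    return pin_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: one full 30-second step elapsed, counter 1
    code = totp(DEMO_SEED, t)
    print("token code at t=59:", code)                                            # 287082
    print("PIN + code accepted:", verify_passcode(DEMO_SEED, "1234", "1234" + code, t))   # True
    print("code with wrong PIN accepted:", verify_passcode(DEMO_SEED, "1234", "0000" + code, t))  # False
```

The point for a defender: once the seed is known to a third party the token code is no longer secret, so the login is protected only by the PIN and the account password. That is exactly why a seed compromise "reduces the effectiveness" of the factor rather than breaking it outright, and why lengthening PINs and re-seeding or replacing tokens are the natural short- and long-term responses.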

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.

A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.

“We are not withholding anything that would adversely impact the security of our customer systems,” said spokesman Michael Gallant. “[But] we’re working with government authorities as well so we’re not disclosing any further information besides what’s on the blog post.”

RSA categorized the attack as an advanced persistent threat, or APT. APT attacks are distinctive in the kinds of data the attackers target. Unlike most intrusions that go after financial and identity data, APT attacks tend to go after source code and other intellectual property and often involve extensive work to map a company’s infrastructure.

APT attacks often use zero-day vulnerabilities to breach a company and are therefore rarely detected by antivirus and intrusion programs. The intrusions are known for grabbing a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.

Last year’s hack into Google was considered an APT attack, and, like many intrusions in this category, was linked to China.

RSA, which is owned by EMC, is a leading firm and is most known for the RSA encryption algorithm used to secure e-commerce and other transactions. The company hosts the top-ranked RSA security conference every year.

For more information, visit the Wired Threat Level Blog.

Diana said...

Incredible that this intruder/hacker was able to steal information related to the company's SecurID two-factor authentication products. There was not enough protection on this SecurID because an intruder was able to hack into it. Supposedly this SecurID is supposed to add an extra layer of protection, which is great, but how did this hacker get a hold of the secret code? So does this mean a hacker is capable of hacking into every top-notch company, because it seems that the number of companies that are hacked is increasing massively? It is sad to see these people put their trust into this company and their information has been stolen. I am glad to hear that no other products were impacted by this attack. I am wondering what the next step is for RSA and what the solutions are to prevent this attack from happening again.

Mary T. said...

It's ironic that a tool meant to add security ended up being a threat to security. I think this will be a trend as companies and the government seem to implement online security measures. Though tools such as the hardware tokens and the idea of "online drivers' licenses" seem to protect online security, they attract hackers and cybercriminals who will eventually find a way to compromise the security of the tools. This incident goes to show how governments and private agencies need to weigh the benefits and risks of creating tools for online security and realize that most likely security tools will eventually be compromised.

Margot Annie Dale said...

What I find interesting about this post is that it was posted directly after the article about Blackberry users' information being sent to third parties without them knowing. The difference between how AT&T and RSA Security handled the attacks against their companies is notable. AT&T was not upfront or precautionary about the rewiring of information to third parties. However, RSA came right out and took all precautions necessary to warn and protect their clients. The article does note that the company spokeswoman refused to reveal when exactly the company became aware of this attack; however, it can be assumed that they notified their clients in a timely manner in order to prevent any further damage to their company's software and reputation.
There is obviously a difference in the type of information that could possibly be illegally obtained from each attack. The article mentions that clients of RSA include several government agencies, and we have discussed in class that many government officials use the RSA SecurID products. While privacy is privacy, and breaches are breaches, I think it's safe to say that the possible information coming from the email addresses, computer documents, etc. from a government official may be a little more detrimental to higher levels of security than a Blackberry user's BBM conversations, Google searches, and Facebook posts.
However, from an ethical standpoint, the actions taken by RSA after they experienced an "extremely sophisticated" hack are honorable and no doubt appreciated by RSA Security clients and SecurID users. It would be ethically responsible to all companies who have experienced an attack to immediately notify their clients in an effort to halt any further damage.

Anonymous said...

Surprise, surprise! A security firm attacked with a 0-day. Go big or go home, I guess. Conversely, it is of no surprise that the APT attack went after source code or data given the nature of RSA's business. They (the attackers) could care less about Joe Shmoe working for RSA or the name of a few government officials and their addresses on file. What's important is the source code, finding the algorithm that generates RSA's SecurID to infiltrate sites that use it or to sell the technology at a much lower cost. The representative at RSA speaking to this blog gives me the vibe that he thinks that because no one's "ID" was stolen the attack wasn't so bad. I hate to make generalizations, but that's what everyone looks for: was his ID stolen? Identity theft! OH NO! But really, I think this problem is a bit more serious than this guy is letting on. The source code is probably the worst thing to be stolen from this company, depending on what it is for, because down the road this WILL compromise the security and ID of other sites and companies using this technology.

Jen said...

This attack is particularly unsettling, as many companies not only use this as a secondary form of security when logging on at work, but also use it mainly for remote access when employees are not physically at work and are logging onto much less secure systems and through much less secure connections. I would wonder if the end targets of this hack are not actually the businesses themselves but the individuals who work away from the office, such as on client sites or from home. This would be the perfect attack for companies that have their employees do a considerable amount of travelling while working with sensitive information. I would also like to know how much money this costs RSA to fix. Does this mean RSA will have to come up with an entirely new algorithm?

Holly said...

When I was at home over Easter break, I noticed that my dad uses RSA’s SecurID for work (he works for the government), and I remembered this article. However, when I mentioned it to him, he knew nothing about the hack. He did tell me though that about a month ago (around the time this article was written) his employer told everyone to make their pin codes longer. They use these pin codes in collaboration with the SecurID to log on to their computers.

This makes me wonder whether he somehow missed the announcement or whether the employees were not specifically notified about the threat. Given Jen’s point about employees who work away from the office being targeted, I think it is their duty to warn each employee and tell them to take greater precaution.

Also, is RSA continuing to use the same algorithm? I know my dad’s company continues to use their SecurID, but I can’t imagine that it would be useful if the algorithm was stolen. Even if they have contrived a new algorithm, how will they protect it from getting stolen again? It’s definitely scary to think about all the information flying over the internet that we can’t protect.

Shelby Bartemy said...

The fact that this security firm was attacked with a zero-day vulnerability only stresses the increasing risk uninformed users are facing. Due to lack of awareness, users often do not feel the need to install new updates for their software, as it is seemingly seen as time-consuming and unnecessary. Before taking this class, I personally have experienced clicking the "do not install" or "remind me later" button on my software update because I was in the middle of something else. I would rather continue my Facebook usage than have my computer restarted to install these updates. I did not realize the importance of installing updates and often forgot to install them later, as I was unconcerned and unaware of their purpose. Little did I know that by not installing these crucial software updates that contain patched vulnerabilities, I am actually wearing a sign saying "attack me", making me increasingly more prone to cyber attacks such as this one. Because there are so many people like myself who are not updating their software, there becomes an enterprise network for hackers. I was only able to learn this, though, by taking a computer privacy class. Other internet users often do not have this luxury and remain unaware of the looming cyber dangers. I feel that because many internet users out there share this unawareness, they do not install new updates that are crucial to their cyber security. If only they were more informed, they would see the need for installing these updates, enabling such attacks to be more easily prevented. This lack of awareness indicates a pressing need for an internet awareness campaign, informing users of the acts they can take to protect themselves from cyber hacking. This would allow for even the smallest measures of installing updates to work to further protect ourselves.

pjk52 said...

This article is very similar to the current situation and predicament in which Sony currently finds itself. The scary part about the breach of data is the uncertainty about where the data went and who currently has access to it. Unfortunately for these companies, they lose a significant amount of shareholder and client confidence, hurting their operations.

Sony currently is trying to offer increased protection and rebuild a sense of consumer confidence in its product. I don't believe that consumers will readily return to the gaming system knowing that there are safer alternatives on the market (such as Xbox). The scary notion is the fact that the hackers took credit card and personal information which are extremely lucrative for criminals.

These incidents all reinforce the idea that there needs to be better safety standards for all businesses choosing to hold data online.

Lawrence Brenninkmeijer said...

Even though RSA's code has been obtained, it does not pose an immediate threat to all users of RSA. The token is used in combination with another 4 digits (or any other combination RSA might offer) that only the holder of the account knows about. On top of that, the hackers have to obtain the user name and a set password combined with the account. Although, these two added measures are easier to obtain than the RSA code through well-known exploits. A recall of all the tokens might be cumbersome and expensive, but if RSA (and its users) wants to continue to deliver a safe service it might have to resort to that.
User name - password - 4-digit number in combination with the token - encryptor can all be obtained step by step. When one of them falls, it does not mean that you have three left; it means you have to reinstate a security measure.

Darion Parker said...

The interesting thing about technology is that it never sleeps. For example, when Apple unleashes the new iPhone 4 they don't rest. Rather, they're working on the iPhone 4G, which the market won't see until months later. In this fast-paced environment it seems that companies aren't being as meticulous as they should be in protecting their clients' investments. Unlike phones and other devices, this SecurID is especially targeted to protect one's security, and it fails as shown. This is worrisome to say the least. Is there really any technological device that is safe?

James Farley said...

It's scary when companies that make their living by providing security have their security compromised. It just goes to show how creative and persistent people can be. I like to believe that if there are "bad guys" capable of breaking into that kind of software, then there are "good guys" just as capable. However, maybe the nature of the game just makes it easier for the bad guys. More specifically, companies can only set up their defenses and wait for an attack, while attackers can proactively look for weaknesses. I may be naive to the way things work, but I doubt that the majority of companies are paying people to look for holes in their security. If so, I am impressed and feel as though my security and information is in good hands. If not, companies have no excuse except greed if a customer's or user's security is compromised.

If this attack went after source code, which can reveal important information about the entire company infrastructure, I am sure the next attack will be more extravagant and informed. Although no personal information was stolen, I believe that this is a bigger problem and can even lead to information being stolen in the future. The internet is a scary place, and to take one's security for granted is foolish.