In association with heise online

18 March 2011, 11:56

RSA hack could endanger the security of SecurID tokens

RSA, one of the leading global manufacturers of cryptographic solutions, has apparently fallen prey to an attack in which data was stolen from its servers. According to a press release from RSA's CEO, Art Coviello, to RSA customers, part of the data included information about SecurID products, which could endanger their security.

SecurID is one of the oldest systems for two-factor authentication for safe logins on computers; most people are familiar with it as a hardware token that generates a one-time password (OTP) every 60 seconds. Worldwide, 40 million tokens are reportedly used by companies in addition to an estimated 250 million software versions on mobile devices, etc.

Some of RSA's SecurID tokens, also known as hardware authenticators.

Coviello says the stolen data reduces the "effectiveness of a current two-factor authentication implementation", which the unknown parties could exploit in future attacks. He does not, however, say exactly which data has been lost. There is speculation that the SecurID source code or even the "seeds" may have been copied. The source code would allow the algorithm that generates OTPs to be identified; furthermore, the attackers could use the source code to look for security holes in RSA software. All of the OTPs ever generated by a token can be derived from the seeds.

Attackers who have the algorithm and the seeds could probably calculate all OTPs. To log into SecurID systems, however, you need a password in addition to the OTP. RSA says it is currently telling customers how to increase the security of their SecurID systems. In an official report (PDF) to the US Securities and Exchange Commission (SEC), RSA – a subsidiary of EMC – lists a number of recommendations. New tokens are not mentioned.
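The point of the two paragraphs above, as an added example that is not from the article or from RSA: an OTP is a deterministic function of the token's seed and the clock, so any copy of the seed yields the same codes and the PIN becomes the only remaining secret. SecurID's algorithm is not given on the page, so the sketch substitutes RFC 6238 TOTP (HMAC-SHA1) with a 60-second step; the `Verifier` class, user name, PIN and seed are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 60  # seconds per OTP, as on the hardware token the article describes


def otp_at(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Stand-in generator: RFC 6238 TOTP (HMAC-SHA1), not RSA's algorithm."""
    counter = struct.pack(">Q", max(unix_time, 0) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical login server: stores each user's seed and a PIN hash."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (seed, salt, self._pin_hash(pin, salt))

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def login(self, user: str, pin: str, otp: str, now: int) -> bool:
        if user not in self._users:
            return False
        seed, salt, pin_hash = self._users[user]
        pin_ok = hmac.compare_digest(self._pin_hash(pin, salt), pin_hash)
        # Accept the current step and its neighbours to tolerate clock drift.
        otp_ok = any(
            hmac.compare_digest(otp_at(seed, now + d * STEP).encode(), otp.encode())
            for d in (-1, 0, 1))
        return pin_ok and otp_ok


# Constructed sample values: the RFC 4226 test secret and a made-up PIN.
SEED = b"12345678901234567890"
server = Verifier()
server.enroll("alice", SEED, "4821")
seed_copy = bytes(SEED)  # any second copy of the seed behaves identically
```

Enrolling the user again with a fresh seed makes codes computed from the old copy fail verification.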

The attack on RSA's servers was apparently a well-coordinated heist. Current insights suggest that it was an "Advanced Persistent Threat" (APT). The term is generally used in the context of industrial espionage from abroad; one such recent case concerned Google last year.

