RSA Under "Extremely Sophisticated" Attack; Yes, That Includes Those Tokens
Security company RSA today disclosed what it described as an “extremely sophisticated attack” against its technology. The disclosure came in a blog post by Art Coviello, the former RSA CEO who saw the company through its 2006 acquisition by EMC.
Coviello didn’t disclose many details about the attack, but said the attackers were able to extract some information about the company’s SecurID products. The backbone of the SecurID system is the keychain-sized tokens, like the one pictured, that generate a new number every 30 seconds or so and are used to log in to computer networks and other systems. The tokens, and software that generates numbers in the same way on smart phones, are widely used by corporations and governments to keep attackers out. As of 2009, RSA estimated that 40 million people used the tokens and another 250 million used RSA software on their smart phones.
Coviello said that so far it doesn’t look like the SecurID system has been compromised. But the information taken by the attackers could make an attack that would compromise it somewhat easier. “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” he wrote. “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”
RSA has classified the attack as an “Advanced Persistent Threat,” which in security industry parlance means it’s sophisticated enough that it may require the resources of a nation state to carry out, though the phrase is often met with mild derision by security professionals. As one put it, APT is another way of saying “not attacked by a script kiddie.”
It remains to be seen exactly how significant this incident will prove to be over the long term. As one security expert put it to me, if the algorithm used to generate the numbers displayed by the token is compromised in any way, confidence in the SecurID system will plummet, and the cost to RSA and EMC could be serious. Not only will there be the cost to replace all those tokens, but work will have to be done to change the software algorithm used to generate the numbers. Neither will be inconsequential. EMC shares finished the day up 25 cents, or nearly 1 percent, but are falling slightly in after-hours trading as the news about this attack has come to light.