Arik Hesseldahl


Read the NSA’s Advice on Coping With the SecurID Attacks

It’s been nearly three months since RSA, the security unit of the storage giant EMC, disclosed that it came under an “extremely sophisticated attack” that was ultimately found to be targeted at compromising the SecurID tokens it sells to secure computer systems at large companies and government agencies.

Later, after RSA described how it was attacked, the defense contractor Lockheed Martin found its systems under attack. EMC admitted that its technology was breached in the Lockheed incident, and has since offered to replace the tokens of affected customers. SecurID has long been a lynchpin of computer security at many companies and agencies doing sensitive work, and there’s no question that the system’s reputation has been hurt.

Since the first attacks against RSA were disclosed, many of the organizations that have relied on the tokens have been trying to figure out what to do, and whether or not they can still trust them. One of those organizations was the National Security Agency, the super-secret spy agency that sets IT security policies throughout the U.S. government’s intelligence and defense establishments.

The unclassified document below is an internal advisory from the NSA’s Information Assurance Directorate concerning its recommendations. If your company is among those coping with the headaches that are arising as a result of all this, I thought at the very least it would make for interesting and hopefully useful reading. Granted, this document was issued in March, which was before RSA came clean on the details of the attack, but it may prove useful nevertheless.

NSA RSA Advisory
