I usually try to avoid getting too geeky on the blog, so when the IT-security company RSA reported it had been hacked, I didn’t post, but now that it appears that incident was merely setting the stage for an assault on defense contractor, Lockheed. News accounts I’ve seen are not giving a good idea of what’s going on, I’ll chime in. I was the architect of a SecurID infrastructure, so I know of what I speak.
For those of you who don’t know, RSA makes a two-factor authentication product called SecurID. You may have seen these little fobs. They are popular with a lot of companies for things like securing access for mobile users who connect to their company’s e-mail, etc.
It’s called “two-factor”, because you need two things to gain access.
- something you know (your PIN), and
- something you have, (the fob).
They generate a six or eight-digt number that changes every thirty or sixy seconds (depending on the model purchased). A user enters that number, along with their PIN.
The numbers are never repeated, and you can’t use the same one twice. If anyone on 24 used them, there would be no show. The numbers, though impossible to guess, aren’t random. They’re generated based on a “seed” file. The SecurID server in the company you log on to, also has a copy of the seed file that the token is programmed with, and it’s generating the same numbers, and then comparing the two.
What hackers stole (though RSA didn’t confirm it) are the seed files associated with an unknown number of tokens. Now, RSA has no knowledge of who is assigned which token. They sell the tokens in bulk to a customer, which then in turn assigns them to a person, creates a user-name, etc. RSA claims, and it’s technically accurate, that theft of the seed files alone, won’t allow someone access to a protected system.
However, if by phishing or key-logging, you capture the username and PIN and token-code when a person logs in, and you are running your own SecurID server with the stolen seed file, you can figure out which fob the user has. You can then generate one-time tokencodes at your leisure, and you now know their username and password. You may also just be able to guess a person’s user-ID and PIN (e.g., jdoe and John Doe’s birthday). The former appears to be what happened at Lockheed.
Obviously, this is serious for any SecurID customer of RSA’s, and a disaster for the company itself (a division of EMC). It’s a security company, and yet was itself hacked. In a not easy-to-find message to their customers on their website, Art Coviello, the head of RSA writes,
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
Yeah. “Nothing to be worried about, sir”, said the porter on the Titanic. “We’ve just run over a whale and should be underway shortly.”
IMHO, if any company continues to use SecurID tokens, they need new tokens, from a new seed file. That’s not going to be fun, millions of tokens are out there. Large companies may have thousand in circulation, but sometimes all your alternatives suck.