
RSA's Servers Hacked

timothy posted more than 3 years ago | from the blame-israel-everyone-else-does dept.


Khopesh writes "EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products." The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds "With all the hype that's sure to explode over this one, we decided to do a quick write-up to separate fact from speculation."


Ouch (3, Insightful)

the linux geek (799780) | more than 3 years ago | (#35524284)

These guys aren't like HBGary - RSA basically invented huge portions of modern cryptography. I'm interested in seeing the specifics on how this happened.

Re:Ouch (4, Funny)

dAzED1 (33635) | more than 3 years ago | (#35524318)

likely a soft hack. Insider, or simply seducing an engineer with a cute girl.

Re:Ouch (0)

Anonymous Coward | more than 3 years ago | (#35524454)

If you're implicating Anonymous, a girl who hangs out on 4chan and watches anime is not capable of seducing anybody.

Re:Ouch (1)

Anonymous Coward | more than 3 years ago | (#35524658)

He didn't say "hippopotamus".

Re:Ouch (0)

Anonymous Coward | more than 3 years ago | (#35524728)

Don't insult Queen Boxxy, you heathen !

Re:Ouch (2)

interkin3tic (1469267) | more than 3 years ago | (#35524750)

a girl who hangs out on 4chan and watches anime is not capable of seducing anybody

I'm pretty sure that first part, "girl" qualifies as "capable of seducing" at least a few engineers.

Re:Ouch (1)

bughunter (10093) | more than 3 years ago | (#35524760)

OK, well we're talking about crypto engineers, so only the 'girl' condition is essential, not the 'cute' condition.

Re:Ouch (5, Funny)

russotto (537200) | more than 3 years ago | (#35524808)

OK, well we're talking about crypto engineers, so only the 'girl' condition is essential, not the 'cute' condition.

It's also essential she not call herself "Eve". The crypto guys catch onto that one immediately.

Re:Ouch (1)

PopeRatzo (965947) | more than 3 years ago | (#35525234)

OK, well we're talking about crypto engineers

We're also talking about "crypto" girls.

Re:Ouch (1)

Nefarious Wheel (628136) | more than 3 years ago | (#35525908)

Follow the white rabbit...

Re:Ouch (1)

davester666 (731373) | more than 3 years ago | (#35526396)

Yeah, no password is safe if she can get to 7 in prime numbers...

Re:Ouch (1)

macs4all (973270) | more than 3 years ago | (#35526198)

OK, well we're talking about crypto engineers, so only the 'girl' condition is essential, not the 'cute' condition.

And, if you're talking about Alan Turing, the 'girl' condition is not only non-essential, it is a liability.

Just sayin'...

(old pedophilia joke) (-1)

Anonymous Coward | more than 3 years ago | (#35526630)

You know the nice thing about 6 year old girls? You can turn them over and pretend they're 6 year old old boys.

Re:Ouch (0)

Anonymous Coward | more than 3 years ago | (#35524834)

Geek2Geek did RSA.

Re:Ouch (1)

Cramer (69040) | more than 3 years ago | (#35525058)

I think you've underestimated the male demographic that, well, hangs out on 4chan and watches anime. "come here and f*** me" would work 99.999% of the time. :-)

Re:Ouch (1)

PopeRatzo (965947) | more than 3 years ago | (#35525272)

I think you've underestimated the male demographic that, well, hangs out on 4chan and watches anime. "come here and f*** me" would work 99.999% of the time. :-)

No, it wouldn't work, because if a girl ever said that to one of them, it would be over before it started. Then their biggest concern would be hiding their underwear from their moms.

Re:Ouch (0)

Anonymous Coward | more than 3 years ago | (#35526120)

the trust condition would not be met.

the 4chan male demographic demands proof in the form of posted tits.

Re:Ouch (1)

GrumpySteen (1250194) | more than 3 years ago | (#35526022)

a girl who hangs out on 4chan and watches anime is not capable of seducing anybody.

Really? Meet Allison Harvard [imgur.com]

Granted, she's better known as creepy-chan [imageshack.us] (and she's a wee bit less seductive in that persona, but that doesn't negate the other image. It just makes the morning after a lot scarier.

Re:Ouch (1)

vux984 (928602) | more than 3 years ago | (#35524354)

Meh, I'm still unconvinced that the "extremely sophisticated attack" might be code for the "login to the company vpn was the same as his dog's name, which he posted on facebook..."

Or maybe a secretary who knew the passwords to the system got bribed...

An "Advanced Persistent Threat" really doesn't mean much when you break it down.

Most security breaches aren't all that sophisticated technically, and I'm cynical that they are making it sound much more impressive than it really was to try and preserve their credibility.

Re:Ouch (2)

SethJohnson (112166) | more than 3 years ago | (#35524562)

Meh, I'm still unconvinced that the "extremely sophisticated attack"

That used to be a good assumption to make until the steps required to manufacture the Stuxnet worm were revealed [arstechnica.com].

The penetrator likely has eyes on a very specific secondary target, and grabbing this information was a preliminary step. Imagine the resources that could have been applied. I'm betting physical access was required at RSA.

Seth

Re:Ouch (1)

Anonymous Coward | more than 3 years ago | (#35524572)

Does persistent mean that security has been breached for months, and they only found out now?

Re:Ouch (1)

_Sprocket_ (42527) | more than 3 years ago | (#35525952)

Persistent means it isn't a one-time shot; something more involved than a crime-of-convenience.

Re:Ouch (1)

Nefarious Wheel (628136) | more than 3 years ago | (#35525928)

Does this mean I need a new authenticator for my WoW account? Crap. Those guys over at SusanExpress (free keylogger with every purchase!) must really be sophisticated now, that they have the elliptical functions needed to generate my RSA code in real time. And me with 4 level 85's to feed...

Re:Ouch (2)

MrEricSir (398214) | more than 3 years ago | (#35524404)

But do Ron Rivest, Adi Shamir, and Len Adleman have anything to do with RSA the company nowadays? I know they invented some algorithms which bear the name RSA, but that doesn't mean they have (or ever had) anything to do with the day to day operations of RSA the company.

Re:Ouch (1)

the linux geek (799780) | more than 3 years ago | (#35524412)

Well, they founded it. That kind of involves involvement with the day-to-day ops.

Re:Ouch (2)

msauve (701917) | more than 3 years ago | (#35524904)

So, by your definition, Henry Ford is still involved with day-to-day operations of the Ford Motor Company?

Re:Ouch (1)

the linux geek (799780) | more than 3 years ago | (#35525050)

MrEricSir said "doesn't mean they have (or ever had) anything to do with the day to day operations." Ford did indeed have things to do with the day-to-day operations of Ford Motor at one point.

Re:Ouch (1)

JustOK (667959) | more than 3 years ago | (#35525750)

He used to work Tuesdays and alternate Fridays in the cafeteria, mostly on the side dish line.

Re:Ouch (1)

93 Escort Wagon (326346) | more than 3 years ago | (#35526506)

He used to work Tuesdays and alternate Fridays in the cafeteria, mostly on the side dish line.

Who - Shamir or Adleman?

Re:Ouch (1)

jd (1658) | more than 3 years ago | (#35525066)

That explains the zombies.

Re:Ouch (1)

swb (14022) | more than 3 years ago | (#35525236)

Henry was actually the de facto leader of the company well into the 1930s, more than 30 years after the founding of Ford.

Thus, by your logic, it makes sense that R, S, & A would be involved in RSA's business.

Re:Ouch (0)

Anonymous Coward | more than 3 years ago | (#35525646)

You notice that they talk of "RSA, an EMC company" - Rivest, Shamir, and Adleman probably sold their company (maybe to EMC, maybe to someone who sold it to EMC).

Besides, they invented the algorithm/s which became famous, and the company was created to exploit said algorithms. They certainly gave their initials to the algorithm, and thence to the company, but they may have been nothing but figureheads in the company.

BTW: I recall with amusement the T-shirts that the company gave out at a conference when the patent on RSA was expiring ("RSA - it's just an algorithm") - it looked like someone was regretting naming the company after the algorithm :)

Re:Ouch (1)

Sulphur (1548251) | more than 3 years ago | (#35526052)

You notice that they talk of "RSA, an EMC company" - Rivest, Shamir, and Adleman probably sold their company (maybe to EMC, maybe to someone who sold it to EMC).

Besides, they invented the algorithm/s which became famous, and the company was created to exploit said algorithms. They certainly gave their initials to the algorithm, and thence to the company, but they may have been nothing but figureheads in the company.

BTW: I recall with amusement the T-shirts that the company gave out at a conference when the patent on RSA was expiring ("RSA - it's just an algorithm") - it looked like someone was regretting naming the company after the algorithm :)

Rename it Cocks then.

Re:Ouch (1)

ffreeloader (1105115) | more than 3 years ago | (#35525338)

But do Ron Rivest, Adi Shamir, and Len Adleman have anything to do with RSA the company nowadays? I know they invented some algorithms which bear the name RSA, but that doesn't mean they have (or ever had) anything to do with the day to day operations of RSA the company.

How do the algorithms created by RSA's founders expose RSA?

Re:Ouch (0)

Anonymous Coward | more than 3 years ago | (#35525390)

No. Much to their credit, unfortunately.

Re:Ouch (3, Insightful)

dfcamara (1268174) | more than 3 years ago | (#35524582)

Hacking systems very rarely involves breaking cryptography. It's bad reputation for their sys admins but not so for their cryptography experts.

Re:Ouch (1, Insightful)

MichaelKristopeit413 (2018846) | more than 3 years ago | (#35525106)

Hacking systems very rarely involves breaking cryptography.

until now.

Crap, crap, crap (3, Funny)

pedantic bore (740196) | more than 3 years ago | (#35524346)

I can imagine how this is going to play out when the IT folks at my company find out about this. They'll panic, revoke all the SecurID cards, and then no more working from home until something much more complicated, unreliable, and probably requiring Windows 7 is found to replace it.

Crap!

Re:Crap, crap, crap (5, Informative)

Anonymous Coward | more than 3 years ago | (#35524522)

Are you talking about SecurID smartcards? If so then the hackers wouldn't have any advantage against those. Those use standard PKI and the private key is protected in hardware on each person's specific card.

What got stolen was the code used in those SecurID tokens. You know those key-fob things that stay in sync based on time and generate a new token every x number of seconds. However, even if the hackers got the algorithms for how that works it still wouldn't help them because the algorithm again uses a set of private data (keys) for each installation. The hackers would have to get that data along with the algorithm they presumably have now.

In short, this probably means that security will be unaffected. The only difference is now some people know exactly how the time based key fobs work. Which you could figure out anyway if you disassembled the RSA server software. Pretty much what RSA said.

Re:Crap, crap, crap (4, Insightful)

Shikaku (1129753) | more than 3 years ago | (#35524560)

Explain that to his manager.

I'll bet $1337 that GP's scenario will occur anyway.

Re:Crap, crap, crap (3, Funny)

jd (1658) | more than 3 years ago | (#35524944)

Explanations are futile. The CEOs have already been assimilated.

Re:Crap, crap, crap (1)

Cramer (69040) | more than 3 years ago | (#35525118)

Well, that and the serial number of the fob you want to clone, which you can get off the fob or out of the server's database (and the user's PIN and login ID).

Re:Crap, crap, crap (2)

znerk (1162519) | more than 3 years ago | (#35525360)

What got stolen was the code used in those SecurID tokens. You know those key-fob things that stay in sync based on time and generate a new token every x number of seconds.

It's a conspiracy to hack my WoW account!

Re:Crap, crap, crap (0)

Anonymous Coward | more than 3 years ago | (#35525406)

Yes, because we all know hacking RSA compromises Vasco's security tokens [vasco.com]

Re:Crap, crap, crap (1)

ildon (413912) | more than 3 years ago | (#35525544)

The real question on everyone's mind: Is my WoW authenticator safe????

Re:Crap, crap, crap (1)

Mashiki (184564) | more than 3 years ago | (#35525768)

It's going to be interesting to see how the 'customer support' section of Blizz handles the people posting this 300 times.

Re:Crap, crap, crap (1)

Nefarious Wheel (628136) | more than 3 years ago | (#35525962)

ildon says> You are in violation Blizz loot rules must update your details or account suspend immediate. Click BlizzUpdate.com [slashdot.org] to update account details.

TSUNAMI RELATED (-1)

Anonymous Coward | more than 3 years ago | (#35524398)

Radioactive radiation is never good on RSA.

Oh, wait, on RNA.

RSA (1, Redundant)

MarkRose (820682) | more than 3 years ago | (#35524482)

Real Secure? Ahahaha

Let me guess... (2)

leapis (89780) | more than 3 years ago | (#35524494)

They didn't have a two factor authentication process around accessing their source code.

Re:Let me guess... (2)

abulafia (7826) | more than 3 years ago | (#35524614)

That was my first thought.

Probably a simpler attack than that, but still a pretty fucking serious hit for a company/brand that depends on rep as much as RSA does.

Re:Let me guess... (1)

jd (1658) | more than 3 years ago | (#35524978)

Likely. The most common cyber-attack is via social engineering, but social engineering is only effective if there's a single point of failure that can be attacked.

Re:Let me guess... (0)

Anonymous Coward | more than 3 years ago | (#35525776)

Let me guess... They didn't have a two factor authentication process around accessing their source code.

If the cryptography is done correctly, that shouldn't matter for anything other than the specific variable initialization that has the value of the private key. The idea behind a secure ciphersystem is that you should be able to give the attacker everything but the private key and the plaintext, and the attacker still should be unable to break the code in any reasonable timeframe.

Can someone please... (1)

s0litaire (1205168) | more than 3 years ago | (#35524510)

... pass the popcorn. This might get interesting. ^_^

Re:Can someone please... (3, Interesting)

jd (1658) | more than 3 years ago | (#35525136)

I doubt it. The McEliece cryptosystem [technologyreview.com] from 1978 is immune to attack even by quantum computers, whereas current quantum cryptography has already been broken and can be sampled without detection (if the sample rate is about the same as the noise in the system), but highly secure facilities are investing in QC, not McEliece. Why? Because nobody really cares that much, not at that level. Once you pass a certain point, people become far more vulnerable than technology, so improving the technology won't help security. All it might do is attract funding, which is why QC is so good - fully buzzword-compliant - and old tech that's superior is bad.

Re:Can someone please... (1)

s0litaire (1205168) | more than 3 years ago | (#35525298)

So you're all out of buttered popcorn then??

Re:Can someone please... (4, Funny)

jd (1658) | more than 3 years ago | (#35525592)

I salted the popcorn and it ROT13ed.

Re:Can someone please... (1)

s0litaire (1205168) | more than 3 years ago | (#35525614)

Bazinga!
well played sir!!

Re:Can someone please... (1)

ratnerstar (609443) | more than 3 years ago | (#35525888)

McEliece isn't "immune to attack even by quantum computers," it's immune to one specific form of quantum cryptanalysis.

Re:Can someone please... (5, Informative)

iris-n (1276146) | more than 3 years ago | (#35525918)

Oh come on!

This is so wrong that I can't believe you're not malicious.

As your own article admits, there's nothing that stops a quantum algorithm that breaks McEliece being invented tomorrow. There's not even evidence that such an algorithm is unlikely to exist. That's why McEliece is worthless and nobody pays attention to it.

When you say QC has been broken, you're probably referring to the implementation of BB84 by IdQuantique that was broken by the Norwegian quantum hackers. They themselves say that QC is not broken: http://www.iet.ntnu.no/groups/optics/qcr/ [iet.ntnu.no]

It was only a particular implementation that was broken, not even a particular protocol. That's because it can't be broken. Of course there is not such a thing as perfect security, but BB84 (and other protocols) is based on sound principles, and we have numerous proofs (yes, mathematical proofs) of security for various scenarios.

Re:Can someone please... (1)

Nefarious Wheel (628136) | more than 3 years ago | (#35525998)

Ahh, sweet nerdishness returns; that forum of high geekery that was the Slashdot of yore has returned.

Welcome back, facts.

Re:Can someone please... (1)

jd (1658) | more than 3 years ago | (#35526498)

Given that no flaw in the algorithm is known and that the strength increases more rapidly with key length than standard pki (also in the article), there is substantial evidence that no such algorithm will exist (as the article also states).

time for new laws! (3, Insightful)

swell (195815) | more than 3 years ago | (#35524532)

This is just the opening that lawmakers need to promote panic and obliterate resistance to their 'protective legislation', which will surely be filled with special interest items buried in legalese.

Re:time for new laws! (1, Funny)

thestudio_bob (894258) | more than 3 years ago | (#35524556)

Quick! Flip the internet kill switch!!!!

Re:time for new laws! (1)

jd (1658) | more than 3 years ago | (#35525030)

It's doubtful any new law could be passed given the current paralysis (especially as the Tea Party can't make any money off an Internet law), but I'd have no objection to a law mandating strong crypto be used for all traffic on the Internet, where "strong" should be defined in relative terms so that it's never obsoleted as technology progresses.

Once the hackers are caught the headline can be... (0)

Anonymous Coward | more than 3 years ago | (#35524540)

...RSA's Hackers Served

It has to be a "sophisticated attack" (0)

Anonymous Coward | more than 3 years ago | (#35524568)

Otherwise RSA looks pretty dumb, but if they label it "extremely sophisticated" even if it isn't, people then give the company a pass. Perhaps it was. Perhaps it wasn't, and without additional information we won't know.

Source code wouldn't matter. (1)

John Meacham (1112) | more than 3 years ago | (#35524592)

Accessing the source code wouldn't be helpful, see http://en.wikipedia.org/wiki/HOTP [wikipedia.org]

What would be dangerous is if they stole the serial# secret initializer mapping, or the key to decode the mapping if it is algorithmic. Then you can reproduce any key with just its public serial #.
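The point made by the Anonymous Coward earlier in the thread (#35524522) and by this post, that the algorithm is public and the per-token seed is what matters, as an added example that is not from the original thread and is not RSA's SecurID code: RFC 4226 HOTP run in a time-stepped mode, with a server that holds the serial-to-seed table, tolerates clock drift, and rejects replays. The serial, the seeds and the `TokenServer` class are constructed for this example; SecurID's real scheme differs in detail.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-stepped variant: the counter is the number of `step`-second
    intervals since the epoch, which is what keeps fob and server in sync."""
    return hotp(seed, unix_time // step, digits)


class TokenServer:
    """Authentication-server side (constructed for this example).
    The serial -> seed table is the real secret; the algorithm is an RFC."""

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step = step
        self.window = window  # accepted clock drift, in steps
        self._seeds: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def provision(self, serial: str, seed: Optional[bytes] = None) -> bytes:
        """Enrol a fob. A fresh random seed per token is what makes the
        public algorithm useless to anyone who lacks this table."""
        seed = seed if seed is not None else secrets.token_bytes(20)
        self._seeds[serial] = seed
        self._last_counter[serial] = -1
        return seed

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self._last_counter[serial]:
                continue  # that step was already consumed: blocks replay
            if hmac.compare_digest(hotp(seed, counter), code):
                self._last_counter[serial] = counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: the serial number is made up for this example."""
    server = TokenServer()
    serial = "000123456789"           # constructed serial number
    seed = server.provision(serial)   # shared only by server and fob
    now = int(time.time())
    fob_code = totp(seed, now)        # what the fob display would show
    # Holding the algorithm and the serial but not the seed, one can only
    # compute a code from some other seed, which will not verify
    # (1-in-10^6 chance of an accidental match, so not asserted in tests).
    other_seed_code = totp(secrets.token_bytes(20), now)
    return {
        "accepted": server.verify(serial, fob_code, now),
        "replayed": server.verify(serial, fob_code, now),  # same code again
        "other_seed_accepted": server.verify(serial, other_seed_code, now),
    }


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))  # RFC 4226 test vector: 755224
    print(demo())
```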

Re:Source code wouldn't matter. (1)

hAckz0r (989977) | more than 3 years ago | (#35525898)

My belief is that the danger is if the hackers get a chance for a man-in-the-middle attack: they can do deep packet inspection of the SSL-wrapped authentication session and grab the key-fob one-time pad, put that into their magic decoder ring database generated from the source algorithm and then guess the next sequence to be generated. They may have to snoop several sessions to guess the seed used inside the fob, but with today's cloud computing throughput it seems doable to me. Once they have the seed and the current timing from a session or two then they could generate their own values to authenticate their own session. Certainly not easy, but then Nation States will spare no expense to do what they think they need to do.

Re:Source code wouldn't matter. (0)

Anonymous Coward | more than 3 years ago | (#35526148)

sounds great! how do I fund your startup?

Re:Source code wouldn't matter. (1)

_Sprocket_ (42527) | more than 3 years ago | (#35525994)

What would be dangerous is if they stole the serial# secret initializer mapping, or the key to decode the mapping if it is algorithmic.

Or discovered a flaw in the implementation.

Oh no! (0)

Anonymous Coward | more than 3 years ago | (#35524606)

Does this mean my WoW account is vulnerable!?

They have a big development center in Bangalore (0)

Anonymous Coward | more than 3 years ago | (#35524654)

Wonder if they'll fess up as to which RSA office was hacked.

Good non hype link, now do that for more stories (5, Interesting)

Drakino (10965) | more than 3 years ago | (#35524666)

Would be nice if more stories here included a non-hyped, rational explanation of the situation. Definitely appreciated the writeup from securosis.

The recent Android browser vs iOS browser test could have used one, since the test was flawed, and there is a rational explanation for the difference between Mobile Safari and 3rd party apps tapping WebKit.

Same for all the hyped stories out of Japan causing people to run for iodine tablets on the west coast of the US.

In general I've become so skeptical of anything these days due to the echo chamber of the internet bouncing around hyped, panicked stories with no followup.

Re:Good non hype link, now do that for more storie (1)

ZDRuX (1010435) | more than 3 years ago | (#35524794)

Oh ok, so I guess the Surgeon General saying you should buy Iodide pills as a precaution is baloney and he's nothing but a big conspiracy theorist. The story [nbcbayarea.com]

Re:Good non hype link, now do that for more storie (1)

1729 (581437) | more than 3 years ago | (#35525606)

Oh ok, so I guess the Surgeon General saying you should buy Iodide pills as a precaution is baloney and he's nothing but a big conspiracy theorist.

Yes, it's baloney, though I doubt she is a conspiracy theorist.

Re:Good non hype link, now do that for more storie (0)

Anonymous Coward | more than 3 years ago | (#35525672)

Damn, I wish I had mod points for that...

Re:Good non hype link, now do that for more storie (1)

Drakino (10965) | more than 3 years ago | (#35526352)

For California residents near the two nuclear plants (of which I am), it makes sense as a precaution. Flyers were even sent in the mail about it last spring, offering free tablets to stash in emergency kits. But this is all for being prepared in case of a local disaster, not one hundreds of miles across a vast ocean.

Something tells me the surgeon general hasn't been properly briefed on the situation, especially considering her comments about being unaware that people are stocking up. Yes, it's bad, but it's not at a scale where anyone should be concerned on the western US coast. There are already people not only buying the tablets, but making use of them. Doing so brings zero benefit, but can cause side effects, some far more harmful than any potential risk from Japan.

Re:Good non hype link, now do that for more storie (1)

Shikaku (1129753) | more than 3 years ago | (#35524838)

Fear is good for business. I'm not advocating this is a good thing, however.

In the recent nuclear accident caused by Japan's tsunami, iodine tablet sales soared as you said. War brings up the sales of weapons obviously, both government and consumer (home defense and all that). Fear of robbery/previous example also aids business for security systems. Swine flu tanked pork prices; OK, that wasn't good for businesses but even swine flu infected pork was safe if cooked to FDA standards, and boy did I enjoy all that cheap pork.

The list goes on...

Re:Good non hype link, now do that for more storie (1)

Anubis IV (1279820) | more than 3 years ago | (#35524970)

The Internet has an echo chamber? Can you imagine how loud it will get in here with all of the people on the Internet?! I'm running to the store to get ear plugs right now before I suffer irreparable damage! I advise all concerned Internet citizens to head to your local stores for earplugs as we work together to avert this crisis of international proportions, lest we face the case where all of our heads explode as the sound becomes more than we can take.

And, above all, remain calm.

Re:Good non hype link, now do that for more storie (1)

weicco (645927) | more than 3 years ago | (#35526048)

people to run for iodine tablets on the west coast of the US.

Well, I could (almost) understand people's worry on the west coast of the US, but people are hoarding iodine tablets here in Finland too! Pharmacies have already sold their stocks.

Re:Good non hype link, now do that for more storie (1)

IchBinEinPenguin (589252) | more than 3 years ago | (#35526628)

In general I've become so skeptical of anything these days due to the echo chamber of the internet bouncing around hyped, panicked stories with no followup.

I keep hearing about that thing, but I don't believe it really exists.

LOL (1)

Konster (252488) | more than 3 years ago | (#35524752)

From one of the links,

"RSA states they are communicating directly with customers with hardening advice."

LOL@that. What's their advice? To call 916.459.4727 and set up an appointment?

Re:LOL (1)

Wingman 5 (551897) | more than 3 years ago | (#35525262)

You are not RSA's customer, people like Blizzard [blizzard.com] and PayPal [paypal.com] are their customers. You are a customer of their customers.

Re:LOL (0)

Anonymous Coward | more than 3 years ago | (#35526538)

>people like Blizzard [blizzard.com] are their customers

What? That explains it. I guess the Blizzard authenticators were too successful at stopping Warcraft account hijacks so the hijackers took matters into their own hands.

Separate the fact from speculation? (1)

2Bits (167227) | more than 3 years ago | (#35524916)

I was expecting a better job from securosis, but then, the first paragraph got right into speculation:

According to the announcement, RSA was breached in an APT attack (we don’t know if they mean China, but that’s well within the realm of possibility) and material related to the SecureID product was stolen.

I stopped reading right there.

Re:Separate the fact from speculation? (1)

jd (1658) | more than 3 years ago | (#35525054)

At the moment, my bet is that RSA are sitting very tight on the facts and a press statement of "RSA said that they were hacked" would not make for much of an article.

Argument (2, Insightful)

DaMattster (977781) | more than 3 years ago | (#35524954)

This is precisely why security products should be open sourced. The fact that RSA was compromised and some data (potentially algorithms) on the RSA SecurID was obtained nullifies any F.U.D. that open source is less secure. If these algorithms had been out in the open, there would be no reason to panic because the development community would have access to the very source code and vulnerabilities would be addressed rapidly. Now the intruders have the keys to the castle and the only entity that can address the ensuing vulnerability is EMC.

Re:Argument (2)

neonsignal (890658) | more than 3 years ago | (#35525364)

While I agree with your argument that scrutiny of algorithms leads to better security, the issue here is that private seeds may have been obtained by those who broke into the systems. Even in an open source security scenario, there still has to be private information (such as the private keys used for signing).

WoW two factor authentication?? (0)

Anonymous Coward | more than 3 years ago | (#35525010)

Hi, can anyone confirm that this means my Blizzard authenticator is at risk? I use two-factor authentication to login to WoW and it protects my guild bank and all my assets! Were these Chinese attacks directed against WoW players specifically?

I KNOW WHO DID IT!!! (1)

abednegoyulo (1797602) | more than 3 years ago | (#35525334)

Blame it on HER --> http://xkcd.com/343/ [xkcd.com]

RSA Servers Hacked... What, again? (1)

Arbition (1728870) | more than 3 years ago | (#35525400)

I'm fairly sure that this has happened before. I remember seeing screen caps of their website being hacked. It is interesting, that in spite of this, RSA should still find itself vulnerable to cyber attack. I would make comments about past attempts being benign, but that would be supposition on my behalf.

Lemme Guess (1)

andydread (758754) | more than 3 years ago | (#35525570)

China is behind this one too. They have been relentless lately when it comes to espionage. Corporate etc.

Re:Lemme Guess (1)

dweller_below (136040) | more than 3 years ago | (#35526114)

China is behind this one too.

Prior Chinese attacks against USU governments, corporations and infrastructure have been covered up or downplayed. The US government doesn't want to offend the Chinese. The US Corporations don't want to lose the Chinese markets. There is a little talk now and then, but it is regarded as isolated incidents. Even Google's loud public protests and the later WikiLeaks disclosures keep being downplayed as unimportant past history.

At my institution, the attacks have been unending. A week-long break around the 20th Anniversary of the Student Uprising and then again during the Olympics.

If RSA (with the government's help) determine that China is responsible, then we will probably have to wait for another whistleblower to find out. The likely response in that event will be to cover it up again.

I suspect that the Chinese have a bit of a conundrum. They have created a monster. Thousands of people trained to attack IT infrastructure. Even if they wanted to stop, you can't just lay them off. They need to eat. They have a marketable skill. They are going to attack something. Maybe the Chinese could get away with killing them all. But if the choice is continuing to attack the West or destroying their valuable tool, it's going to take a LOT to want to destroy their attack capability.

I used to worry how we would deal with all the US torturers created during the glory days of Gitmo. But that problem will be a piece of cake compared to the problems we will face if we follow the example of the Chinese. Disposing of nukes will be easy compared to disposing of intelligent, talented, skilled destroyers of IT.

Miles

Re:Lemme Guess (1)

thoughtsatthemoment (1687848) | more than 3 years ago | (#35526586)

Even if they wanted to stop, you can't just lay them off. They need to eat. They have a marketable skill. They are going to attack something.

Or they can write books about cyber attacks and make a fortune?

Disposing of nukes will be easy compared to disposing of intelligent, talented, skilled destroyers of IT.

If you write the title for every slashdot article, the readership would double in no time.

I can't wait for the e-mails! (0)

Anonymous Coward | more than 3 years ago | (#35525638)

I don't use SecureID, but I can imagine how this will play out. News and hype will make the general public aware. They will know their passwords may need to be changed - but don't really know how. There will be millions of e-mails sent out

"This is the RSA, you may be at risk, please send us your current password (to verify your identity) and the new password you would like to use. We apologize for the inconvenience. PS: There is a bank in Nigeria that has $1,000,000 USD deposited into an account in your name. With your password, please send $1,000 USD for the fees to release this money."

But But But... (0)

Anonymous Coward | more than 3 years ago | (#35526574)

Even if some sort of Back Door or Man IN the Middle attack was established, how would this play out?

They would use code to achieve the pin? meh, wouldn't they be better off getting the pin for the RSA Server, kind of tough anyway...
As by the time the user logged on the changing digits would be, well, changed... Even if a new pin mode was entered, I don't see how this attack is possible.

Certainly redirected web pages would catch the users eyes? Maybe? In the form of pop up blocker or Invalid Certificate?

Oh wait, Have Algorithm, insert false digits, run code on GPU's, have key logger(Payload from Trojan) grab the pin, crack the digits, profit.

Damn, suddenly I can see this happening. Time to find a new system for secured access.

PS I wanna punch the guy who did this if it was anyone other than a Trusted source doing a security audit. Unlikely.

