Slashdot: News for Nerds

RSA Admits SecurID Tokens Have Been Compromised

CmdrTaco posted more than 3 years ago | from the hey-i-have-one-of-those dept.

Crime 219

A few months ago, RSA servers were hacked, and a few weeks ago duped tokens were used to hack Lockheed-Martin. Well today Orome1 writes "RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman — one of them confirmed by the company, others hinted at by internal warnings and unusual domain name and password reset processes."


219 comments

Is this an act of war? (4, Interesting)

cultiv8 (1660093) | more than 3 years ago | (#36361234)

Sit back peoples, get some popcorn, this should be interesting...

Re:Is this an act of war? (2)

Nickodeimus (1263214) | more than 3 years ago | (#36361258)

It's likely that the hack of Northrop was the cause of the fed making that statement.

Re:Is this an act of war? (0)

Anonymous Coward | more than 3 years ago | (#36361422)

Funny as they make tools for such events...

Re:Is this an act of war? (1)

Anonymous Coward | more than 3 years ago | (#36361534)

Meh, they'll just claim it was some "renegade" "terrorist" organisation like Anonymous or Lulzsec. That way they can save face by not acting on their big "act of war" speech while simultaneously passing new laws to grant themselves more powers.

Re:Is this an act of war? (1)

somersault (912633) | more than 3 years ago | (#36361708)

But surely now that Osama and Saddam are dead, they need some other people to add to the ol' war list in case they run out? Right now there's always camel-face and Kim Jong Il, but they must need a few more to keep the military cash flowing?

Re:Is this an act of war? (3, Insightful)

TheRaven64 (641858) | more than 3 years ago | (#36362044)

Cold wars are better for business than fighting wars. In a cold war, you get lots of funding but don't actually have to deliver anything. Cyberwar is even better, because whatever you do deliver becomes obsolete about ten seconds after deployment (at the latest), so you can keep getting the funding. A cyberwar with China is perfect, because there's always the possibility that it will turn into a shooting war, so you need to keep spending money on jets, drones, aircraft carriers, and so on, but there's no real chance that it will, so you don't have to waste much money on things like soldiers (who inconveniently take money away from shareholders' pockets, where it belongs).

Re:Is this an act of war? (1)

chemicaldave (1776600) | more than 3 years ago | (#36361842)

Expect a committee of jowled senators to make an official inquiry into how RSA's tubes were breached.

Cyber intrusions (4, Insightful)

ArAgost (853804) | more than 3 years ago | (#36361248)

1992 called, they wanted the adjective “cyber” back.

Re:Cyber intrusions (1)

Anonymous Coward | more than 3 years ago | (#36361286)

1984 called, they wanted to remind 1992 as to when the term "cyber" was popularized.

Re:Cyber intrusions (1, Redundant)

rylin (688457) | more than 3 years ago | (#36361310)

OH MY GOD, DID YOU WARN THEM?!

(hello, lameness filter! how have you been?)

Re:Cyber intrusions (1)

Anonymous Coward | more than 3 years ago | (#36361640)

(hello, lameness filter! how have you been?)

In desperate need of an addition to filter out tired XKCD memes, how are you?

Re:Cyber intrusions (5, Interesting)

TerranFury (726743) | more than 3 years ago | (#36361382)

...and 1947 turns the dial on its rotary phone to call both '92 and '84:

From here [theorem.net] :

It is worth noting that the Greek word for governor is κυβερνᾶν. In 1947, Norbert Wiener at MIT was searching for a name for his new discipline of automata theory, control and communication in man and machine. In investigating the flyball governor of Watt, he investigated also the etymology of the word κυβερνᾶν and came across the Greek word for steersman, κυβερνήτης. Thus, he selected the name cybernetics for his fledgling field.

In other words...

(Cyber = steering/adjustment/feedback) + (net = networks/interconnection) + (ics = study of)

Re:Cyber intrusions (0)

Anonymous Coward | more than 3 years ago | (#36361648)

I think you are trying too hard. That's not a very direct correlation. It's pretty indirect, if accurate at all... just because you stuff your context onto a news-byte does not mean that was the original intent.

Re:Cyber intrusions (0)

Anonymous Coward | more than 3 years ago | (#36361876)

2005 called. Your mom regrets meeting your dad.

Re:Cyber intrusions (2)

Trepidity (597) | more than 3 years ago | (#36361344)

Ted Nelson was even complaining about its overuse [wiktionary.org] in the late 1960s. Seems not to have really stopped.

Re:Cyber intrusions (1)

Hijacked Public (999535) | more than 3 years ago | (#36361470)

Cyber hanky to you, for the trouble.

Re:Cyber intrusions (1)

somersault (912633) | more than 3 years ago | (#36361856)

Cyber-group hug!

Dear Customers... (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361294)

Golly Shucks. As it turns out, maintaining a copy of the seed keys for devices we sold specifically as a high-security access control solution on our under-secured network might have been a less than totally good idea... Well, lessons learned, eh?

Re:Dear Customers... (0)

Anonymous Coward | more than 3 years ago | (#36361398)

What a completely bullshit comment. Wow. I like how everything is now "under-secured" as if you have any first hand knowledge of the nature of the attack at RSA or the security measures they had in place. I'm sure you, the fuzzyfuzzyfungus from Slashdot, know more about how to properly secure a network than RSA and are in a perfectly fine position to be Arm-Chair General of the great Cyber War. Grow up, it will always be easier to destroy than to defend. The illusion that you can secure anything is just that, an illusion. More people need to get off their high horse and stop stroking their epeen over how clever they are and how stupid everybody else is. None of us are immune, is it still funny?

But you will go about with your fiddling as planned.

Re:Dear Customers... (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36361452)

I think we're all assuming (for the most part) that the attack was over a network. If the keys were physically stolen from an offline box, then that's a different matter. If they had their high-security seed keys--as GP refers to them--accessible remotely in any manner, that was probably an avoidable mistake.

Re:Dear Customers... (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361474)

My main issue was with retaining the seed keys in any network accessible location.

Those things should have been deleted upon transfer to the customer or(if so requested) stored on archival media in a vault somewhere unless needed by the customer for recovery purposes.

My point isn't "Ha Ha, their network guys fucked up, I could have done better!" My point is "for something as interesting as the seeds you would find useful in compromising a laundry-list of high-profile, high-security targets, basically no configuration would be sufficiently secure, and storing them in an insufficiently secure manner is hugely irresponsible."

After the the tokens were seeded, there was no further need for RSA to have them anywhere that they could be accessed electronically.

Re:Dear Customers... (2)

AJH16 (940784) | more than 3 years ago | (#36361750)

Perhaps they kept them around for initializing more fobs if necessary without having to transfer the root key again. Granted, it would probably be better to use a new root key and have a system support multiple, but then you have a key distribution problem where you need to distribute another key as well. It might not have been the most secure choice, but it seems it could have a lot of benefits for the sake of convenience if they thought they had it protected enough. Everything in security is about trade-offs of usability versus security. You may not agree with where they drew the line and hindsight is always 20/20, but it still doesn't make it a wrong choice necessarily.

I'm way more annoyed with the lack of good information about the nature of the data compromised than I am about the fact the breach was able to happen.

Re:Dear Customers... (5, Interesting)

clodney (778910) | more than 3 years ago | (#36361916)

Admittedly for a company in the security business they get a big fail on this one.

But I suspect that properly securing them is more difficult than it would appear to the outside observer. At one job I had, we had a signing key of some sort, which was on a USB key in a sealed envelope in a safe. We only took that key out when it needed to be used, which was maybe once a year. Easy enough to observe all the necessary precautions, even if it felt like overkill.

But remember that RSA presumably manufactures these tokens every single day. So the seed values have to be handled correctly all the time, and that makes the air gap restrictions tremendously onerous to comply with. The seed values need to be known to the authentication servers, and customers will likely demand that RSA could provide them the necessary data to reload authentication servers in the event of a major crash (yes, I know, backups, etc. - but the real world is not always like that).

So I suspect that RSA themselves was hurt by the classic security vs usability tradeoff. They need ongoing access to the data that they need to keep secure, and the security restrictions impacted usability, to the point where the policies were weakened, either officially or just by being sloppy.

Defenders have to be good all the time. Attackers only have to succeed once.

Re:Dear Customers... (0)

Anonymous Coward | more than 3 years ago | (#36361670)

You make the Microsoft astroturfers sound sensible. Maybe you are the one who should "grow up" whatever that is meant to mean.

Re:Dear Customers... (1)

GameboyRMH (1153867) | more than 3 years ago | (#36361718)

If the storage or machine containing the seed keys wasn't airgapped and in a safe, it was under-secured.

Because I know to do this and RSA doesn't, I'd say I know how to properly secure a network better than RSA.

Re:Dear Customers... (1)

afidel (530433) | more than 3 years ago | (#36361820)

For something that protects defense networks the only properly secured network is probably an airgapped one, but that would have been too inconvenient...

Re:Dear Customers... (4, Insightful)

Tim C (15259) | more than 3 years ago | (#36361940)

I like how everything is now "under-secured" as if you have any first hand knowledge of the nature of the attack at RSA or the security measures they had in place.

Someone got in. Seems to me that that is a very good, practical definition of "under-secured".

Re:Dear Customers... (1)

amn108 (1231606) | more than 3 years ago | (#36361486)

Do you know how their two-factor authentication works? How do you propose their system authenticates a client if it doesn't have a copy of the seed?

Re:Dear Customers... (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361502)

RSA's customers certainly need to have a copy of their tokens' seed keys on their authentication server; but RSA doesn't need a copy of their customers' seed keys...

Re:Dear Customers... (2)

c0lo (1497653) | more than 3 years ago | (#36361626)

RSA's customers certainly need to have a copy of their tokens' seed keys on their authentication server; but RSA doesn't need a copy of their customers' seed keys...

Unfortunately, I imagine they do need the copy: otherwise how do they make sure they never issue duplicates to different customers?

Re:Dear Customers... (1)

GameboyRMH (1153867) | more than 3 years ago | (#36361738)

And that copy should stay on an airgapped machine or storage device sitting in a safe, or at the very least, in a secure area on a separate network disconnected from the outside world.

Re:Dear Customers... (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361774)

If they need to check the list of seeds they've already used, their seed length is arguably way, way, way too short. With sufficient seed length, the risk isn't quite zero; but it is so vanishly close that it doesn't matter.

Since the algorithm that the tokens use is public knowledge, anybody can, for a given seed, compute the token display value at time T. If the seed-space were so small that RSA needed to do duplicate checks, rather than just resting assured in the fact that they'd need to issue a fob to every proton in the universe before the risk of duplication rises above 1%, then there would be the theoretical danger that an attacker could just brute-force things by computing each seed chain, and then inferring the target fob's seed by sampling its output at one or more times and seeing which seed chain it matched...

Re:Dear Customers... (3, Insightful)

vlm (69642) | more than 3 years ago | (#36361806)

RSA's customers certainly need to have a copy of their tokens' seed keys on their authentication server; but RSA doesn't need a copy of their customers' seed keys...

Unfortunately, I imagine they do need the copy: otherwise how do they make sure they never issue duplicates to different customers?

LOL that one was funny, and some PHB requirement like that is probably the cause of the whole problem. Like intro to crypto 101 problem funny. To the noobs out there, the solution involves storing the hash of the existing keys instead of the keys themselves. Supposedly, you can't turn a hash back into a key, but if the hash of your new key matches a pre-existing hash, then it's a dupe, make another and try again.

That's only needed if it's required to prove there's no dupes... realistically, if you have a 1024 bit key and 16 bits worth of customers, the odds of a collision, which wouldn't matter anyway, are 1 in 2 ** (1008) or in other words quite unlikely.
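The two points made above, that a duplicate check only needs hashes of issued seeds and that a seed space small enough to need such a check would also be small enough to brute-force from a few observed codes, can be run rather than argued. The following is an added example, not code from this thread or from RSA: the token algorithm is a TOTP-style HMAC-SHA256 construction standing in for the proprietary SecurID algorithm, the 60-second step, the 128-bit real-world seed length and the 16-bit toy seed are assumptions, and the "victim" seed and observed codes are constructed here.

```python
# Added example; not code from the thread or from RSA. A toy time-based token
# built on HMAC-SHA256 stands in for the proprietary SecurID algorithm so the
# arithmetic can be run: a seed registry that stores only hashes (vlm's point),
# the birthday bound on duplicate seeds (fuzzyfuzzyfungus's point), and the
# brute-force seed recovery that becomes possible when the seed space is small.
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60  # assumption: one code per minute, as SecurID tokens display


def token_code(seed: bytes, t: int, digits: int = 6) -> str:
    """Display value for `seed` at Unix time `t` (TOTP-style, RFC 6238 shape)."""
    counter = struct.pack(">Q", t // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SeedRegistry:
    """Duplicate check that never holds a seed: only SHA-256(seed) is kept."""

    def __init__(self) -> None:
        self._issued = set()

    def issue(self, seed_len: int = 16) -> bytes:
        while True:  # a retry is astronomically unlikely for 128-bit seeds
            seed = os.urandom(seed_len)
            digest = hashlib.sha256(seed).hexdigest()
            if digest not in self._issued:
                self._issued.add(digest)
                return seed  # the only copy leaves with the customer

    def is_issued(self, seed: bytes) -> bool:
        return hashlib.sha256(seed).hexdigest() in self._issued


def collision_probability(n_tokens: int, seed_bits: int) -> float:
    """Birthday-bound upper estimate n^2 / 2^(k+1) that any two seeds collide."""
    return (n_tokens * n_tokens) / (2 ** (seed_bits + 1))


def recover_seed(observations, seed_bits: int) -> list:
    """Try every seed in a `seed_bits`-wide space and keep those that reproduce
    all observed (time, code) pairs. Feasible only because seed_bits is tiny."""
    n_bytes = (seed_bits + 7) // 8
    return [
        c.to_bytes(n_bytes, "big")
        for c in range(2 ** seed_bits)
        if all(token_code(c.to_bytes(n_bytes, "big"), t) == code
               for t, code in observations)
    ]


def demo() -> dict:
    registry = SeedRegistry()
    seeds = [registry.issue() for _ in range(1000)]
    real_world = collision_probability(10 ** 9, 128)  # a billion 128-bit seeds
    toy = collision_probability(256, 16)              # 256 seeds of 16 bits
    victim = (12345).to_bytes(2, "big")               # constructed 16-bit seed
    observed = [(t, token_code(victim, t)) for t in (0, 600, 1200)]  # 3 samples
    return {
        "all_issued": all(registry.is_issued(s) for s in seeds),
        "p_collision_real": real_world,
        "p_collision_toy": toy,
        "recovered": recover_seed(observed, 16),
    }


if __name__ == "__main__":
    print(demo())
```

With a billion 128-bit seeds the bound is below 10^-18, so the registry is unnecessary in practice; with a 16-bit seed space three sampled codes pin down the one seed in well under a second, which is the attack the post above describes.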

Re:Dear Customers... (0)

Anonymous Coward | more than 3 years ago | (#36361754)

They obviously need to maintain the keys as customers will manage to "lose" their key (drive failure and no backup or something equally stupid). What they don't need to do is keep them on a system that is connected to their network for very long. (They probably have a business reason for them to be on their network for a short time so they can batch them up and move them to an offline system in a group say every week). But the whole list of keys should not be where they can be accessed over their business network. As an example, we have a PKI system at work. It is multiple levels of certificates and trust. The root server is never even online. The one closest to the clients - the one issuing login certificates, etc. is behind a firewall and locked in a secure cage in the data center. But the root stuff cannot be accessed on the network and is not even turned on. The drives for it are kept in a special two factor safe. I can't believe that RSA should do less than that with their info. Like I said, they need a process to batch up the keys because getting to the offline system every time they issue a key would be ridiculous. But, they shouldn't have more than a very small set of the most recently issued keys available online at any one time.

Re:Dear Customers... (2)

yodleboy (982200) | more than 3 years ago | (#36361504)

i think his point was that they sell a "high security" product and then store the keys on an apparently "low security" network. probably a bad idea.

Re:Dear Customers... (2)

hublan (197388) | more than 3 years ago | (#36361516)

Perhaps by keeping the machine that hosts the seed secured? Like using a protocol between the publicly facing machine and the seed machine that doesn't allow for remote shell access? Really basic stuff, actually.

Re:Dear Customers... (1)

thijsh (910751) | more than 3 years ago | (#36361600)

Public/private key pairs... not rocket science, but I must admit close...

Re:Dear Customers... (1)

wkk2 (808881) | more than 3 years ago | (#36361494)

I have two questions: Did someone require them to keep the initial values, and why wasn't the system designed so that the customer was required to initialize the tokens?

Re:Dear Customers... (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361840)

I suspect that the first question falls into the "Very interesting, pity we'll never find out..." category.

As for the second, I suspect that it is largely a matter of manufacturing convenience and/or fob tamper resistance. With RSA doing the keyfill at point of manufacture, the customer just needs to load the seed file for the entire batch onto their authentication server and then hand out the tokens, which are glued shut with considerable enthusiasm, and have no externally accessible electrical connections of any sort. If the customer did the fill, that would be extra effort (and a step where grunt manual labor would meet very sensitive data, not a pleasant HR situation...) for them, and would mean that RSA would have to validate their design against attacks on the exposed connectors. Neither is impossible to overcome; but under the(now invalid) assumption that RSA wouldn't fuck it up, certainly easier to avoid than to deal with.

Re:Dear Customers... (5, Insightful)

thijsh (910751) | more than 3 years ago | (#36361498)

For master encryption keys anything other than offline physically secure storage is a risk that is too high... The extra hassle of having a guy physically go to the storage when new certificates need to be signed is what you pay the security premium for right? This is not about discount SSL certificates that need to be sent with an automated process, no need at all to hook the machines to the internet... under-secured or super-duper-unbreakable-secure(tm) does not matter, just don't.

Re:Dear Customers... (2)

swillden (191260) | more than 3 years ago | (#36361808)

For master encryption keys anything other than offline physically secure storage is a risk that is too high

I would agree with you if secure hardware security modules (HSMs) didn't exist. Buy a FIPS 140-2 Level 4 certified device, get people who know what they're doing to configure it for you (including ensuring that the device will never, under any circumstances, export the master keys) and it is acceptable to have the device networked. You still need to have strong physical security around it, though that's more to prevent the DOS attack that results from having the device stolen than due to concern about someone extracting the keys from it, and of course it's always a good idea to secure the network it's on as well just out of due diligence and an abundance of caution, but in such a device your keys are extremely safe from both remote and physical extraction attacks.

With a good HSM, what you really focus your security efforts around isn't physical or network security, it's access control policies. If an attacker can fire requests at the HSM and have them serviced, he doesn't need the keys or physical possession of the HSM, he can just ask the device to encrypt/decrypt/sign whatever he'd like.

When managing keys used to derive other keys (which is probably what is meant by "master key" here, though I didn't RTFA), the most important goals are to ensure that no one, regardless of access, can re-derive and re-export an already-exported key and to carefully control the export and personalization path to ensure that a derived key cannot be duplicated or diverted during personalization. ("Personalization" here refers to the process of loading a derived key into the device that will use it.)

This is all very doable. Obviously, RSA didn't do it, which is baffling.
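The policy sketched above (a master key that never leaves the device, derived per-token keys, a personalization path that cannot re-derive and re-export a key already in the field, and access control on requests rather than on the key store) can be modelled in a few dozen lines. This is an added example and not code from the thread, from RSA, or from any HSM vendor's API; the class name, the roles, the serial format and the HMAC-based derivation are all hypothetical, and a Python attribute only models non-export, it does not enforce it the way certified hardware does.

```python
# Added example, not code from the thread, from RSA, or from any HSM vendor's
# API: a software model of the policy swillden describes. The master key never
# leaves the custodian object, per-token seeds are derived from it by
# HMAC-SHA256 over the token serial, every request is checked against a role
# allow-list, and a ledger ensures each serial's seed is exported exactly once.
# All names (SeedCustodian, roles, serial format) are hypothetical; a real HSM
# enforces non-export in hardware, which a Python attribute cannot.
import hashlib
import hmac
import os


class PolicyViolation(Exception):
    """Raised when a request is outside the caller's role or the export ledger."""


class SeedCustodian:
    _ALLOWED = {
        "personalize": {"issuance"},
        "sign_challenge": {"authn-server"},
        "backup_ledger": {"backup"},
    }

    def __init__(self, master_key: bytes) -> None:
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        self.__master = master_key   # no method ever returns this
        self._exported = set()       # serials whose seed has already left

    def _check(self, op: str, role: str) -> None:
        if role not in self._ALLOWED[op]:
            raise PolicyViolation(f"role {role!r} may not call {op}")

    def _derive(self, serial: str) -> bytes:
        # Domain-separated KDF: seed = HMAC(master, "token-seed|" || serial)
        return hmac.new(self.__master, b"token-seed|" + serial.encode(),
                        hashlib.sha256).digest()

    def personalize(self, serial: str, role: str) -> bytes:
        """Export the seed for `serial` once, for loading into the physical token."""
        self._check("personalize", role)
        if serial in self._exported:
            raise PolicyViolation(f"seed for {serial} was already personalized")
        self._exported.add(serial)
        return self._derive(serial)

    def sign_challenge(self, serial: str, challenge: bytes, role: str) -> bytes:
        """Service a request with the seed inside the boundary; nothing is exported.
        An attacker with request access could ask for exactly this, which is why
        the role check, not the key storage, is the control that matters."""
        self._check("sign_challenge", role)
        return hmac.new(self._derive(serial), challenge, hashlib.sha256).digest()

    def backup_ledger(self, role: str) -> list:
        """What a backup legitimately contains: the export ledger, never seeds."""
        self._check("backup_ledger", role)
        return sorted(self._exported)


def demo() -> dict:
    custodian = SeedCustodian(os.urandom(32))
    seed = custodian.personalize("000123456789", role="issuance")
    try:
        custodian.personalize("000123456789", role="issuance")
        second_export = True
    except PolicyViolation:
        second_export = False
    challenge = b"nonce-from-authn-server"   # constructed
    expected = hmac.new(seed, challenge, hashlib.sha256).digest()
    inside = custodian.sign_challenge("000123456789", challenge, role="authn-server")
    return {
        "seed_len": len(seed),
        "second_export_allowed": second_export,
        "challenge_matches": hmac.compare_digest(expected, inside),
        "ledger": custodian.backup_ledger(role="backup"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger, not the seed file, is the thing that must be backed up and protected against rollback: restore an old ledger and the custodian will happily re-export a seed that is already in a fielded token.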

Re:Dear Customers... (4, Informative)

PIBM (588930) | more than 3 years ago | (#36362078)

I remembered reading about this, and the failure modes were quite important to me. Let me quote Wikipedia on this:

Section 4.1.1 of the specification describes additional attacks that may require mitigation, such as differential power analysis. If a product contains countermeasures against these attacks, they must be documented and tested, but protections are not required to achieve a given level. Thus, a criticism of FIPS 140-2 is that the standard gives a false sense of security at Levels 2 and above because the standard implies that modules will be tamper-evident and/or tamper-resistant, yet modules are permitted to have side channel vulnerabilities that allow simple extraction of keys.

Re:Dear Customers... (0)

Anonymous Coward | more than 3 years ago | (#36361778)

or... they kept them on purpose so they could grant intrusion ability to themselves, governments, or the highest bidder.

UK census (0)

Anonymous Coward | more than 3 years ago | (#36361298)

Didn't Lockheed Martin perform the UK census? I've no idea where their data is held now. I'm sure it's very secure where it is.

After it was obvious to all (4, Insightful)

asifyoucare (302582) | more than 3 years ago | (#36361308)

RSA betrayed their customers, only admitting to the extent of the hack after it was obvious to all that the tokens were compromised. They're untrustworthy, yet they're in a business where trust is paramount, and I'll be recommending to the company I work for that we don't deal with them again. We are a current customer, and we're now scrambling to envisage and generate reports from authentication logs for exceptions that might indicate we're being attacked or have been successfully attacked in the past.

If they actually cared about providing security to their customers instead of covering their own asses they'd have kept their customers fully informed, but they didn't. If they weren't covering their asses and actually didn't have the logging around their crown jewels to let them know what had happened, well that's even worse.

They're now on my shit list, along with Verisign and Sony, of companies I never want to do business with again.

Re:After it was obvious to all (0)

Anonymous Coward | more than 3 years ago | (#36361376)

Sony is obvious, but why Verisign?

Re:After it was obvious to all (0)

Anonymous Coward | more than 3 years ago | (#36361436)

Because they'll sellout to anyone, Government or otherwise.

Re:After it was obvious to all (3, Insightful)

asifyoucare (302582) | more than 3 years ago | (#36361958)

Sitefinder. Unforgivable.

Re:After it was obvious to all (0)

Anonymous Coward | more than 3 years ago | (#36361508)

It's obvious you're scrambling by frittering away your time on Slashdot.
 
You're suspect. I think your whole post is a troll.

Re:After it was obvious to all (1)

asifyoucare (302582) | more than 3 years ago | (#36361994)

Thank you, Mr RSA. All complainers are disingenuous because they should be trying to remedy the situation instead of complaining. Is that a fair summary?

Re:After it was obvious to all (1)

Amouth (879122) | more than 3 years ago | (#36361654)

we're now scrambling to envisage and generate reports from authentication logs for exceptions that might indicate we're being attacked or have been successfully attacked in the past.

why would you need to scramble? shouldn't you be looking at this anyways? on a regular basis? sure this is a good reason to take a second look - but be scrambling.

Re:After it was obvious to all (1)

Amouth (879122) | more than 3 years ago | (#36361668)

but be scrambling.

*but *shouldn't* be scrambling

sorry edit ate text

Re:After it was obvious to all (1)

vlm (69642) | more than 3 years ago | (#36361858)

we're now scrambling to envisage and generate reports from authentication logs for exceptions that might indicate we're being attacked or have been successfully attacked in the past.

why would you need to scramble? shouldn't you be looking at this anyways? on a regular basis? sure this is a good reason to take a second look - but be scrambling.

Having been there / done that, what he means is that today, over and above the normal procedure, some PHB around 5 to 10 levels higher in the org chart has mandated that he will call every person who logged in on the telephone and verify that at that time and date it was in fact that person who logged in and not someone else. Or similar level of foolishness.

Re:After it was obvious to all (1)

erroneus (253617) | more than 3 years ago | (#36361730)

They care more about their reputation than the service they provide. If someone else announces the problem, they are either "speculating" or they have dangerous inside knowledge which would be hard to prove without official acknowledgement from the company. But after so many others came out, it became increasingly difficult to "deny it without denying it" as their corporate lawyers and PR staff usually do. And at just about the same time that congress is beginning to wonder what's going on and call a hearing, they pre-empt by announcing it themselves.

My company's parent company uses these extensively on their gigantic network. When the story first came out about RSA I asked "should we be concerned?" The answer was "No" at the time. Of course, the answer is "yes" now as my company's parent company is one of the world's largest.

Re:After it was obvious to all (0)

Anonymous Coward | more than 3 years ago | (#36361732)

RSA betrayed their customers, only admitting to the extent of the hack after it was obvious to all that the tokens were compromised. They're untrustworthy, yet they're in a business where trust is paramount, and I'll be recommending to the company I work for that we don't deal with them again. We are a current customer, and we're now scrambling to envisage and generate reports from authentication logs for exceptions that might indicate we're being attacked or have been successfully attacked in the past.

If they actually cared about providing security to their customers instead of covering their own asses they'd have kept their customers fully informed, but they didn't. If they weren't covering their asses and actually didn't have the logging around their crown jewels to let them know what had happened, well that's even worse.

They're now on my shit list, along with Verisign and Sony, of companies I never want to do business with again.

RSA made their customers aware months ago but they had to sign NDAs. I do agree that they should be on your shit list as they are charging companies to "help" replace all RSA tokens. Smart Cards anyone?

Re:After it was obvious to all (1)

AJH16 (940784) | more than 3 years ago | (#36361834)

In fairness to RSA, they did release updated best practices to their clients right away and had reason to believe (accurately) that the attackers were interested in the defense industry specifically, so they focused on fixing that first. Really, as long as you lock your system down if someone starts using the wrong RSA token with the wrong username repeatedly, then the chances of an actual penetration are still pretty minimal, at least for any sizable key-space. It's not a situation that would occur in almost any situation in real life, so setting the threshold for lock down to even 2 attempts would be sufficient. Sure it is still much less secure, but with a pool of say 100 users, you are still talking a .01% chance of a breach not being detected and shut down before being effective. That's still very insignificant, particularly considering it leaves a very characteristic fingerprint of the attack that would make it rapidly obvious if someone was trying it on a large scale and they could take measures accordingly. (Statistically, a broad attack against all RSA clients would likely have a success, but it would still be complex to carry out quickly as usernames and passwords would need to be obtained for the targets as well.)
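The two controls mentioned in this thread, a low lockout threshold on bad token codes (the post above) and a sweep of authentication logs for the characteristic fingerprint of cloned seeds being tried against many usernames (asifyoucare's scramble earlier in the thread), look like the following when written down. This is an added example and not code from the thread or from RSA; the log line format is invented for the example (a real Authentication Manager log looks different) and the sample lines are constructed.

```python
# Added example, not from the thread: detection logic of the kind AJH16 and
# asifyoucare describe, run over constructed log lines. The log format below is
# invented for the example (a real SecurID Authentication Manager log looks
# different); the fields are what any authentication log carries: time, source,
# user, outcome. Two rules: lock a user after `threshold` bad token codes, and
# flag a source that fails token codes across several distinct users, the
# fingerprint of someone cycling cloned seeds against harvested usernames.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>PASS|FAIL)(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample: one source walks token codes across bob, carol and dave.
SAMPLE_LOG = """\
2011-06-08T09:00:01Z src=10.0.0.5 user=alice result=PASS
2011-06-08T09:00:07Z src=198.51.100.7 user=bob result=FAIL reason=BAD_TOKENCODE
2011-06-08T09:01:12Z src=198.51.100.7 user=bob result=FAIL reason=BAD_TOKENCODE
2011-06-08T09:02:30Z src=198.51.100.7 user=carol result=FAIL reason=BAD_TOKENCODE
2011-06-08T09:02:55Z src=198.51.100.7 user=dave result=FAIL reason=BAD_TOKENCODE
2011-06-08T09:03:40Z src=10.0.0.9 user=erin result=FAIL reason=BAD_PIN
2011-06-08T09:04:02Z src=10.0.0.9 user=erin result=PASS
"""


def parse_log(text: str) -> list:
    """Parse lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def token_lockouts(events: list, threshold: int = 2) -> dict:
    """Users whose BAD_TOKENCODE failures reach `threshold` before a PASS resets
    the count; value is the timestamp at which the lockout would have fired."""
    failures = defaultdict(int)
    locked = {}
    for ev in events:  # assumes events are in time order, as the log is
        user = ev["user"]
        if user in locked:
            continue
        if ev["result"] == "PASS":
            failures[user] = 0
        elif ev["reason"] == "BAD_TOKENCODE":
            failures[user] += 1
            if failures[user] >= threshold:
                locked[user] = ev["ts"]
    return locked


def seed_spray_sources(events: list, min_users: int = 3) -> dict:
    """Sources with BAD_TOKENCODE failures against at least `min_users` users."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "FAIL" and ev["reason"] == "BAD_TOKENCODE":
            users_by_src[ev["src"]].add(ev["user"])
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_users}


def report(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"locked": token_lockouts(events), "spray": seed_spray_sources(events)}


if __name__ == "__main__":
    print(report())
```

Note that erin's BAD_PIN failure followed by a PASS is deliberately not counted: a wrong PIN is an everyday event, while a wrong token code from a user who then never succeeds is the signal the post above is talking about.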

Re:After it was obvious to all (1)

Leebert (1694) | more than 3 years ago | (#36361962)

If they actually cared about providing security to their customers instead of covering their own asses they'd have kept their customers fully informed, but they didn't.

Have you read their statement [rsa.com] ? They *still haven't* kept us informed. All they've said is that they'll replace the tokens, and that "the information taken from RSA in March has been used as an element of an attempted broader attack on Lockheed Martin".

Nowhere have they said that the seeds are compromised, nowhere have they told us exactly what information was leaked, only that the leaked information played a role in the LM attack.

The mind boggles.

And they worry about retailers and PCI (1)

John3 (85454) | more than 3 years ago | (#36361320)

RSA keys are compromised, Sony gets compromised, and meanwhile the bankcard industry continues to come down hard on independent retailers to force them to bring their internal systems into PCI compliance [pcisecuritystandards.org] . I know small retailers that have invested tens of thousands to secure their WiFi, update their firewall, upgrade their debit pads, all to protect cardholder data. Seriously, what criminal is going to target Joe's Hardware Store to snag a few hundred bankcards? These guys want the big targets. As Willie Sutton didn't say [snopes.com] , "That's where the money is". Criminals are going to aim at the top of the food chain, not at the mom and pop store. And even if they do hack the mom and pop store the damage is minimal compared to an RSA or Sony breach.

Re:And they worry about retailers and PCI (1)

Anonymous Coward | more than 3 years ago | (#36361410)

Huh?

Joe's Hardware Store is a big, fat juicy target for blackhats.

Why? Simple. They have Internet access, business grade, 24/7/365. Blackhats want compromised machines they can launch attacks from that can't be traced to them, and if Joe the owner of the hardware store gets blamed or tossed in prison, so much the better.

Small businesses have just as much risk as the big guys because a security breach may not net the intruders as much cash as every credit card given to Sony, but the business can be easily shut down for good.

Plus, small businesses supply big businesses. If a small business that makes code for a larger business gets hacked and their source tree compromised, the blackhats can then add backdoors that will be passed along.

Re:And they worry about retailers and PCI (2)

surgen (1145449) | more than 3 years ago | (#36361444)

These guys want the big targets.

What guys? Are you implying that every malicious actor is part of one large homogenous blob of shared targets and interests?

Criminals are going to aim at the top of the food chain, not at the mom and pop store.

Or they'll go for the low-hanging fruit, the payoff might be smaller, but they sure can hit a lot more targets.

You're advocating "let's fly under the radar, we'll be fine", that's terrible security. Besides, if they really are that small, they don't really need the robust kind of credit card processing you're talking about. It'd be cheaper for them to get some self-contained units and dedicated phone lines for them.

Re:And they worry about retailers and PCI (1)

John3 (85454) | more than 3 years ago | (#36361836)

What I'm suggesting is that the bankcard industry is wetting their pants about retailer security, and meanwhile the breaches are occurring at much more lucrative targets. I certainly think retailers need to secure their systems, but at what cost? For example, assume a retailer has a secure WiFi network using WPA2. That WiFi is on the same segment as their wired network. PCI standards require the business to segment the WiFi. That's obviously "best practice", but it means the business needs to invest in an upgraded firewall. When these businesses are struggling just to stay afloat, they can't afford this technology investment.

PCI compliance requires servers to be in a locked room. If the business is a three-person operation and the server sits under the owner's desk, then is that really a big security risk, or should the owner of this small business build a secure server room?

With unlimited money I'd expect every business to secure their systems at the maximum level, but what level can we accept that will address the likely threat without bankrupting the small business owner? Do they really need to take a step back and use self-contained credit card machines?

Re:And they worry about retailers and PCI (1)

bluefoxlucid (723572) | more than 3 years ago | (#36361992)

Nah, they'll get an internet-connected PC and run your credit card through PayPal.

Re:And they worry about retailers and PCI (1)

smelch (1988698) | more than 3 years ago | (#36362024)

Perhaps they are appearing in high-profile targets because big corps are likely to notice they've been compromised, and it's more newsworthy. When a plane goes down you hear about it, but more people than were on that plane died in auto accidents that day.

Re:And they worry about retailers and PCI (1)

jackbird (721605) | more than 3 years ago | (#36362070)

PCI compliance requires servers to be in a locked room. If the business is a three-person operation and the server sits under the owner's desk, then is that really a big security risk, or should the owner of this small business build a secure server room?

Yes. They should use a colocated server in a datacenter or a third-party payment processor if they're that small.

Anybody know? (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361322)

Are there any big, important checkbox-compliant certifications that RSA's customers might have been using the (Not Cheap) RSA tokens to obtain that, as a consequence of this sordid episode, might no longer be attainable with RSA gear? That seems like it would be a fitting punishment for RSA's questionable security practices and even more questionable disclosure practices; but I'm afraid that I haven't wrapped my head around the alphabet soup of compliance acronyms in different areas enough to know.

Lies, damn lies (1)

Anonymous Coward | more than 3 years ago | (#36361348)

Am I the only one getting frustrated by all those companies telling everyone that no important/usable data was taken/accessed, and then coming out a month later with "Sorry, finally they took everything."

Sony, then RSA, even fucking congressmen seem to think lying to everybody is OK.

To hell with the fucking lies.

Re:Lies, damn lies (1)

AHuxley (892839) | more than 3 years ago | (#36361880)

Company: It's just a little hacked. It's still profitable, it's still profitable!
It's just a little compromised, it's still profitable, it's still profitable!
It's just a little copied, it's still profitable, it's still profitable!
Tech: [Crestfallen.] It's public.
Company: I know.

And the worst part.... (1)

wjousts (1529427) | more than 3 years ago | (#36361352)

...is that I'm going to have to fiddle around to get my RSA key fob off my keyring so I can put a new one on. Damn keyrings always end up hurting my nails.

Re:And the worst part.... (1)

vlm (69642) | more than 3 years ago | (#36361728)

...is that I'm going to have to fiddle around to get my RSA key fob off my keyring so I can put a new one on. Damn keyrings always end up hurting my nails.

A really cool hack would be replicating the operation of a keyfob using the very stereotypical ardweeno board or any other microcontroller. Or even a small Perl script.

By replication, I don't mean a small box that outputs a periodically changing random number on an LCD like a movie prop; I mean a replication of my actual fob that, when used, successfully lets me log into a VPN. Now that would be cool. I haven't seen one yet.

Re:And the worst part.... (1)

Mashiki (184564) | more than 3 years ago | (#36361760)

That's what knives, pennies/dimes, and nail files are for.

World of Warcraft (0)

Anonymous Coward | more than 3 years ago | (#36361356)

Does this mean someone can hack my WoW account now?????

Re:World of Warcraft (0)

Anonymous Coward | more than 3 years ago | (#36361812)

Screw your WoW account, what about my Starcraft II account?!?

RSA is Offering to Replace Tokens (2)

chill (34294) | more than 3 years ago | (#36361360)

Here is a link to RSA's official statement [rsa.com] made yesterday. They are offering to replace tokens for "customers with concentrated user bases typically focused on protecting intellectual property and corporate networks".

That is corporate VPN, not the people who use tokens issued to get to websites, such as banking info.

Re:RSA is Offering to Replace Tokens (1)

Anonymous Coward | more than 3 years ago | (#36361468)

The phrase "focused on protecting intellectual property and corporate networks" is an interesting choice in that it doesn't include financial transactions. Are they really only offering this to high value (to EMC/RSA) customers, or ones with special (e.g., government)? Does this offer exclude Joe's small business or your local bank that was sold on RSA security by some local consultant?

Re:RSA is Offering to Replace Tokens (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361538)

Dear customers who don't matter,

We are committed to providing you with a customer experience commensurate with what we can get away with. XOXOXO,
RSA

Re:RSA is Offering to Replace Tokens (0)

Anonymous Coward | more than 3 years ago | (#36361554)

Of course. If you want your bank token replaced, your *bank* would have to replace it.

Re:RSA is Offering to Replace Tokens (1)

AJH16 (940784) | more than 3 years ago | (#36361662)

They are offering transaction monitoring to financial providers. The difference is distribution of the tokens. The tokens themselves are probably pretty cheap, but securely distributing millions of tokens to remotely located users is a non-trivial task with a lot of additional cost. Also, distributing new tokens doesn't gain a lot over monitoring in that case. Unless you know the particular id of the token in use by a given user, you would have to guess from the pool of tokens used by that organization. Monitoring the transactions for valid values for the wrong token on the wrong user would quickly detect a breach and let the system lock down.

Not how I thought it worked... (0)

Anonymous Coward | more than 3 years ago | (#36361370)

I had assumed that the RSA token I have was just a list of random numbers stored in the keyfob with a matching list stored on a server housed at my employer (unbreakable without server access or physical access to the fob). Apparently, RSA has the servers and everything is calculated (breakable)?

"No additional details about what the RSA attackers did steal that allowed them to misuse the tokens, but it seems likely that both the seeds that link every token to a specific account and the algorithm that calculates the numeric sequence generated by the token have been compromised."

Re:Not how I thought it worked... (0)

Anonymous Coward | more than 3 years ago | (#36361482)

You wouldn't suppose, would you, that RSA retained a backdoor to your keyfob because the spy agencies insisted that they do so? You're better off making your own keys.

Re:Not how I thought it worked... (1)

DrgnDancer (137700) | more than 3 years ago | (#36361594)

How else would it work? The things change every minute: that's 31.5 million different numbers across a year, and yours have to be different than anyone else's. You think they just fire up the old pseudorandom number generator and cat 30 million numbers into a file, then keep track of which set of 30 million numbers needs to go onto the fob for any given company that might order one? The numbers are calculated based on an algorithm, a seed (which is unique to every company) and the current time/date. Since the seeds are compromised, they've got problems.

Re:Not how I thought it worked... (1)

Dog-Cow (21281) | more than 3 years ago | (#36361838)

Not that your fundamental point is wrong, but the number only needs to be unique for that authentication server for the 10 second window that the number remains valid. In other words, numbers can be reused amongst users, but not in the same time slot.
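The seed + time + public algorithm model described in the two comments above, and AJH16's point earlier in the thread that monitoring can catch a valid code for the wrong token being used on the wrong user, as an added example that is not part of the thread and not RSA's code. SecurID's proprietary algorithm is not reproduced; RFC 6238 TOTP (HMAC-SHA1, 30-second windows) stands in for it, the seeds and user names are constructed, and `audit_attempts` is a hypothetical monitoring rule.

```python
import hashlib
import hmac
import struct

# Added example, not RSA's code. SecurID's own algorithm is not reproduced;
# RFC 6238 TOTP (HMAC-SHA1, 30 s windows) stands in for it, because the
# property under discussion is the same: code = f(secret seed, current time).

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: the counter is the current time window.
    Anyone holding the seed computes the identical code, which is why a
    leaked seed database collapses the token factor."""
    return hotp(seed, unix_time // step)

def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30,
           drift: int = 1) -> bool:
    """Server-side check; accepts +-drift windows to absorb clock skew."""
    return any(hmac.compare_digest(totp(seed, unix_time + w * step, step), candidate)
               for w in range(-drift, drift + 1))

def audit_attempts(seed_db: dict, attempts: list, unix_time: int) -> list:
    """Hypothetical monitoring rule: a code that fails for the user's own
    token but is valid for *another* token in the pool suggests a stolen seed
    being tried against the wrong account. Returns (user, code, matches)."""
    alerts = []
    for user, code in attempts:
        if verify(seed_db[user], code, unix_time):
            continue  # genuine login (or a very lucky guess); nothing to flag
        others = [u for u, s in seed_db.items()
                  if u != user and verify(s, code, unix_time)]
        if others:
            alerts.append((user, code, others))
    return alerts

# Constructed sample data: the RFC 6238 test seed for alice, another for bob.
SEED_DB = {"alice": b"12345678901234567890", "bob": b"bob-seed-constructed!"}
NOW = 1111111109  # RFC 6238 test-vector timestamp; alice's code is 081804

if __name__ == "__main__":
    print(totp(SEED_DB["alice"], NOW))  # 081804
    attempts = [("alice", totp(SEED_DB["alice"], NOW)),  # legitimate login
                ("bob", totp(SEED_DB["alice"], NOW))]    # alice's code on bob's account
    print(audit_attempts(SEED_DB, attempts, NOW))
```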

Re:Not how I thought it worked... (1)

GameboyRMH (1153867) | more than 3 years ago | (#36361866)

Yep, the RSA keyfob is basically doing something like an MD5 challenge (based on the time, I'd assume) over SSL,* and this is like the private keys being stolen. It's not a one-time pad (which would actually be a pretty decent idea, but you'd need a new keyfob when the logins are depleted).

*Educated guess, I don't know exactly what it does

Re:Not how I thought it worked... (1)

CProgrammer98 (240351) | more than 3 years ago | (#36361936)

That wouldn't be at all practical. Why store millions of codes (one per minute for the lifetime of the device) when very, very few of them would be used? I use my RSA token maybe once a week, on the days when I'm working from home.

2 minutes spent on Wikipedia shows you how 2 factor RSA authentication works.

Maybe now... (1)

Anonymous Coward | more than 3 years ago | (#36361392)

Wow, SecurID is broken. Maybe now my company will move away from the shitty VPN software they use.

Reparations (5, Funny)

TardisX (15222) | more than 3 years ago | (#36361454)

RSA is expected to replace practically every one of the 40 million SecurID tokens currently used.

Nah, how about just offer them a "sorry" and a couple of old games and call it even?

Re:Reparations (0)

Anonymous Coward | more than 3 years ago | (#36361510)

How are they going to fix the original breach? What's to prevent the hackers from brute force guessing another seed? This isn't going to work.

Re:Reparations (0)

Anonymous Coward | more than 3 years ago | (#36361712)

a supercomputer...

I guess you may not know so much about key authentication.

Re:Reparations (0)

Anonymous Coward | more than 3 years ago | (#36361632)

is that you, sony?

Yeah, let's take them up on their offer to monitor (0)

Anonymous Coward | more than 3 years ago | (#36361530)

But wait! They also are now offering to do free security monitoring for your company, to detect intrusions that might happen due to their lack of security.

Oh wait. Never mind.

Glad We switched to YubiKey long ago. (4, Interesting)

VortexCortex (1117377) | more than 3 years ago | (#36361598)

Our secure tokens are Yubikeys [yubico.com]. We use RFID for physical access and the challenge response protocol for authentication.

We didn't like the thought of having to trust a 3rd party with our keys, so we run our own authentication services and use our own "seeds". This way we have one less attack/exploit surface (the MFG) to worry about -- Looks like it paid off for us this time!

Key Lifecycle Management

Re-configuration of YubiKeys by customers

For high security environments, customers may select not to share the AES key information for their YubiKeys outside of their organization. Customers may also for other reasons want to be in control of all AES keys programmed into the Yubikey devices. Yubico therefore supports the use of a personalization tool to reconfigure the YubiKeys with new AES keys and meta data.

If RSA has your keys... are they really secure?!?!!

Re:Glad We switched to YubiKey long ago. (1)

TheRealWheatley (2049120) | more than 3 years ago | (#36361676)

Thanks Meat Cat!

two factor? (4, Insightful)

vlm (69642) | more than 3 years ago | (#36361690)

All I can find is the usual journalistic garbage, some fear mongering here and there, some harsh comments about RSA, some financial "news" commentary. No real information.

Can anyone on /. with technical knowledge, comment on the hack breaking the entire system (essentially, rooting the auth system) or is it just breaking one of the two factors, that being able to predict the "random" number generation of the keyfobs, so I'm down to merely having a pretty good "one factor"?

Also is the protocol poorly enough designed that the attackers don't need to know anything about the keyfobs, or rephrased, does keeping the serial number info etc about individuals keyfobs secret prevent the break?

Re:two factor? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#36361882)

They have got the key to generate the "random" token. So, yes, it's down to one factor.

But I guess the password is the easy part... Password reuse, keyloggers, etc.

Re:two factor? (1)

vlm (69642) | more than 3 years ago | (#36361944)

They have got the key to generate the "random" token. So, yes, it's down to one factor.

But I guess the password is the easy part... Password reuse, keyloggers, etc.

OK, that's exactly what I'm looking for. So it's no worse than dropping back to "one factor". The two apps/systems/companies I have personal experience with that use SecurID use two factor only as security theater, not for a realistic threat model, not for legal compliance, etc., so they're safe.

I was worried for a minute someone found a back door, like you can bypass any securid "protected" login using all nines as a password, you know, something like Sony would use....

Re:two factor? (0)

Anonymous Coward | more than 3 years ago | (#36361910)

The algorithm is public knowledge, if they get the seed of your device they can use it to determine the 6 digit code at any time.

I'm not sure if keeping the serial numbers secret is enough or if the hackers have any info that can determine who has which fobs.

Re:two factor? (2)

AHuxley (892839) | more than 3 years ago | (#36361924)

Re:two factor? (1)

vlm (69642) | more than 3 years ago | (#36362012)

is determined by a secret RSA-developed algorithm

The algorithm is already public knowledge.

Article is better written than most, or at least better cut and pasted, but needs editing. Which is it? Secret or public?

Who was watching RSA (1)

gatkinso (15975) | more than 3 years ago | (#36361908)

After all, at a minimum they had the same access to these networks that the hackers do.

This means "Was never secure" (0)

Anonymous Coward | more than 3 years ago | (#36361950)

If their tokens could be compromised by this intrusion, doesn't this in fact mean that their tokens really never were secure? They admit that they have master keys for them, so the question is: who except RSA Corporate was issued with copies of these? NSA? CIA? Mossad?

This basically means that their product is worse than worthless, and that the company SHOULD NOT be trusted anymore. Full stop.

hi (1)

formation (2241238) | more than 3 years ago | (#36361990)

Check to see if your Company name is available http://bit.ly/m2IHF4 [bit.ly]