Thursday, March 31, 2011

RSA Victim of a Cyber Attack

Note: This post is available in English at http://infosecbyac.blogspot.com/2011/03/rsa-securid-attack.html

RSA, the security division of EMC, published an “open letter” (2) on March 17 announcing that it had been the victim of a cyber attack. According to the investigations conducted by RSA, they suspect that what is called an Advanced Persistent Threat took place, that is, “advanced and clandestine means of gaining continual, persistent intelligence on an individual or group of individuals”. From an Information Security perspective, it refers to “long-term patterns of sophisticated hacking attempts aimed at governments, companies and/or political activists”. (1)

According to Art Coviello, Executive Chairman of RSA, the attack succeeded in extracting information from the Company's servers. The type of information extracted was not made public by the Company, but they did state that it is related to the SecurID two-factor authentication products (3). According to the Company, the extracted information would not enable a successful attack on users of the SecurID product, but it could be used to reduce the effectiveness of two-factor authentication implementations as part of a broader attack. RSA is recommending that its customers take immediate steps to secure their SecurID implementations. So far, no other RSA product has been affected.

As mentioned previously, it is not known what information was extracted. Unofficial sources state that it might be related to data used by the SecurID product's algorithm, such as the seed. SecurID is a synchronous “token” device (4) that generates a unique, non-repeating password (One Time Password) which changes every 30 or 60 seconds based on the time, date and a seed (some versions also require a PIN to be entered for the device to work). The seed is a 128-bit key stored in the device hardware (unique to each device), and the time and date act as Initialization Vectors that add randomness to the process, preventing passwords from repeating.

Apparently, RSA keeps a copy of the seed of every device sold (unless the Customer requests otherwise), together with its serial number. This is the information that might have been extracted from the Company's servers and that could be used to generate a password without physically possessing the device.

Why does the Executive Chairman of RSA state that “this information could be used to reduce the effectiveness of two-factor authentication implementations as part of a broader attack”? The answer lies in how the SecurID product works. To authenticate successfully with a SecurID device, one must enter the resulting password plus a PIN known only to the user (hence it is a two-factor authentication system: something you have and something you know). Without the PIN, an attacker cannot do much. However, if the reports about the extracted information are confirmed, the attacker would possess the remaining data (time, date and seed) and, with a device's serial number, could pick a particular user and make them the target of a social engineering attack (e.g. phishing) aimed at obtaining the missing PIN.

What should RSA customers do? First, it is too early to decide whether the SecurID product is insecure, since the company's investigation is still underway. What they can do is ask the product's users to change their PIN more often and train them in techniques to avoid social engineering attacks. Finally, the SecurID product's server deployments must be hardened, the data (device serial numbers and seeds) encrypted, and technical controls implemented at the network level, such as HIDS or NIDS (Host/Network Intrusion Detection Systems) and monitoring.

What should RSA do? If the serial numbers and seeds were really extracted, the seeds of the affected devices must be replaced and, of course, its IT infrastructure (SecurID servers) secured.

By Agustin Chernitsky
Sources:
(1) http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
(2) http://www.rsa.com/node.aspx?id=3872

Wednesday, March 30, 2011

RSA SecurID Attack

Note: This post is available in Spanish at http://infosecbyac.blogspot.com/2011/03/rsa-victima-de-un-ataque-cibernetico.html

RSA, the security division of EMC, published an “open letter” (2) on March 17th stating that it had been the victim of a cyber attack. According to RSA's investigation, they suspect that an Advanced Persistent Threat (APT) attack, which is “an advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals”, took place. From an Information Security perspective, it refers to “a long-term pattern of targeted sophisticated hacking attacks aimed at governments, companies and political activists, and by extension” (1).

According to Art Coviello, Executive Chairman of RSA, the attack achieved its goal of extracting information from the Company's servers. Although the type of information has not been publicly specified by RSA, it is said to be related to the SecurID (3) two-factor authentication products. According to the Company, the information extracted does not enable a successful direct attack on any of their RSA SecurID customers, but it might be used to reduce the effectiveness of current two-factor implementations as part of a broader attack. RSA is recommending certain steps to be taken by its customers in order to harden their SecurID implementations. At this time, no other RSA products have been affected.

As stated before, the information extracted is unknown. Unofficial sources state that it might be information used by the SecurID algorithm, such as the seed data. SecurID is a synchronous token that generates an OTP (One Time Password) that changes every 30/60 seconds based on the current time, date and a seed (some versions even require a PIN to be entered for the token to work). The seed is a hardcoded 128-bit key (unique to each device), and the time and date work as an IV (initialization vector) that adds randomness to the process, ensuring that passwords are not repeated.

Apparently, RSA stores a copy of the seeds shipped with the tokens (unless otherwise requested by its Customers), along with the device serial number. This information is what might have been extracted from RSA servers and could be used to generate a password without having the physical device.

Why does the Executive Chairman of RSA state that “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”?
The answer is the way SecurID works. To successfully authenticate with a SecurID device, one must enter the displayed password plus a PIN known only to the user (thus two-factor authentication: something you have and something you know). So without the PIN, attackers can't do much. Still, if rumors about the extracted information are confirmed, they would have all the remaining variables (time, date and the seed), and that, combined with the serial number, would allow them to target a specific user with a social engineering attack (i.e. phishing) aimed at obtaining the missing PIN.

What should RSA customers do? First of all, it's too early to declare RSA SecurID insecure since the investigation is underway. What can be done is to have all SecurID users change their PIN more frequently and to deploy an awareness and training program focusing on social engineering. Finally, SecurID servers must be hardened, data (RSA serials and seeds) encrypted, and technical controls at the network level, such as HIDS or NIDS and monitoring, implemented.

What should RSA do? If the serial-to-seed information has truly been leaked, then the affected devices must have their corresponding seeds replaced and, of course, the IT infrastructure (SecurID servers) secured.
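As an added illustration (not code from the original post, in either language) of the mechanism both versions of this post describe, the model below implements a time-synchronous token and the server that validates it. HMAC-SHA1 with a 60-second window and 6 digits (RFC 6238 style) is assumed as a stand-in for SecurID's undisclosed algorithm, and the `AuthServer` class with its seed-per-serial record and PIN hash is hypothetical; the point is that the seed and the clock alone reproduce the displayed code, that the PIN stays a separate factor, and that re-seeding an affected token is what invalidates codes derived from the old seed.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60  # rotation window; the post mentions 30/60-second codes


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """What the device displays: HMAC-SHA1 over the current time window,
    dynamically truncated (RFC 4226/6238 style). Assumed stand-in for
    SecurID's undisclosed algorithm; the seed is the only secret input,
    time and date are public."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical authentication server: holds the seed per serial number
    (the record the post says RSA also kept a copy of) and a PIN hash, the
    factor that a seed leak does not contain."""

    def __init__(self):
        self.seeds = {}  # serial -> 128-bit seed
        self.pins = {}   # serial -> SHA-256 of the PIN

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pins[serial] = hashlib.sha256(pin.encode()).digest()

    def reseed(self, serial: str, new_seed: bytes = b"") -> bytes:
        """The remedy the post calls for: replace the seed of an affected
        token. Returns the seed to be loaded into the replacement device."""
        self.seeds[serial] = new_seed or secrets.token_bytes(16)
        return self.seeds[serial]

    def authenticate(self, serial: str, pin: str, code: str, now: int) -> bool:
        if serial not in self.seeds:
            return False
        pin_ok = hmac.compare_digest(
            self.pins[serial], hashlib.sha256(pin.encode()).digest())
        code_ok = hmac.compare_digest(token_code(self.seeds[serial], now), code)
        return pin_ok and code_ok  # both factors, never the code alone
```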

by Agustin Chernitsky

Sources:
(1) http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
(2) http://www.rsa.com/node.aspx?id=3872

Friday, March 25, 2011

Social Networks and Organizations: Associated Security risks

Note: This article was originally published in Spanish on December 2nd 2009 at Iprofesional.com

Social networks, like Facebook, Plaxo, Linkedin and MySpace, among others, have become interaction tools with more than a million users worldwide. According to recent statistics, social networking applications have overtaken common e-mail, and two thirds of Internet users have at least one profile on one of them (1).

These new technologies and their impressive growth have attracted the attention of cyber criminals, who, according to statistics, are responsible for 19% of the attacks against social networks detected between January and July of this year (2).

A study has revealed that two thirds of the surveyed organizations felt that social networks represent a risk to their security (3). For this reason, many companies and institutions have requested advice on the possible risks of allowing employees to access these networks through the IT infrastructure available at their workplace (i.e. Internet access, workstations, notebooks, etc.).

From an information security perspective, there are several risks that an organization may face if preventive measures are not taken:

The first one, and most common, is disclosure of confidential information. Let us imagine that an employee is working on a confidential project and accidentally publishes on a social network, like Linkedin, what he is working on (the majority of these networks allow a user to publish what they are doing under the question “What’s on your mind?” or “Share your comments”). What would the impact of this action be? For starters, all users with access to this employee’s profile will know what he is working on, so information otherwise classified as confidential will be disclosed.

The second risk is the increased likelihood of becoming the victim of a social engineering attack. In most of these networks, the user is required to store personal information like full name, date of birth, marital status, employment, hobbies, work experience, etc. Without the correct configuration of privacy options, an attacker could build a social profile of the victim simply by using Google, and that profile becomes the basis for an identity theft attack.
Once attackers have your personal information, what stops them from calling your company helpdesk and asking for a password reset? Or opening a bank account? There have been public cases where people have been victims of identity theft on social networks, like Facebook, where attackers pretend to be the victim by creating fake profiles (this is a very common case with celebrities).
Is it possible for an attacker to steal the identity of a company’s CEO, create a fake profile on a social network, add company employees to this profile and then try to obtain confidential information? The answer is yes, and it has already happened at both the personal and corporate level.

Other risks are malware attacks, caused mainly by worms. The amount of malware that uses social networks as a distribution point has grown significantly. Allowing access to these sites from organizations’ workplaces increases the chances of infection.

What to do about the risks mentioned above? As preventive measures, it is critical to configure each social network's privacy options in the most restrictive way, validate the users we add to our networks, run personnel training and awareness programs, monitor social network activity, apply technical controls (i.e. antivirus software) and adopt a sound security and acceptable use policy regarding access to these networks.

Author: Agustin Chernitsky

Sources:
(1) Nielsen - Global Faces and Networked Places.
(2) Breach - The Web Hacking Incidents Database 2009.
(3) Sophos - Security threat report: Update July 2009.