Wednesday, March 30, 2011

RSA SecurID Attack

Note: This post is available in Spanish at http://infosecbyac.blogspot.com/2011/03/rsa-victima-de-un-ataque-cibernetico.html

RSA, the security division of EMC, published an “open letter” (2) on March 17th stating that it has been the victim of a cyber attack. According to RSA's investigation, they suspect that an Advanced Persistent Threat (APT) attack, which is “an advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals”, took place. From an information security perspective, it refers to “a long-term pattern of targeted sophisticated hacking attacks aimed at governments, companies and political activists, and by extension” (1).

According to Art Coviello, Executive Chairman of RSA, the attack achieved its goal of extracting information from the Company's servers. Although RSA has not publicly specified the type of information, it is said to be related to the SecurID (3) two-factor authentication products. According to the Company, the information extracted does not enable a successful direct attack on any of its RSA SecurID customers, but it might be used to reduce the effectiveness of current two-factor implementations as part of a broader attack. RSA is recommending certain steps that its customers should take to harden their SecurID implementations. At this time, no other RSA products have been affected.

As stated before, exactly what information was extracted is unknown. Unofficial sources state that it might be data used by the SecurID algorithm, such as the seed data. SecurID is a synchronous token that generates a one-time password (OTP) which changes every 30/60 seconds based on the current time and date and a seed (some versions also require a PIN to be entered for the token to work). The seed is a hardcoded 128-bit key (unique to each device), and the time and date act as an IV (initialization vector) that adds variability to the process, ensuring that passwords are not repeated.

Apparently, RSA keeps a copy of the seeds shipped with the tokens (unless its customers request otherwise), along with each device's serial number. This is the information that might have been extracted from RSA's servers, and it could be used to generate a password without having the physical device.

Why does the Executive Chairman of RSA state that “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”?
The answer lies in the way SecurID works. To successfully authenticate with a SecurID device, one must enter the displayed password plus a PIN known only to the user (hence two-factor authentication: something you have and something you know). So without the PIN, attackers can't do much. Still, if the rumors about the extracted information are confirmed, the attackers would hold all the remaining variables (time, date and the seed), and combined with the serial number that would allow them to target a specific user with a social engineering attack (e.g. phishing) aimed at obtaining the missing PIN.
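To make the relationship between seed, time and PIN concrete, here is an added example that is not RSA's code and does not implement the proprietary SecurID algorithm: a simplified model of a time-synchronous token that derives its code with HMAC-SHA1 over a 60-second time step (an assumption made purely for illustration), plus a server-side check that requires both the PIN and the code. The serial number, seed bytes and PIN are constructed values, and `AuthServer`, `tokencode` and `replace_seed` are names invented for this example.

```python
"""Simplified model of a time-synchronous hardware token and the server-side
two-factor check. Added example: the code derivation below (HMAC-SHA1 over a
time counter) is an assumption for illustration, NOT RSA's SecurID algorithm."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the displayed code rotates once per minute in this model
CODE_DIGITS = 6


def tokencode(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Derive the displayed code from the per-device seed and the current time.
    The time counter plays the role the article assigns to the IV: same seed
    and same minute give the same code, so a copy of the seed is enough to
    reproduce the code without the physical device."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def _pin_hash(pin: str) -> str:
    # Constructed, deliberately simple: a real server would use a slow KDF.
    return hashlib.sha256(pin.encode()).hexdigest()


class AuthServer:
    """Holds the serial -> seed mapping (the data the article says may have
    leaked) and the serial -> PIN hash (the factor only the user knows)."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}
        self.pin_hashes: dict[str, str] = {}

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pin_hashes[serial] = _pin_hash(pin)

    def replace_seed(self, serial: str, new_seed: bytes) -> None:
        """Re-key a device: the remediation step the article asks RSA to take."""
        self.seeds[serial] = new_seed

    def verify(self, serial: str, pin: str, code: str, now: int, window: int = 1) -> bool:
        """Both factors must check out; a small clock-drift window is tolerated."""
        if serial not in self.seeds:
            return False
        if not hmac.compare_digest(self.pin_hashes[serial], _pin_hash(pin)):
            return False
        for drift in range(-window, window + 1):
            expected = tokencode(self.seeds[serial], now + drift * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False


def demo(now: int = 1_300_000_000) -> dict:
    """Walk through the scenarios the article discusses, using constructed values."""
    server = AuthServer()
    serial = "000123456789"            # constructed serial number
    seed = bytes(range(16))            # constructed 128-bit seed
    server.enroll(serial, seed, pin="2468")
    results = {}
    # Normal login: the user types the PIN plus the code shown on the device.
    results["legitimate_user"] = server.verify(serial, "2468", tokencode(seed, now), now)
    # Serial and seed known, PIN not: the code can be reproduced, but the
    # second factor still blocks the login. This is why the article says the
    # PIN is the remaining barrier and why it must be protected and rotated.
    results["leaked_seed_without_pin"] = server.verify(serial, "0000", tokencode(seed, now), now)
    # Remediation: re-issue the seed. Codes from the old seed stop validating,
    # even for someone who knows the PIN, while the new device keeps working.
    new_seed = bytes(range(16, 32))    # constructed replacement seed
    server.replace_seed(serial, new_seed)
    results["old_seed_after_rekey"] = server.verify(serial, "2468", tokencode(seed, now), now)
    results["new_seed_after_rekey"] = server.verify(serial, "2468", tokencode(new_seed, now), now)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:>26}: {'accepted' if accepted else 'rejected'}")
```

The model makes the article's point visible: once the serial-to-seed mapping is known, everything the server derives from the seed can be derived by someone else too, and the PIN check is the only factor left, so the defensive priorities are protecting the PIN (rotation, anti-phishing training), encrypting the seed store, and re-keying affected tokens so that the old seeds stop validating.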

What should RSA customers do? First of all, it's too early to declare RSA SecurID insecure, since the investigation is still underway. What can be done is to make sure all SecurID users change their PIN more frequently and to deploy an awareness and training program focused on social engineering. Finally, SecurID servers must be hardened, the data (RSA serials and seeds) encrypted, and technical controls at the network level, such as HIDS or NIDS and monitoring, implemented.

What should RSA do? If the serial-to-seed information has truly been leaked, then the affected devices must have their seeds replaced and, of course, the IT infrastructure (SecurID servers) secured.

by Agustin Chernitsky

Sources:

1 comment:

  1. I am surprised to read the information posted in this article about the RSA attack. By following all the recommended steps mentioned above, the RSA technique is the most secure one found so far. Thanks for sharing the main points.
    digital signature