Thursday, 24 March 2011

RSA SecurID - What's the Risk?

This week there has been plenty of concern following RSA’s announcement about their two-factor authentication solution, SecurID, which was subjected to a sophisticated cyber attack.  A lot of people are asking for my views on the risk in continuing to use RSA SecurID following this attack, so I am going to attempt to explain this risk in simple terms, but it won’t be easy.

What are the facts? Well we simply don’t know exactly what has been stolen from RSA at present, as RSA aren’t providing details beyond “the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products”. However in Information Security we always hope for the best but prepare for the worst, the worst case scenario is all of the RSA SecurID private keys (seeds) records along with corresponding serial numbers were stolen.

Stolen Seeds?
Every RSA SecurID has a unique 128 bit key hardware coded into it, a 128 bit number is very long number, so it’s very hard to brute-force/guess what it is. This key is often referred to as the seed. RSA keep a copy of the seed unless the customer specifically tells them to remove it, RSA’s storage of SecurID seeds is what is suspected to have been compromised. Each SecurID issued to a customer is associated with a customer based RSA SecurID Server, which stores the seed number.  The seed is in essence a private key which must be kept secret, even from the user, and is used to generate the challenge response number on the SecurID token, and is used to match it up on SecurID Server.

In simple terms, if an attacker were to know which SecurID token you had, based on the serial number on the back or from the customer site database; and assuming the attacker had the stolen RSA database of serial numbers and seed numbers, the attacker could generate the SecurID number without having possession of SecurID token, which defeats the purpose of two factor authentication.

Big IFs
However they are many factors and ‘ifs’ in play, assuming the attacker had the full RSA SecurID database in their possession, to be fully successful the attacker would need to obtain the username, password, remote gateway details and SecurID serial number. Most of this information would need to be collected from the user or from within the customer site. So phishing attacks, social engineering and network attacks are most likely ways to obtain such information, which is why RSA is providing warnings to be on the guard with such attacks.

More IFs
Now throw into the mix other best practice security controls, including one of the most significant, namely account lockout after fail attempts to prevent brute-forcing.  We are talking pretty long grass in terms of risk.  However risk means different things to different people, in my personal view, in the worst case scenario I don’t think the risk is significantly high enough to consider switching off RSA SecurID remote access at present. That is as long as you have adopted a good set of information security best practices, and inform staff to be extra vigilant to phishing, social engineering and network attacks specifically targeting the RSA SecurID remote access.
What Next?
Hopefully RSA will provide further details and end the speculation, but I think it is highly likely their copy of SecurID seeds were stolen, although I think these seeds probably won’t be directly associated with a customer, but just by serial number.  I think we could see a very clever patch or a complete product recall on RSA SecurIDs in the near future. The latter would be something as RSA SecurID is the industry leading two-factor token, with tens of millions in circulation.


ax0n said...

Keep in mind also that even if an attacker now has a list of seeds and serial numbers, and also has a list of which of RSA's customers each serial number went to, there's a huge stretch of uncertainty left. Which employee has which serial number? Has this token even been deployed yet? And that's added to the other layers of security you mentioned here.

Administrator said...

I bet if the attacker has all the mentioned criteria by ax0n, then it is like 100% hackable. Seeds are so confidential but do the attacker know the algorithm to generate the one time password out?

IT Security Column

Dave Whitelegg said...

RSA is offering to replace virtually all 40 million SecurID token - >>The solution I predicted

Thomas said...

I don't think so that Hacker will be that much eligible who can generate one time password and I believe that we can secure entire system with Web server SSL Certificates.

WildCard SSL

windows dedicated server said...

Phishing information is crucial in hacking this, the reason why these should be changed periodically. Take a look at what happened to wiki leaks.