RSA to replace all SecurID tokens – or perhaps not

The internet is abuzz with news that beleaguered security company RSA, which suffered a security intrusion and theft of trade secrets back in March, is offering to replace its customers’ security tokens.

Security tokens are used in two-factor authentication to add additional strength to conventional password-based logins.

The simplest sort of token generates and displays a sequence of pseudo-random numbers, with a new number appearing every minute or so. You enter this ever-changing number as well as, or instead of, your regular password.

The theory behind time-based token authentication is that only your authentication server and the token itself can reproduce the pseudo-random stream. So, if you don’t have possession of the token, you’ll never know the password-of-the-minute.

And if a crook should shoulder-surf or keylog your current token number, it’ll be worthless next time. That should make you much more secure than relying on a password you use over and over again.

But one concern over RSA’s security breach was that some of the trade secrets stolen might allow cybercrooks to work out a token’s pseudo-random number sequence. Of course, this would destroy the very foundations of RSA token security.
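To make the mechanism and the concern concrete, here is an added illustration (not RSA’s code: the SecurID algorithm is proprietary and is not what is shown) using the open TOTP construction from RFC 6238. It shows that server and token need share only a seed, that the code changes every window and is rejected if replayed later, and that whoever holds the seed can compute every code, which is why stolen seed material matters and why “replacing tokens” really means issuing new seeds. The seed bytes, the user name and the 60-second step are constructed assumptions.

```python
import hashlib
import hmac
import struct


def totp_code(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code for the time window containing unix_time (HOTP over a time counter, RFC 6238).

    Anyone holding `seed` can compute this, so a token seed database must be guarded
    at least as carefully as a password database.
    """
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class AuthServer:
    """Minimal verifier: one seed per user, one window of clock skew, no code reuse."""

    def __init__(self, seeds: dict, step: int = 60, skew: int = 1):
        self.seeds = dict(seeds)
        self.step = step
        self.skew = skew
        self.last_counter = {}  # highest window already accepted, per user

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            window = current + delta
            if window <= self.last_counter.get(user, -1):
                continue  # this window (or an earlier one) was already used: replay
            expected = totp_code(seed, window * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = window
                return True
        return False


# Constructed sample: a seed "issued" to alice, and a fixed clock for reproducibility.
ALICE_SEED = b"constructed-seed-not-a-real-secret"
NOW = 1_700_000_000

if __name__ == "__main__":
    server = AuthServer({"alice": ALICE_SEED})
    code = totp_code(ALICE_SEED, NOW)                   # what the keyfob would display
    print(code, server.verify("alice", code, NOW))      # accepted once
    print(server.verify("alice", code, NOW))            # same code again: rejected
    print(server.verify("alice", code, NOW + 5 * 60))   # shoulder-surfed code, later: rejected
```

Reissuing a token corresponds to swapping the entry in `seeds`; codes computed from the old seed then stop verifying.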

RSA didn’t do itself many favours when it first commented on the breach, playing its cards rather close to its chest and not saying much more about the ongoing security of its tokens than:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

Sadly, RSA’s confidence may have been misplaced, with recent attacks on US defence contractors linked with the compromise of RSA token security.

Under this sort of pressure – and perhaps still reluctant to give away too many technical details for fear of making a bad thing worse – RSA has just announced a free replacement plan for users of its tokens.

That’s going to be a big job. But is it going to be quite as big as PC World suggests when it says that RSA “will replace [SecurID] tokens for any customer that asks”?

RSA’s open letter on the subject isn’t quite as clear-cut.

It looks as though RSA will only replace your tokens for free if you are a customer:

"with concentrated user bases typically focused on protecting intellectual property and corporate networks."

Those sound rather like weasel-words to me. What is a “concentrated user base”? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?

What if you’re a boutique ISP with a webmail service who has taken the extra step of offering selected users two-factor authentication? Is your user base concentrated enough? Are you protecting intellectual property, or just casual chatter?

And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don’t have the same flaws as the old ones?

What do you think? Take part in our poll – and be thankful you’re not working in one of RSA’s call centres or help desks right now!

Strike three: Speculation rises that another US military contractor has been hit by hackers

Fox News is reporting that US military contractor Northrop Grumman may have suffered a hacking attack on its networks.

If true, the defense giant will be joining the likes of L-3 Communications and Lockheed Martin who have both been targeted in recent weeks by cyber attacks.

According to Fox News, Northrop Grumman unexpectedly shut down remote access to its network on May 26th, just five days after Lockheed Martin detected that unauthorised persons had infiltrated its systems.

An anonymous source at Northrop Grumman, which is the US’s second-largest defense contractor, told Fox News that the sudden lockdown was a shock to staff:

"We went through a domain name and password reset across the entire organization. This caught even my executive management off guard and caused chaos. I've been here a good amount of time and they've never done anything this way - we always have advanced notice."

Speculation is rising that what links the L-3, Lockheed Martin and Northrop Grumman security breaches are RSA’s SecurID tokens – devices used by many organisations worldwide to provide two-factor authentication for remote staff.

In March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to their SecurID two-factor authentication products.

RSA, the security division of EMC, hasn’t been forthcoming about the precise details of what was taken when they were hacked – but now that a third military contractor appears to have suffered as a consequence, there will be many firms keen to hear more details of how they should protect themselves.

L-3 defense supplier targeted in RSA SecurID hack attack, report claims

US military contractor L-3 Communications, whose customers include the US Department of Defense, has been named in a news report as having been targeted in attacks by external hackers.

According to reports, L-3 warned 5,000 employees in April about an attempted hack against the company’s network using forged RSA SecurID tokens.

The claim, by Wired magazine, follows news earlier this week that US military giant Lockheed Martin had been subject to its own hacking attack, with RSA SecurID token security once again in the frame.

An anonymous source told Wired that L-3 “uses SecurID for remote employee access to the unclassified corporate network, but classified networks at the company would not have been at risk in the attack.”

RSA Security, a division of EMC, admitted in March that it had been hacked, and that some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

There will obviously be some who will point fingers at China as likely suspects for the probes into the networks of US military suppliers, but until some evidence is made public it’s only going to be speculation.

As RSA has chosen to keep largely schtum about what was taken from them – and we can hardly expect the military contractors to share much detail – your guess is as good as mine right now.

What does seem clear, however, is that stories of hacking into military and government systems have never had a higher profile. Bear that in mind when you read news reports that The Pentagon is working on a Cyber Defense Strategy that could see an internet attack treated as though it were an “act of war”.

US military contractors hacked – possible link with RSA SecurID breach

Hackers have broken into the network of Lockheed Martin and several other US military contractors, according to media reports.

Lockheed Martin has described the attack as “significant and tenacious”.

Blogger Robert Cringely claimed that Lockheed Martin first detected the security breach last weekend (a fact later confirmed by the weapons maker in a press statement). In response to the attack the firm is said to have promptly blocked all remote VPN access to their internal network, and informed over 100,000 users that they would have to change their passwords.

In addition, it’s claimed that all Lockheed personnel with RSA SecurID tokens will be given new tokens.

From the sound of things, Lockheed Martin took swift and sensible action. It was wise of them to take the step of shutting down access to its internal networks as a precaution, once it believed that unauthorised users may have breached its systems.

The mention of RSA SecurID tokens, though, is interesting. They’re the devices used by many companies and organisations to provide two-factor authentication, giving workers a more secure way of proving they are who they say they are than just a username and password.

You may have used something similar when accessing your online bank account – for instance, a keyfob that displays a sequence of numbers that changes every 30 seconds or so.

The reason why this raises eyebrows is that back in March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

However, RSA has never made public details of precisely what kind of data was stolen – leading to speculation that the security of the widely-used SecurID tokens might have been compromised.

Is it possible that whatever information was stolen from RSA helped the hackers break into Lockheed Martin? If that’s the case, that’s worrying news for businesses around the world.

An unnamed source with direct knowledge of the attacks is said to have confirmed to Reuters that other military contractors have also been compromised.

It’s important to realise that all of these companies are victims of a criminal act – the authorities will no doubt be keen to uncover who is behind these attacks, and where they might have originated from. Only time will tell if those questions are ever answered satisfactorily.

Update: Lockheed Martin has now confirmed the attack, claiming that its “systems remain secure; no customer, program or employee personal data has been compromised.”

Press statement from Lockheed Martin

Here’s the meat of the statement by Lockheed Martin about the hack:

On Saturday, May 21, Lockheed Martin (NYSE: LMT) detected a significant and tenacious attack on its information systems network. The company's information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.

Throughout the ongoing investigation, Lockheed Martin has continued to keep the appropriate U.S. government agencies informed of our actions. The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security.

To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security.