Friday, March 18, 2011

RSA Hacked! Were they using 2-factor authentication themselves?

This has really made headlines. It’s also resulted in a number of e-mails from Quest customers happy they chose Quest Defender over RSA SecurID!

Hacker Spies Hit Security Firm RSA

Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.
The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.

A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.
If you read what RSA’s Chairman said in his note he doesn’t detail if the hackers by-passed RSA’s security or how they by-passed it. I wonder if they (RSA) were using their own SecurID product to protect access to their internal networks? Gee, that’d be embarrassing if they were. Heck, it’s even more embarrassing if they weren’t! I wonder if we’ll ever be told?

Of course, if you’d prefer an alternative, there’s always Quest Defender.

No comments: