
RSA hit by targeted attacks, SecurID 2-factor auth possibly compromised - ssclafani
http://www.rsa.com/node.aspx?id=3872
======
dchest
For those who, like me, wondering how SecurID might be affected by attacks on
their servers, from Wikipedia:

"""

The RSA SecurID authentication mechanism consists of a "token"—a piece of
hardware (e.g. a token or USB) or software (e.g. a "soft token" for a
computer, PDA or cell phone)—assigned to a computer user that generates an
authentication code at fixed intervals (usually 30 or 60 seconds) using a
built-in clock and the card's factory-encoded random key (known as the "seed"
and often provided as an ASCII file). The seed is different for each token,
and is loaded into the corresponding RSA SecurID server (RSA Authentication
Manager, formerly ACE/Server) as the tokens are purchased.

"""

<http://en.wikipedia.org/wiki/SecurID>

------
werrett
The money quote is:

 _While at this time we are confident that the information extracted does not
enable a successful direct attack on any of our RSA SecurID customers, this
information could potentially be used to reduce the effectiveness of a current
two-factor authentication implementation as part of a broader attack._

To me that sounds a lot stronger than "the thieves took the SecureID
implementation plans and could theoretically build a 'soft' SecureID. Your
long, random, hard-to-guess seed still protects you."

To me, what Coviello is saying is don't worry the thieves haven't stolen some
secret 0-day that would provide them immediate access through your RSA kit.
But they did get something that will make the RSA part of your 2-Factor
authentication scheme null and void.

~~~
caf
The algorithm necessary to build a software SecurID was leaked long ago.

This sounds like they could well have stolen copies of some customers seeds,
which would reduce the RSA authentication from two-factor to one-factor.

~~~
peterwwillis
correct me if im wrong, but iirc that second factor is a 4 digit number you
pick at your first login.

~~~
caf
The second factor is called a "PIN" in the RSA documentation, but the details
can be configured by the administrator in a particular deployment. The
administrator can set an allowed length range (with minimum and maximum
between 4 and 8), and can choose to allow alphanumeric "PIN"s.

RSA's recommendation is for alphanumeric PINs of at least 6 characters.

Note also that a small number of tries with an incorrect PIN but correct
tokencode will lock the account as "token stolen".

------
keith_erskine
I worked there 10 years ago and if I remember correctly, the system that
generated seed files wasn't on the network. They wanted an "air gap" just for
this reason.

And yes - the method for SecurID was long ago known - just read the patent.

------
MiguelHudnandez
I am wondering if this is another case where vulnerabilities in Adobe products
were used to strategically infiltrate an organization. Here's hoping for more
information soon.

Edit: I referenced Adobe specifically because of their recent security
announcements. HN Discussion: <http://news.ycombinator.com/item?id=2328928>

Edit 2: "Another case" in the post implies there are multiple cases. I was
thinking specifically of the prominent Google/China hack in which attackers
first got access inside the networks of google and "more than 30 companies"
based on vulnerabilities in Acrobat Reader. Source:
<http://www.wired.com/threatlevel/2010/01/google-hack-attack/>

~~~
lwat
I'm sorry but you can't just throw a name out there like that! They didn't say
anything at all that could possibly implicate Adobe. Are you just speculating
idly or where did you come up with Adobe?

~~~
MiguelHudnandez
I apologize -- I should have cited recent events as the reason I brought up
Adobe specifically. I did think I worded it in a way that made it clear I was
speculating, but I see now I should have been much more specific.

Yesterday Adobe released a very serious advisory for Flash Player:
[http://blogs.adobe.com/psirt/2011/03/security-advisory-
for-a...](http://blogs.adobe.com/psirt/2011/03/security-advisory-for-adobe-
flash-player-adobe-reader-and-acrobat-apsa11-01.html)
<http://news.ycombinator.com/item?id=2328928>

And I was thinking of the highest-profile hacking case I can remember, when
Google was infiltrated primarily by vulnerabilities in Adobe software. If I
recall correctly, maliciously crafted PDFs were e-mailed to staff with
cleverly engineered "From" addresses and subjects. For example, an employee
received an e-mail from their boss's e-mail address.

~~~
sp_
Operation Aurora was an Internet Explorer vulnerability, not an Adobe
vulnerability.

~~~
nigelk
It was both.

If you read the various news reports closely, you'll see one vector was the
0-day IE vulnerability, another was malicious payloads in PDFs.

The headlines haven't helped.

[http://www.computerworld.com/s/article/9144844/Hackers_used_...](http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks)

"Hackers exploited an unpatched vulnerability in Microsoft's Internet Explorer
(IE) browser to break into ___some_ __of the firms targeted in a widespread
attack that compromised Google's and Adobe's corporate networks"

"Google and Adobe, the only two companies to have stepped forward thus far to
acknowledge the attacks, were hacked using malicious PDF files that exploited
a zero-day vulnerability in Adobe's popular Reader software"

------
phrotoma
"could potentially be used to reduce the effectiveness of a current two-factor
authentication implementation"

What could this be? Initialization settings?

~~~
cpswan
makes me wonder what they've been holding back from customers and pen testers?
Obscurity shouldn't be part of the strength of the solution.

~~~
phrotoma
I've never set one up. There's an RSA encryption cabinet in our datacenter at
work, it has red rope around it like a nightclub line and a sign that says no
non RSA certified personnel. I imagine anyone who knows what it might be can't
confirm what would be useful.

~~~
jrockway
_There's an RSA encryption cabinet in our datacenter at work, it has red rope
around it like a nightclub line and a sign that says no non RSA certified
personnel._

Almost as effective as the ssh banner that says "Unauthorized use is
prohibited."

Security through hoping people won't step over a rope is no security at all.

~~~
runningdogx
It's my understanding that such login banners are used to provide support for
prosecution efforts, should someone break in and claim they did not know that
access by random people was prohibited.

I would hope nobody thinks such warning messages are an adequate substitute
for human-based and technology-based security measures, any more than wearing
garlic cloves or putting up "no guns allowed" signs are replacements for being
wary of vampires and armed criminals.

~~~
gaius
Yes, there was a case in which a system had "Welcome to XXX" as a banner, and
their attempts to prosecute a cracker failed because of this.

~~~
jrockway
That's going to need a citation.

------
kgo
And here's the rather useless security advisory:

[http://www.sec.gov/Archives/edgar/data/790070/00011931251107...](http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm)

With helpful tips like (paraphrasing) "don't use facebook on your critical
systems" and "only give people the rights they need."

------
cpswan
A thief broke in to our house and stole some special blueprints from a safe in
the drawing room. We don't think they took any cash or gadgets from other
parts of the house, but we have so much lying around who can tell?

------
bl4k
"Advanced Persistent Threat (APT)", gimme a break

Too much corpspeak, not enough real information.

~~~
SoftwareMaven
According to MSNBC, that is PC-speak for the Chinese.
[http://www.msnbc.msn.com/id/42152645/ns/technology_and_scien...](http://www.msnbc.msn.com/id/42152645/ns/technology_and_science-
security/)

------
peterwwillis
i have set up rsa auth systems. would it surprise anyone to know that
sometimes vulnerabilities are purposefully included because its easier or
allows you to keep some old insecure app working? securid is not some golden
impermeable shield. it just helps stop a few attack vectors.

------
iuguy
It appears as though the data stolen _might_ include RSA seeds. I thought I'd
explain what this means for some of the people here not familiar with SecurID.

The seed is used a random key for the token and is used to generate a string
of random numbers periodically to use. This is called a one-time pad as you
use the numbers in combination with a pass code (PIN) in order to log in. In
theory you won't use the same code twice although in practice you can as long
as the token number is valid (normally a few seconds).

So this provides you with two 'factors' for authentication - something you
have (the token number) and something you know (the PIN).

If you know the seed for a token you can simulate a token [1](or put it on a
real one) and use it. Where the token is being used in conjunction with a PIN
(probably the majority of use cases) you'd need to know the PIN.

The PIN is between 4 and 8 alphanumeric characters in length, but most people
use a 4 digit number (possibly as it's called a PIN and people associated it
with bank numbers, I don't know).

Now imagine the scenario, you want to break into PG's VPN and he uses SecurID
but you have his seed and you've synced up with his token, but you don't know
his PIN. You can take a guess that it's a 4 digit PIN (as is common) and that
means a maximum of 10,000 authentication attempts. Using a tool like
IKECrack[2] you can brute force about 18,000 guesses with a P3-700, so it
becomes quite easy to target an organisation that way.

Likewise you can start brute forcing two factor auth on Citrix servers as well
to great extent.

The great thing about all this (from an attacker's perspective) is that people
don't change their PINs. Why change one factor when the other is so
infallible?

But what if you have a more complex PIN? Well, that 62^8 possible combinations
for an 8 character alphanumeric PIN. Let's break this down:

62^8 == 2.18340106 × 10^14 combinations

62^8 / 18 000 = 1.21300059 × 10^10 seconds

62^8 / 18 000 / 60 = 202,166,764 minutes

62^8 / 18 000 / 60 / 60 = 3 369 446.07 hours

62^8 / 18 000 / 60 / 60 / 24 = 140,393 machine days

That's for a P3-700, modern computers will be considerably more powerful,
although at some point the limitations of the machine at the other end kicks
in.

Bottom line - 4 digit PIN and you're screwed. 8 character alphanumeric PIN and
you're probably alright.

[1] - <http://seclists.org/bugtraq/2000/Dec/459> [2] -
<http://ikecrack.sourceforge.net/>

