

Security Breach Forces RSA to Offer to Replace SecurIDs - aclimatt
http://online.wsj.com/article/SB10001424052702304906004576369990616694366.html

======
ars
"Providing any further information, he said, would give the hackers a
blueprint for how to mount further attacks."

That's quite a danger sign! If your security relies on attackers not knowing
the details of your system then your security is quite poor.

(As opposed to a random secret that has no particular meaning and is different
for each device.)

------
samuarl
I still dont understand why it's taken so long to get to the point where
they're going to renew the tokens. Perhaps I'm misunderstanding SecureID
implementation, but If an attacker had accessed the database with the token
seeds and serials, wouldn't the security then essentially become little better
than single factor authentication?

It almost seems like they didn't actually know for definite if the database
had been stolen and where unwilling to burden the cost of replacing all the
tokens as a precaution. Now with the Lockheed Martin incident they know it was
compromised and are forced to.

------
mishmash
So is this what the Obama "cyberattack = act of war" saber rattling was about?

------
anonymous246
Here's my hypothesis for why they need to replace _all_ devices.

The securid tokens are basically sealed, tamper-proof etc hardware
pseudorandom generators. RSA knows the seed burned into the PRNG for every
device they manufacture.

At customer premises, there's a RSA server component that simulates the same
algorithm as the securid devices owned by that customer. This is how they
verify that the number you enter is what it's supposed to be, hence proving
that you possess the securid. To do this, the customer server needs to know
the seeds of all of that customer's devices. This is a trivial computational
burden btw, since securid generates a new number only once a minute.

I strongly suspect that RSA continued to store the seeds for their customer's
tokens after selling them on an internet-connected computer on their premises.
Somebody cracked into this database and stole the seeds for all RSA devices in
use by _all_ of RSA's customers.

Once the crackers have this information, they can predict the sequence of
numbers for any device out there.

The only fix is to change the seeds: since the hardware is sealed, the only
way to do so is to replace the tokens.

I think it's _ULTRASTUPID_ of RSA to (1) keep the seeds after selling a
device, (2) keep it on a internet-connected computer.

THIS IS A BIG DEAL, imho.

~~~
ams6110
All the RSA tokens I've ever used had a PIN in combination with the number
displayed on the device. So to successfully mimic a device the attacker would
need to know the PIN (1:10000 guess) plus the seed for the device.

~~~
anonymous246
Good point. I had forgotten about the PIN. But that's simply yet another
password that amenable to guessing/bruteforcing/keylogging etc. The securid is
not vulnerable to such attacks which why is why this crack is a big deal.

~~~
RockyMcNuts
exactly, I'm paying a lot for working two-factor authentication. If the
algorithm generating one factor is known by hackers, and I simply have 2
passwords which the user could have written down somewhere or picked the most
obvious or gotten keylogged, then what am I paying for?

