The Seedless Garden

After weeks of speculation on the matter, it appears that RSA has finally decided to admit the obvious: the SecurID token system has been compromised.  Honestly, I’m not shocked.  In fact, I said as much almost 2 months ago when debating the subject with the other Packet Pushers.  I remember hearing the original disclosure and thinking to myself “How could these hackers NOT have the keys to the kingdom?”  RSA categorized this hack as an Advanced Persistent Threat (APT), which is a great new umbrella term to describe hacks that persist for weeks or months without detection.  Of course, I don’t think clicking on an Excel spreadsheet pulled out of your junk mail folder qualifies as a particularly advanced penetration method, but as we’ve seen in the past few months (if not years), social engineering is a much more reliable infection vector.  That’s because you can always count on people to do things they aren’t supposed to.

RSA covered up the worst of the attack.  They put up a good smoke screen about needing to figure out what was stolen in the breach.  They even went so far as to talk about having the budget to implement new security that they wouldn’t have been able to before, which to me smacks of fixing the gate after the horses have gotten out.  RSA didn’t admit up front that the seeds of the SecurID tokens could have been compromised, although they admitted that some information relating to the SecurID system might have been involved.  They really didn’t admit much more than that.  In return, we got months of second guessing, supposition, and ultimately delays that caused Lockheed Martin, Northrop Grumman, and L-3 Communications to suffer penetration attempts.  RSA never publicly told their customers to ditch their tokens, even though security professionals said that the worst case scenario of seed exposure was probably what had happened.  In fact, Steve Gibson eerily said as much back on March 19th.

RSA should have come clean the day after the attack.  Even if it didn’t admit that it (likely) stored the token serial number in a database along with the seed used by the token’s code-generating algorithm, they should have at least advised their customers to begin replacing the older tokens with newer ones, to ensure that the old tokens couldn’t be used as an attack vector.  Why?  Well, if you have access to the customer database, it doesn’t take much guesswork to figure out user IDs (first initial, last name).  Once you have the serial number, you can figure out which algorithm was used on the token, since it appears RSA stored this data somewhere or made it easily accessible.  Given that information, brute force becomes the tool used to try to penetrate a vulnerable network.  There has been some speculation that a foreign government is behind this whole mess, given that the three targets were all defense contractors.  While I won’t discount this possibility, it’s more likely that these targets were chosen due to their heightened aura of security, which almost guarantees they would use RSA tokens in their remote access strategy.  Since US defense contractors probably buy these things by the truckload, their information was probably all over the hacked database.  This lit them up like a Christmas tree in the eyes of potential hackers.

If you’re using an RSA token right now, put it down.  Drop it in a thirty-three foot hole in the ground.  Bury it completely (rocks and boulders should be fine).  Then demand that RSA replace it with a new one.  Yes, I know you aren’t going to be able to destroy your whole remote access strategy and rip out all the RSA equipment.  That would cost you a small fortune.  Better to make RSA replace the tokens for you (at their cost) and investigate alternatives down the road.  While I believe that RSA may be able to recover from this with enough time and some management changes, the fact that they let it happen in the first place will sting them for a long time to come.
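The chain described above (a serial-to-seed table on the server, token codes derived entirely from the seed, and token replacement as the fix) as an added Python model that is not RSA’s code or algorithm: the HMAC-based token algorithm, the serial number, both seeds and the timestamp are constructed stand-ins.

```python
import hashlib
import hmac
import struct

# Stand-in token algorithm: HMAC-SHA1 over a 60-second time step (TOTP style).
# RSA's real SecurID algorithm differs, but the property shown is shared: the
# seed is the only secret, so a copy of the serial-to-seed table yields every code.
STEP_SECONDS = 60

def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code that a token seeded with `seed` displays at `unix_time`."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

class AuthServer:
    def __init__(self):
        self.seeds = {}  # serial number -> current seed (the table the post says was stolen)

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        # Accept one step either side of now to absorb token clock drift.
        for step in (-1, 0, 1):
            expected = token_code(seed, unix_time + step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def reissue(self, serial: str, new_seed: bytes) -> None:
        """Replace the token: bind the serial to a fresh seed, retiring the old one."""
        self.seeds[serial] = new_seed

def demo() -> tuple:
    """Constructed scenario: seed copied from the table, then the token reissued."""
    server = AuthServer()
    serial, old_seed = "000123456789", b"12345678901234567890"  # constructed values
    now = 1_306_800_000  # 31 May 2011 00:00 UTC, constructed
    server.enroll(serial, old_seed)
    copy_works = server.verify(serial, token_code(old_seed, now), now)
    server.reissue(serial, b"fresh-seed-never-exported")  # replacement token shipped
    copy_after = server.verify(serial, token_code(old_seed, now), now)
    return copy_works, copy_after  # (True, False)
```

Until the reissue, the server cannot distinguish the legitimate token from any other holder of the seed, which is why the post argues that replacing tokens, not monitoring, is the only real remedy.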

Tom’s Take

Security breaches are always a wonderful game of ‘worst case scenario’.  It tends to make most security professionals a little cynical, but it also keeps us from shooting ourselves in the foot.  If you are a respected company like RSA (was), there should be no excuse for this cover up.  You should always assume the worst case scenario in a situation like this.  The new replacement tokens should have started shipping to your most important customers weeks ago.  The newly-keyed devices should have been in the hands of your critical customers before they had the chance to ask why their keychain ornaments needed to be replaced.  Even if the algorithm wasn’t compromised (which we now know that it was), a little proactive goodwill may cost money up front, but it won’t come anywhere near the cost that a black eye like this will end up totaling in the long run.  Sony may have a big black eye from its security fiasco, but RSA is actually a security company.  People like Sony trust them to secure data.  Finding out that they were hacked and their code stolen to leverage attacks on their customers is like shooting a cop with his own gun.  RSA should have known better and done the right thing up front.  No grandiose PR moves backed with vague statements that “something happened, we think”.  Come clean, fix the issue, and be ready to meet the fallout head on rather than being blindsided in the press after the fact when your customers are getting the Sony Treatment.  Better to have a garden of crops that will eventually grow back than the barren salted earth you’ve got now.

A Moment of Silence for Sony

It goes without saying that Sony currently has a target the size of Iowa painted on its back.  Between the breaches in the Playstation Network, Sony Online Entertainment, and now Sony Pictures, you would be hard pressed to find a company that has been more thoroughly embarrassed when it comes to user data security.  Every day brings word of another incursion.  I’m thinking that something is going to have to give sooner or later.

Sony started out this whole mess by going after George Hotz, a famous hacker who goes by the online name Geohot.  Geohot has done all manner of things, including a simple jailbreak for the iPhone known as Limera1n.  Geohot also had his eyes on rooting the Playstation 3, Sony’s premier gaming console.  While Sony had given users the option to install a Linux-based OS onto the console from the start, Geohot wanted to take it a step further and unlock the ability to run other kinds of code, as well as gaining access to the memory contents and hypervisor level of the console.  This would allow users to do things like emulate Playstation 2 games, which was an original feature of the console that was later dropped due to complexity and memory constraints.  Geohot also started work on creating a custom firmware for the console that would allow users to do as they wished, while still keeping certain features of the OS intact.  In April of 2010, Geohot announced that he was not pursuing the development any further, but in January 2011, he posted the root signing keys of the PS3 online.  This was probably the last straw for Sony.  The root key would give anyone the ability to sign code and execute it on the console without raising any suspicion.  Sony sued Geohot, and after some legal maneuvering and lots of publicity, eventually settled the lawsuit in April 2011.  This was the catalyst for the difficulties that Sony has faced over the past two months.

In late April, Sony shut down large portions of the Playstation Network (PSN) for an extended period of time due to what was later termed an “external intrusion”.  After Sony rushed to bring back online the network that controls the majority of Playstation online multiplayer capabilities, Sony Online Entertainment was intruded upon in early May, in addition to PSN.  Rather than rushing things back online this time, more care was taken to excise any possible problems and no ETA was set to bring the services back to the public.  In the interim, Sony profusely apologized for the problems and even testified before the US Congress about the breaches.  Sony recently enabled PSN once more, only to fall victim to another hacking group exposing portions of the Sony Pictures online customer database.  In all, close to 40 million Sony customers have had their personal information exposed in one form or another in the past two months.  Email addresses, birthdates, and credit card numbers with Card Verification Value (CVV) codes have all been stolen.

What started out as a showdown in the desert between Sony and a group of hackers angered by the treatment of Geohot has now taken on the appearance of a rotting carcass slowly being picked over by anyone that wants to come along and poke it.  The question now isn’t whether Sony will be hacked again, but what might get stolen this time, and where it will be stolen from.  As a former customer of Sony Online Entertainment, I can be certain that some of my information is probably out in the wild.  I’ve since changed passwords and credit card numbers to avert any possible wrongdoing, but other customers haven’t been so lucky.  I’ve lost all confidence in Sony and their ability to keep my information secure.  While many point to the infamous rootkit incident as the point where Sony started to sour in the eyes of their customer base, I think the PSN outage points to a bigger issue.  If Sony wants to install software on my computer to monitor whether or not I’m ripping CDs, that’s their business.  I can dislike them for doing something they shouldn’t and be done with it.  The only harm done was their ham-handed attempt to sneak something onto my PC.  But with this series of hacks, Sony has taken their corporate image and dragged it through the filthiest mud imaginable.  I now no longer dislike Sony because they do things they shouldn’t; instead, I’ve lost confidence in their ability to keep me safe.  Just like a bank failure, when a company can no longer assure me they can do business the way that it should be conducted, it’s time to move my business elsewhere.

Sony faces some pretty rough territory in the near future.  First, they really need to find out what raised the ire of their intruders and apologize for it.  Profusely.  It may be a little late now, but if they show a little remorse for whatever wrong they may have done it might call off the dogs for a bit.  Sony needs time to recover and reassess their security posture.  Secondly, Sony needs to can their security team and bring a set of fresh eyes into the picture.  It’s quite apparent that the current team wouldn’t know security if it bit them in the ass.  Passwords stored in clear text, arbitrary account recovery mechanisms, and general incompetence seem to abound.  It’s time to get a new CISO and make some drastic and public changes.  Announce what you are going to do and make sure your now-burned customers are aware of your new commitment to security.  You aren’t going to win anyone back by implementing new security features and burying them on page 20 of a 21 page press release.  Face it Sony, your reputation is shot either way.  Why not make the most of it and try to win back some fans by admitting you screwed up and then fixing it?

Tom’s Take

There’s no doubt Sony makes good technology.  Even when it fails.  However, a series of organizational policies that have left their customer base more violated than the speed limit is their worst failure to date.  There isn’t going to be a cool new feature to save them from this disaster.  No hope for a new version of software to work out these bugs.  It’s time to rewrite the security posture from the ground up.  Find an executive or two to fall on their swords for this whole mess and move on.  Make sure to keep your former customers in the loop about how you’re going to ensure that this never happens again.  I, for one, am done with Sony until I see some major changes in their handling of customer data.  No more TVs, cameras, Walkmen, or games until they prove to me that filling out an online profile isn’t going to expose me to all manner of dastardly things on the Internet and beyond.  Sony’s had their moment of silence in all this by refusing to come clean about the hack in the first place.  Again and again, they’ve kept their mouths shut about timetables and countermeasures.  And until I hear something from them about all this, they won’t hear anything from me at all.