After weeks of speculation on the matter, it appears that RSA has finally decided to admit the obvious that the SecurID Token system has become compromised. Honestly, I’m not shocked. In fact, I said as much almost 2 months ago when debating the subject with the other Packet Pushers. I remember hearing the original disclosure and thinking to myself “How could these hackers NOT have the keys to the kingdom?” RSA categorized this hack as an Advanced Persistent Threat (APT), which is a great new umbrella term to describe hacks that persist for weeks or months without detection. Of course, I don’t think clicking on an Excel spreadsheet pulled out of your junk mail folder qualifies as a particularly advanced penetration method, but as we’ve seen in the past few months (if not years), social engineering is a much more reliable infection vector. That’s because you can always count on people to do things they aren’t supposed to.
RSA covered up the worst of the attack. They put up a good smoke screen about needing to figure out what was stolen in breach. They even went so far as to talk about having the budget to implement new security that they wouldn’t have been able to before, which to me smacks of fixing the gate after the horses have gotten out. RSA didn’t admit up front that the seed of the SecurID tokens could have been compromised, although they admitted that some information relating to the SecurID system might have been involved. They really didn’t admit much more than that. In return, we got months of second guessing, supposition, and ultimately delays that caused Lockheed Martin, Northrup Grumman, and L-3 Communications to suffer from penetration attempts. RSA never publicly told their customers to ditch their tokens, even though security professionals said that the worst case scenario of the seed exposure was probably the case. In fact, Steve Gibson eerily said as much back on March 19th.
RSA should have come clean the day after the attack. Even if it didn’t admit that it (likely) stored the token serial number in a database along with the seed used to generate the token’s algorithm, they should have at least advised their customers begin the process to replace the older tokens with newer ones to ensure that the old tokens couldn’t be used as an attack vector. Why? Well, if you have access to the customer database, it doesn’t take much guesswork to figure out user IDs (first initial, last name). Once you have the serial number, you can figure out which algorithm was used on the token, since it appears RSA stored this data somewhere or made it easily accessible. Given that information, brute force becomes the tool used to try and penetrate a vulnerable network. There has been some speculation that there is some foreign governmental interference in this whole mess due to the fact that the three targets were all defense contractors. While I won’t discount this possibility, it’s more likely that these targets were chosen due to their heightened aura of security, almost guaranteeing they would use RSA tokens in their remote access strategy. Since US defense contractors probably buy these things by the truckload, their information was probably all over the hacked database. This lit them up like a Christmas tree in the eyes of potential hackers.
If you’re using an RSA token right now, put it down. Drop it in a thirty-three foot hole in the ground. Bury it completely (rocks and boulders should be fine). Then demand the RSA replace it with a new one. Yes, you aren’t going to be able to destroy your whole remote access strategy and rip out all the RSA equipment. That would cost you a small fortune. Better to make RSA replace the tokens for you (at their cost) and investigate alternatives down the road. While I believe that RSA may be able to recover from this with enough time and some management changes, the fact that they let it happen in the first place will sting them for a long time to come.
Security breaches are always a wonderful game of ‘worst case scenario’. It tends to make most security professionals a little cynical, but it also keeps us from shooting ourselves in the foot. If you are a respected company like RSA (was), there should be no excuse for this cover up. You should always assume the worst case scenario in a situation like this. The new replacement tokens should have started shipping to your most important customers weeks ago. They newly-keyed devices should have been in the hands of your critical customers before they had the chance to ask why their keychain ornaments needed to be replaced. Even if the algorithm wasn’t compromised (which we now know that it was), a little proactive goodwill may cost money up front, but it won’t come anywhere near the cost that a black eye like this will end up totaling in the long run. Sony may have a big black eye from its security fiasco, but RSA is actually a security company. People like Sony trust them to security data. Finding out that they were hacked and their code stolen to leverage attacks on their customer is like shooting a cop with his own gun. RSA should have known better and done the right thing up front. No grandiose PR moves backed with vague statements that “something happened, we think”. Come clean, fix the issue, and be ready the meet the fallout head on rather than being blindsided in the press after the fact when your customers are getting the Sony Treatment. Better to have a garden of crops that will eventually grow back than the barren salted earth you’ve got now.