RSA hacked

Eugen Leitl eugen at leitl.org
Fri Mar 18 03:03:40 PDT 2011


http://www.wired.com/threatlevel/2011/03/rsa-hacked/

Hacker Spies Hit Security Firm RSA

By Kim Zetter, March 17, 2011, 6:40 pm

Top security firm RSA Security revealed on Thursday that it's been the victim
of an "extremely sophisticated" hack.

The company said in a note posted on its website that the intruders succeeded
in stealing information related to the company's SecurID two-factor
authentication products. SecurID adds an extra layer of protection to a login
process by requiring users to enter a secret code number displayed on a
keyfob, or in software, in addition to their password. The number is
cryptographically generated and changes every 30 seconds.
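The 30-second rolling code and the PIN-plus-code check described above, as an added example that is not from the article or from RSA: it uses the public RFC 6238 TOTP construction (HMAC-SHA1, 30-second step), not SecurID's proprietary token algorithm, and the seed and PIN are constructed test data. It also shows why the server side of such a scheme holds a per-token seed next to the PIN, so that a disclosed seed leaves only the PIN standing for that user.

```python
# Added example, not code from the article or from RSA: a generic RFC 6238
# time-based one-time password (TOTP) generator and verifier. SecurID's own
# token algorithm is proprietary and is NOT reproduced here.
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the article: the displayed code changes every 30 seconds
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(seed, int(at_time) // step)


def verify_code(seed: bytes, candidate: str, at_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps to tolerate clock drift."""
    counter = int(at_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, counter + d), candidate)
        for d in range(-skew_steps, skew_steps + 1)
    )


def hash_pin(pin: str) -> bytes:
    """Demo-only PIN hashing; a deployment would use a salted, slow hash."""
    return hashlib.sha256(pin.encode()).digest()


def verify_two_factor(pin_hash: bytes, seed: bytes, pin: str, code: str, at_time: int) -> bool:
    """Both factors must pass: something known (PIN) and something held (token).
    The server stores the PIN hash and the per-token seed; if the seed is ever
    disclosed, the only factor still protecting that user is the PIN."""
    pin_ok = hmac.compare_digest(hash_pin(pin), pin_hash)
    return pin_ok and verify_code(seed, code, at_time)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 reference seed, constructed test data
    print(totp(seed, 59))                                   # 287082
    print(verify_code(seed, "287082", 59 + STEP_SECONDS))   # True: one step of drift
    print(verify_two_factor(hash_pin("1234"), seed, "1234", "287082", 59))  # True
```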

"While at this time we are confident that the information extracted does not
enable a successful direct attack on any of our RSA SecurID customers," RSA
wrote on its blog, "this information could potentially be used to reduce the
effectiveness of a current two-factor authentication implementation as part
of a broader attack. We are very actively communicating this situation to RSA
customers and providing immediate steps for them to take to strengthen their
SecurID implementations."

As of 2009, RSA counted 40 million customers carrying SecurID hardware
tokens, and another 250 million using software. Its customers include
government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was "confident
that no other ... products were impacted by this attack. It is important to
note that we do not believe that either customer or employee personally
identifiable information was compromised as a result of this incident."

The company also provided the information in a document filed with the
Securities and Exchange Commission on Thursday, which includes a list of
recommendations for customers who might be affected. See below for a list of
the recommendations.

A company spokesman would not provide any details about when the hack
occurred, how long it lasted or when the company had discovered it.

"We are not withholding anything that would adversely impact the security of
our customer systems," said spokesman Michael Gallant. "[But] we're working
with government authorities as well so we're not disclosing any further
information besides what's on the blog post."

RSA categorized the attack as an advanced persistent threat, or APT. APT
attacks are distinctive in the kinds of data the attackers target. Unlike
most intrusions that go after financial and identity data, APT attacks tend
to go after source code and other intellectual property and often involve
extensive work to map a company's infrastructure.

APT attacks often use zero-day vulnerabilities to breach a company and are
therefore rarely detected by antivirus and intrusion programs. The intrusions
are known for grabbing a foothold into a company's network, sometimes for
years, even after a company has discovered them and taken corrective
measures.

Last year's hack into Google was considered an APT attack, and, like many
intrusions in this category, was linked to China.

RSA, which is owned by EMC, is a leading firm and is most known for the RSA
encryption algorithm used to secure e-commerce and other transactions. The
company hosts the top-ranked RSA security conference every year.

Following is the list of recommendations RSA has provided to customers:

    • We recommend customers increase their focus on security for social
media applications and the use of those applications and websites by anyone
with access to their critical networks.

    • We recommend customers enforce strong password and PIN policies.

    • We recommend customers follow the rule of least privilege when
assigning roles and responsibilities to security administrators.

    • We recommend customers re-educate employees on the importance of
avoiding suspicious emails, and remind them not to provide user names or
other credentials to anyone without verifying that person's identity and
authority. Employees should not comply with email or phone-based requests for
credentials and should report any such attempts.

    • We recommend customers pay special attention to security around their
active directories, making full use of their SIEM products and also
implementing two-factor authentication to control access to active
directories.

    • We recommend customers watch closely for changes in user privilege
levels and access rights using security monitoring technologies such as SIEM,
and consider adding more levels of manual approval for those changes.

    • We recommend customers harden, closely monitor, and limit remote and
physical access to infrastructure that is hosting critical security software.

    • We recommend customers examine their help desk practices for
information leakage that could help an attacker perform a social engineering
attack.

    • We recommend customers update their security products and the operating
systems hosting them with the latest patches.

Photo: RSA SecurID tokens (br2dotcom/Flickr)
