RSA has finally opened up and started talking about the March breach into its systems. Admitting that SecurID tokens were compromised, the company has promised to replace all 40 million tokens for any client that feels it is necessary. Chairman Art Coviello also stated that RSA is offering transaction monitoring to financial institutions.
The admission is a big deal considering the recent cyber-attacks on the networks of three US military contractors: L-3 Communications, Northrop Grumman and Lockheed Martin. Only one of the three has outright confirmed a breach; attacks on the others were hinted at by internal warnings and suspicious-looking domain name and password reset processes.
RSA SecurID is a two-factor authentication system intended to secure access to sensitive data. Tokens are issued either as hardware devices or as software. Each token generates an authentication code at a fixed interval (usually 30 or 60 seconds) using a built-in clock and a factory-encoded random key (the "seed") that is unique to that token; the authentication server holds a copy of the same seed and computes the same code to check a login. If all 40 million tokens in circulation are compromised, the only choice RSA has is to replace them. Doing so is surely going to cost a huge chunk of money, and the admission cannot be making companies that have been using the "broken" SecurID tokens for the past several months happy.
What's concerning is that there are no official details about what, exactly, was stolen that allowed hackers to misuse the tokens. Because of the way the tokens work, it seems likely that the seed records, which link each token's serial number to its key, were compromised, and perhaps details of the algorithm that turns seed and time into the numeric code as well. Whoever holds a token's seed can compute exactly the codes that token will display, and no software update can undo that, which is why replacement is the only remedy.
Experts in the security industry, as well as knowledgeable consumers, are unhappy with RSA's failure to disclose the exact nature of the stolen data. Many feel that the non-disclosure enabled the subsequent breaches while keeping customers in the dark about the real danger to their sensitive data. Chairman Coviello defended the company's silence on that count, explaining that RSA did not want to reveal to hackers how to mount further attacks.
Despite the breach, Lockheed Martin assured the public that their systems remained secure and that no customer, program or employee personal data was compromised. In light of this new information, though, one has to question the likelihood that true security was maintained.
Recent cyber-attacks on major businesses and government organizations make it clear that it is paramount that security protocols be taken up a notch. Consumers need to feel safe in the knowledge that their personal information is secure and it is the responsibility of the businesses in question to make that happen. The Department of Homeland Security has offered to help determine the scope of the attacks. Hopefully these serious breaches in security will inspire contractors and businesses alike to take extra measures to secure information in the future.
Do you think that the government should get involved? Or is this just another way for the government to go snooping around our personal and private lives?