March 18, 2011
By JOHN MARKOFF
SAN FRANCISCO — More than a day after RSA Security posted an “urgent” alert warning that a sophisticated intruder might be able to initiate a “broad attack” on a password device used by millions of customers, the announcement and its meaning remain shrouded in mystery.
RSA, a division of the data management company EMC Corporation, will not say how its system was compromised and what specific kinds of threats its customers are facing. But from its extremely limited disclosure on Thursday afternoon about what might have been taken, customers and computer security specialists are scratching their heads about what the risks may actually be.
There was wide bewilderment about the company’s claim that the intruder was “extremely sophisticated,” as it suggested that one of the nation’s premier security firms had no better security than dozens of companies that have fallen victim to a computer break-in that deceives employees and exploits unknown software vulnerabilities.
On Friday, a spokesman for RSA said it was briefing its customers individually but added that its executives were declining to speak publicly about the breach.
The announcement touched off intense speculation about whether RSA’s popular SecurID tokens, which are carried on key chains and in wallets of millions of corporate and government users, have been significantly compromised.
“It’s a weird situation,” said Dan Kaminsky, an independent Internet security specialist. Referring to the Tokyo Electric Power Company, he said, “It’s like the Tepco situation in Japan, but here everyone is freaking out” and “nobody has Geiger counters.”
The system is intended to provide additional security beyond a simple user name and password by requiring users to append a unique number generated by the token each time they connect to their corporate or government network.
A potential weakness that could be exploited involves a factory-installed key called a seed. Typically 16 characters, it is different for each token and is stored on a corresponding computer server program, which authenticates the session each time a user connects to a secure network.
If the database containing customers’ seeds was taken, the intruder might still not know which user had which seed, but cryptographers said it would be possible to use a reverse-engineered version of the RSA algorithm to determine that information by simply capturing a single log-in session. That would be a potentially serious vulnerability that could be exploited by a sophisticated attacker.
A technical expert in New York whose financial services firm uses the SecurID system said that even after listening to a telephone briefing on Thursday evening, he was uncertain about which potential threats he should be concerned about.
The company offered only extremely general “belt and suspenders” advice, the expert said. A copy of the company’s terse “RSA SecurCare Online Note” posted on the Securities and Exchange Commission Web site on Thursday offers such advice as “Focus on security for social media applications” and “We recommend customers re-educate employees on the importance of avoiding suspicious e-mails.”
RSA notified the federal government, whose agencies widely use the tokens to guard access to their networks, some time before the public announcement was made. On Wednesday, the Computer Emergency Readiness Team in the Department of Homeland Security posted a “Technical Information Paper” on its Web site describing a set of security practices meant to limit vulnerability to attacks based on the stolen information, according to a person close to the organization.
“We have notified all of the federal agency chief information officers to take remediation steps,” said a government official who declined to be identified because he had not been authorized to speak about the breach.
What the actual risk is, and what precautions a user of the key fobs and wallet-size cards should take, depend on what was taken in the theft.
“I’m speculating, but I’m pretty confident that somebody has the root seed file,” said a former RSA employee, referring to the master file at the company, which is based in Bedford, Mass. He asked not to be identified because he still has a business relationship with the firm.
The worst case, many security consultants say, is that the vulnerability created by the theft might require companies to replace the secure tokens, which, according to analysts, cost $15 a year or more to maintain. The vulnerability might also force RSA to rethink the design of its SecurID system.
“They may have to change their security model to one where a third party does not hold the keys to your devices,” said Paul Kocher, president of Cryptography Inc., a San Francisco computer security consulting firm.