RSA SecurID Compromise in Detail

By: Absolute Team | 6/10/2011

It was announced earlier this year by EMC, the company behind RSA, that the company had been the victim of an APT cyber attack and that information about its SecurID two-factor authentication products had been leaked. At the time, it was unclear whether the breach had resulted in SecurID being compromised. For the first time, the company has acknowledged that its compromised SecurID tokens were used to breach Lockheed Martin.

RSA Security has offered to replace all of the 40 million SecurID tokens, which are used in the two-factor authentication process that corporate workers currently rely on to securely log onto their computers. Ars Technica does a good job describing what a token is:

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it's this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.
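To make the quoted description concrete, the added example below (not from the original post, from Ars Technica, or from RSA) uses the public RFC 6238 TOTP construction as a stand-in for RSA's undisclosed algorithm, and the seed value is constructed. It shows that the authentication server and the token run the identical computation, so the seed alone reproduces every code, which is why the only remedy after a seed leak is to reseed, i.e. replace the token.

```python
import hashlib
import hmac
import struct

# RSA's SecurID algorithm is proprietary and not described on this page.
# RFC 6238 TOTP (HMAC-SHA1 over a time-step counter) is used here as a stand-in
# with the same shape: secret seed + current time step -> short numeric code.


def totp_code(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Code the token displays at unix_time (computable by anyone holding the seed)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int,
           step: int = 60, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: recompute from the stored seed, tolerating +/- skew
    time steps of clock drift, and compare in constant time."""
    for s in range(-skew, skew + 1):
        expected = totp_code(seed, unix_time + s * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    seed = b"constructed-seed-not-a-real-token"   # constructed sample value
    now = 1_307_664_000                            # constructed timestamp (June 2011)
    shown = totp_code(seed, now)
    print("token shows:", shown, "server accepts:", verify(seed, shown, now))
    # Nothing above needs the physical token; the seed is the entire secret.
    # A leaked seed therefore has to be retired, which means issuing a new token.
```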

There is commentary about whether disclosing information about this exact vulnerability earlier would have prevented attacks, as RSA had hoped, or whether withholding it left companies in the lurch about how to shore up their security.

As we wrote earlier, a layered approach to security will greatly help shore up these risks and other risks in your security systems and processes.
