RSA SecurID Breach Has Partners Seeking Answers

By Ericka Chickowski  |  Print this article Print

RSA channel partners are concerned about the lack of details from RSA following a security breach of its authentication SecurID product which is used by a range of organizations including banks and highly sensitive government entities.

RSA channel partners are seeking more information and counseling their clients on risk mitigation following the publication on March 17 of an open letter from Art Coviello, CEO of RSA, an EMC company, that outlined a breach that compromised its highly popular authentication token SecurID product. Used by a wide range of organizations such as banks and highly sensitive government entities, SecurID provides customers with a one-time authentication method that requires the user to use a hardware token authenticator to sign in rather than relying solely on insecure passwords.

As partners scrambled on last week to deal with the ramifications of the breach, the details from  RSA as to how information was obtained and what exactly the attackers took remained scant.

"The lack of specific information scares the ---- out of me," says Bobby Kuzma, owner of managed security service provider Central Florida Technology Solutions.  "Fundamentally the fact that we don't know what exactly was compromised really limits our ability to react appropriately on behalf of all of our clients, many of whom do have secure id implementations."

The informational abyss has led to rampant speculation among partners as they tried to figure out the implications for their customers.

"Based on our current understanding there is no reason to suspect the core security features of the SecurID have been significantly compromised," says Jeremy Allen, principal consultant at Intrepidus Group. "However, if there has been a flaw discovered in the SecurID token code generation process or some large scale material compromise of token seeds has occurred the impact could be tremendous. Given RSA's 8K filing that they expect no financial impact there is not a reason to suspect a significant compromise. Time will tell the real story behind this compromise"

Token seeds are the algorithmic keys that enable SecurID tokens to spit out an authentication code at certain intervals. Every token comes from a different seed, which cannot be changed and essentially is the lynchpin of the token's security. It is the scenario of a loss of the token seeds that frightens Kuzma most.

"The fact that it did not specifically note what was compromised says to me that it's either some or all of the seeds that they've issued, or the mechanism by which they generate the seeds was compromised," he says. "In that case, it may involve physically replacing all of the outstanding key fobs with ones with new seeds, which would be a Chinese fire drill of epic proportions. Because of the secure design of these tokens, you can't reseed them; they can't be reinitialized. RSA designed them to prevent that."