RSA to Reissue SecurID Tokens

By Ericka Chickowski  |  Print this article Print

It took nearly three months and a major security incident at one of the nation's most critical defense contractors, but RSA has finally acknowledged the severity of the March breach against its SecurID authentication infrastructure and committed to replace the tokens of nearly all 40 million users.

It took nearly three months and a major security incident at one of the nation's most critical defense contractors to spur it on, but on Monday RSA, The Security Division of EMC, finally let the cat out of the bag about the severity of a March security breach against its SecurID authentication token infrastructure.  The prognosis is bad, with RSA reporting that it will replace the tokens of nearly all 40 million users scattered across its customer base.

"We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection," wrote RSA CEO Art Coviello. "However, we recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance. As a result, we are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture."

The letter from Coviello comes directly on the heels of Lockheed Martin confirming to the media on Friday that the RSA tokens were at play in a late-May attack against it. The defense firm also released a statement today on the matter.

"Based on our early actions to replace all RSA SecurID tokens and add new layers of security to our remote access processes, we remain confident in the integrity of our robust, multi-layered information systems security," the company said.

In addition to RSA, several other high profile defense contractors have reportedly also been targeted in recent attacks. One anonymous source told FoxNews.com that Northrup Grumman was hit by an RSA token-related attack and an internal emailed memo from contractor L3 Communications that was disclosed by Wired magazine showed that it too was affected.

Though neither company has confirmed details about their ordeals, it seems to fit the mold of attacks in the wake of the RSA Breach.

"Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment," Coviello wrote in his letter. "For this reason, we worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure. We will continue these efforts."

Even with all of the signs pointing to it, RSA still didn't go so far as to describe what exactly was stolen in the March breach. But the attacks against Lockheed and other DoD partners along with the recall program going forward seem to justify many security experts' speculation that the token seeds were compromised. Token seeds are the algorithmic keys that enable SecurID tokens to spit out an authentication code at certain intervals. Every token comes from a different seed, which cannot be changed and essentially is the lynchpin of the token's security.

It is still unclear how exactly RSA will plan on executing its remediation efforts for customers, but Coviello says that the plan stands on two offers from the company. One is an offer to replace tokens for customers "focused on protecting intellectual property and corporate networks" and the other is an offer to implement risk-based authentication strategies "for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions."

It remains unclear the role that channel partners will play in making this happen, though given the scope of SecurID rehab efforts and the role of the channel in helping carry out so many of these authentication deployments, partners will indeed be integral to the effort.