RSA SecurID Breach Has Partners Seeking Answers

RSA channel partners are seeking more information and counseling
their clients on risk mitigation following the publication on March 17
of an open letter from Art Coviello, CEO of RSA, an EMC company, that
outlined a breach that compromised its highly popular authentication
token SecurID product. Used by a wide range of organizations such as
banks and highly sensitive government entities, SecurID provides
customers with a one-time authentication method that requires the user
to use a hardware token authenticator to sign in rather than relying
solely on insecure passwords.

As partners scrambled on last week to deal with the ramifications of
the breach, the details from  RSA as to how information was
obtained and what exactly the attackers took remained scant.

"The lack of specific information scares the —- out of me," says
Bobby Kuzma, owner of managed security service provider Central Florida
Technology Solutions.  "Fundamentally the fact that we don’t know
what exactly was compromised really limits our ability to react
appropriately on behalf of all of our clients, many of whom do have
secure id implementations."

The informational abyss has led to rampant speculation among
partners as they tried to figure out the implications for their
customers.

"Based on our current understanding there is no reason to suspect
the core security features of the SecurID have been significantly
compromised," says Jeremy Allen, principal consultant at Intrepidus
Group. "However, if there has been a flaw discovered in the SecurID
token code generation process or some large scale material compromise
of token seeds has occurred the impact could be tremendous. Given RSA’s
8K filing that they expect no financial impact there is not a reason to
suspect a significant compromise. Time will tell the real story behind
this compromise"

Token seeds are the algorithmic keys that enable SecurID tokens to
spit out an authentication code at certain intervals. Every token comes
from a different seed, which cannot be changed and essentially is the
lynchpin of the token’s security. It is the scenario of a loss of the
token seeds that frightens Kuzma most.

"The fact that it did not specifically note what was compromised
says to me that it’s either some or all of the seeds that they’ve
issued, or the mechanism by which they generate the seeds was
compromised," he says. "In that case, it may involve physically
replacing all of the outstanding key fobs with ones with new seeds,
which would be a Chinese fire drill of epic proportions. Because of the
secure design of these tokens, you can’t reseed them; they can’t be
reinitialized. RSA designed them to prevent that."