Security Experts: RSA Lacks Technical Openness
RSA channel partners are seeking more information and counseling their clients on risk mitigation following the publication on March 17 of an open letter from Art Coviello, CEO of RSA, an EMC company, that disclosed a breach affecting its widely used SecurID authentication token product. Used by a broad range of organizations, including banks and highly sensitive government entities, SecurID gives customers a one-time authentication method in which the user signs in with a hardware token authenticator rather than relying solely on insecure passwords.
As partners scrambled last week to deal with the ramifications of the breach, the details from RSA as to how information was obtained and what exactly the attackers took remained scant.
"The lack of specific information scares the ---- out of me," says Bobby Kuzma, owner of managed security service provider Central Florida Technology Solutions. "Fundamentally the fact that we don't know what exactly was compromised really limits our ability to react appropriately on behalf of all of our clients, many of whom do have SecurID implementations."
The informational abyss has led to rampant speculation among partners as they tried to figure out the implications for their customers.
"Based on our current understanding there is no reason to suspect the core security features of the SecurID have been significantly compromised," says Jeremy Allen, principal consultant at Intrepidus Group. "However, if there has been a flaw discovered in the SecurID token code generation process or some large scale material compromise of token seeds has occurred the impact could be tremendous. Given RSA's 8K filing that they expect no financial impact there is not a reason to suspect a significant compromise. Time will tell the real story behind
Token seeds are the algorithmic keys that enable SecurID tokens to spit out an authentication code at certain intervals. Every token comes from a different seed, which cannot be changed and essentially is the lynchpin of the token's security. It is the scenario of a loss of the token seeds that frightens Kuzma most.
"The fact that it did not specifically note what was compromised says to me that it's either some or all of the seeds that they've issued, or the mechanism by which they generate the seeds was compromised," he says. "In that case, it may involve physically replacing all of the outstanding key fobs with ones with new seeds, which would be a Chinese fire drill of epic proportions. Because of the secure design of these tokens, you can't reseed them; they can't be reinitialized. RSA designed them to prevent that."
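To make concrete why a seed compromise is the worst case, here is an added illustration that is not part of the original article and is not RSA's SecurID algorithm (which, as the experts quoted below note, was never published). It uses the public HMAC-based construction from RFC 4226/6238 instead, with the RFC 6238 SHA-1 test seed as a constructed stand-in for a token seed. Every code the device displays is a pure function of the seed and the current time interval, so whoever holds the seed can reproduce the display exactly, and the only server-side remedy for a known-compromised seed is to refuse it and replace the hardware, the scenario Kuzma describes:

```python
import hashlib
import hmac
import struct

# Constructed demo values. This is the RFC 6238 SHA-1 test seed, not a SecurID seed;
# real token seeds are per-device secrets provisioned at manufacture.
DEMO_SEED = b"12345678901234567890"
TIME_STEP_SECONDS = 30
DIGITS = 6


def time_counter(unix_time: int, step: int = TIME_STEP_SECONDS) -> int:
    """Number of the interval the token is displaying at the given Unix time."""
    return unix_time // step


def otp_from_seed(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code with the RFC 4226 dynamic truncation.

    The code is a pure function of (seed, counter). The algorithm itself is
    public, so the seed is the only secret in the whole scheme.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_display(seed: bytes, unix_time: int) -> str:
    """What the device shows at a given moment."""
    return otp_from_seed(seed, time_counter(unix_time))


def server_verify(seed: bytes, submitted: str, unix_time: int,
                  drift_steps: int = 1, revoked: frozenset = frozenset()) -> bool:
    """Server-side check: the seed on file reproduces the device's code.

    Tolerates a little clock drift either side of the current interval. A seed
    the operator has marked as compromised is refused outright: because the
    device cannot be reseeded, withdrawing the seed record (and replacing the
    token) is the only remedy once the seed is known to be exposed.
    """
    if seed in revoked:
        return False
    counter = time_counter(unix_time)
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        if hmac.compare_digest(otp_from_seed(seed, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = 1111111109  # one of the RFC 6238 test timestamps
    code = token_display(DEMO_SEED, now)
    print("device shows", code)                                   # 081804
    print("accepted:", server_verify(DEMO_SEED, code, now))       # True
    compromised = frozenset({DEMO_SEED})
    print("after revocation:",
          server_verify(DEMO_SEED, code, now, revoked=compromised))  # False
```

The revocation set stands in for whatever record an authentication server keeps per token serial; the point is that nothing short of retiring the seed changes what the device will display, which is why the loss of seed material, rather than a flaw in any one component, is the outcome the partners quoted here fear most.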
Some security experts believe that, aside from the breach itself, part of the issue has to do with the lack of technical openness that RSA has fostered around this set of authentication products. They used the breach as an opportunity to take a jab at RSA for not offering the security community more details about the workings of SecurID in the first place.
"RSA broke a cardinal rule in the non-disclosure of their one-time authentication system; the fundamental crux of any security method or algorithm is wide publication and dissemination of the underpinning method used for purposes of peer review," says Gregory Perry, CEO of training firm GoVirtual, a former security firm executive and an open-source advocate. "RSA is not new to this concept, their RSA encryption algorithm and related method of implementation is the de facto standard for public key encryption in use on the Internet today, but for some reason they chose to adopt a mindset of 'security through obscurity' with their RSA SecurID method - which many industry veterans viewed with suspicion over the years and which raised the specter of a backdoor within the SecurID OTP authentication framework."
Christian Hessler, CTO of authentication firm LiveEnsure, agreed that the opacity of the RSA solution works to its disadvantage.
"The breach at RSA just goes to show that security by obscurity never works. It's a fundamental principle in security called Kerckhoffs's principle - you must assume your enemy has the details of your system. If your authentication relies on some level of operational system 'secrecy' to work, it is just a matter of when, not if, the system will be compromised," Hessler says. "The problem with traditional shared secret tokens, outside of cost, deployment and custody issues, is that they do nothing to establish context of the mutual authentication. They are merely additional layers of 'secret passwords,' regardless of how those factors are generated or delivered."
It's hard to tell when RSA will offer more insight into how the product was compromised, but in the meantime it recommended that customers and partners take the steps outlined in the note it posted on its SecurCare Online portal. RSA has also been proactive over the last several days in arranging conference calls for partners and customers to offer advice on mitigating steps.
"At the end of the call, RSA was very adamant that this is not something trivial but that there are no other RSA products or EMC products that have been affected by this and that RSA SecurID is still a very viable selection for strong authentication," says Philip Cox, principal consultant with SystemExperts, who has been "elbow-deep" in advising customers on the breach and participated in one of the calls. "What I think partners need to do is get educated on what the recommendations are that RSA has put out and based on their understanding of where their customers are security practices-wise, pick and pull the top 10 things that really need to be done and blast that out to their customers. I think education here is key."
Conference calls notwithstanding, some experts also believe that the channel needs to hold RSA accountable for more information in the coming weeks and months.
"At the end of the day, money is what's going to get people's attention. That's the way the world works," says Vik Phatak, CTO of security testing and analyst firm NSS Labs, who believes that partners may have more impact than individual customers.
"I mean, I think the channel partner comes back and says look, I've got these 50 customers and I can't help them and these are the questions they're asking. If I can't answer it I'm going to have to go with an alternate technology."