Posted on 03/18/2011 2:43:35 PM PDT by Gideon7
Sophisticated hackers broke into security company RSA's servers and stole data related to SecurID authentication tokens, the firm's head announced late Thursday.
The tokens are used by an estimated 40 million employees of large corporations and organizations. They generate a seemingly random six-digit number every 30 or 60 seconds, which the employees type in to log into virtual private networks or other sensitive systems.
The RSA cryptography algorithm, which uses a 128-bit "seed" unique to each token to generate the numbers, is virtually impossible to crack. An estimated 250 million smartphones use similar RSA software to verify identity.
"Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA," RSA executive chairman Art Coviello, Jr. wrote in an "Open Letter to RSA Customers" that was posted on his company's site Thursday evening...
An "online note" filed with the Securities and Exchange Commission stated that the stolen data "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack..."
Coviello's reference to an "advanced persistent threat" is telling. The term is often a euphemism for "extremely skilled hackers supported by the Chinese government" who in the past few years have penetrated the networks of hundreds of U.S. corporations and governmental organizations.
Similar intrusions were part of "Operation Aurora," which hit Google, Yahoo, Morgan Stanley, Disney, General Electric and about 200 still-unnamed firms, and of "Night Dragon," which affected the Western energy giants ExxonMobil, Royal Dutch Shell, BP, Marathon Oil and ConocoPhillips.
The Chinese government has denied any connection to the incidents.
(Excerpt) Read more at msnbc.msn.com ...
Note: The author appears to be confusing the RSA encryption algorithm, used in the HTTPS web protocol, with RSA the company. SecurID is not used in SmartPhone web browsers.
SecurID is a physical token system used by the US government and military for access to sensitive computer systems. It is a small card (or key fob) that displays a random 6-digit number on an LCD screen. The number changes every minute. When someone with clearance wants to log on they must type in the 6-digit number shown along with his/her password.
The idea is that only someone physically holding the SecurID card can gain access. It works better than fingerprints (which can be faked). If the user is under duress he/she can enter a duress password. If you attempt to open or tamper with the card it self-destructs.
The weakness of SecurID is its pseudo-random number generator. Each card starts off with a 'seed number' (essentially the first random number). Each number in sequence is computed using a cryptographically secure hashing function. If anyone can capture the seed number they can in theory reproduce the entire number sequence and create a duplicate card.
This could be a China-sponsored cyber-attack against the US government.
Hang him from the highest yardarm!
Hu?
The real question is to know who holds which token. Only that person knows the password that matches the token.
Interestingly, the online game World of Warcraft has this system as an option. You pay Blizzard Entertainment $6.95 and they send you an “authenticator,” which is just one of these little RSA keyfobs with some World of Warcraft graphics on it. You have to input the six-digit code in order to log on. There’s no extra charge on top of the monthly subscription fee to use it. My wife and I play and we both use this system, as do most of the people I know who play.
They started offering this setup because with 12 million accounts worldwide, hacking WoW accounts is a lucrative business, often done by Chinese companies who get userIDs and passwords, log onto the accounts, clean the game characters out of in-game items and currency, then turn around and sell the currency using real money. I had my WoW account hacked once and to this day I *still* don’t know how they did it. Multiple scans with multiple products turned up no malware or viruses on my machine.
}:-)4
Thanks Gideon7. Sounds like they need better security. Wait, what?
I use one to remote into my work computer from home.
In order to do so, I need to enter my username, password, another password immediately followed by the RSA 6 digit code, which is only good for a minute. It would be VERY difficult for a hacker to do anything with this. Plus, the “keyfobs” expire after a few years, so they only have a limited time to use the stolen data.
As for my company, the only thing they would get is healthcare data, which wouldn’t include an SSN (at least for the apps I use).
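As an added example (not code from the page, from RSA, or from any poster; RSA's actual SecurID algorithm is proprietary and is not reproduced here), the following Python models the two points made above: the note's claim that anyone holding a token's seed can reproduce its whole number sequence and build a duplicate card, and this poster's login flow where a PIN is typed immediately before the six-digit code, which is only good for a minute. It uses the generic RFC 6238 time-based OTP construction (HMAC over a minute counter, truncated to six digits) as a stand-in for the token's hash function. The seed, PIN, user name and timestamp are constructed sample values.

```python
"""Added example: a SecurID-style time-synchronous token, a clone built from a
stolen seed, and a verifier that still demands the user's PIN and rejects stale
or replayed codes.  Generic RFC 6238 (TOTP) construction, not RSA's algorithm."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

DIGITS = 6   # codes are six digits, as the article describes
STEP = 60    # one code per minute, as the poster's note describes


def tokencode(seed: bytes, t: int) -> str:
    """Code shown on the token at Unix time t: HMAC(seed, minute counter), cut to 6 digits."""
    counter = t // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Token:
    """The key fob: nothing inside but a 128-bit seed and a clock."""

    def __init__(self, seed: Optional[bytes] = None):
        self.seed = seed if seed is not None else secrets.token_bytes(16)

    def display(self, t: int) -> str:
        return tokencode(self.seed, t)


class AuthServer:
    """Stores each user's PIN hash and token seed; passcode = PIN followed by tokencode."""

    def __init__(self):
        self.users = {}        # user -> (pin_hash, seed)
        self.accepted = set()  # (user, counter) pairs already used once

    @staticmethod
    def _pin_hash(pin: str) -> bytes:
        # Illustrative only; a production server would use a salted password hash.
        return hashlib.sha256(pin.encode()).digest()

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (self._pin_hash(pin), seed)

    def verify(self, user: str, passcode: str, now: int, window: int = 1) -> bool:
        if user not in self.users or len(passcode) <= DIGITS:
            return False
        pin_hash, seed = self.users[user]
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(self._pin_hash(pin), pin_hash):
            return False                                         # stolen seed alone is not enough
        counter = now // STEP
        for c in range(counter - window, counter + window + 1):  # tolerate +/- one minute of drift
            if hmac.compare_digest(tokencode(seed, c * STEP), code):
                if (user, c) in self.accepted:
                    return False                                 # replay of an already-used code
                self.accepted.add((user, c))
                return True
        return False                                             # code expired or never valid


# Constructed sample data: fixed seed and clock so the run is reproducible.
SEED = bytes(range(16))
PIN = "7391"
T0 = 1300480000   # a Unix time in March 2011


def demo() -> dict:
    server = AuthServer()
    server.enroll("alice", PIN, SEED)
    fob = Token(SEED)
    clone = Token(SEED)   # what an attacker can build from a stolen seed record
    code = fob.display(T0)
    results = {}
    results["legit_login"] = server.verify("alice", PIN + code, T0)
    results["replay"] = server.verify("alice", PIN + code, T0)
    results["clone_matches_display"] = clone.display(T0 + STEP) == fob.display(T0 + STEP)
    results["clone_with_pin"] = server.verify("alice", PIN + clone.display(T0 + STEP), T0 + STEP)
    results["clone_without_pin"] = server.verify(
        "alice", "0000" + clone.display(T0 + 2 * STEP), T0 + 2 * STEP)
    results["stale_code"] = server.verify("alice", PIN + code, T0 + 5 * STEP)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

Running `demo()` shows the asymmetry both posters are pointing at: a clone built from the seed displays exactly what the real fob displays, so with the PIN as well it logs in; without the PIN it is rejected, a code reused within the same minute is rejected, and a code presented five minutes late is rejected. The seed therefore turns the second factor back into a single secret (the PIN), which is what the SEC filing's "reduce the effectiveness of a current two-factor authentication implementation" means in practice.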
Maybe there was a weakness in the auth protocol and you got sniffed outside your box. Also the mere fact that you have WoW SW running on it means you have opened up some potential vulnerabilities. The scan should have resulted in: "ahh, you have some crap sending data out of your PC, please click here to remove"
Great and useful post. Thanks. I will notify IT and my engineer buddies. They may not yet be aware of this.
I agree with you that the article, or msnbc, what a shock, has likely confused RSA encryption with a company name.
Wow. Anyone who buys *anything* directly from the MS media, especially science-based info, is also very confused and gullible.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.