RSA: disclosure could compromise clients
Security giant RSA said if it answered some of our most burning questions about the high-profile breach of its systems, customers could be put in jeopardy.
The company's head of technology and chief customer problem-solver Uri Rivner told ZDNet Australia that customers could be put at risk if RSA confirmed that it has a token seed database, or gave specific details about what was compromised.
"We try to do what is responsible. We don't want to put customers at risk because we put too much information in the public and we don't want to disrupt investigations outside of our organisation," Rivner said.
"I think that is the main reason why you don't have more information.
"We have natural curiosity here, but ask yourself … how many companies informed anyone that they were the subject of attacks?"
There is still no word whether RSA is preparing to issue more information on the scale of the compromise, but Rivner said he believes the company had already completed its investigation soon after the attack.
His comments follow the line that RSA has maintained since hackers broke into its systems and accessed its SecurID token product last month.
The SecurID system is used by millions of businesses for two-factor authentication. Telstra, Virgin Blue and Lockheed Martin are some of RSA's Australian customers.
To its credit, RSA did publicly admit to the breach, and later published explicit details on how the break-in occurred, which are rare acts in an industry inclined to hush data breaches.
Yet that's little solace for many customers who remain in the dark about whether their SecurID tokens are still secure.
Rivner said RSA has placed some 15,000 phone calls to affected customers and issued hundreds more detailed security updates under non-disclosure agreements. Yet RSA has yet to publicly say whether or not its SecurID systems are still safe, a fact that has groomed suspicion within the information security industry.
If a seed database exists, in which SecurID serial numbers are linked to seed records, attackers could use it to decipher the six-digit AES-128 scrambled RSA tokens. But to attack a customer, they would need to know the serial number of a token used by the victim and their account password.
Although Rivner wouldn't budge on whether such a database existed, he said that an attempt to exploit RSA would require customer-held information.
"In the worst-case scenario they will not be able to complete an attack without information from the client side."
He would not say whether RSA has binned the intrusion detection technology that failed to stop an employee from opening a malicious email attachment, a file that was already flagged as spam.
Rather, he said, intrusion prevention and detection technologies are a crucial facet of information security, but acknowledged that the name for such technologies is deceptive.
"Intrusion prevention is like the lock on the door," Rivner said. "I don't think it is the end of these technologies, just that they will be less effective at stopping [social engineering] attacks."
Rivner said businesses should assume intrusions are occurring and accept that prevention of social-engineering-based attacks cannot be guaranteed.