RSA: Hack was like 'a spy novel'

Summary: The hack that stole RSA SecurID data was perpetrated by a nation state, according to the security company. RSA executive chairman Art Coviello talks to ZDNet UK about the attack

The breach of authentication data from security company RSA caused ripples across the globe in March. A number of governmental organisations, defence contractors, and corporations use RSA SecurID authentication tokens to allow employees to access sensitive data.

The attack was disclosed in March. According to the company, two teams of hackers working for a nation state stole the SecurID data.

Following the attack, RSA liaised with a number of concerned organisations. Many companies felt that RSA had not given enough timely information, RSA president Tom Heiser said in a keynote speech at the RSA Conference in October.

RSA executive chairman Art Coviello talked to ZDNet UK and described the attack as "the stuff of a spy novel". He added that RSA felt it had given its customers enough information to prevent use of the stolen data.

Q: Can you talk me through the attack on RSA?
A: Let's start with the following premise. A company was attacked to get at us. That's where the phishing emails came from.

Is that a premise, or is it what actually happened?
This is true. Why would someone want to steal security information?

To compromise customers who are using SecurID?
Right. Why would they want to do that? Because SecurID is keeping them from impersonating employees or partners or contractors, and it's a very effective technology.

If I can steal information from RSA to make it easier to attack others, then I might attack RSA. But the information the attackers got from RSA wasn't sufficient, in and of itself, to be useful. They still needed information that only the customer would have.

Let's say they could get the information the customer has, and combine that with the information from RSA. Then they could potentially impersonate one of the employees of the company being attacked, right?

So they steal some SecurID information from RSA, but it only becomes useful when they get some information from, say, Lockheed Martin?
Right, as a hypothetical. Now, did they need that to get into another company? Couldn't they just get into that other company the same way they got into RSA? With a phishing email?

The answer, of course, is yes. But what they have in mind is to get in without being seen. What they have in mind is to get in, and steal whatever it is they want to steal, and erase any evidence that they've stolen it. That's the ultimate goal.

Wouldn't it become obvious that they had managed to steal the data?
Perhaps, but perhaps long after they'd used whatever information they'd taken.

If our customers adopted our best practices, which included hardening their back-end servers, it would now become next to impossible to take advantage of any of the SecurID information that was stolen.

And is that what happened?
We gave our customers best practices and remediation steps. We told our customers what to do. And we did it quickly and publicly. If the attackers had wanted to use SecurID, they would want to have done it quietly, effectively and under the covers. The fact that we announced the attack immediately, and the fact that we gave our customers these remediation steps, significantly disadvantaged the attackers from effectively using SecurID information.

So you're saying you blew their cover?
Exactly. We think because we blew their cover we haven't seen more evidence [of successful attacks].

I don't know that for a fact, but what I do know is this — SecurID information in and of itself couldn't have been used in an attack.

The attacker would need other information from a customer. We told the customer how to protect that other information. To date, there have been no losses as a result of the attack, and only one indication the information was even used in an attack, and that attack was unsuccessful.

It's not like we haven't chased down every single instance where a customer even suspected the information might have been used. Believe me, we are staying vigilant. We are keeping our eye on this. If we see any indication, we're all over it. But to date, seven months later, nothing.

Is that because nothing's happened, or is that because you believe that nothing has happened?
It's impossible to prove a negative, but law enforcement is looking into this, all kinds of people are looking into this. We're asking people to come forward if there's any evidence, and we're being very vigilant.

But we still maintain the fundamental fact that...
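Coviello's argument above is that the data taken from RSA was one half of a two-part secret: an attacker holding it still needs the customer-side half (which user owns which token, and that user's PIN), and a hardened back end makes guessing the missing half noisy and self-defeating. The following is an added example written for this page, not code from RSA or the article. It models that argument with a generic RFC 6238 TOTP token standing in for SecurID (the article does not describe SecurID's algorithm, and nothing here reproduces it); the PIN-plus-tokencode passcode format, the lockout threshold, the serials, PIN and seed are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the token algorithm: RFC 6238 TOTP (HMAC-SHA1,
# 30-second step, 6 digits). This is not SecurID's algorithm.
STEP_SECONDS = 30
DIGITS = 6


def tokencode(seed: bytes, unix_time: int) -> str:
    """Tokencode for the time step containing unix_time (RFC 6238)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Customer back end. It holds what a token seed alone does not give an
    attacker: which user owns which token, and each user's PIN."""

    def __init__(self, max_failures: int = 3):
        self.seeds = {}          # token serial -> seed (vendor-side half)
        self.users = {}          # username -> (serial, PIN) (customer-side half)
        self.failures = {}       # username -> consecutive failed passcodes
        self.locked = set()
        self.alerts = []         # events a SOC would want to see
        self.max_failures = max_failures

    def enroll(self, username: str, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.users[username] = (serial, pin)

    def verify(self, username: str, passcode: str, unix_time: int) -> bool:
        """passcode is the PIN followed by the tokencode (assumed format)."""
        if username in self.locked:
            self.alerts.append(f"attempt on locked account {username}")
            return False
        entry = self.users.get(username)
        if entry is None:
            self.alerts.append(f"unknown user {username}")
            return False
        serial, pin = entry
        pin_part, code_part = passcode[:len(pin)], passcode[len(pin):]
        ok = False
        if hmac.compare_digest(pin_part, pin):
            # Accept one step of clock drift either side.
            for drift in (-1, 0, 1):
                expected = tokencode(self.seeds[serial], unix_time + drift * STEP_SECONDS)
                if hmac.compare_digest(expected, code_part):
                    ok = True
                    break
        if ok:
            self.failures[username] = 0
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
            self.alerts.append(f"lockout: {username} after {self.max_failures} failures")
        return False


def demo() -> dict:
    """Walk through the two-halves argument with constructed data."""
    seed = b"constructed-seed-not-a-real-token"          # constructed value
    server = AuthServer()
    server.enroll("alice", "000100200300", seed, "4821")  # constructed serial and PIN
    t = 1_700_000_000
    results = {}
    # Legitimate user: PIN plus current tokencode.
    results["legit"] = server.verify("alice", "4821" + tokencode(seed, t), t)
    # Holder of the seed only: correct tokencode, but no PIN and no user mapping.
    results["seed_only_no_pin"] = server.verify("alice", tokencode(seed, t), t)
    results["seed_only_wrong_user"] = server.verify("bob", "0000" + tokencode(seed, t), t)
    # Guessing the missing PIN trips the lockout; a try on the locked account is itself logged.
    for guess in ("0000", "1111", "2222"):
        server.verify("alice", guess + tokencode(seed, t), t)
    results["locked_after_guesses"] = "alice" in server.locked
    results["alert_count"] = len(server.alerts)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the code makes is the one in the interview: the seed yields a correct tokencode, yet every attempt without the customer-held PIN and user-to-token mapping fails, and a back end with a low lockout threshold and alerting turns the attacker's guessing into exactly the visible evidence they were trying to avoid.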

About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

  • That attack was unsuccessful, they would say that, if they admitted otherwise it wouldn't look good for VeriSign & RSA would it!
    icefire-28d7a