RSA breach report lacks depth: Kaminsky

RSA has been commended for alerting users to a data breach affecting its SecurID products, but chastised for releasing only scant information on the severity of the attack, which experts say is not enough to allow organisations to protect themselves.
Written by Darren Pauli, Contributor

RSA has been commended for alerting users to a data breach relating to its SecurID products, but has also been chastised for only passing on scant information on the severity of the attack.

Dan Kaminsky (Credit: Dave Bullock, CC2.0)

The information security giant has released an open letter admitting that hackers had broken into its systems and acquired information on its SecurID authentication products. However, it stopped short of disclosing the severity of the incident.

The SecurID system is used by millions of businesses for two-factor authentication. Telstra, Virgin Blue and Lockheed Martin are some of RSA's Australian customers.

"This [stolen] information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," RSA chief Art Coviello wrote in the letter.

But according to security expert Dan Kaminsky, speaking to ZDNet Australia in a phone interview from the United States, the information is useless to customers and "could have been said yesterday".

"They haven't given enough information. What they have given is good advice, but frankly it's belt and suspenders stuff," Kaminsky said.

"People need more information to determine the appropriate action."

The lack of information is creating fear and speculation, Kaminsky said. Social networking site Twitter is rife with discussion on the breach, with some speculating that hackers could have accessed a database containing information that could compromise RSA's entire pool of two-factor tokens.

This worst-case scenario is dire, but not improbable, Kaminsky said. Such a database would link SecurID serial numbers to seeds, allowing the exact code a given token displays at any moment to be computed. It would also tie serial numbers to the organisations using them.

RSA would not be stupid for holding such a database, according to Kaminsky, because it would be essential to allow SecurID to scale to tens of millions of users.

"There are possible exposures that exist because [RSA] had to engineer a solution to scale," Kaminsky said.
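To make concrete why a serial-to-seed table is so sensitive, here is an added example that is not from the article or from RSA. It uses the public RFC 6238 TOTP algorithm as a stand-in (SecurID's own algorithm is proprietary and differs) to show that a time-synchronous code is a pure function of the shared seed and the clock, so the verifying server and anyone else holding the seed compute the identical value for the same time step. The serial number and the serial-to-seed table are constructed; the seed is the RFC 6238 test vector.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step, the RFC 6238 default

# Constructed: in a scaled deployment the verifier keeps a table mapping each
# token's serial number to its seed. The serial below is hypothetical; the seed
# is the RFC 6238 reference test seed.
TOKEN_SEEDS = {
    "000123456789": b"12345678901234567890",
}


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    Nothing beyond the seed and the time goes in, so any party holding the
    seed computes the same code the token is showing."""
    return hotp(seed, unix_time // step, digits)


def verify(serial: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: look up the seed by serial and accept the code if it
    matches the current step or a neighbouring one (clock-drift tolerance)."""
    seed = TOKEN_SEEDS.get(serial)
    if seed is None:
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(seed, unix_time + delta * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    seed = TOKEN_SEEDS["000123456789"]
    # The code the token would display right now, reproduced from the seed table alone.
    print("current code for serial 000123456789:", totp(seed, now))
    print("verifier accepts it:", verify("000123456789", totp(seed, now), now))
```

The point of the example is the shape of `totp`: its only secret input is the seed. A verifier must hold that seed to check codes, so a copy of the verifier's table is equivalent to a copy of every token in it, which is the exposure Kaminsky describes.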

Kaminsky praised the company for announcing the breach, but said that although the notification process is a balancing act in terms of the degree of disclosure, RSA should have said how severe the breach was. "What's the differential? What can an attacker do today that they could not do yesterday? That's what we don't know."

Kaminsky advised administrators to monitor external-facing interfaces for unusual use of SecurID, determine the origin of any suspect activity, and correlate services to authentication mechanisms.
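As an added illustration of the monitoring Kaminsky describes (not code from the article), the following runs three checks over constructed authentication-gateway log lines: a token accepted from two different source addresses within a short window, a burst of failed token codes followed by a success, and a token accepted on a service not inventoried as token-protected (the service-to-mechanism correlation). The log format, service names, serial numbers and address ranges are all constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical gateway format:
# "<ISO time> service=<name> user=<id> serial=<token serial> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2011-03-18T08:00:01Z service=vpn user=alice serial=000123456789 src=203.0.113.10 result=ok
2011-03-18T08:01:15Z service=webmail user=bob serial=000123456790 src=203.0.113.11 result=ok
2011-03-18T08:02:00Z service=vpn user=alice serial=000123456789 src=198.51.100.7 result=ok
2011-03-18T08:03:10Z service=vpn user=carol serial=000123456791 src=198.51.100.9 result=fail
2011-03-18T08:03:12Z service=vpn user=carol serial=000123456791 src=198.51.100.9 result=fail
2011-03-18T08:03:14Z service=vpn user=carol serial=000123456791 src=198.51.100.9 result=fail
2011-03-18T08:03:16Z service=vpn user=carol serial=000123456791 src=198.51.100.9 result=fail
2011-03-18T08:03:18Z service=vpn user=carol serial=000123456791 src=198.51.100.9 result=ok
2011-03-18T09:00:00Z service=citrix user=dave serial=000123456792 src=203.0.113.12 result=ok
"""

# Constructed assumption: the inventory of services that are expected to sit behind tokens.
TOKEN_PROTECTED_SERVICES = {"vpn", "webmail"}
# Constructed assumption: source networks the organisation already knows.
KNOWN_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_alerts(records, travel_window=timedelta(minutes=10),
                fail_threshold=3, fail_window=timedelta(seconds=30)):
    """Return (kind, serial, detail) tuples for suspicious token activity."""
    alerts = []
    successes = defaultdict(list)  # serial -> [(time, src)]
    failures = defaultdict(list)   # serial -> [time]
    for r in sorted(records, key=lambda rec: rec["time"]):
        # Correlate service to mechanism: a token used on an uninventoried service.
        if r["service"] not in TOKEN_PROTECTED_SERVICES:
            alerts.append(("unexpected-service", r["serial"], r["service"]))
        src = ipaddress.ip_address(r["src"])
        if r["result"] == "ok":
            # Determine origin: a success from a network not on the known list.
            if not any(src in net for net in KNOWN_SOURCE_NETS):
                alerts.append(("unknown-origin", r["serial"], r["src"]))
            # Same token accepted from two different sources inside the window.
            for prev_time, prev_src in successes[r["serial"]]:
                if prev_src != r["src"] and r["time"] - prev_time <= travel_window:
                    alerts.append(("token-reuse-from-two-sources", r["serial"],
                                   f"{prev_src} then {r['src']}"))
                    break
            successes[r["serial"]].append((r["time"], r["src"]))
            # A success right after a run of failures for the same token.
            recent = [t for t in failures[r["serial"]] if r["time"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append(("success-after-failure-burst", r["serial"], str(len(recent))))
        else:
            failures[r["serial"]].append(r["time"])
            recent = [t for t in failures[r["serial"]] if r["time"] - t <= fail_window]
            if len(recent) == fail_threshold:  # fire once when the threshold is crossed
                alerts.append(("failure-burst", r["serial"], r["src"]))
    return alerts


if __name__ == "__main__":
    for kind, serial, detail in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{kind:32} serial={serial} {detail}")
```

The thresholds and windows are deliberately simple constants; in practice they would be tuned against the organisation's own baseline, and the "known networks" list is what makes the origin check meaningful at all.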

IBRS security analyst James Turner said the company could face serious revenue problems if SecurID is badly compromised.

"This is the time when governments are looking to spend on security and it's a bad time for this to happen," he said. SecurID is said to provide the lion's share of RSA's revenues.

Turner added, "These RSA guys are smart, they're no slouches, so this underscores the point that if they can get hacked, really anyone can."

RSA Australia declined to comment on the matter.
