Say Goodbye To RSA’s Fobs
Written by Frank Hayes

RSA will have to replace all its SecurID fobs in the wake of the security breach the company announced on March 17. Why? Because no one at RSA knows exactly what the thieves took.
Did the crooks grab source code that spells out SecurID’s secret hashing algorithm? You have to assume so. Did they get data on the seeds, which would allow a thief with the algorithm and lots of computing horsepower to duplicate any particular SecurID fob? Again, you have to assume so. And that’s enough to require replacing all SecurID fobs and starting over with new seeds.
But instead of trying to shore up the popular but aging SecurID system, there’s a better way for RSA to go: It could just publish the hashing algorithms and convert its SecurID users to mobile devices that could be updated on-the-fly at any time. That would eliminate all the advantage gained by the thieves who stole RSA’s secrets, while making things more secure for SecurID users.
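To make the seed-versus-algorithm point concrete, here is an added example that is not from the article and not RSA's code: SecurID's own algorithm and seed format are proprietary and are not reproduced. Instead it uses the public HMAC-based time-step construction from RFC 6238/4226, with the RFC's published test seed "12345678901234567890" so the output can be checked by hand. With the algorithm public, the seed is the only secret: anyone holding a stolen seed computes exactly what the fob displays, and the remedy the article describes (starting over with new seeds) works because codes derived from the old seed stop verifying once the server holds the new one. The replacement seed and the 30-second step are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values. SecurID's own algorithm and seed format are
# proprietary and are NOT reproduced here; this is the public RFC 6238/4226
# construction (HMAC-SHA1 over a time counter), using the RFC's published
# test seed so the codes below can be checked against the RFC tables.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # code lifetime assumed for the demo; hardware fobs commonly use 60 s
DIGITS = 6


def token_code(seed: bytes, unix_time: int,
               step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code the token displays at `unix_time`. Everything here is public
    except `seed`: whoever holds the seed can compute the same code."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed: bytes, unix_time: int, candidate: str, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    Uses a constant-time comparison so timing does not leak matching digits."""
    for delta in range(-window, window + 1):
        expected = token_code(seed, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def reseed(old_seed: bytes, new_seed: bytes, unix_time: int) -> dict:
    """Model of 'starting over with new seeds': once the server stores
    `new_seed`, codes computed from the compromised `old_seed` stop verifying."""
    stale_code = token_code(old_seed, unix_time)   # what a holder of the old seed computes
    return {
        "stale_code": stale_code,
        "accepted_before_reseed": verify(old_seed, unix_time, stale_code),
        "accepted_after_reseed": verify(new_seed, unix_time, stale_code),
    }


if __name__ == "__main__":
    # Hypothetical replacement seed, constructed for the demo.
    NEW_SEED = hashlib.sha1(b"fresh seed issued after the breach").digest()
    print(token_code(DEMO_SEED, 59))          # 287082 (RFC 4226 counter 1)
    print(reseed(DEMO_SEED, NEW_SEED, 59))
```

The design choice worth noticing is in `token_code`: there is no secret constant, no hidden transform, only `seed`. That is the property the article is arguing for. A published algorithm costs the defender nothing once the seeds are protected, and after a seed leak the only effective response is `reseed`, which a mutable software token can perform in the field while a sealed fob cannot.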
Right now, how secure those users are is debatable. RSA Executive Chairman Art Coviello announced that the break-in had been discovered, saying in an open letter to customers only that some of the information grabbed by the thieves “is specifically related to RSA’s SecurID two-factor authentication products.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello wrote. In plain English: As long as you still have good passwords, the bad guys still can’t get into your systems with the information they stole from us. By itself, though, SecurID is toast.
That’s not pleasant to hear, especially for retailers that may be using SecurID to help lock down customer data that falls under PCI. But RSA is being realistic in expecting the worst. And there’s every reason to believe RSA will be responsible by swapping out existing SecurID hardware and issuing new software.
That’s a start. But no company is immune from cyber attack, and it’s a small miracle that SecurID hadn’t already been compromised years ago. After all, SecurID started picking up momentum in 1996. It’s 15-year-old technology. Back then, even if the secret hashing algorithm and seeds had been stolen, only a huge amount of compute power could have let a thief make real use of the stolen goods.
A decade and a half later, it’s a different story.
March 27th, 2011 at 12:19 pm
Regarding the suggestion that fobs be updateable (or worse, be replaced by an app in a smartphone), you’re missing the greater security issue of trust that a sealed system provides.
If the secret seed can be replaced, then it can be replaced by a bad guy who knows what sequences his replacement seed will produce. If you have an extra-secret tamperproof key that protects the ability to inject a new seed, then that’s exactly as “trustworthy” as the seed itself needs to be, and the replacement process is simply an extra cost burden (plus a risk).
A smartphone app is much, much worse. How do you know you’re looking at the real RSA Token App? You might be looking at Bill’s Malware Trojan RSA App, or your real app might be infected with Brad’s RSA App-Sniffer App. An end user has no way of knowing if his phone is compromised.
A sealed tamperproof hard token, with only human readable air-gap access to its data, is still one of the most trustworthy designs available to put in the hands of the general population.