RSA has been hacked.
March 17, 2011 8:27 PM   Subscribe

I've been wondering about this statement.. is "Advanced Persistent Threat" basically a codeword for China?

See also the SEC 8-K that RSA (EMC) filed.
posted by Nelson at 8:32 PM on March 17, 2011 [1 favorite]

Advanced Persistent Threat (APT)
posted by stbalbach at 8:36 PM on March 17, 2011 [2 favorites]

This is apropos of nothing, but my employer uses an RSA SecurId key that's generated on my Blackberry, which is SO ANNOYING. If I lose my BB, it's out of juice, broken, etc. I can't get my away from work--unless I make a call to our IT department and promise that I'm me. It's just a waste of time. Boo to you, RSA SecurID!
posted by Admiral Haddock at 8:38 PM on March 17, 2011 [2 favorites]

Does anyone with sufficient technical chops know how this will affect the two-factor authentication model that some folks use for remote access? Will it require new hardware, that sort of thing?
posted by Blazecock Pileon at 8:40 PM on March 17, 2011

Is it typical to file an 8k after being hacked?

I don't think this will require new fobs, AFAIK they use AES an algorithm that has been out in the open for a long time, and as stated above there are software implementations of secureID.

As for the setup, each fob comes with a seed that is keyed into the server, if you got the seeds could you replicate the token that the fob pumps out could you not? But how could you possible match them up to a user?
posted by Ad hominem at 8:45 PM on March 17, 2011

Oh great. This means Anonymous can read my e-mail now, doesn't it? I'm kidding - right?
posted by Salvor Hardin at 8:46 PM on March 17, 2011

Are WoW authenticators safe?
posted by furiousxgeorge at 8:47 PM on March 17, 2011 [3 favorites]

One early analysis of the situation.
RSA files Form 8-K with SEC.
posted by scalefree at 8:47 PM on March 17, 2011

Well. This is going to make part of my life really crappy.
posted by bonehead at 8:48 PM on March 17, 2011

This week is sure making me wish we didn't live in such interesting times.
posted by ChrisHartley at 8:50 PM on March 17, 2011 [3 favorites]

Primer: How to create an APT.
posted by scalefree at 8:55 PM on March 17, 2011 [2 favorites]

Dumb question -- is RSA, the company, related to RSA, the algorithm?
posted by escabeche at 8:58 PM on March 17, 2011

Dumb question -- is RSA, the company, related to RSA, the algorithm?

Yes. They own it.
posted by scalefree at 9:00 PM on March 17, 2011

Yes the company was founded by Rivest,Shamir and Adleman who first published the algorithm.
posted by Ad hominem at 9:02 PM on March 17, 2011 [1 favorite]

I wondered why my fob has been 8008135 all day.
posted by Big_B at 9:05 PM on March 17, 2011 [54 favorites]

This sounds much worse than the Japanese nuclear reactors, are SecurID fobs all compromised?
posted by nmr8 at 9:06 PM on March 17, 2011

My dad's firm has been using RSA fobs since I was 11. I just used this news to score big brownie points. Thank you metafilter.

I wondered why my fob has been 8008135 all day.

You are a victim of the future. And the future has marvelous boobs.
posted by thsmchnekllsfascists at 9:11 PM on March 17, 2011 [1 favorite]

Goddamn grocers apostrophe. This is what I get for commenting on St. Patricks. Ugh.
posted by thsmchnekllsfascists at 9:12 PM on March 17, 2011

Well doesn't look like I'll be able to remote into work anytime soon!
posted by SirOmega at 9:13 PM on March 17, 2011

are SecurID fobs all compromised?

No.
posted by Threeway Handshake at 9:15 PM on March 17, 2011

They don't mention how long this may have been going on.
posted by fshgrl at 9:26 PM on March 17, 2011

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

Maybe not directly compromised, but I'll bet we don't have our fobs for much longer.
posted by bonehead at 9:30 PM on March 17, 2011

I've always found it funny that SecurID fobs are a crucial, and 100% non-negotiable security element inside the corporate world, and virtually nonexistent outside of it.

I mean, really. No sane person is going to risk getting caught and being brought up on federal charges by hacking into my timecard. (I'm sure our competitors are dying to know that I worked 37 minutes of overtime yesterday. Oops! Our secret is out!)
posted by schmod at 9:31 PM on March 17, 2011

So, no MeFi fobs anytime soon?
posted by vidur at 9:35 PM on March 17, 2011

Not sure what your industry is, schmod, but at my company I have direct access to all kinds of highly sensitive operational data for major airlines in every continent (minus Antarctica) that I'm sure lots of nefarious folks would love to get their hands on. Having to log in with an RSA fob seems like a reasonable precaution. We also have to have boot-level encryption on our work laptops.
posted by jnrussell at 9:35 PM on March 17, 2011

I've always found it funny that SecurID fobs are a crucial, and 100% non-negotiable security element inside the corporate world, and virtually nonexistent outside of it.

I mean, really. No sane person is going to risk getting caught and being brought up on federal charges by hacking into my timecard. (I'm sure our competitors are dying to know that I worked 37 minutes of overtime yesterday. Oops! Our secret is out!)

The data I work with is fairly dull, but still subject to our Privacy Act. The Act provides for penalties for the company, but also for me, personally, if someone happens to find out Joe Bloggs' post-code and account balance and it's my fault. Would your scenario change if you were risking a fine by not taking sufficient precautions to protect your overtime accrual?

(As a result of all this I have one of these fobs, even though I have never felt the urge to work from home, and I think (and hope) it's been deactivated by IT)
posted by pompomtom at 9:42 PM on March 17, 2011

They should have used PGP.
posted by zippy at 9:46 PM on March 17, 2011 [2 favorites]

schmod writes "I mean, really. No sane person is going to risk getting caught and being brought up on federal charges by hacking into my timecard. (I'm sure our competitors are dying to know that I worked 37 minutes of overtime yesterday. Oops! Our secret is out!)"

It's easier to secure everything than to constantly be making decisions on what to secure. Plus it is easier to communicate to employees.

Also you can mine quite a bit of information from employee hours like the hypothetical pizza boy always knowing when a early morning raid was going to take place from the volume of pizzas ordered by the SWAT team.
posted by Mitheral at 9:54 PM on March 17, 2011 [1 favorite]

One possibility, said Whitfield Diffie, a computer security specialist who was an inventor of cryptographic systems now widely used in electronic commerce, is that a “master key” — a large secret number used as part of the encryption algorithm — might have been stolen.

I don't know much about crypto, so it surprises me that one constant would be used in part to generate all of the keys. Or am I misreading this? I figured hashing with constants was the domain of light security schemes, a la OAuth, and that RSA-level stuff had figured out a way around that.
posted by ignignokt at 9:58 PM on March 17, 2011

I wonder if they sell fobs to Iran.
posted by five fresh fish at 9:59 PM on March 17, 2011 [1 favorite]

Whitfield Diffie, the co-inventor of of Diffie-Hellman key exchange said that? Well I don't know what to think, a private key used to generate the seeds? There is for sure no secret number embedded in the algorithm.
posted by Ad hominem at 10:17 PM on March 17, 2011 [2 favorites]

To generate the psudo-random number the appears on a fob you need two inputs. 1) a seed. 2) the time.

If you can establish how seeds are generated you can establish a list of all possible seeds, you can then calculate what psudo-random number that will appear at any given time.

That is probably massively simplified or even outright wrong but the initial generation of the seeds seems like the weak link.
posted by Ad hominem at 10:40 PM on March 17, 2011

Sorry, what a mess, you can establish all possible psudo-random numbers that can appear at any given time.
posted by Ad hominem at 10:43 PM on March 17, 2011

I use an RSA fob for my ebay & paypal accounts, but there is also a password element.
posted by BrotherCaine at 11:08 PM on March 17, 2011

Bizarrely, the law firm I work for switched away from SecurID to some non-fob system a couple of weeks ago. I was already pumped about not constantly fearing I'd lose the stupid little fob, but if this also avoids some departmental panic over data security, it practically qualifies as a coup.
posted by Copronymus at 11:19 PM on March 17, 2011

Nice work on the 8-K: "Our company's main cash cow just had all its internal organs removed by Chinese hackers. We do not expect this to impact future profits."
posted by benzenedream at 11:44 PM on March 17, 2011 [5 favorites]

about the ever growing list of sites that will only accept a facebook account login...
posted by Fupped Duck at 11:46 PM on March 17, 2011

A SecurId token has three things in it: A seed value, a clock, and the algorithm. The algorithm takes the first two and calculates the six or eight digit number you see. The server verifies that number because it knows the seed value and compares what it thinks should be the current number with what's submitted. Given a configurable window of numbers to account for clock drift in the token, it's secure as long as the seed value for any particular token is secure.

I'm purely speculating here--I used to work for RSA, but with their ClearTrust product, not SecurId, and I haven't worked there in five years, so this is knowledgable spitballing. I know how SecurId works, but I have no more knowledge of what happened here than any of you.

RSA has to keep those seed values in order to distribute them to the customer who buys a block of tokens. If you stole those seed numbers, then, if you got hold of a token (or knew the serial number on a target's token), you could theoretically impersonate the person to whom the token is assigned. SecurId usually requires a PIN to accompany the submission of the number, but that's likely not hard to discover. The algorithm is publicly known--it's in the patent papers on file, and several years ago Art released those patents to allow the algorithm to be used generally.

If a block of records of seed values was compromised, then the security of the architecture is still sound, but the tokens accompanying those seed values are compromised. All you would need as a customer of RSA is a bunch of new tokens, then, so if it was seed values stolen, then RSA is likely looking at a widespread recall of tokens.
posted by fatbird at 11:54 PM on March 17, 2011 [9 favorites]

One possibility, said Whitfield Diffie, a computer security specialist who was an inventor of cryptographic systems now widely used in electronic commerce, is that a “master key” — a large secret number used as part of the encryption algorithm — might have been stolen.

I'm 99% sure this isn't it. It's basic to encryption since WWII that no part of the algorithm is secret, that the security of something encrypted with the algorithm rests entirely with the key--or the seed value, in this case.

Ad Hominem's suggestion of brute forcing the token by working through the possible seed values isn't very plausible--the server has basic throttling controls just to handle this, and that's the only way you'd be able to test your keyspace, against a production server.
posted by fatbird at 12:00 AM on March 18, 2011

A SecurId token has three things in it: A seed value, a clock, and the algorithm.

And a serial number printed on the back. It's my understanding they keep a database of serials & seeds, possibly indexed to the enterprise that bought them. That might be what's been compromised.
posted by scalefree at 12:08 AM on March 18, 2011 [2 favorites]

You're correct, scalefree. To be practical, it's not the seed values you need, it's the mapping of seeds to serial numbers. And RSA does keep such a database. When a company buys SecurId, they get cases of tokens and a CD with the mapping so they can run the server. I'm pretty sure they track serials to enterprises, too.

If this is what happened (and, to remind you, there's no word yet that this is what happened--it just seems like the only valuable thing to steal from RSA), then RSA would right now be determining the extent of the compromise and contacting all those customers, and the phone call would likely start "we're shipping you brand new tokens--please apologize to your IT department for the all-nighters they're going to pull next week".
posted by fatbird at 12:13 AM on March 18, 2011 [2 favorites]

I can't get my away from work--unless I make a call to our IT department and promise that I'm me.

Stupid, unless it's a very small company and everyone knows each other's voice very well. Solution: use video chat.
posted by ryanrs at 1:44 AM on March 18, 2011

furiousxgeorge: WoW authenticators (the physical token variety, not the phone software kind) are manufactured by Vasco, not RSA I believe.
posted by edd at 2:29 AM on March 18, 2011

The fob that I got from PayPal many moons ago also has a Vasco imprint, and a Verisign silkscreened on the front. Should I be concerned?
posted by Wild_Eep at 4:50 AM on March 18, 2011

Wow, so RSA kept the seeds of everyone who bought their solution? That seems quite...single-point-of-failure-ish.
posted by ymgve at 4:57 AM on March 18, 2011 [1 favorite]

Wild_Eep/edd: Vasco/Verisign authenticators are an entirely different company and (if I recall correctly, because I'm not awake enough to go confirm) an entirely different technology. They are transaction-based authenticators (in which a set of authentication codes are generated in sequence, but a new code is only generated when you press a button) as opposed to SecurID, which is a time-based authenticator, where each code is generated as time passes, whether you're going to use that code or not. Transaction-based systems have their own set of issues, security-wise, but will not be affected by this particular issue.

This is probably going to make my life suck for a while, especially if fixing it involves upgrading SecurID servers or distributing a bunch of new tokens.
posted by jferg at 5:25 AM on March 18, 2011 [1 favorite]

Is this why the co-op bank my law firm uses stopped using SecureID tokens last month?
posted by subdee at 5:30 AM on March 18, 2011

The RSA SecurID (soft) tokens and servers all have the public key corresponding to the above mentioned "master" signing key burned into them. They have this public key so they can ensure that the seed file you pay $10-$25 (more for physical tokens, natch) came from them.

The actual seed for a token is a random number. The "master key" is the secret sauce that ensures you can only buy random numbers from RSA. When they started pushing soft tokens, this became essential to the scheme.

Stealing that key would be interesting, but for some fairly convoluted reasons.
posted by graftole at 5:38 AM on March 18, 2011 [2 favorites]

Is everyone forgetting what TWO factor means? Surely people aren't replacing one factor of authentication (i.e., username and password) with just a fob. That would be silly. As long as you're actually using two factors, even a compromised fob shouldn't lead to compromised data.

Replace your fobs with new ones programmed after the attack is resolved. The algorithm and process aren't secrets.
posted by odinsdream at 5:46 AM on March 18, 2011

If RSA does have to make good and resupply their customers with new physical tokens, it will be entertaining to see the financial disclosure and derive the actual cost-per-token+distribution for RSA.

If you're using soft tokens, you've already demonstrated that you don't care about security, and the punishment in this case is you don't get to enjoy schadenfreude. Their cost to regen "seed files" for you will be very close to $0.
posted by graftole at 5:47 AM on March 18, 2011 [2 favorites]

jferg: The WoW authenticators made by Vasco are based on an internal clock + seed. They don't lose sync if you push the button and don't use the code for example.
posted by edd at 5:49 AM on March 18, 2011

So, no MeFi fobs anytime soon?

That's MeFi Foe Fobs.

more for physical tokens, natch

Well, you can use the physical tokens to open beer bottles. So they *are* worth more.
posted by eriko at 5:51 AM on March 18, 2011 [3 favorites]

Anyone enjoying the new web interface for administration?
posted by LD Feral at 5:58 AM on March 18, 2011 [1 favorite]

I've always found it funny that SecurID fobs are a crucial, and 100% non-negotiable security element inside the corporate world, and virtually nonexistent outside of it.

Most companies I've worked with use the tokens for VPN access. In some cases this is pretty scary, since they don't have much in the way of security inside the VPN — the token represents their 'castle walls' and that's it, no defense in depth or anything. I've very rarely seen it used just for websites, although I guess maybe some people just use it everywhere (need to justify the expense somehow!).

Is this why the co-op bank my law firm uses stopped using SecureID tokens last month?

That probably has more to do with the fact that the tokens are stupid expensive for what they are, and you can get 90% of the security benefit for a fraction of the cost by using other means like paper gridcards or one-time-passwords. People are slowly starting to figure this out, and I've seen more alternatives to SecurID popping up in the past year or so.
posted by Kadin2048 at 6:16 AM on March 18, 2011 [1 favorite]

How this thread reads to Horace Rumpole:

Fob fob fob, fob fob fob fob fob-fob. Fob fob fob fob? Fob!
posted by Horace Rumpole at 6:19 AM on March 18, 2011 [7 favorites]

I mean, really. No sane person is going to risk getting caught and being brought up on federal charges by hacking into my timecard.

I'll bet you have more data access than your timecard.

The problem with people is they are *lousy* with passwords. Just utterly lousy. Two factor helps fix that by accepting that humans are lousy with passwords and using them, at best, as a secondary protection.

So, by having two factor, you can accept that a number of the passwords are going to be password01, because you have to also have the matching 2nd factor -- in the case of SecureID, it's a psuedorandom number generated every 20 seconds.

The "bingo" in this attack is if the bad guy has figured out how the seeds are generated. The number is a function with effectively two inputs -- a seed, and time. In fact, the funciton has one seed, and is iterated a number of times -- f^on(x).

The function itself on a the tokens is provably strong -- someone upthread mentioned AES was used, I honestly don't know, but there are plenty of functions that work, and more importantly, knowing the function won't help you guess the next number in the sequence^*.

The theoretical issue here: The compromise at RSA may help an attacker figure out the seed of a given SecureID implementation. That's the x in f^on(x). With a fob, figuring out n is much less difficult. Clever attackers might be able to read the clock off the fob, which would give them n directly, or just generate a long string of numbers and wait for the key to generate three of them in a row. With both n and x, x in f^on(x) is trivial to generate, and that factor of ID is broken.

Leaving you with a pin, which is probably 1234.

If this has actually happened, it's a big deal. The "master key" is probably the input of a function that generates seeds, and it's probably part of a public/private key, so that the fobs can verify that the seed is "valid" -- that is, that you bought your fob from RSA. If that's compromised, to re-secure the system (and protect the revenue stream) you'd need to create a new master key, keeping the private half private^*, get the new public key onto all the fobs and software fobs, then regenerate and distribute new seeds.

That's a massive undertaking.

* Fundamental rule of cryptography: Trust no system that needs secrecy of anything but the key. The entire function, if known to the attacker, must not all help in deriving the plaintext without a key.

* One problem with public/private keying systems is that if the private key is exposed, *everything* that was encrypted with the public key is now trivial to read.
posted by eriko at 6:24 AM on March 18, 2011 [4 favorites]

If RSA's signing key was breached, the damage is not to the security of their customers, but to RSA's business of selling random numbers for an upwards of $12/year to customers.
posted by graftole at 6:36 AM on March 18, 2011 [1 favorite]

I've always found it funny that SecurID fobs are a crucial, and 100% non-negotiable security element inside the corporate world, and virtually nonexistent outside of it.

Most companies I've worked with use the tokens for VPN access. In some cases this is pretty scary, since they don't have much in the way of security inside the VPN — the token represents their 'castle walls' and that's it, no defense in depth or anything. I've very rarely seen it used just for websites, although I guess maybe some people just use it everywhere (need to justify the expense somehow!).

I think that's it, mostly. The RSA sales force goes out and says "this is unbreakable, nobody ever got fired for buying these, nobody has ever had a failure, and it's only $12 a year per user!" That is the kind of thing institutional buyers love. Add in an 800 number that their employees can use to call RSA directly when they have a problem, and the deal is done.

And lazy policy people who assumed that RSA-cards were the only security they'd ever need.

And they would have gotten away with it too, if their own shit was as secure.

It seems like there would be a way to make these things one-way so that RSA isn't holding onto useful information that can harm clients.

(As a cynic, I'm sure they thought of that, but their clients didn't like it and wanted the ability to be able to call RSA for [the equivalent of] forgotten passwords.)
posted by gjc at 6:52 AM on March 18, 2011 [1 favorite]

[Firewalls give corporate networks] a hard, crunchy outside with a soft chewy center.
- RFC1636 Report of IAB Workshop on Security, Feb 1998.

It looks like the attack may not have gotten the seeds (which would probably lead to an immediate compromise due to the number of bozos people who use "1234" as their pin), but more likely the algorithm that RSA uses internally to generate the seeds. If you can reduce the number of possible seed values, then a brute force attack becomes much more feasible. Rate limiting will help, of course, but a bad guy and a distributed attack (as would be run from a botnet or by a nation state) is more likely to be the problem.

In this context, it certainly looks as though "Advanced Persistent Threat" is a codeword for China. The description certainly reads like the attack against google last year. If I ran one of the big certificate authorities, I definitely schedule a careful extra-special security review on top of the ones I'm already doing- theft of the root certs would be similarly valuable to the bad guys.
posted by jenkinsEar at 7:05 AM on March 18, 2011

Another big reason for 2-factor auth on VPN is PCI (8.3 requires it for all remote network access, not really just the cardholder environment). Additionally it's a very common contractual requirement for anyone dealing with any financial institution or other highly regulated industry. It's one of the first things you look for when doing an security assessment of a third party.

In addition to the obvious strengthening to authentication, an intelligent deployment of 2-factor auth eliminates the risk of some random user on the internet being able to lock out (just fail authentication 3 or 5 times) your CEO or admin's account over the internet.

This *should* help RSA's competitors in the 2-factor space (Cryptocard is one) but the RSA infrastructure is so deeply integrated to high-visibility portions of corporate networks that the cost of replacement would be staggering. RSA has really benefited from the perception that they're the only game in town, many IT departments aren't aware of the competition to check it out.

Google has recently rolled out their own 2-factor auth system for Gmail, etc. It remains to be seen if corporate auditors will accept this (outsourcing to Google has major question marks around privacy, retention, and discoverability).

RSA has a couple conference calls today on this issue.
posted by These Premises Are Alarmed at 7:13 AM on March 18, 2011 [1 favorite]

Oh, and yes, "APT" is absolutely just another way of saying "China".
posted by These Premises Are Alarmed at 7:18 AM on March 18, 2011 [1 favorite]

* One problem with public/private keying systems is that if the private key is exposed, *everything* that was encrypted with the public key is now trivial to read.

I'm not a cryptography/math person, but isn't there a way to get around that problem? An extra factor of randomness or something?

Also, I thought that was the point of public/private keying. The public key is supposed to let you see everything created with the private key. And vice versa. I thought it was meant to be two-way?
posted by gjc at 7:19 AM on March 18, 2011

Oh, and you know, I was up in Hopkinton at EMC on other business on Wednesday, and was surprised by 1) the number of NJ/MD/VA plates and 2) how busy the Marathon bar was at 4:45p. Hm.
posted by These Premises Are Alarmed at 7:20 AM on March 18, 2011

By the way, in terms of competitors, we've been very pleased with DUO Security which was recommended by someone here a couple months ago. They're a smaller company, but the product is really easy and it integrates into any web-app, and most of the popular VPN concentrators.
posted by odinsdream at 7:22 AM on March 18, 2011

And (promise I'll shut up now) what's so interesting is how this came out in an SEC filing. Yes, this could totally clobber RSA's bottom line (I don't think they'll lose many customers over it, but they'll have to give major makeup sex pricing breaks which is something you never get from EMC). Breach disclosure laws are still weird and fractured in the US (we learn about many data breaches from the New Hampshire AG!).
posted by These Premises Are Alarmed at 7:25 AM on March 18, 2011

edd: Ah - I stand corrected. It's been a while since I've closely followed that space.
posted by jferg at 7:28 AM on March 18, 2011

In addition to the obvious strengthening to authentication, an intelligent deployment of 2-factor auth eliminates the risk of some random user on the internet being able to lock out (just fail authentication 3 or 5 times) your CEO or admin's account over the internet.

People are still doing things like that?

Maybe I'm misunderestimating what two-factor authentication is. I thought it was two separate username/password combinations. Like a separate u/pass combo to get into the VPN before you ever get to be able to try to log into the domain and lock out the admin. For example. Shouldn't admin accounts always be protected from external brute-force, brute-annoyance vectors?

Are people just making people have two passwords for an account, one is a password, and the other is the magic number on the keyfob? WTF good is that?
posted by gjc at 7:30 AM on March 18, 2011

These Premises Are Alarmed: No further information is being given in the RSA conference calls - I was on the 9am ET call this morning - it's effectively a reading of Art Coviello's letter, and a reiteration of "implement SecurID according to best practices". It was over in 12 minutes.
posted by jferg at 7:31 AM on March 18, 2011

gjc: 2-factor auth means requiring two different bits of evidence that you are who you are asserting to be. Typically, it's a password and a one-time key (like RSA provides), but other factors like biometrics or proximity cards are common too.

External lock-outs still do happen. Absolutely you shouldn't be able to log in as an admin from the outside, but what about all your helpdesk team? And more importantly, what about your CEO's account? A smart two-factor system validates the code from the token before checking against your account credential store.

There are valid arguments that using two separate username/password combos doesn't do much to improve security. Your users are either going to be more likely to forget the passwords and write them down, or just use the same password in multiple credential stores. You now have two areas you have to protect. Some folks make the argument that you should put all your eggs in one basket ... and really scrutinize that basket.
posted by These Premises Are Alarmed at 7:39 AM on March 18, 2011

The way RSA is being so tight-lipped (still), it almost seems like their automated seed-file signing system did get nailed.

If so, amusing...but more of a concern to RSA than customers.

I find the speculation about how seeds work a little disturbing. RSA engineers will tell you exactly how the system works if you ask. Maybe not for a few weeks, they're probably busy, but still.

Or, you can rip the hood off your system and see for yourself. That's especially easy if you use (bleh) soft token software.
posted by graftole at 7:39 AM on March 18, 2011

Maybe I'm misunderestimating what two-factor authentication is. I thought it was two separate username/password combinations.

SecurID has three pieces for authentication:
Username
PIN
Token Code

The two factor part is the PIN+Token Code, which combines to form your "one-time password" when you log into something that is authenticated via SecurID. The PIN is an arbitrary password, and the token code is the code that is shown on the hardware keyfob or software token.
posted by Threeway Handshake at 7:40 AM on March 18, 2011

gjc: Maybe I'm misunderestimating what two-factor authentication is.

My understanding is that two-factor authentication is usually "something owned and something known". At the bank machine, your ATM card is physically present and your PIN is known. For secureID, the pin is known, and the number sequence demonstrates that the FOB is physically present with you.

The idea of multiple logins has more to do with privilege escalation and usage roles, where additional authentication is useful to carry out privileged operations.

Are people just making people have two passwords for an account, one is a password, and the other is the magic number on the keyfob? WTF good is that?

Actually, it's three elements- username, fob number, and password. This is usually used for access; an access control list will usually be used to determine who's even allowed to log in to a higher level of privileges.

Some folks are talking about going to "three factor", which would include adding biometric data to the mix, but that is a bit challenging to get right in view of amputation or deformity, and may not be all that useful in a mobile / widely deployed situation.
posted by jenkinsEar at 7:44 AM on March 18, 2011

Thanks to the folks who confirmed my suspicion that APT implies China. It seems extraordinary to me that we have two separate incidents of major corporate espionage attributed to a foreign government. In the previous Google et al case, quite publically attributed to China. If we had Chinese mercenaries breaking into office buildings in New York to photograph documents and they were caught it would be an enormous international incident. Why not this? I guess the evidence isn't so physical.

I want to pimp my friends' startup in this thread: Duo Security. They're selling a new two factor implementation based on cell phones. Very smart security guys and if they can make TFA less of a pain in the ass to implement, I think they'll succeed. I'll also give a shoutout to Google's TFA implementation, it's good. The code to validate the codes is open source, btw, so it's possible to integrate their authentication into your own systems.
posted by Nelson at 7:49 AM on March 18, 2011 [1 favorite]

The most value to be extracted from this compromise would come if you are capable of intercepting and impersonating a server protected by SecureID. People login to your fake server, giving you 2 pieces of info that you didn't have before, the username and the password. You can then both pass-along the current connection, monitoring it for additional in-system authentications like "su -", and initiate your own connections later that would be under your full control.

If the attackers only gained access to the seed database, this is an attack on authentication, not encryption, so any communication that you weren't able to monitor initial key-exchange for, would still be secure.

I work for an SSH vendor that supports RSA's SecureID and have been hoping we would start supporting some other vendors' implementations. I suspect we'll have some customer demand for that now.
posted by nomisxid at 8:01 AM on March 18, 2011

I've always found it funny that SecurID fobs are a crucial, and 100% non-negotiable security element inside the corporate world, and virtually nonexistent outside of it.

At about $60.00 each, and requirements of a server administrator and that the fob is tied into one server I don't see how this could be used by the wider public.
posted by Gungho at 8:03 AM on March 18, 2011

Wow.

Usernames are not an authenticator. Biometrics are not an authenticator. They are identification.

The "two factor" authentication present in SecurID is your PIN, which is a shared secret between yourself and the Authentication Manager server and the token seed, which is a shared secret between the SecurID token (calculator) and the RSA Authentication Manager server.

People like to say "something you know / something you have" because it sounds better and is better marketing-wise than "Something you know and something a plastic calculator knows". In the end, the job of that plastic calculator is to verify that it knows it's secret without disclosing it to you or anyone listening in.

I'm a big fan of the plastic calculators, btw. My jeering at RSA is merely at how their carefully marketed revenue-generation can (potentially) fall apart with one attack.
posted by graftole at 8:03 AM on March 18, 2011

My speculation: RSA does not use a PRNG to generate seeds, instead relying on known-good sources of entropy to generate "truly" random seeds.

A database correlating seeds to SecurID serial numbers would be the key score, but I like graftole's idea about targeting the master signing key for soft tokens. I still haven't worked out how it helps an attacker to be able to spoof them, though. Maybe to generate enough ciphertext with known plaintext to guess a user's PIN?
posted by whuppy at 8:14 AM on March 18, 2011

Ohok. Duh. What nomisxid said: Spoof the server and the token et voila: Man in the middle.
posted by whuppy at 8:22 AM on March 18, 2011

People like to say "something you know / something you have" because it sounds better and is better marketing-wise than "Something you know and something a plastic calculator knows". In the end, the job of that plastic calculator is to verify that it knows it's secret without disclosing it to you or anyone listening in.

No, they say it because INFOSEC theory says there are 4 (used to be 3 until recently) categories or factors of authentication:

Something you know (password)

Something you have (key)

Something you are (biometrics)

Somewhere you are (geo-encryption*)

*Geo-encryption was independently invented at around the same time by Dr Dorothy Denning & Yours Truly, but she wrote it up & I didn't.

posted by scalefree at 8:35 AM on March 18, 2011

You're correct, scalefree. To be practical, it's not the seed values you need, it's the mapping of seeds to serial numbers. And RSA does keep such a database. When a company buys SecurId, they get cases of tokens and a CD with the mapping so they can run the server. I'm pretty sure they track serials to enterprises, too.

Are you seriously telling me that a security company kept all this information on a networked computer? How long will it take people to learn that the way you keep information secure is keeping it on a non-networked computer?! It's not that hard! If you need a little block of info to send via e-mail, you can transfer it via USB or something.
posted by stoneweaver at 8:38 AM on March 18, 2011

> Oh, and yes, "APT" is absolutely just another way of saying "China".

I love Bruce Sterling and China is certainly a plausible source for the attack, but that link doesn't constitute very convincing evidence.
posted by Estragon at 8:42 AM on March 18, 2011

Estragon, my point wasn't that the attacks are coming from China, as much as that when someone in the information security industry says "Advanced Persistent Threat", what they mean in "China". Actually, as I put it in an email to my boss this morning, I think for RSA to say "APT" is a cop-out, either they know the source or they don't.
posted by These Premises Are Alarmed at 8:53 AM on March 18, 2011

SecurID has three pieces for authentication:
Username
PIN
Token Code

Username isn't part of authentication. The point of authentication is to prove your assertion of ID, the username is the ID you are asserting.

Maybe I'm misunderestimating what two-factor authentication is. I thought it was two separate username/password combinations.

Two factor is two different mechanisms to authenticate. There are three classic classes:

1) Something you know (password, PIN, etc.)
2) Something you have (ID token, one-time passkey, etc.)
3) Something you are (biometrics.)

Actually, there is a fourth:

4) Someone who will vouch.

...but the discussion here is identifying yourself to a system, and Class #4 is someone else identifying you to a system.

Something you are is arguably a class of something you have, the difference being that devices in class #2 are easily replaceable and easy to steal, while devices in class #3 are tied to you in a non-trivial and non-replaceable way.

Two factor is using two classes. SecureID does this with classes #1 (PIN) and #2 (a token generating a number that changes constantly.) The door lock on my employer's datacenters uses classes #1(pin) and #3 (hand shape or fingerprint scanner) , and I have seen a case where you had to punch in a SecureID code and use a fingerprint for authentication, which would be #2 and #3.

And, yes, I've read about PIN/Token/Scanner three factor -- and in very secure areas, there's four factor -- PIN, Token, Scanner, then someone looks at you and verifies that you are you. This is actually pretty rare. It's not uncommon to have a dual-door mantrap, three factor, and then a guard looking into the mantrap, but that's to ensure that you're the only one in there, since everyone in there can enter when the door opens. But it does occur -- where your class #1-3 tokens get you into a foyer, then someone has to vouch that it is you to actually enter -- usually, in areas where words like "nuclear weapons" are involved.

Speaking of which, this applies to the Football -- the bag of launch codes that is kept near the President. Step one of authentication is that if anybody except the President attempts to open the bag, they're shot by the guy carrying the bag (Class #4).
posted by eriko at 8:56 AM on March 18, 2011 [1 favorite]

Step one of authentication is that if anybody except the President attempts to open the bag, they're shot by the guy carrying the bag (Class #4)

Ahhh one can dream.

"Where's Jim?"
"Oh, he tried to log on as Bob because he forgot his keyfob"
"Ouch, headshot?"
"Mozambique"
posted by fullerine at 9:09 AM on March 18, 2011 [1 favorite]

Jesus eriko where do you work?
posted by thsmchnekllsfascists at 9:10 AM on March 18, 2011

Speaking of which, this applies to the Football -- the bag of launch codes that is kept near the President. Step one of authentication is that if anybody except the President attempts to open the bag, they're shot by the guy carrying the bag (Class #4).

Well, in theory anyway. In practice, it's not so clear that's how it works.
posted by atbash at 9:36 AM on March 18, 2011

Jesus eriko where do you work?

Walmart
posted by banshee at 9:48 AM on March 18, 2011 [1 favorite]

every day at work i have to deal with an Advanced Persistent Douchebag.
posted by quonsar II: smock fishpants and the temple of foon at 9:49 AM on March 18, 2011 [1 favorite]

scalefree: The narrative of "know/have/are" (or adding "where") doesn't change the problem of identity assertion and proving said assertion. I am familiar with the mantra, and hats off to you for thinking of using location. Wagner, et al have come up with interesting methods for proving location. Perhaps you can share yours with me offline.

My comment above only really has the content of "Me like plastic calculator! Crappy software calculator bad!".

A friend shared some of his threat modeling on this situation, and his attack methods convince me that if someone actually acquired the seed/serial/customer database from RSA, they will be monetizing that very soon, perhaps especially if they went after it specifically and monetization is a secondary concern.

The accursed soft tokens will likely have a shorter window of exposure.
posted by graftole at 9:55 AM on March 18, 2011

Are you seriously telling me that a security company kept all this information on a networked computer? How long will it take people to learn that the way you keep information secure is keeping it on a non-networked computer?! It's not that hard! If you need a little block of info to send via e-mail, you can transfer it via USB or something.

No. As I said, I don't know what happened here, and I was speculating that what might have been stolen was the recorded seed values for a bunch of fobs; my speculation was based on asking "what would be valuable to steal from RSA?" I don't know the details of how RSA secures the seed records.

RSA hasn't said what was stolen, and neither has anyone else. RSA hasn't revealed what the vector was--it might have been an employee who copied a bunch of data off of a non-networked computer to a thumb drive.

From my time at RSA, I recall that security was generally pretty good. RSA certifies all employees as CISSP, so pretty much everyone in the company is a lot more security knowledgeable and aware than your average Fortune 500 bear.
posted by fatbird at 10:31 AM on March 18, 2011

A friend shared some of his threat modeling on this situation, and his attack methods convince me that if someone actually acquired the seed/serial/customer database from RSA, they will be monetizing that very soon, perhaps especially if they went after it specifically and monetization is a secondary concern.

Lets say you got the seeds. How exactly would you monetize that? You couldn't just sell new number blocks to companies (although that would be pretty funny). I suppose you could try to sell it on russian hacker boards. But in order to make any money, you'd need to have a ton of information in order to actually get in to any of the places.

The only way I see is if the RSA hack was just a stepping stone to get into some huge bank or something.
posted by delmoi at 10:58 AM on March 18, 2011

The seed files are the ones RSA has already sold to organizations. They would be valuable (in an extreme example) to someone who has been watching, say, a SecurID-protected FTP site and has collected usernames and PINs, but needs to find a working token to make it all come together.

Like you said, deimoi, a stepping stone. If one had *all* of the seed/serial/org database, someone going after one of RSA's thousands of clients might be willing to pay. It's the new economy and all: the person stealing your banking credentials is not necessarily the one draining your account.

On the Sinister Cyber^U Advanced Persistent Threat side, If I were just going after (for example) Northrup, General Dynamics, and Motorola, and nailed RSA to that end, I might want to spread the love around to mask my own attacks.

That is of course *if* any of that got compromised.
posted by graftole at 11:07 AM on March 18, 2011

graftole: They'd also have to be able to access the token serial number to username mapping, which is not held by RSA. So even if they did have username, pin/password, and seed record file, they would have to figure out how to map the entries in the seed file to site usernames.
posted by jferg at 11:12 AM on March 18, 2011

The geoencryption stuff is interesting, and if it worked would be a possible alternative to tokens/fobs in some use cases ... but I've read the paper and I'm still very suspicious of it. It seems like it relies much too hard (even moreso than SecurID) on tamper-resistant hardware to determine the user's location, and that it would be pretty trivial to feed false locations into it during a known-ciphertext attack. I don't know if there's a formal name for that sort of problem with a cryptosystem, but it seems like the same issue that cryptographic "time locks" have ... an attacker can just spoof the time since they control all the inputs into the system. (And if you don't assume that an attacker has control of all inputs into the system then it seems like a pretty weak-sauce analysis.)
posted by Kadin2048 at 11:17 AM on March 18, 2011

jferg: In the extreme example I mentioned where the attacker has everything but the token?

You try the right user(1) + PIN(1) with the code generated from token(x). Did it work? Great. That's user(1)'s token. Didn't work? Heck, try user(2) + PIN(2) with token(x). Did it work?...repeat until you win.

I suppose it all comes down to if you care *who* you break in as. I described the stealthy way that shouldn't lock accounts.

Hard tokens might make it more interesting. Depends on your clock.
posted by graftole at 11:21 AM on March 18, 2011

One thing that puzzles me is how surprised people are that this happened to RSA. They're just as vulnerable to all the issues that're used to compromise every other enterprise as everyone else. More than once I've used a SecurID ACE server as my foothold onto a network during a pentest, because they tend to use Solaris servers that come with all those lovely useless RPC services enabled by default which over the years have been a fruitful ground for remote root exploits. It's like installing a bank vault door over the main entrance & leaving a window wide open around the back. I'd be surprised if whatever was used to gain access involved any password use at all, let alone some kind of spoof of a SecurID.
posted by scalefree at 11:57 AM on March 18, 2011 [3 favorites]

Dang! I knew I was going to be late to the MeFi infosec party!

Anyway, I'd just like to nip this "APT = China" nonsense in the bud. We know almost nothing about this attack at the moment, and it is both irresponsible and damaging to imply that some foreign government commissioned this. Without evidence, it's just speculation. When Google was the victim of an APT, they provided some evidence and analysis of where the attacks were originating from, but I've yet to see reliable evidence of the same in this case. The fact that this is likely a targeted attack does not reveal much information about the attackers.

To paraphrase a tweet from Jacob Applebaum last night - the threats are rarely advanced, they're just persistent, as their target is also persistently vulnerable.
posted by antonymous at 1:23 PM on March 18, 2011

I was confusing two-factor authentication with the physical idea of layers or borders, I guess. Two factor as two completely different, unconnected barriers one must pass to get to the good stuff. Belt and suspenders as opposed to just a belt with two passwords.

I still think the little calculators are silly. It is a lot of theater for something that is just as likely to be under the keyboard or in a laptop bag with the PIN taped to it, as is the password alone. It solves man-in-the-middle, I guess, but how often does that actually happen? Especially if it CREATES a security hole that wouldn't exist without it.
posted by gjc at 6:28 PM on March 18, 2011

So we have no idea how bad this is. We really don't.

It could be as limited as a source code breach, in which case -- whatever, we didn't stop using Windows when its code was dropped.

It could be a complete leak linking all serial numbers with the "seeds" that each fob has -- meaning if you see a fob today, you can predict all numbers it will ever release tomorrow.

It could be the above, but describing which networks were using which serial numbers -- so you can actually figure out how to breach networks.

Or it could be no big deal, for any of a wide range of real world reasons.

RSA isn't giving anyone enough actionable intelligence to know what their exposure is. Put simply, we don't know what an attacker can do today, that they couldn't do yesterday, for which class of attacker, to which class of customer. There are 40M users of SecureID. Which users are vulnerable, to who? All of them? Some of them? None of them?

Nobody knows.

People are quite displeased. Apparently, a major customer call was literally just somebody reading the "Open Letter" verbatim.

This is not a good situation.
posted by effugas at 7:51 PM on March 18, 2011

Kadin2048,

Cost of GPS blockers and spoofers is collapsing.
posted by effugas at 8:03 PM on March 18, 2011

The "little calculators" are very valuable against a lot of casual threats. Man in the middle attacks happen in the real world, particularly their close cousins of sniffed wireless networks and stolen passwords. A second authentication mechanism means that a stolen username + password alone won't compromise your system. RSA fobs have been the tech of choice for two factor for awhile. We're seeing alternate keygens now in consumer oriented systems, like World of Warcraft accounts or Google accounts. It's not 100% protection, but it sure helps.

Unless a determined state actor compromises the RSA system, in which case your two factor authentication goes back to one factor. I agree with antonymous that we have no evidence who the actor against RSA is, and particular nothing yet has specifically pointed to China. But given recent history with Chinese agents hacking many major US Internet companies and given RSA's characterization of the nature of the attack, it seems a distinct possibility.
posted by Nelson at 8:06 PM on March 18, 2011

It could just as easily be Russian mafia or Israeli's spy agency. The RSA fobs are not attractive to only the Chinese. Every big power player wants that info.

Again, I ask whether Iran was using RSA fobs in their centrifuge sites. It would be prohibited trade, but the market works around such things. I imagine Iran's secret programs tend to use the best technologies. RSA fobs were considered top-notch.
posted by five fresh fish at 8:31 PM on March 18, 2011

I still think the little calculators are silly.

Know-all internet nerdism at its finest. "I don't know what the system is or how it works, but I think it's silly."

Is everyone forgetting what TWO factor means?

No, but everyone who spends any non-trivial portion of their life thinking about security knows that people choose terrible passwords. As with many of the other folks here, I'll cheerfully bet any number of outfits using these tokens relax their normal rules around complexity, rotation, and so on, secure in the (now provably misplaced) conviction that rubberhose mechanisms are the only way to crack them.
posted by rodgerd at 1:40 AM on March 19, 2011

Steve Bellovin speculates on the sorts of things that could have been compromised. Not very satisfying, but he is a beardy expert.
posted by Nelson at 3:48 PM on March 19, 2011

Nelson,

Anything could have been compromised. Nobody, not even Steve, knows what has been compromised.

The best analogy I've heard came from Vik Phatak, of NSS Labs. Basically, it's like the government announced there was poisoned water...somewhere. You could be super conservative, and stop drinking from any sources. You could ignore the warning, and face the consequences if it was in fact your water that was poisoned. Either way, if you were wrong, you'd pay the price for your error.
posted by effugas at 5:07 PM on March 19, 2011

And what if you replace RSA with some other system but introduce a new vulnerability in the process, either intrinsic to the new system or through a misconfiguration?
posted by scalefree at 9:51 PM on March 19, 2011

Sure, scalefree, but since RSA won't tell us the exact nature of the breach, who knows what the risk is? It tends to make me assume worst-case - especially since they seem to be saying, essentially, "PIN will keep you safe".

I am looking forward to chatting with the guy I deal with who's been on a Holy Crusade to replace Vasco in our organisation because they aren't the market leader.
posted by rodgerd at 11:10 AM on March 20, 2011

rodgerd--

If they literally just said: "An attacker with knowledge of PIN/password and a single secureid value could log in as a remote user", that'd be a world of difference. As is, I imagine that's going to be an entertaining conversation.
posted by effugas at 1:57 PM on March 20, 2011

NYT: Security Firm Is Vague on Its Compromised Devices.

“It’s a weird situation,” said Dan Kaminsky, an independent Internet security specialist. Referring to the Tokyo Electric Power Company, he said, “It’s like the Tepco situation in Japan, but here everyone is freaking out” and “nobody has Geiger counters.”
[...]
“I’m speculating, but I’m pretty confident that somebody has the root seed file,” said a former RSA employee, referring to the master file at the company, which is based in Bedford, Mass. He asked not to be identified because he still has a business relationship with the firm.

posted by scalefree at 4:26 PM on March 20, 2011

RSA Breach: Reactions Pour in, Many Questions Remain Unanswered Following SecurID Attack

I reached out to Kenneth Weiss, the original inventor of the SecurID technology for comment. Here’s what Weiss had to say: "The SecurID technology I designed and patented has never been breached in 25 years of use. This unfortunate breach of security at RSA speaks to the quality of their internal security not the security of the SecurID token. The possession of 40,000,000 random SecurID seeds is meaningless unless a subset can be associated with a particular one of 30,000 worldwide clients and then intern directly associated with a particular client user. Even if such identification were possible, an attacker would also have to know the particular user's PIN. This information is not stored on RSA computers." Kenneth Weiss is now CEO of Universal Secure Registry, a company that recently emerged from stealth mode.

posted by scalefree at 5:20 PM on March 20, 2011

scale--

Hi! I'm Dan.
posted by effugas at 6:55 PM on March 20, 2011

No, but everyone who spends any non-trivial portion of their life thinking about security knows that people choose terrible passwords. As with many of the other folks here, I'll cheerfully bet any number of outfits using these tokens relax their normal rules around complexity, rotation, and so on, secure in the (now provably misplaced) conviction that rubberhose mechanisms are the only way to crack them.

And I'd be the first to agree that relaxing password complexity policies because you added tokens would be stupid. It's back to one-factor authentication. I do actually spend a non-trivial portion of my life thinking about security, which is why we actually use two-factor authentication and mean it, rather than just replacing one factor with another more trendy factor.
posted by odinsdream at 7:17 PM on March 20, 2011

Hi! I'm Dan.

Yes, is why I posted that bit of the article.
posted by scalefree at 8:14 PM on March 20, 2011

Bruce Schneier weighs in. Again, all speculation. RSA really needs to tell its customers whether they're screwed or not.
posted by Nelson at 3:10 PM on March 21, 2011

RSA just sent out an updated release to their customers. It contains an FAQ section, which contains the following:

7. Have my SecurID token records been taken?

For the security of our customers, we are not releasing any additional information about what was taken. It is more important to understand all the critical components of the RSA SecurID solution.


To compromise any RSA SecurID deployment, the attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful attack, someone would need to have possession of all this information.

My personal feeling is that this is pretty telling. I think if the seed records were not compromised, they would have clearly stated, "your seed records are safe". They did not.
posted by jferg at 8:28 PM on March 21, 2011

That RSA statement is awful. Yeah, no shit you need multiple pieces of information controlled by the customers. The whole point of SecurID is that one of those pieces is generated by a secret. If the tokens are no longer secrets, they really need to say that.
posted by Nelson at 6:44 AM on March 22, 2011

If the tokens are no longer secrets, they really need to say that.

Perhaps they are contacting individual customers directly and don't want to spill the beans until they've replaced the insecure tokens?
posted by BrotherCaine at 11:58 PM on March 22, 2011

Only tangentially related, but the Tor Project just published a report on evidence that a certificate authority was compromised. Long story short: Chrome and Firefox pushed a patch to ignore a few specific certificates, the author traces it back and Comodo/usertrust.com admits they had a security breach with some unauthorized certificates being issued for "high value websites" including addons.mozilla.org.
posted by Nelson at 8:12 AM on March 23, 2011