Here is what I think about the security breach at RSA:
First of all, since no details have been published about what was stolen, it would be wise to assume the worst. And the worst is that not only the algorithm for the calculations of the tokens was stolen, but also the users’ ids and corresponding seeds.
Each device (fob) has a unique seed hardcoded in it, so two different devices produce different six-digit tokens every minute (or half a minute, or whatever). So, it would be wise to assume that the attackers know which seed belongs to which device and which user has which device. So they can calculate the six-digit token for any fob whenever they need it, making the fob useless for secure logon.
Thus, each fob should be returned to RSA, and a new one should be given to each user. Now, we are talking about a lot of fobs here. Since this is next to impossible to achieve, RSA posted information about how to conduct transactions more securely, and also upgraded some of its procedures for getting new fobs to users. But these measures provide no mitigation whatsoever for the fobs that are already distributed. It would be wise to assume that the attackers can easily reconstruct every six-digit token for every fob at any moment of every day. So, none of RSA’s new measures provide any mitigation whatsoever for the data that was stolen.
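The point made above (the seed is the whole secret, and a fob whose seed has leaked can only be fixed by re-seeding, in practice by replacing it) can be shown with a small worked example. RSA's actual SecurID algorithm is proprietary and is not described on this page, so the example below is added here and uses the public HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1) as a stand-in; the seed table, the user table, the serial numbers and the function names are all constructed for the example and are not RSA's.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    The post says the fob rolls over every minute, so the default step is 60 s."""
    return hotp(seed, unix_time // step, digits)


# Constructed server-side records (not real data): serial -> seed, user -> serial.
# These are the two pieces of data the post says an attacker would need: the seed
# for a fob, and which user carries that fob.
SEED_DB = {
    "000123456789": b"seed-for-fob-123456789-EXAMPLE",
    "000987654321": b"seed-for-fob-987654321-EXAMPLE",
}
USER_DB = {"alice": "000123456789", "bob": "000987654321"}


def server_verify(user: str, code: str, unix_time: int, step: int = 60,
                  digits: int = 6, seed_db=SEED_DB, user_db=USER_DB) -> bool:
    """What the authentication server does: find the user's fob, find its seed,
    recompute the code for this time slot and compare in constant time.
    Nothing in this computation is secret except the seed itself."""
    serial = user_db.get(user)
    if serial is None or serial not in seed_db:
        return False
    expected = totp(seed_db[serial], unix_time, step, digits)
    return hmac.compare_digest(expected, code)


def reseed(serial: str, new_seed: bytes, seed_db=SEED_DB) -> None:
    """The only remedy for a leaked seed: give the fob a new seed (in practice,
    a replacement fob). The stolen record then no longer predicts its codes."""
    seed_db[serial] = new_seed


if __name__ == "__main__":
    now = 1_300_000_000  # constructed timestamp
    fob_code = totp(SEED_DB["000123456789"], now)  # what alice's fob displays
    print("fob shows", fob_code, "-> server accepts:", server_verify("alice", fob_code, now))
    # Anyone holding SEED_DB can run exactly the line above; that is the whole problem.
    reseed("000123456789", b"fresh-seed-EXAMPLE")
    print("after re-seeding, the old seed's code is accepted:",
          server_verify("alice", fob_code, now))
```

The `server_verify` function is deliberately the same computation the fob performs; that symmetry is why the post concludes that new transaction procedures cannot help a fob whose seed is already in someone else's hands, and why `reseed` (a new fob) is the only change that actually invalidates the stolen record.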
Now, something else.
Security experts all across the board characterize this breach as an advanced persistent threat (APT). Although I am not capable of even tying the shoelaces of most of these experts, I would not go so far as to call this breach an APT.
It was advanced, but not that advanced. And it was persistent, but not that persistent. First of all, what do we call persistent? OK, the attack occurred in stages. But these stages were ordinary textbook stages of any attack. And there was nothing persistent about the initial infiltration. The attackers just sent a phishing e-mail! Hardly advanced and hardly persistent. I remember an APT that occurred years ago at a US government facility. In that attack, the attackers performed a network port scan by sending one packet every two weeks. One network packet every two weeks! Now that is persistent! Sending a phishing e-mail isn’t. And exploiting unpatched vulnerabilities also isn’t advanced or persistent.
After the phishing e-mail, using reverse-connect mode (reverse shell), the RSA attackers connected to the initial compromised machine. Some people went as far as to characterize this attack as APT because of this fact alone. Come on! An attacker either produces a shell or a reverse shell. It all comes down to who listens for whom. A shell has the listening port residing on the attacked machine. A reverse shell has the listening port residing on the attacker’s machine. But they are both equally well-known attack methods of connecting the attacker’s machine with the attacked one, getting the attacked machine’s command prompt and remotely administering it. It is just that with the reverse shell method, the attacked machine initiates the connection, which is firewall-friendly. Normally, a firewall will block inbound connections to internal machines that it was not specifically instructed to allow. Nothing novel, advanced or persistent here. And the next phase, elevating their privileges, is also ordinary textbook procedure. After that, they got the data they wanted, transferred it to a compromised machine outside of RSA, and then deleted their traces from that compromised machine. By now I have certainly bored you, but I will say it again: Nothing advanced or persistent here.
One thing that annoys me, though, is that the attackers were able to elevate their privileges. They shouldn’t have. I mean, measures should have been in place to stop them or detect them. I mean, it is one thing to compromise a user’s unpatched machine and another to be able to perform successful attacks and successful privilege elevation into more secure areas of RSA. This is what upsets me the most, and what no one seems to point out. For me, the fact that they were able to successfully elevate their privileges *and* not get caught immediately suggests that there were more security issues with RSA’s network than easily misled users and unpatched client machines. Calling this attack an APT just might make those security issues a little easier to digest.
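Two of the points above, that a reverse shell is simply an outbound connection the attacked machine initiates, and that the stolen data was then pushed to a machine outside RSA, both describe traffic that leaves the network through the same firewall that would have blocked an inbound connection. That is exactly the traffic a detection measure "should have been in place" to look at. The example below is added here and is not RSA's code or anything from the post's sources: it runs two simple checks over a constructed flow log (an internal host connecting out on a port outside an assumed egress allowlist, and a flow whose outbound volume dwarfs its inbound volume). The log format, the internal ranges, the allowlist and the thresholds are all assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed sample flow log (not real RSA data). One flow per line:
# timestamp action proto src:port -> dst:port bytes_out=N bytes_in=N
SAMPLE_LOG = """\
2011-03-15T10:22:01Z ALLOW TCP 10.1.5.23:51234 -> 203.0.113.7:443 bytes_out=1200 bytes_in=54000
2011-03-15T10:23:17Z ALLOW TCP 10.1.5.23:51240 -> 203.0.113.7:4444 bytes_out=900 bytes_in=1500
2011-03-15T10:25:02Z ALLOW TCP 10.1.5.40:49152 -> 10.1.9.2:445 bytes_out=40000 bytes_in=9000
2011-03-15T11:02:44Z ALLOW UDP 10.1.5.23:52001 -> 203.0.113.9:53 bytes_out=80 bytes_in=200
2011-03-15T13:40:10Z ALLOW TCP 10.1.5.23:51302 -> 203.0.113.7:443 bytes_out=52000000 bytes_in=3000
"""

# Assumed policy: these ranges are "inside"; only these ports may be used for egress.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Assumed thresholds for the "large upload" check.
EXFIL_MIN_BYTES_OUT = 10_000_000   # at least 10 MB leaving
EXFIL_OUT_IN_RATIO = 10            # and more than 10x what came back

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+)$")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one flow-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "out", "in"):
        rec[key] = int(rec[key])
    return rec


def egress_findings(log_text: str):
    """Return a list of findings for internal -> external flows.

    Internal-to-internal flows are ignored: the post's point is about the
    connection that crosses the firewall in the outbound direction."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        # Check 1: an inside host reaching out on a port the egress policy does not allow.
        if rec["dport"] not in ALLOWED_EGRESS_PORTS:
            findings.append({"reason": "unexpected-egress-port", **rec})
        # Check 2: far more bytes leaving than returning on a single flow.
        if rec["out"] >= EXFIL_MIN_BYTES_OUT and rec["out"] > EXFIL_OUT_IN_RATIO * rec["in"]:
            findings.append({"reason": "possible-exfil", **rec})
    return findings


if __name__ == "__main__":
    for f in egress_findings(SAMPLE_LOG):
        print(f"{f['ts']} {f['reason']}: {f['src']} -> {f['dst']}:{f['dport']} "
              f"out={f['out']} in={f['in']}")
```

Neither check needs anything exotic: an egress allowlist and per-flow byte counters are what an ordinary perimeter already has. That is the author's complaint in a nutshell: the traffic pattern of a reverse shell followed by a bulk transfer outward is ordinary, and ordinary controls can see it.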
Update: June 2, 2011
If you’re using RSA’s SecurID technology, take (Lock)heed.
I have just read the blog entry titled “InsecureID: No more secrets?”.
So, now we know: The RSA attackers stole the algorithms, the keys and the seeds, but not the association of that data with individuals.
So, things are not as bad as they could have been, but they are almost as bad. The stolen data alone cannot be used to compromise security, but it can be used effectively in a staged operation. Case in point: the recent Lockheed-Martin attack.
The day the RSA systems got hacked, infrastructures that based their security on RSA’s two factor authentication suffered a cruel blow. Not an irrecoverable one, but a cruel one nonetheless. Lockheed-Martin should know. So should the rest of us.