RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.
SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing at that moment, and so can use the submitted number to confirm that the user is in possession of their token.
The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm and a seed value used to initialize the token; the token's clock supplies the only other input. Each token has a different seed, and it is this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless: the numbers can be calculated in just the same way that the authentication server calculates them.
This admission puts paid to RSA’s initial claims that the hack would not allow any “direct attack” on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.
As a result, SecurID offered no defense against the hackers that broke into RSA in March. For those hackers, SecurID was rendered equivalent to basic password authentication, with all the vulnerability to keyloggers and password reuse that entails.
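To make the mechanism described above concrete, here is an added example; it is not code from the article, from RSA or from any SecurID product. It uses the public RFC 6238 TOTP construction (HMAC-SHA1 over the current time step) as a stand-in for RSA's proprietary token algorithm, which it does not reproduce. The seed, the 12-digit serial, the seed database and the fixed timestamp are all constructed for the illustration. What it shows is the property the article relies on: the code is a deterministic function of seed and time, so whoever holds the seed-to-serial records computes exactly what the token displays, the server accepts it, and only the password factor is left.

```python
import hashlib
import hmac
import struct

# Constructed example seed (20 bytes). A real token's seed is unique per device
# and lives only inside the token and in the authentication server's seed store.
TOKEN_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # codes change about once a minute, as the article describes
DIGITS = 6

# Constructed seed database keyed by token serial: the server-side record the
# article says links each seed to a user's token. Serial number is invented.
SEED_DB = {"000123456789": TOKEN_SEED}


def otp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code per RFC 6238 (HMAC-SHA1, dynamic truncation).

    This is a public stand-in for the token's own algorithm. The point is that
    the output depends on nothing but (seed, time): no per-login randomness,
    no server challenge, so the seed alone reproduces every future code.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def server_verify(seed: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: recompute the code for the current step and its
    neighbours to tolerate clock drift between token and server. Note that the
    same window also widens what an attacker holding the seed can replay."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(otp_code(seed, unix_time + k * STEP_SECONDS), submitted):
            return True
    return False


def login(seed_db: dict, serial: str, password_ok: bool, submitted_code: str, unix_time: int) -> bool:
    """Two-factor decision: the password must check out AND the code must match
    the seed on file for the token assigned to this user."""
    return password_ok and server_verify(seed_db[serial], submitted_code, unix_time)


def attacker_with_stolen_seed(seed_db_dump: dict, serial: str, unix_time: int) -> str:
    """Anyone holding a copy of the seed-to-serial mapping computes the token's
    current code exactly; the hardware token adds nothing they do not have."""
    return otp_code(seed_db_dump[serial], unix_time)


if __name__ == "__main__":
    now = 1300000000  # fixed timestamp so the run is reproducible (constructed)
    genuine = otp_code(TOKEN_SEED, now)
    forged = attacker_with_stolen_seed(SEED_DB, "000123456789", now)
    print("token shows", genuine, "/ attacker computes", forged)
    print("server accepts forged code with a phished password:",
          login(SEED_DB, "000123456789", True, forged, now))
```

Run it and the forged code is identical to the genuine one, which is why the second factor collapses to a password once the seed records are out; a hardware token's seed is fixed at manufacture and cannot be rotated in place, so replacing the tokens is the only remedy.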
RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability was that doing so would have revealed to the hackers how to perform further attacks. RSA’s customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway, so failing to properly disclose the true nature of the attack served only to mislead RSA’s customers about the risks they faced.
RSA is working with other customers believed to have been attacked as a result of the SecurID compromise, though it has not named any. Defense contractors Northrop Grumman and L-3 Communications are both rumored to have faced similar attacks, with claims that Northrop suspended all remote access to its network last week.
A well-crafted e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into retrieving from a junk-mail folder and opening a message containing malware that led to a sophisticated attack on the company’s information systems, a top technologist at the security vendor says in a blog.
An Excel spreadsheet attached to the e-mail carried a zero-day exploit for an Adobe Flash vulnerability, which Adobe has since patched; opening the spreadsheet triggered the exploit and led to the installation of a backdoor, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog posted Friday.
RSA disclosed on March 17 that an attacker targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach (see RSA Says Hackers Take Aim At Its SecurID Products). An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation. Rivner’s blog is the first substantial public comment on the breach since Coviello’s statement.
RSA on Monday also announced it is acquiring Netwitness, the network security company that provides real-time network forensics and automated threat analysis solutions. In a statement, Netwitness founder and CEO Amit Yoran alluded to the breach: “Recent events reinforce the passion and commitment we have shared for years - to help you combat zero-day attacks, targeted and advanced threats, and other sophisticated security problems.”
Netwitness technology and personnel helped identify the APT attack as it progressed, enabling RSA to launch an aggressive defense, an individual close to RSA says. But the breach had nothing to do with the acquisition; negotiations between RSA and Netwitness began before March 17.
According to Rivner, the exploit injected malicious code into the employee’s PC, giving the attacker full access to the machine. The attacker installed a customized variant of a remote administration tool known as Poison Ivy, which has been used in APT attacks against other companies. Such tools are set up in a reverse-connect model: rather than listening for inbound connections from the attacker, the implant itself reaches out to the central command and control servers, pulls down its commands and executes them. Because the traffic originates from inside the network like any other outbound client connection, Rivner explains, it is harder to detect.
Rivner’s analysis of the breach determined the attacker had sent two different phishing e-mails over a two-day period to two small groups of RSA employees. “You wouldn’t consider these users particularly high profile or high value targets,” he says. Once inside, the attacker sought out employees with greater access to sensitive information. “When it comes to APTs, it is not about how good you are once inside, but that you use a totally new approach for entering the organization,” Rivner says. “You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.”
The RSA official says the attacker initially harvested access credentials from the compromised employee’s machine, used them to escalate privilege from non-administrative accounts on the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and administrators of both IT and non-IT servers.
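The reverse-connect behaviour described above is also what a network-side analyst can look for: an implant that polls its command and control server does so on a schedule, and that regularity shows up in proxy or firewall logs even when the connection contents are encrypted. The following detection is an added example, not something RSA, NetWitness or Rivner published; the log format and every address, port and timestamp in it are constructed for the illustration. It groups outbound connections by source and destination, takes the median inter-arrival time as the candidate beacon period, and flags pairs whose median absolute deviation is a small fraction of that period.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed outbound connection log in a proxy/firewall style (not RSA's data).
# Fields: <ISO-8601 UTC timestamp> <src ip> <dst ip:port> <bytes sent>
# 10.1.2.3 checks in with 203.0.113.7:443 every ~5 minutes; 10.1.2.9 browses normally.
SAMPLE_LOG = """\
2011-03-10T09:00:03Z 10.1.2.3 203.0.113.7:443 410
2011-03-10T09:00:10Z 10.1.2.9 198.51.100.20:80 15320
2011-03-10T09:00:12Z 10.1.2.9 198.51.100.20:80 2048
2011-03-10T09:01:45Z 10.1.2.9 198.51.100.20:80 77210
2011-03-10T09:05:01Z 10.1.2.3 203.0.113.7:443 402
2011-03-10T09:07:30Z 10.1.2.9 198.51.100.20:80 1200
2011-03-10T09:08:00Z 10.1.2.9 198.51.100.20:80 64000
2011-03-10T09:10:04Z 10.1.2.3 203.0.113.7:443 415
2011-03-10T09:12:30Z 10.1.2.3 198.51.100.5:443 9100
2011-03-10T09:15:02Z 10.1.2.3 203.0.113.7:443 398
2011-03-10T09:20:03Z 10.1.2.3 203.0.113.7:443 411
2011-03-10T09:20:15Z 10.1.2.9 198.51.100.20:80 3300
2011-03-10T09:21:00Z 10.1.2.9 198.51.100.20:80 500
2011-03-10T09:25:05Z 10.1.2.3 203.0.113.7:443 405
2011-03-10T09:30:02Z 10.1.2.3 203.0.113.7:443 409
2011-03-10T09:35:04Z 10.1.2.3 203.0.113.7:443 412
2011-03-10T09:40:00Z 10.1.2.3 198.51.100.5:443 8800
2011-03-10T09:55:00Z 10.1.2.9 198.51.100.20:80 12000
"""


def parse_log(text: str) -> dict:
    """Group connection start times (epoch seconds) by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events[(src, dst)].append(t)
    return events


def detect_beacons(text: str, min_events: int = 6, max_jitter: float = 0.1) -> list:
    """Flag (src, dst) pairs whose inter-arrival times are nearly constant.

    period = median gap between successive connections (robust to one missed poll);
    jitter = median absolute deviation of the gaps divided by the period.
    Human-driven traffic is bursty and scores close to 1; a timer scores near 0.
    """
    findings = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue                      # too few samples to call it periodic
        times.sort()
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        period = statistics.median(deltas)
        if period <= 0:
            continue
        mad = statistics.median([abs(d - period) for d in deltas])
        jitter = mad / period
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period": period, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(f"beacon candidate {hit['src']} -> {hit['dst']}: "
              f"{hit['count']} connections, period {hit['period']:.0f}s, jitter {hit['jitter']:.3f}")
```

Two caveats a practitioner would apply: legitimate software updaters and monitoring agents also beacon, so the output is a triage list to be joined against destination reputation and the age of the destination in your logs; and a tool such as Poison Ivy can hold a single long-lived session open instead of reconnecting, in which case this check sees one connection and the complementary signals are session duration and bytes per session to rarely seen destinations.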
"If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while," Rivner says. "If they think they run the risk of being detected, however, they move much faster and complete the third, and most ‘noisy’ stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase."
Rivner says the goal of the attacker is to extract information. In this assault, he says, the attacker gained access to staging servers at key aggregation points to prepare for extraction. Next, the attacker accessed servers of interest and moved data to internal staging servers, where it was aggregated, compressed and encrypted for extraction. Then the attacker used the file transfer protocol (FTP) to transfer many password-protected RAR files from the RSA file server to an outside staging server, a compromised machine at an external hosting provider. The attacker subsequently pulled the files from that host and deleted them there to remove any traces of the attack.
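Because the staged files were compressed and password protected, content inspection would not have shown what left the network; the usable signals in the stage just described are direction, host role and volume. The following is an added example, not RSA's or NetWitness's detection logic: the corporate address ranges, the file server address and every flow record are constructed for the illustration. It raises two alerts from flow data, a file server opening FTP connections to an external host, and the total outbound volume from one internal host to one external host crossing a threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan (not RSA's network): corporate ranges, and the file
# servers that should never push data to the Internet on their own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FILE_SERVERS = {"10.20.0.15"}
FTP_PORTS = {20, 21}

# Constructed flow records: <start time> <src ip> <dst ip> <dst port> <bytes src->dst>.
# 10.20.0.15 opens an FTP control session to 203.0.113.50 and then pushes three
# large transfers over passive-mode data ports; the other rows are ordinary traffic.
SAMPLE_FLOWS = """\
2011-03-14T22:58:10Z 10.20.0.15 203.0.113.50 21 1200
2011-03-14T22:58:14Z 10.20.0.15 203.0.113.50 51234 52428800
2011-03-14T23:02:00Z 10.1.2.9 198.51.100.20 443 38000
2011-03-14T23:03:00Z 10.1.2.9 10.20.0.15 445 900000
2011-03-14T23:04:40Z 10.20.0.15 203.0.113.50 51240 52428800
2011-03-14T23:05:00Z 10.1.2.10 198.51.100.33 21 800
2011-03-14T23:11:02Z 10.20.0.15 203.0.113.50 51251 31457280
"""


def is_external(ip: str) -> bool:
    """External means 'not in a range we own'; documentation ranges such as
    203.0.113.0/24 are treated as Internet addresses here, which is why the
    check uses an explicit allow-list rather than ipaddress's is_private."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return rows


def analyze_flows(text: str, bulk_threshold: int = 100 * 1024 * 1024) -> dict:
    """Two cheap signals for the staging/exfiltration stage:
    1. a file server opening an FTP control or data connection to an external host;
    2. total outbound volume from one internal host to one external host >= threshold.
    Internal-to-internal flows (the collection into staging servers) are skipped here;
    they need a different baseline (unusual SMB reads per host) and are out of scope.
    """
    ftp_alerts = []
    volume = defaultdict(int)
    for row in parse_flows(text):
        if not is_external(row["dst"]):
            continue
        if row["src"] in FILE_SERVERS and row["dport"] in FTP_PORTS:
            ftp_alerts.append((row["ts"], row["src"], row["dst"]))
        volume[(row["src"], row["dst"])] += row["bytes"]
    bulk_alerts = [(src, dst, total) for (src, dst), total in volume.items()
                   if total >= bulk_threshold]
    return {"ftp_from_servers": ftp_alerts, "bulk_outbound": bulk_alerts}


if __name__ == "__main__":
    result = analyze_flows(SAMPLE_FLOWS)
    for ts, src, dst in result["ftp_from_servers"]:
        print(f"{ts} file server {src} opened FTP to external host {dst}")
    for src, dst, total in result["bulk_outbound"]:
        print(f"{src} -> {dst}: {total / 2**20:.0f} MiB outbound")
```

The volume rule is deliberately per destination rather than per source: an attacker who spreads the upload across many external hosts will slip under it, so the pairing with the role-based FTP rule (and, in a real deployment, with an egress policy that simply forbids file servers from initiating Internet connections) matters more than tuning the threshold.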
The Department of Homeland Security is working with RSA in investigating what the IT security vendor characterized as an extremely sophisticated attack aimed at its SecurID two-factor authentication products.
DHS spokeswoman Amy Kudwa said in a statement issued late Friday afternoon that the department is working with RSA by leveraging the technical, investigative and mitigation expertise of federal agencies to address the assault. “We take threats to our cyber infrastructure as seriously as we take threats to our conventional, physical infrastructure,” she said.
Kudwa said federal agencies and departments have been informed of the vulnerability and provided with mitigation measures, in coordination with RSA, adding that DHS also is distributing similar information to its critical infrastructure partners. Kudwa did not provide details on the mitigation measures.
Inquiries to the office of White House Cybersecurity Coordinator Howard Schmidt, the Pentagon and the National Security Agency were all referred to DHS. RSA did not respond to a request Friday for an interview.
RSA Executive Chairman Art Coviello, in a posting on the RSA website Thursday, said a company investigation led officials to believe the attack is in the category of an advanced persistent threat.
In a letter posted on the RSA website on Thursday, Coviello promised qualified transparency in addressing this problem. “As appropriate,” he said, “we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cybersecurity threat.”
Nevada’s state chief information security officer said he found Coviello’s comment reassuring. “They did the right thing,” CISO Christopher Ipsen said. “As a result, I am more comfortable than I would have been had I heard about the APT from some other source.”
Ipsen, an RSA certified administrator, said he looks forward to working in concert with RSA to address challenges facing SecurID.
To help customers, RSA issued nine recommendations it says should strengthen SecurID implementations (see RSA’s 9 Recommendations to SecurID Customers).
SecurID consists of a token, either hardware or software, that generates an authentication code at fixed intervals - about once a minute, for instance - using a built-in clock and an encoded random key known as a seed. The seed is different for each token, and is loaded into the corresponding RSA SecurID server as the tokens are acquired. (see RSA SecurID: A Primer).
Coviello said RSA’s investigation revealed that the attack resulted in information being extracted from the company’s IT systems. “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello said. “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”
Coviello said RSA has no evidence that customer security related to other RSA products has been similarly affected. “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident,” he said, adding that RSA will give its SecurID customers the tools, processes and support required to strengthen the security of their IT systems in the face of this incident.
The attack came one day after the top cybersecurity executive at the Department of Homeland Security told Congress that government and private-sector IT systems are at risk from such attacks (see Experts Question Infosec Readiness). “Sensitive information is routinely stolen from both government and private sector networks,” Philip Reitinger, DHS deputy undersecretary for national protection and programs told the House Homeland Security Committee. “We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis.”
Top security firm RSA Security was hit by an extremely sophisticated hack; read the complete story here: http://www.thehackernews.com/2011/03/top-security-firm-rsa-security-revealed.html
RSA has now released an open letter to its customers, reproduced below:
Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.
Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers’ relevant partners.
We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps we’ve outlined in our SecurCare Online Note. APT threats are becoming a significant challenge for all large corporations, and it’s a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.
Art Coviello, Executive Chairman, RSA
Source : http://www.rsa.com/node.aspx?id=3872