On March 17th, 2011, Art Coviello, RSA Security's Executive Chairman, posted a statement on the company's website disclosing the discovery of an attack on RSA's network, which RSA classified as an "Advanced Persistent Threat (APT)." Essentially, this means that the attackers had been rummaging around in RSA's systems for a while before being discovered; while doing so, they managed to penetrate one of RSA's most secret databases.
This raises several questions: 1. How did the attackers penetrate RSA's security perimeter? 2. How did they go unnoticed long enough to become a "persistent" threat? 3. What, exactly, did they get?
Coviello doesn't address the first two questions at all and is quite vague on the third. How do you interpret this?
Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products [emphasis added]. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers [emphasis added], this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack [emphasis added]. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
See what I emphasized up there? The attackers got some information related to the SecurID products. RSA isn't saying exactly what they got, but Steve Gibson makes mention of this in a recent blog post:
…at the time of manufacture individual SecurID devices would be assigned a secret internal random or pseudo-random 64-bit key and a database would be maintained to forever map the device’s externally visible serial number to its internal secret 64-bit key.
This public-serial-number-to-secret-key mapping database then becomes “the keys to the kingdom”. It is RSA’s biggest secret to keep, since a full or partial disclosure of the database would potentially allow attackers to determine a device’s current and future display values and would therefore, of course, break any authentication protection.
More news as it becomes available.