Following recent attacks against Lockheed-Martin and other defense contractors, which used counterfeit SecurID keys to attempt to gain unauthorized access to the network, RSA Security has had to admit the scope of the problem and offer to replace the compromised SecurID tokens, and offer some additional perks as well to try and earn back some customer trust.

There are roughly 40 million SecurID tokens in circulation. Replacing them will not be cheap, but rebuilding customer confidence is much more important than the short term financial impact.

Adobe issued a security advisory on March 14 warning users that a vulnerability had been discovered in Adobe Flash, as well as the authplay.dll function included in Adobe Reader and Adobe Acrobat. The flaw was being exploited in limited attacks which included a malicious Flash (SWF) file embedded within a Microsoft Excel (XLS) file attachment. Apparently, someone within RSA received that email attachment, opened the Excel file, and clicked on the Flash file–compromising his PC and giving the attackers complete access to the system.

Adobe released an update for Flash, Acrobat, and Reader (except for Reader X for Windows because the sandbox security already mitigates the threat) about a week after announcing the zero-day threat. I don’t know if RSA has implemented those updates yet, but hopefully it has.

The lesson here is that even if you are RSA–a company virtually synonymous with security, the namesake of the biggest security conference of the year, provider of two-factor authentication solutions relied on to protect systems and data around the globe–one well-timed social engineering attack, and a little human error is all it takes for an attacker to get inside and gain access to sensitive information.

The bonus lesson is that it is bad PR to call an attack “extremely sophisticated”, and then have to face the embarrassment when it is discovered that it was just an average, ordinary phishing attack–especially for a security company.

The information shared in the letter is concerning for customers, but what is even more concerning at this point is what is not being shared. RSA has been scarce on details–basically just saying that it is “confident” there is no immediate threat of an exploit resulting from the hack, and that it has “no evidence” that any other products are impacted. But, other than that, RSA just wants customers to not panic, and have faith that RSA has everything under control.

Art Coviello’s letter states, “As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”

The problem is deciding who gets to define “as appropriate”. Many customers feel it would be “appropriate” for RSA to be much more forthcoming with details about what information, specifically, was compromised by the hack so customers can better understand the threat and be armed with information necessary to determine the scope and impact of the potential threat, and take proactive steps to guard against any potential SecurID hacks.

Perhaps, RSA is unsure whether the attackers even really realize what they have, and they fear that divulging too many details could exacerbate the problem by pointing would-be attackers in the right direction. That seems like a reasonable possibility. But, for now RSA is just being vague about the details of the SecurID hack, and what RSA isn’t saying seems to be more revealing than what RSA is saying.