Feeds

RSA defends handling of two-pronged SecurID breach

'Our adversaries left information' exec says, as FBI probe continues

High performance access to file storage

RSA Europe Two groups from the same country teamed up to launch a sophisticated attack against RSA Security's systems last March, EMC's security division said.

Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.

"Two groups were involved in the attack," Thomas Heiser, RSA Security president, said during a keynote at the conference. "Both are known to authorities but they have never worked together before."

"The attack involved a lot of preparation," he added.

Forensic examination in the wake of attack on RSA's systems allowed the security arm of EMC to draw tentative conclusions about the origin and purpose of the assault on systems that underpinned its SecurID two-factor authentication technology.

RSA executive chairman Art Coviello said that "one group was very visible and one less so". Coviello declined to point the finger of blame towards any particular country but said during a later question-and-answer session that both came from the same country. "We've not attributed it to a particular nation state," Coviello said. "However with the skill and degree of resources involved it could only have been a nation state."

Coviello's comments painted a picture of the attack as a collaboration between criminal hackers and either a military or intelligence agency, even though he sidestepped a question on whether this was a correct interpretation of his remarks.

Fallout

Heiser downplayed both the impact of the attack and RSA Security's subsequent drip-drop disclosure of what exactly happened and how it had affected customers of its flagship SecurID two-factor authentication technology, which is widely used for secure remote access to corporate email or intranet applications.

"There was one attack on RSA," he said. "The information taken from the RSA attack was a vector in one other attack, which was thwarted. We know of no other attack.

"We killed the attack while it was still in progress and communicated rapidly with our customers as much as we could tell them."

Both the FBI and Department of Homeland Security are continuing to investigate the case.

"Our adversaries left information," Heiser said. "We didn't want to thwart the investigation, so for that reason we haven't disclosed everything we know."

RSA was widely criticised for its reluctance to disclose details of the assault. Even now, more than six months after the assault, it will only say that information related to SecurID was stolen. It hasn't said what was taken although it has been widely suggested that it might have been the seed database used to generate one-time codes on the devices it supplies.

RSA Security offered to supply enterprise customers with replacement tokens in response to the attack. Both Coviello and Heiser declined to say how many tokens it has replaced, although, pressed on the point, Coviello said it was a "small percentage".

During a question-and-answer session, Heiser denied accusations that many customers had been "left hanging" in the aftermath of the attack.

"We got out to our top 500 customers relatively quick. We have many thousands of other customers which we don't deal with directly, so there wasn't that that kind of hand-holding. We have to rely on our marketing press and partners," he said.

"We disclosed everything we could without putting other customers at risk," he said.

Hackers were looking for 'defence-related intellectual property'

Heiser said that RSA was a pawn in a bigger assault: "The motive was to gain access to defence-related intellectual property. RSA was not the target but a means to an end," he said.

Coviello said one of the ironies of the attack was that it validated trends in the market that had prompted RSA to buy network forensics and threat analysis firm NetWitness just before the attack. Security programs need to evolve to be risk-based and agile rather than "conventional" reactive security, he argued.

"The existing perimeter is not enough, which is why we bought NetWitness. The NetWitness technology allowed us to determine damage and carry out remediation very quickly," Coviello said.

"Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defences," Coviello added. "People are the new perimeter contending with zero-day malware delivered through spear-phishing attacks that are invisible to traditional perimeter-based security defences such as antivirus and intrusion detection systems." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.