When RSA originally announced their security breach, they were quite circumspect about what exactly was stolen. There was lots of conjecture flying around, but nobody knew for sure, because RSA wasn’t saying much.
The RSA announcement was here:
What set the industry abuzz was the suspicion that:
- The attacks were carried out by state actors, not just random criminals.
- The attacks compromised key material used in the RSA SecurID token authentication process.
- This key material could be used, by a reasonably sophisticated attacker, to impersonate a legitimate user in an organization that relies on RSA SecurID tokens.
Nobody knew for sure, but this seemed like a strong possibility and a dangerous one at that.
Today we started getting confirmation that this exact scenario is what has been playing out. Lockheed Martin, one of the largest US military contractors, is reporting ongoing attacks related to RSA tokens, which are typically deployed to authenticate remote users in their VPN connections.
So if reports are to be believed – and where there’s smoke there is usually a fire – then it’s likely that a state actor (probably China) first compromised RSA to acquire key material for all RSA tokens everywhere, then used this data to construct fake tokens and attack user accounts at interesting organizations, including US military contractors.
If your organization uses RSA tokens, then you presumably deployed them to increase the security of remote user connections to your network from a somewhat complex single factor (a password) to two factors, consisting of evidence that the user physically posesses his token plus an even simpler knowledge-based factor (typically a 4 digit PIN).
What you actually got, however, now that the key material was breached, was a change from a single, moderately complex password to a single, definitely simple, PIN. The token part can be impersonated, by at least one foreign entity. Your adversary also has to figure out which token is associated with which of your users, and apparently they are using phishing to figure this out.
So what to do?
Clearly, the RSA tokens should be replaced. I imagine RSA will be offering replacement tokens based on different key material. I wouldn’t go there, however, since the basic problem with this architecture is that there is a single point of failure — RSA — and that’s a very tempting target for powerful adversaries.
To RSA’s competitors — do your architectures also have this weakness? Unless you can demonstrate that your tokens don’t aggregate risk in the same way, then you are guilty by association…
Perhaps another token solution? Or smart cards, if you have pervasive readers? Or combination smart-card/token devices, if you don’t have card readers everywhere, or one of several mechanisms that leverage user mobile phones as an authentication factor?
All of these make sense — choose the one that works for you.
Heck, going back to just passwords, but making them strong ones and authenticating the endpoint (i.e., is this the same PC that my user usually signs on from?) would be better than the RSA tokens at this point. More convenient for end users too.
Whatever you do, think about risk aggregation. Maybe that’s the new motto for authentication technologies.