So RSA have been breached…
I spent far too long listening to RSA saying “sorry, we’ve been hacked. Something got stolen, but we won’t tell you what. It does affect the security of the system, but there are still passwords, right? Oh yeah, and if you want, EMC consulting can come in and mitigate our screw-up”…
Oh wait, I’m not being very professional, am I?
http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
The reason I’m so annoyed is that they went through the whole set of “enforce password policies, monitor accounts, update patches, password complexity, social networks” stuff (security daycare, anyone?). Oh, and the best part was that a compromise of RSA SecurID isn’t enough on its own to directly cause a breach…
The whole point of two-factor authentication is that there are two factors! If one gets breached, the other comes into play. No sh*t, Sherlock! That’s why we spend a fortune getting that second factor instead of just using username and password! What you’re saying is that we are back to username and password in a worst-case scenario; so in essence, they’ve said nothing more than “oops, something went wrong”.
We need some facts on what got stolen – without that, we cannot judge the risk for the estates we are handling and cannot decide what to do to mitigate the additional associated risks. Oh, and we need this information yesterday.
While I agree that full disclosure isn’t always the best solution, especially not immediately, as an RSA customer I need to be kept informed instead of being told “my bad, sorry”. Some useful information is needed; at the moment, this is akin to shouting “Boo!” and running away.
There’s no point in being told in two weeks that the RBN or a Chinese hacking group had a way to bypass the SecurID side of things for the last month.
Rant over…
M.