Archive for the ‘General’ Category
Mercedes Colour Codes (Sort by Type)
Tuesday, May 3rd, 2011
RSA’s Breach: A SecurID Guessing Game
Tuesday, April 12th, 2011
Following a debate with a peer over the severity of the RSA breach, I thought I would put together a more reasoned response following my rant a few days ago.
So, from rumours circulating the RSA breach seems to involve the seeds being stolen; but what else could have been stolen? Well, there are a few possibilities:
- The seeds were stolen
- The source code was stolen
- Some other IP was stolen
I’m leaving out the possibility that anything was compromised as it was shipped to customers as RSA have stated that their breach on its own cannot compromise customers.
So, let’s go into each one in more depth… If the source code was stolen, then there are two possibilities. Assuming the code was well designed, and no vulnerabilities are found in it, then there is no real issue. In fact, some may suggest that RSA releasing the source code for public peer review may indeed strengthen their product. If, on the other hand, the source was designed in such a way that it can be bypassed, then it’s back to the drawing board for RSA.
On that note, there are rumours that there may be a backdoor in the system, allowing government(s) access to systems as they please… That said, this seems like a very far-fetched option. I doubt RSA/EMC would indeed implement this, and if this were the case I doubt RSA’s network would be where the data eventually leaked from.
Onto the seeds… but first, let’s quickly run over the basics… 2-factor authentication relies on, as the name suggests, 2 of the basic 3 factors of authentication (something you know, have or are) (apologies, not trying to teach you to suck eggs, I’m just trying to be coherent!)
In the case of RSA SecurID tokens, the PIN is something you know, and the token something you have. To “prove” you have it, you use the pseudo-random number it generates.
The pseudo-random number is generated from a combination of 3 things, the token serial number, the seed and the time. The time is trivial to find. The seed, we can assume, has been compromised. Thus, the token’s security relies on the serial number, which isn’t something you “have” but more of something you “know” (as it can be transferred without any noticeable change to the first instance. I can email you my serial without tampering with the serial).
Thus, an attacker can, quite easily, create a software token that takes that seed (which we assume they have stolen), the time (reasonably easy to guess) and a serial number (harder to find, but still doable) to generate the “unique” code.
As such, that reduces the 2-factor authentication to 1-factor, i.e. something you know; in this case your PIN and your serial number.
Many organisations keep large databases of serial numbers in their asset trackers, which aren’t hardened (indeed, from experience, many allow all members of staff read access to these; but that’s another debate).
So, going back to my argument, reducing 2-factor to 1-factor isn’t that “doomsday”; but then you need to consider that that 1-factor is a 4-digit PIN, so 10^4 possible combinations, or 10,000 permutations. Let’s say the attacker then has to try this for 1 minute before and 1 minute after the time on his machine (as the server time may have strayed), so 30,000 permutations.
10,000-30,000 attempts to log in, for a brute force attack, are minimal (obviously assuming there aren’t other mitigating protections enabled, e.g. timeouts, etc).
Which is why I think that RSA have told everyone to safeguard their serial numbers, lengthen their PINs to 8 digits and keep an eye out for failed attempted logins…
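As an added example (not code from this post and not RSA’s own software), here is the monitoring side of that advice in Python: a sliding-window check over constructed authentication log lines that flags a user once failed passcode attempts reach a threshold inside a window sized to cover the clock-drift search described above, alongside the guess-count arithmetic behind the 4-digit versus 8-digit PIN advice. The log format, field names, thresholds and the `authd` program name are assumptions; the point to adapt for a real deployment is `parse_line()`.

```python
# Added example (not from the post, not RSA's code): a defender-side check for
# the signal RSA asked customers to watch for, bursts of failed passcode logins.
# The log format below is constructed for illustration; real authentication
# servers log in their own formats, so parse_line() is the part you adapt.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed key=value syslog style).
SAMPLE_LOG = """\
2011-04-12T09:00:00 authd user=carol result=FAIL reason=bad_passcode src=10.0.0.9
2011-04-12T09:00:01 authd user=alice result=FAIL reason=bad_passcode src=10.0.0.5
2011-04-12T09:00:02 authd user=alice result=FAIL reason=bad_passcode src=10.0.0.5
2011-04-12T09:00:03 authd user=alice result=FAIL reason=bad_passcode src=10.0.0.5
2011-04-12T09:00:04 authd user=alice result=FAIL reason=bad_passcode src=10.0.0.5
2011-04-12T09:00:05 authd user=alice result=FAIL reason=bad_passcode src=10.0.0.5
2011-04-12T09:01:00 authd user=bob result=FAIL reason=bad_passcode src=10.0.0.7
2011-04-12T09:01:30 authd user=bob result=FAIL reason=bad_passcode src=10.0.0.7
2011-04-12T09:02:00 authd user=bob result=OK src=10.0.0.7
2011-04-12T09:05:00 authd user=carol result=FAIL reason=bad_passcode src=10.0.0.9
2011-04-12T09:10:00 authd user=carol result=FAIL reason=bad_passcode src=10.0.0.9
2011-04-12T09:15:00 authd user=carol result=FAIL reason=bad_passcode src=10.0.0.9
2011-04-12T09:20:00 authd user=carol result=FAIL reason=bad_passcode src=10.0.0.9
"""

# Policy values are assumptions, not RSA defaults. The window is sized to cover
# the +/-1 minute of clock drift the post says an attacker would have to search.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=3)


def search_space(pin_digits, time_windows):
    """Number of (PIN, time step) guesses an attacker holding the seed and
    serial would need to exhaust: the post's 10**4 * 3 = 30,000 case."""
    return (10 ** pin_digits) * time_windows


def parse_line(line):
    """Split '<iso-timestamp> <program> k=v k=v ...' into (datetime, fields)."""
    ts, _program, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def find_bursts(log_text, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {user: timestamp of first alert} for every user whose failed
    passcode attempts inside a sliding `window` reach `threshold`.

    Successful logins are ignored rather than resetting the counter, so a
    guess that eventually succeeds still leaves the preceding burst visible.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        if fields.get("result") != "FAIL":
            continue
        user = fields["user"]
        failures = recent[user]
        failures.append(ts)
        # Drop failures older than the window; lines are assumed time-ordered.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    for user, when in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {user}: "
              f"{FAIL_THRESHOLD} failed passcodes within {FAIL_WINDOW}")
    print("guesses, 4-digit PIN, 3 time windows:", search_space(4, 3))
    print("guesses, 8-digit PIN, 3 time windows:", search_space(8, 3))
```

On the constructed log only `alice` is flagged: `bob` fails twice and then succeeds, and `carol` fails five times but five minutes apart, so the sliding window never holds more than one failure. The same per-user window is also the natural place to hang a lockout or step-up decision, which is what turns the “keep an eye out for failed logins” advice into the mitigating protection the post mentions.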
So… assuming the seeds were indeed stolen, what do we do? Well, in the short run, the usual. Harden, monitor, educate and enlarge your PIN length. Then, you need to decide whether to jump ship (CA are doing a free swap of RSA SecurID tokens, click here for info and of course, I need to mention that Symantec recently bought VeriSign, which also have their own identity management solutions) or whether to stay with RSA and go with a redeployment of all your tokens (again, assuming the seeds were indeed stolen).
M.
(an addendum, I’m assuming the seeds were stolen with a mapping to the clients they were used for… e.g. CompanyA:seedA, CompanyB:seedB, … if the seeds were stolen as a simple file of all the seeds with no other data… well, then it’s more complicated to mount an effective attack!)
Apple iPad
Monday, March 28th, 2011
I was talking to a friend today, and he brought to my attention the iPad 2… again, Apple has made an entry into a market not as the “first”, nor as the fastest, most feature laden nor cheapest… but they’re still causing quite a stir and taking the marketplace by storm.
But what does this mean for an enterprise? How does the iPad adapt to a large business environment? Or even more importantly, how does Apple adapt to a business environment? Especially when we consider that Apple have recently left corporate customers high and dry by withdrawing their server hardware offerings!
I’ll put together something soon… but would love to hear your thoughts and/or ideas in the meantime! Drop me a line, comment here, take your pick.
M.
RSA Pwned
Friday, March 18th, 2011
So RSA have been breached…
I spent far too long listening to RSA saying “sorry, we’ve been hacked. Something got stolen, but we won’t tell you what. It does affect the security of the system, but there still are passwords, right? Oh yeah, and if you want, EMC consulting can come in and mitigate our screw up”…
Oh wait, I’m not being very professional, am I?
http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
The reason I’m so annoyed is that they went through the whole set of “enforce password policies, monitor accounts, update patches, password complexity, social networks” stuff (security daycare anyone?). Oh, and the best was that a compromise of the RSA SecurID isn’t enough to directly cause a breach…
The whole point of 2-factor authentication is that there are 2 factors! If one gets breached, the other comes into play. No sh*t, Sherlock! That’s why we spend a fortune getting that second factor instead of just using username and password! What you’re saying is that we are back to username and password in a worst case scenario; so in essence, they’ve said nothing more than “oops, something went wrong”.
We need some facts on what got stolen – without that, we cannot judge the risk for the estates we are handling and cannot decide what to do to mitigate the additional associated risks. Oh, and we need this information yesterday.
While I agree that full disclosure isn’t always the best solution, especially not immediately, as an RSA customer, we need to be kept informed instead of being told “my bad, sorry”. Some useful information is needed; at the moment, this is akin to shouting “Boo!” and running away.
There’s no point in being told in 2 weeks that the RBN or a Chinese hacking group had a way to bypass the SecurID side of things for the last month.
Rant over…
M.