RSA SecureID breach could put customers at risk

The attack on RSA’s SecureID product, announced last week, may have completely compromised the efficacy of the two-factor authentication system, opening customers’ systems wide open, one security consultancy firm has claimed.

Late last week, RSA Executive Chairman Art Coviello revealed that RSA had been the victim of what he termed an “Advanced Persistent Threat” - a sophisticated cyberattack - in an open letter to RSA customers posted on the RSA website.

In the letter, Coviello said that the attacked resulted in “certain information” being stolen from RSA’s systems.

“Some of that information is specifically related to RSA's SecurID two-factor authentication products,” the open letter read.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

“It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The letter suggested that the attack was limited to the SecureID product: “We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack.”

But despite this confidence, security consultancy firm NSS Labs advised RSA users adopt a cautious stance.

“This was a strategic move to grab the virtual keys to RSA’s customers,” a statement from the firm read. “Military, financial, governmental, and other organisations with critical intellectual property, plans and finances are at risk.”

Most alarmingly, NSS Labs claims that the two-factor authentication system itself may have been completely compromised.

“The locksmith’s secrets may have been stolen and the integrity of RSA’s 2-factor authentication compromised. This knowledge breaks the 2-factor model since the attacker can now create the string required for successful authentication, obviating the need to know the password and PIN,” the firm said.

This also means that any specific breaches that occur as a result of the attack on RSA may not be detectable, as attackers will be able to “login as a trusted user with corresponding access privileges”.

NSS Labs advised SecureID customers to eliminate remote access until the full extent of the RSA breach is known, undertake an impact assessment of those systems that rely on SecureID, and consider alternative two-factor authentication solutions.