Friday, March 18, 2011

RSA hack - Trouble with a capital T

It seems RSA has been hacked. If you use one of those nice little SecurID fobs to log in to your corporate network or bank, the fob itself is fine, but the secret that makes it work may not be. RSA has not said exactly what was taken; if it included the per-token seeds, anyone holding them can compute the same codes your fob displays, and your two-factor login quietly becomes one-factor (the PIN or password alone).

This is a big deal. Two-factor authentication is the industry gold standard for remote access, and RSA is one of the most prolific suppliers of such fobs.

Securious has a nice write-up of the fact vs. fiction surrounding the attack, including a note that this was an APT attack, not some random script kiddie in Germany.

I'm not trying to stir up panic here, but if you work with sensitive data, this might be a good time to add another layer of encryption on it*. Be clear about what that buys you: disk encryption protects the data if the machine or the file is stolen, not a remote login that an attacker holding a cloned token can pass, so it is a hedge, not a fix for the token problem. There are lots of free solutions, like TrueCrypt, or if you're on a Mac the easiest thing to do is create an encrypted (password-protected) disk image with Disk Utility. Remember not to use the same password for your encrypted volume that you use for anything else (logging in, email, etc.). But also don't lose this password: if you do, your data is "irrevocably lost". Whee!

* Obviously all the "check with your (IT) doctor" disclaimers apply here.


  1. Around a generation's worth of pre-web Internet security people wished RSA would Die In A Fire. Karma is a bitch. Aside from trade-secret crypto like RC4, the beef was the claimed fundamental patent on all asymmetric encryption.

    Appropriately, trade secrecy is making public analysis of what happened and how bad it is more difficult. The essence of a SecurID fob is just a pocket watch that says what minute it is, scrambled by some function including a per-fob secret. The function and the nature of its inputs are not public. RSA could have published "this is exactly how ours work, and inject your own secrets into yours if you'd like." But then anybody could make compatible ones. (Assuming they avoided some other fundamental patents owned by RSA, but ignore that.)

    So anyway, there have always been a bunch of attacks on anything authenticated by any one-way solely-time-dependent authenticator, and some deployment rules plus (patented) gross hacks in an authentication server to work around them. It's not so much that this technology is the gold standard as the cheap Nokia phone of authenticators: familiar, not very complicated or capable, and ubiquitous--depending on which country you're in.

    TrueCrypt may be a good technology for you anyway. But there is little individuals can do to cover for the problems that may or may not be here; these are tools used by large organizations. The only advice anybody has is "be paranoid about failing to log in or your last login time" since it's the external organization which is the only one empowered to change what they consider sufficient evidence you are you. They'll probably go to smart cards or keypad authenticators next.
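To make the "pocket watch scrambled with a per-fob secret" model concrete, here is an added example; it is not code from the post, from the commenters, or from RSA. SecurID's actual function is unpublished, so this uses the public RFC 6238 TOTP construction (HMAC-SHA1 over a 60-second time counter) as a stand-in, with the RFC 4226 test secret as the per-token seed; the token id, timestamps and the server's skew and replay policy are assumptions made up for the demo. It shows the two points raised above: a stolen copy of the seed database yields exactly the codes the fob displays, so the server cannot tell attacker from user, and a code depends only on the time, so the server has to remember which codes it has already consumed or it will accept a replay within the same minute.

```python
"""Added example: a TOTP-style token (RFC 6238, HMAC-SHA1) standing in for
the undisclosed SecurID function, plus a minimal authentication server.
Seed, token id, times and policy are constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed seed: the RFC 4226 test secret. Real tokens get a unique
# secret at manufacture, and the vendor/server keeps a copy of every one.
SEED = b"12345678901234567890"
STEP = 60      # seconds per code; the fob "ticks" once a minute
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """What the fob displays at a given time: HOTP over the current time step."""
    return hotp(seed, unix_time // step)


class AuthServer:
    """Holds a copy of every issued token's seed (the database that matters).

    Accepts the current step plus one step either side to absorb clock drift,
    and refuses any (token, step) pair it has already accepted, because a
    purely time-dependent code is otherwise replayable for the whole minute.
    """

    def __init__(self, tokens: dict, skew: int = 1):
        self.tokens = dict(tokens)   # token id -> seed
        self.skew = skew
        self.used = set()            # (token id, counter) already consumed

    def verify(self, token_id: str, code: str, now: int) -> bool:
        seed = self.tokens.get(token_id)
        if seed is None:
            return False
        for delta in range(-self.skew, self.skew + 1):
            counter = now // STEP + delta
            if hmac.compare_digest(hotp(seed, counter), code):
                key = (token_id, counter)
                if key in self.used:
                    return False     # replay of a code already spent
                self.used.add(key)
                return True
        return False


def demo(now: int = 1300406400) -> tuple:
    """Constructed timeline (now = 2011-03-18 00:00:00 UTC).

    Returns (genuine login ok, replay of same code ok, attacker with stolen
    seed ok). The third value is the whole problem: with the seed copied,
    the attacker's code is bit-for-bit the fob's code.
    """
    server = AuthServer({"fob-0001": SEED})

    code = totp(SEED, now)                       # what the user reads off the fob
    genuine = server.verify("fob-0001", code, now)
    replay = server.verify("fob-0001", code, now + 5)   # same minute, same code

    stolen_seed = SEED                            # attacker's copy of the seed file
    forged = totp(stolen_seed, now + STEP)        # next minute's code, no fob needed
    attacker = server.verify("fob-0001", forged, now + STEP)

    return genuine, replay, attacker


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

demo() returns (True, False, True): the genuine login succeeds, the replay is refused only because the server keeps a used-code cache (the "gross hacks in an authentication server" mentioned above), and the attacker holding the copied seed is indistinguishable from the real fob. Nothing on the client side, disk encryption included, changes that last result; only the party holding the seed database can, by reissuing tokens with fresh seeds.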

  2. RSA the company was hacked into, not that RSA the algorithm was hacked. An important distinction. :)