The IT world has been thrown into a spin with security firm RSA, which manufactures cryptographic tokens, revealing it has been hacked and information lifted from its servers which could potentially threaten the integrity of its security products.
The incident has caused security experts to urge companies to review their security systems and protect their data, with some saying RSA should issue completely new SecurID tokens to protect its customers.
Ted Egan, chief executive of security firm TrustDefender, says SecurID customers should be more watchful when accessing their internal systems.
“The main thing is that anyone using tokens for authentication should be a little more vigilant about their online transactions, and look for anything that may be unusual… this incident really shows how hackers are stepping up their game.”
However, Egan also praised RSA for being up-front about the situation, saying that “the open letter was very responsible, rather than just covering it up”.
Several Australian companies including banking and telco giants Westpac and Telstra use the RSA SecurID system, along with several government departments including the Department of the Prime Minister and Cabinet and the Family Court.
Last week, RSA executive chairman Art Coviello said in a letter posted on the company’s website that an internal investigation prompted by a number of cyber-attacks had revealed some information had been lifted from the company’s internal systems.
This information related to the RSA SecurID tokens. These devices are given to an employee of a company, and provide them with an additional password that changes every 30 or 60 seconds, adding another layer of security to a typical username and password login process.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello said.
If a hacker was able to gain access to the algorithm that creates these passwords, the damage could be severe and widespread. RSA says it is now working with its customers to protect their data.
Many Australian companies use the SecurID system to login to their internal servers, including many small businesses, but there are individuals who also use the RSA tokens to access their online banking facilities.
Security firms McAfee and Symantec were contacted this morning but declined to comment on the matter. SecurID customers Telstra and Westpac were also contacted, but they were unavailable for comment.
So far, it is unclear what type of data has been taken – RSA and its parent, EMC, have issued no further warnings.
“It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident,” Coviello said in his letter.
But some security experts have already begun issuing warnings about how RSA should respond. Steve Gibson, a prominent computer security expert, wrote on his blog that while there isn’t much information, some threats can be deduced.
He points out that each SecurID token has a serial number printed on the back that is used to “pair” it with a device. He says RSA must have a list that shows how each device calculates each password for the user – and this very well could be compromised.
“RSA may not want to do the responsible thing because it would be very expensive for them,” he says.
“But given the only deductions possible from what little RSA has said in light of the technology, any company using RSA SecurID tokens should consider them completely compromised and should insist upon their immediate replacement.”
RSA is one of the biggest security companies in the world. It is best known for the SecurID technology, with customers in the military, government and banking among other private sectors.
In a filing with the Securities and Exchange Commission, EMC said it did not expect the incident to have a material impact on its finances.
Patrick Stafford is a freelance journalist and a former deputy editor of SmartCompany.
