In an open letter posted on RSA's Website, the company revealed that attackers launched an Advanced Persistent Threat (APT) attack and stole its SecurID two-factor authentication data.
Security acknowledged it had been hit by an "extremely sophisticated"
attack and that information related to the SecurID two-factor authentication
products have been stolen.
Intruders succeeded in breaching RSA
networks "recently" as part of an Advanced Persistent Threat attack, Art Coviello, executive chairman of
, wrote in an open letter to customers that appeared on the RSA
Website on March 17. While the investigation is ongoing, RSA has determined
attackers stole "certain information," including the ones specific to
RSA's SecurID two-factor authentication products, Coviello said.
"Recently, our security systems identified an extremely sophisticated
cyber-attack in progress being mounted against RSA,"
RSA has historically kept the algorithm
for its multifactor authentication products secret.
Neither the letter nor EMC's filing with
the Securities and Exchange Commission identified what exactly was stolen, but
it "could potentially be used to reduce the effectiveness of a current
two-factor authentication implementation as part of a broader attack,"
Coviello said. He was "confident" that the stolen data won't allow
the criminals to mount a successful attack directly on RSA's
often target source code and other information useful in
espionage and involve knowledge of the company's network, employees and
policies. APT generally employs some forms
of social engineering as well as exploits hidden in e-mail messages to sneak
keyloggers and other tools onto the computer. Unlike most attacks, APT
intruders are generally not interested in financial and identity data. Instead,
once attackers gain access to the network, they move around looking for
sensitive data, such as intellectual property, to steal.
, which compromised systems at Google and a number of other major
companies in 2009, was a type of APT.
Other EMC or RSA
products were not affected, and personally identifiable data on customers and
employees were not compromised, Coviello said.
RSA did not elaborate on how the attack
was carried out, when it occurred or how long it took the company to discover
it. RSA representatives were not available
RSA was able to say with "some
confidence" what was and was not compromised, which allowed it to
communicate with customers "accurately," Steve Shillingford, CEO
of Solera Networks, told eWEEK. RSA is
likely to maintain its credibility with customers, he said.
As of 2009, RSA had about 40 million
tokens and 250 million mobile software versions deployed in over 25,000
organizations across industries, such as banks, government, manufacturing and
pharmaceutical. They are used to randomly generate a numeric code that is used
in conjunction with a password to allow a user to log in. The number is
cryptographically generated and changes every 30 seconds.
It is unclear at this time whether attackers stole the "seed"
values SecurID tokens use to generate the numeric codes. If they have the seeds
for a specific company, they may be able to generate a fake number on tokens,
allowing them pass one layer of security. Attackers may have stolen the source
code, which could be analyzed to find vulnerabilities to exploit, or private
cryptographic keys to trick RSA servers or
RSA recommended that customers increase
their focus on security for social media applications and Websites, enforce
strong password and PIN policies, and remind employees to avoid opening
suspicious e-mails or giving away their log-in credentials to people or other
Websites. Customers should also pay special attention to securing their active
directories, "make full use of their SIEM products," use two-factor
authentication to control access to active directories, monitor for changes in
user privilege levels and access level rights, limit remote and physical access
to infrastructure hosting security software, beef up defenses against social
engineering attacks, and update security software and operating systems.
RSA also recommended adding levels of
manual approval to change user privilege levels and access rights, as well as
following the rule of "least privilege" when assigning roles. The
administrators should have just enough privileges to get work done without
acquired RSA Security
in 2006 for $2.1 billion in cash.