InsecureID: No more secrets?

Yikes – I thought RSA’s SecurID was um… secure. We have one of their tokens attached to our PayPal security. So this is not happy news from Bob Cringely:

Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”

Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.

Last weekend was bad for a very large U. S. defense contractor that uses SecureID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecureID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

Read the whole thing »