Tuesday, 7 June 2011

RSA security tokens compromised

Recently there have been some problems with RSA security fobs reported in the media like this: http://www.bbc.co.uk/news/technology-13681566

Basically back in March RSA (the guys that make most of those secure number generator key fobs for online banking etc) were hacked (you might remember me mentioning it at the time if you know me).  RSA were taking the line that it was not a big deal as they did not get enough information to actually compromise anything but would not say what was taken "for the security of our customers".  Unfortunately several major North American military companies have now been hacked/had attack attempts (new news - I'm sure it will become a bit clearer over the next week or so) due to compromised RSA tokens (Lockheed Martin, L-3 Communications and Northrop Grumman for example).

It currently looks like the intent behind the original hack was to target American military tech and RSA are now taking the line that nobody else needs to worry much as the original hackers are not interested in them.  This of course is debatable (with a confirmed exploit how long until people who ARE interested in bank accounts obtain a copy?).  RSA are offering to replace all RSA tokens for customers with concentrated user bases (eg they are happy to send thousands of replacement fobs to a company but will not send those thousands of fobs directly to the end users.  (Letter from the RSA Chairman here: http://www.rsa.com/node.aspx?id=3891).  That is an interesting read for diversionary tactics.  He mentions that there have been lots of high profile atacks on other companies that were nothing to do with the RSA problems.  He states that Lockheed Martin have denied that the attack succeeded (they would!) but obviously can't say that it has not succeeded somewhere else.  He says that the attack is not a new threat to RSA SecurID (correct - its from the hack they announced back in March and down played.  Now we just know that the information stolen in that hack can and has been used in an attempted (maybe successful, maybe not) hack on top US military companies).

For end users (you and me) this means two things:
1. At the moment if you use RSA key fobs you are currently probably safe but it may not stay this way
2. The only people who can replace your Fobs are the people that gave them to you (your bank for example) and they are probably not going to be too keen to do anything as shipping new fobs to all their customers and ensuring the right person gets the right fob is going to cost them a lot. (also RSA are offering financial protection insurance so the banks will not loose anything if anyone is compromised)

I get the feeling I've heard this story a few times before (warning, massive generalisation ahead).  Company makes good product and grows as people use it.  As the company employs more people there is a greater chance that one of them will make a mistake/leave their laptop on a train/get greedy and data is lost.  The more popular the product the bigger the companies likely to be effected when the brown stuff hits the fan.  Media run a few stories, company tries to down play the issue and most people keep using the service anyway.  I'm sure most PS3 owners are going to keep buying and playing games even after Sony lost millions of their account details with passwords, addresses, credit card numbers etc included.

You could start using something like the excellent Yubikey (http://www.yubico.com/yubikey) host your own dual factor authentication server and generate your own keys so nobody else has a copy.  That way even if your provider was compromised your keys would not be exposed.  There is still the risk of an attacker or other person discovering an exploitable vulnerability in the encryption scheme used but this is fairly unlikely.  I'm sure many people who have deployed Yubikeys or similar devices will be quite happy reporting to their managers that they are immune to this attack.  Unfortunately for me I have purchased a batch of Yubikeys and got them working on our VPN but an issue with IP address allocation (http://forum.yubico.com/viewtopic.php?f=5&t=651) has stopped me deploying them so far - along with the usual list of more important projects as long as my arm and I'm therefore not able to gloat as much as I'd like.  Not that any internet connected system is 100% secure.

At the end of the day if you are reading this you are probably safe enough.  Use secure unique passwords, make sure you visit reputable sites, try not to put the answers to security questions on Facebook (what is your mothers maiden name...), use an up to date virus checker etc.  Even if someone can duplicate your RSA token they would also need your password, username etc.  If you are responsible for managing RSA keys then read through the guidelines that RSA have produced (http://www.rsa.com/products/securid/faqs/11370_CUSTOMER_FAQ_0311.pdf) to see if there is anything further you want to do.  If you are working for a top military company, bank or other place you think is at high risk because of this then go talk to your security people.  You do have them right?