Is SecureID broken?
It’s been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.
For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.
It comes down to two simple questions.
Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token’s serial number to its seed leaked?
Without the answers to those two basic questions, RSA customers can’t make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA’s servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.
Go to the source to read more on this important issue regarding network security.
- RSA SecurID – What’s the Risk? (itsecurityexpert.co.uk)
- Should You Stop Using RSA SecurID Tokens? (pcworld.com)
Posted on March 25, 2011, in Business, Cybersecurity, Hacking, Network Administration, Security breach, Technology News and tagged Confidentiality, Customer, EMC, EMC Corporation, One-time password, RSA, SecurID, Two-factor authentication. Bookmark the permalink. 1 Comment.