Thursday, March 17, 2011

APT: RSA Identified an Extremely Sophisticated Cyber Attack in Progress

Open Letter to RSA Customers
http://www.rsa.com/node.aspx?id=3872

Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.


----------------------------------------------------------------------------------------------------

Rich Mogull @ Securosis has written a good non-hype summary outlining what is known, what is not and what RSA SecurID customers need to do....

What You Need to Do
If you aren’t a SecureID customer… enjoy the speculation.

If you are, make sure you contact your RSA representative and find out if you are at risk, and what you need to do to mitigate that risk. how high a priority this is for you depends on how big a target you are- the Big Bad APT isn’t interested in all of you.

Based on how the letter was worded it might mean that the attackers have a means to generate certain valid token values (probably only in certain cases). They would also need to compromise the password associated with that user. I’m speculating here, which is always risky, but that’s what I think we can focus on until we hear otherwise. Thus reviewing the passwords tied to your SecureID users might be reasonable.

Open Questions
  1. While we don’t need to know all the details of the attack, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?
  2. How is SecureID affected and will you be making mitigations public?
  3. Are all customers affected or only certain product versions and/or configurations?
  4. What is the potential vector of attack?
  5. Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?
Finally- if you have a token from a bank or other provider, make sure you give them a few days and then ask them for an update.

No comments:

Post a Comment