Information about RSA's SecurID authentication tokens used by millions of people, including government and bank employees, was stolen during an "extremely sophisticated cyberattack," putting customers relying on them to secure their networks at risk, the company said today.
"Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA," Executive Chairman Art Coviello, wrote in an open letter to customers, which was posted on the company's Web site.
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat. Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products," the letter said.
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello wrote. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
The company said it has no evidence that other products are affected or that personally identifiable data on customers or employees was compromised. RSA, the security division of technology giant EMC, did not elaborate and a spokesman said he could not provide additional information at this time.
The tokens, of which 40 million have been deployed, and 250 million mobile software versions, are the market leader for two-factor authentication. They are used in addition to a password, providing a randomly generated number that allows a user to access a network.
The tokens are commonly used in financial transactions and government agencies; one source who asked to remain anonymous said SecurID users in those sensitive areas were scrambling to figure out what to do in light of the breach.
What exactly did the bad guys get?
Because it's unclear exactly what type of information was stolen, sources told CNET they could only speculate as to what the potential outcome could be for companies using the devices.
"It's hard to say [how serious the breach is] until we know the extent of what the bad guys got a hold of," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "Any time a security company gets broken into, it reminds you that it could happen to anybody."
He used to work for a financial services firm that "basically ran everything on" SecurID, he said. "They would be very unhappy if they found out" it could be compromised somehow.
"The real story here is what was stolen. It definitely seems mysterious," said Ravi Ganesan, an operating partner at The Comvest Group and former founder and CEO of single sign-on provider TriCipher. "SecurID is a token authenticator device that flashes a new number every 60 seconds. The number is calculated from two things, a 'secret seed' unique to that device and the time of day. So your one-time password is output of [that] algorithm."
RSA has historically kept their algorithm secret, but that is not a good defense against a sophisticated attacker who could get a software version of the token or the back-end server and reverse engineer the code, Ganesan said. "So what on earth could have been stolen? I certainly hope RSA did not put some back door into the software and that was what got stolen."
While details were scarce, hints about the breach could be gleaned from a message to customers filed with the SEC. It recommended that customers increase focus on security for social-media applications and Web sites accessed by anyone with access to their critical networks; enforce strong password and PIN policies; as well as remind employees to avoid opening suspicious e-mails and providing usernames or other credentials to people without verifying the person's identity as well as avoid complying with e-mail or phone-based requests for such information.
Additionally, the message said customers should pay special attention to securing their active directories and use two-factor authentication to control access to them; watch closely for changes in user privilege levels and access rights; harden monitor and limit remote and physical access to infrastructure that hosts critical security software; shore up practices against social-engineering attacks; and update security products and patch operating system software.
Advanced Persistent Attacks often target source code and other information useful in espionage and involve knowledge of the company's network, key employees, and workings. Attackers use social engineering and exploits hidden in e-mail and other messages to sneak keyloggers and other snooping tools onto employees' computers. Google announced last year that it and other companies had been targeted in such an attack and it later came out that attackers used an unpatched hole in Internet Explorer to get into the company computers. Google said at the time that intellectual property was stolen and that the attacks appeared to originate in China.
Updated at 7:06 p.m. PT with reaction, more details, and background throughout.