My not-about RSA blog post

Posted by:

admin 13 years, 1 month ago

There is a lot of speculation about the RSA SecuID attack. (Those are my top 3).   The lack of information, while frustrating is understandable if there is an ongoing investigation and if the security of SecurID users is not truly at risk as RSA asserts.  In general, I don't pay much attention to competition.  I prefer to pay attention to customers, in particular prospective customers. 

However, it would be a waste if the industry didn't get some insight from this situation.  Here is my general advice.

1. Don't panic. If you're a typical APT target and an RSA user, start digging.  Otherwise, if you're overly reliant on your authentication system for security, plan on beefing up your other defenses and log management.

Longer term:

2. Analyze your purchasing heuristics.  Do you not purchase from open-source companies because you think closed source is more secure? Time think again. Do you prefer large public companies to smaller vendors? Smaller vendors can notify before the stock market closes.  Do you prefer the market leader?  That leader is a bigger target.

3. (Re-)Consider Defense-in-depth. RSA has stated that the information taken "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack". Over-reliance on any single technology has always been a bad idea.

4. Heterogeneous vs Homogeneous. If a single vendor is responsible for a large portion of your defenses? This attack puts a bigger question mark on single-sourcing. 

5. Use asymmetric encryption and "Best practices" for encryption.  By the latter, I mean practices like generating the keys on the devices.   Yes, this is a plug for WiKID because we use asymmetric encryption and not shared secrets, which means you can back up your keys and know that it is the only back up.  

6.  Don't bash two-factor authentication.   Two-factor authentication is a lot tougher to break than static passwords.  These attackers had to attack RSA before they could attack their targets. That is tough.  Please recognize this!  Further, a lot of progress has been made this year in promoting dynamic passwords (thanks to Google, primarily).  This is GOOD!  Security professionals know that static passwords are weak and getting weaker.  Don't step backwards. 

OK, I can't resist a little speculation.  RSA has a self-service download site for licenses. I think this site was exploited and was either gathering information to use to break the master key or was looking specifically for certain companies using that system.  Why do I think that? Like everyone, a hunch.  Someone told me the site was down well before RSA notified.  Also, I think this site is a newer development meant to make deployment easier and/or cheaper which often means less secure.  

Of course, as always, consider the source.  We are a smaller, dual-source, single product company that uses asymmetric encryption.  ;-)

• ← APT, open source and asymmetric encryption
• The Baby and the Bathwater, SSL cert edition →