RSA offer to replace tokens is weak if defense-industry attackers can make their own
RSA offers to replace tokens at Lockheed, L3, Northrup, following RSA breach in March
RSA is offering to replace more than 45,000 SecureID tokens after confirming the "serious and sustained" attack on defense contractors last month that used cones of RSA tokens as part of what security analysts said was a complex and sophisticated attack.
Lockheed Martin took the most severe attack over the course of several days, but blocked it before losing any sensitive data, according to statements from the company. Northrupp Grumman and L-3 Communications were also hit, though Wired reports it's not clear how successful the attacks were or how investigators knew stolen SecureID data was involved.
The clones are a direct result of an attack on RSA in March that used spear-phishing, malware and cracking techniques to penetrate the company's security and steal data on RSA's two-factor authentication devices, which are widely used in the U.S. defense industry.
China has been linked to the attack, but there is no evidence confirming its involvement. Chinese officials deny the charge.
As much fun as it is to pillory Sony for its miserable security and purely fictional reassurances that it had improved anything, attacks on companies that provide the core security and networking technologies on which secure systems in the U.S. government, Fortune 500 companies and the defense industry, are far more serious.
Attackers from overseas – most notably China – are already reportedly already pulling data by the gigabyte out of semi-secure systems with attacks that use spear-phishing techniques to gain initial access followed by malware and direct attacks.
Losing credit-card numbers, email addresses and other personal data on customers because you can't be bothered to encrypt or secure it is negligence of the most odious kind.
Giving bad guys who could be military opponents rather than simple identity thieves could have much more serious consequences.
Given the size of the breach and potential impact – not to mention the level of sophistication of the attacks on both RSA and Lockheed Martin – RSA had better not stop with replacing just 45,000 tokens.
The NYT ran estimates that more than 260 million people use RSA SecureID tokens, though that seems a high estimate for IDs that are in current, regular use.
Compared to that, replacing 45,000 that were directly affected is a pretty weak response.
With as much insider knowledge as they must have gained from the RSA breach, attackers with the kind of resources available to a foreign-national intelligence agency could do more than just clone a few electronic tokens.
It could reverse-engineer SecureID's lower-level code and build tools that would let them crack sites whose RSA tokens and security weren't part of the loot taken in March.
Replacing a few directly compromised IDs just isn't going to make enough of a difference.