Is it time for RSA to open up about SecurID hack?

Three months after RSA was hacked, some say the company should disclose more about the incident.

For any company that makes its living selling security, it's a nightmare come true. This week, RSA Security admitted that hackers who broke into its network three months ago had stolen information about its SecurID tokens and then used that information to attack a customer, Lockheed Martin.

RSA seems to think the vast majority of its customers aren't directly threatened by the hacking incident, but the company's reputation has taken a hit. And users and pundits alike have blasted RSA for not being clear about exactly what was taken, and how it could affect them.

Calls for more disclosure about the March hacking incident only got louder this week, after Lockheed Martin confirmed that it was reissuing RSA tokens company-wide in response to the attack, and after RSA began offering to replace tokens for any customers who asked.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

For any company that makes its living selling security, it's a nightmare come true. This week, RSA Security admitted that hackers who broke into its network three months ago had stolen information about its SecurID tokens and then used that information to attack a customer, Lockheed Martin.

RSA seems to think the vast majority of its customers aren't directly threatened by the hacking incident, but the company's reputation has taken a hit. And users and pundits alike have blasted RSA for not being clear about exactly what was taken, and how it could affect them.

Calls for more disclosure about the March hacking incident only got louder this week, after Lockheed Martin confirmed that it was reissuing RSA tokens company-wide in response to the attack, and after RSA began offering to replace tokens for any customers who asked.

By not disclosing what happened, RSA is making it hard for customers to understand the risks they face and make informed decisions, said Thierry Zoller, practice lead for Verizon Business Luxembourg. "It's time for them to come clean," he said. "By not coming clean they are creating more fear, uncertainty and doubt than necessary."

RSA has said the hackers were sophisticated, but it has been vague about what exactly they managed to steal. The best the company could do this week was to confirm that "the attack resulted in certain information being extracted from RSA’s systems that is related to RSA SecurID multi-factor authentication products."

Even without a clear answer from RSA, some security experts took the Lockheed Martin incident as proof that the hackers who broke into RSA's systems are now able to clone SecurID tokens and use them to break into networks.

If that were true, here's how an attack might work.

Attackers appear to have gained access to RSA's database of seed numbers, called "token records" in RSA parlance. These numbers are essentially the building blocks used to create the six-digit log-in numbers that RSA tokens generate every sixty seconds or so. The tokens are widely used by governments, contractors and banks to add a second layer of security alongside computer passwords.

With a seed number in hand, a technically savvy hacker could figure out what log-in number a SecurID token would generate at any given time. The trick, however, would be to figure out which particular token a victim was using. That's not obvious. RSA says it has shipped about 40 million tokens, so it would take some work to link a particular seed number to a particular user's SecurID token.

A criminal might be able to achieve this by posing as a network administrator and emailing a victim, telling them to visit a Web site and to log in with their password and SecurID login number. With just a couple of successive log-ins, hackers could figure out which of the millions of seed numbers was used to generate the log-in numbers. Or they could identify the seed numbers by asking victims to enter their tokens' serial numbers, say as part of a security audit, and then look that serial number up in their stolen database.

The IDG News Service is a Network World affiliate.