Break in at the locksmith

The IT security world was rocked by the publication of an open letter from Art Coviello, head of security vendor RSA, on 18 March.

In the letter he said the company had ‘identified an extremely sophisticated cyber-attack in progress’. ‘An investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat’. In layman’s terms that means that a burglar broke in, the alarms didn’t go off, and they were there for quite a time.

‘The attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.’ Just about anyone who has used a corporate Virtual Private Network in the last ten years will be familiar with these tokens, which display an apparently random six-digit number that changes every minute or so. This number is used together with some other password (the two factors) to log in.

I am sure this letter will become a case study in damage limitation – see my earlier blog “Sorry seems to be the hardest word”. This was a clear example of the minimum necessary disclosure approach. There was much speculation at the Financial Sector Technology Expo in London today about what might have been stolen. “If I knew, I couldn’t tell you,” said one Chief Security Officer. “They are only speaking to a very few of their major customers at banks, and then under tight Non-Disclosure Agreements.”

In the absence of hard facts, most informed opinion suggests the breach included the data that links the key used to generate the number to the identification number engraved on the back of each token. This is supported by advice going around that you should remove this engraved number – and by RSA’s fix, which is to issue replacement tokens.
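To make concrete why a serial-to-seed table is the “master key” described above and below, here is an added example (not RSA’s code, and not the proprietary SecurID algorithm) using the open RFC 4226/6238 HMAC-based one-time-password scheme that software tokens use today; the serial number and seed are constructed values. It shows that the token’s display and the server’s check are both computed from the same per-token seed, so whoever holds the seed table can reproduce every code a token will ever show.

```python
"""Why a token vendor's seed database is as sensitive as the tokens.

Added illustration using RFC 4226 (HOTP) and RFC 6238 (TOTP), not the
proprietary SecurID algorithm; the principle it demonstrates is the same.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since 1970."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check, tolerant of +/- `skew` steps of token clock drift.
    Note the server needs nothing the token does not also hold: the seed."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


# Constructed serial -> seed table, as a vendor or VPN gateway would keep it.
# The seed is the published RFC 4226/6238 test-vector secret, not a real one.
SEED_DB = {"000123456789": b"12345678901234567890"}


def token_display(serial: str, unix_time: int) -> str:
    """What the physical token with this serial shows at `unix_time`.
    Anyone holding SEED_DB computes exactly the same value, which is why
    the engraved serial plus a copy of the table defeats the second factor."""
    return totp(SEED_DB[serial], unix_time)
```

Rotating the seeds (i.e. issuing new tokens) is the only remedy once the table is suspected compromised, which is what RSA did.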

So the news headlines again:

  • There has been a break-in at the locksmith’s.
  • Some of the customers’ master keys have been stolen.
  • Why did they need to keep a copy?
  • Could you trust that locksmith again?