The RSA breach, when it became public days later, would redefine the cybersecurity landscape.
Timo Hirvonen, a researcher at security firm F-Secure, which published an outside analysis of the breach, saw it as a disturbing demonstration of the growing threat posed by a new class of state-sponsored hackers. The question was quite literal. RSA's SecurID tokens were designed so that institutions from banks to the Pentagon could demand a second form of authentication from their employees and customers beyond a username and password—something physical in their pocket that they could prove they possessed, thus proving their identity.
Only after typing in the code that appeared on their SecurID token, a code that typically changed every 60 seconds, could they gain access to their account.
RSA had added an extra, unique padlock to millions of doors around the internet, and these hackers now potentially knew the combination to every one. The Kremlin operatives who hacked SolarWinds hid espionage code in an IT management tool called Orion, used by as many as 18, companies and institutions globally.
For those with a longer memory, though, the RSA breach was the original massive supply chain attack. Now those agreements have expired, allowing them to tell me their stories in new detail. After 10 years of rampant state-sponsored hacking and supply chain hijacks, the RSA breach can now be seen as the herald of our current era of digital insecurity—and a lesson about how a determined adversary can undermine the things we trust most.
A technical director investigating the anomalous login with Leetham and the admin asked Bill Duane, a veteran RSA engineer, to take a look. To Duane, who was busy working on a cryptographic algorithm at the time, the anomaly hardly looked like cause for alarm. The admin had been right. The RSA staffers began putting in nearly hour workdays, driven by the chilling knowledge that the breach they were tracking was still unfolding.
Management demanded updates on their findings every four hours, day or night. He'd opened it. But it was from this ingress that the RSA analysts say the intruders began to demonstrate their real abilities. Today that credential-stealing hopscotching technique is common.
But the analysts were surprised to see how the hackers fanned out across the network. Breaches as extensive as the one carried out against RSA are often discovered months after the fact, when the intruders are long gone or lying dormant. Hackers use e-mail-based or Web-based attacks to get a foothold in the company and then move about the company's internal networks looking for sensitive data to sneak out.
In this case, the hackers found information on RSA's SecurID products -- which are used on PCs, USB devices, phones and key fobs in about 25, corporations to provide an extra layer of security beyond a username and password for people logging into programs or networks.
Having access to RSA's internal networks and the SecurID source code might give criminals some subtle way of attacking SecurID users, but it shouldn't give them a way of completely breaking RSA's encryption, said Thorsten Holz, an assistant professor at Ruhr-University Bochum who studies computer security.
However, from RSA's statement, it's not clear exactly what the hackers were able to learn off the company network. According to Nate Lawson, a cryptographer and the founder of Root Labs, there's simply not enough information available to tell how bad the problem really is. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.
We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations. We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.
Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. APTs involve significant intelligence research and the use of numerous techniques to hack targets.
They need serious investment to be carried out. RSA is now in the process of informing customers about the dangers and how to strengthen SecurID implementations.
In an advice note to customers, RSA listed a number of recommendations for customers to follow, with the first point being to increase focus on security for social media applications and the use of them by anyone with access to critical networks. RSA has a wide range of customers, ranging from high-profile private companies to government bodies.