SecurID Thoughts

Today was my first day back at work since the 18th.   Anything happen in the world of security while I was gone?

What you say?   RSA was breached?  It has been funny following the obligatory reactions in the absence of actual information.   RSA’s first suggestion for action could have been written before the event.

One of the articles that piqued my interest was Larry Seltzer “RSA Hack Demonstrates Superiority of Cell Phone as 2nd Factor”  This article pronounced security tokens like securID a niche market that will further be eroded by this loss of confidence.  He promotes PhoneFactor as a viable alternative.

PhoneFactor upon request sends you a token via SMS message.  Like securID there can be a PIN.   It can also call you and read you  the tokencode.   What happens when the power goes out?   Weather events are when people are more likely to be working remotely.   In snowstorms this winter we had people without power for days.   Many people don’t have POTS as a backup anymore.   They only have the cell or they use a form of VOIP (Vonage or ISP provided phone service).  One could also be concerned about the transmission of the tokencode over an insecure medium.   

But this isn’t about PhoneFactor.   It is about RSA.   Gartner analyst Avivah Litan reports, RSA held a conference call today with industry analysts.  The recently patched Adobe Flash vulnerability, CVE-2011-0609, was used in this attack.   Adobe had reported this vulnerability being exploited in the wild prior to patching.   A Flash file inside an Excel file was used in the initial part of the attack.  

This email was sent to the spam folder at RSA.   Sounds like a good argument for not allowing users to review their detected spam.    

With this attack it becomes ever more important that the PIN not be written down and left with the card.    Security conscious companies are doing the only thing they can do in the short term.   They require longer PINs and enable PIN expiration.   This is going to lead to more writing down of the PIN.   I feel like this incident is being used to justify what should have been done in the first place. (requiring PIN changes, and longer PINs).  

If companies feel they need to change out cards to be secure, even if those cards were free there is high cost in the change over.   This will lead to people considering other changes.   That SmartCard program that once seemed so onerous and expensive wont seem as bad.   The time to be making those changes isn’t while the ink is still wet on the security advisory. 

Security projects like SIEM, user behavior monitoring, and DLP that were once extravegant expenses are beginning to look like a crucial part of a layered approach to defenses. 

But still, it is the basics.


  1. Looks like they do not have good security practise for their server and network systems. Good security tool without good security process is rendered useless.

    • I dont know. How many companies do you think would be able to catch this occuring in real time as some articles have said occured here.

      Most breach stories involve looking at what happened 6 months ago, not that many companies retain logs that long.

  2. I wonder if RSA’s use of “Advanced Persistent Threat” is just a marketing ploy a la “hey we know some current ISA buzzwords therefore we’re in the know!” or if it really was a successful breach perpetrated by a N. Korea, China or even a Russia? I also wonder if any government agencies (FBI, NSA, CIA) have even bothered to subpoena forensics from RSA to determine who / where the threat came from? All unanswered questions, and perhaps, rightly so.

Comments are closed.