Partners Skeptical Of RSA Plan To Replace SecurID Tokens


RSA’s decision to re-issue SecurID tokens following a wave of cyber attacks targeting the two-factor authentication product is a necessary, if tardy, gesture, but it fails to fully re-establish trust in the effectiveness of the tokens, several partners said Wednesday.

In response to a recent spate of high-profile attacks targeting Lockheed Martin, Northrop Grumman and L3 Communications, Art Coviello, executive chairman of RSA, the Security Division of EMC, announced Tuesday that RSA planned to replace SecurID tokens for customers focused on protecting intellectual property and corporate networks, and to implement risk-based authentication strategies for consumer-oriented customers focused on protecting financial transactions.

“We are expanding our security remediation program to reinforce customers’ trust in RSA SecurID tokens and in their overall security posture,” said Coviello, in the open letter to RSA customers Tuesday. “It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker.”

However, many RSA channel partners contend that the security company’s efforts were too little, too late, coming more than two months after the breach was first acknowledged, and only after a high-profile customer disclosed that it had been the victim of a cyber attack.

An RSA spokesman late Wednesday afternoon said that the company would prepare a response to partners' concerns soon.

“They should have replaced those tokens earlier when they got hacked,” said one New Jersey-based solution provider who asked to speak off the record. “People are assuming the seed values are compromised. If that’s what happened, they should have replaced them earlier.”

Partners say that, as expected, the SecurID hack and the public cyber attacks on major defense contractors that followed have been a source of alarm for customers, many of whom have requested alternatives to RSA’s two-factor authentication products altogether.

“We actually have customers asking to replace their RSA tokens,” said Andrew Plato, CEO of Beaverton, Ore.-based Anitian Enterprise Security. “This is a potentially big issue. And RSA needs to respond to this quickly. I think they should offer a trade-in for all affected tokens; provide new tokens or new encryption seeds that have not been compromised, if that is possible.”

RSA’s offer to replace customers’ tokens comes days after defense contractor Lockheed Martin publicly confirmed that it had been the victim of a “significant and tenacious” cyber attack in which the attackers leveraged information stolen in the earlier RSA breach, widely believed to be SecurID seed data, to defeat the two-factor authentication protecting remote VPN access. Neither Lockheed nor RSA has described the attack as exploiting a flaw in the tokens themselves.

The giant weapons manufacturer first became aware of the problem in May, when IT administrators detected a network disruption that appeared to be an external intrusion. The company subsequently shut down remote access to its computer systems, began re-issuing SecurID tokens to many of its employees, and required a password reset for its more than 120,000 workers.

Since then, two other defense contractors, Northrop Grumman and L3 Communications, have reportedly experienced similar attacks by hackers targeting their SecurID tokens.

“The hackers are going after the highest level targets and of course the sensitivity of that is off the charts. Re-issuing tokens is probably the right move. It’s probably their only move,” said Jonathan Dambrot, CEO of Warren, N.J.-based Prevalent Networks.

Partners Question Security Of RSA Tokens

Plato added that the recent attacks against defense contractors could herald more to come, given that the tokens’ seed values were compromised and circulating in the cyber underground.

“This is the tip of the SecurID iceberg. It is obvious there was a serious breach at RSA. And the knowledge of how to hack SecurID is spreading across the hacking community,” he said.

Yet others are questioning the effectiveness of replacing tokens that have already been compromised.

“The technology is broken. If you’re sending out new tokens, aren’t they still broken? Are they really fixing the problem?” asked Michelle Drolet, CEO of Framingham, Mass.-based TowerWall. “Their technology is on the open market now. Because it’s been compromised, whatever they do, unless they redevelop their technology, they are always going to be at risk.”

An RSA spokesperson said that the newly re-issued tokens would not be compromised and would not put customers at risk.

RSA’s stated plan to replace tokens comes more than two months after Coviello first acknowledged that RSA’s SecurID two-factor authentication tokens had been targeted in a sophisticated attack of the kind known as an Advanced Persistent Threat.

Coviello said in a March open letter that at the time he was “confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers.” However, he remained mum on exactly what was taken or how it might affect customers.

Meanwhile, some solution providers contended that the mystery surrounding details of the SecureID hack contributed to growing fear and doubt.

“I don’t think anybody has really come out and truly identified publicly what exactly happened from an RSA perspective,” Dambrot said, while acknowledging RSA was likely in the process of investigating the incident before coming to conclusions about remediation efforts. “I think there’s always this balancing act. People want more information. Without that information, they have a natural tendency to think the worst.”

However, some partners were critical of RSA’s approach to disclosure that kept many details of the hack under wraps. The approach carried critical implications because attack targets were weapons manufacturers, partners said.

“They notified people, but there was no disclosure on the backend. That to me is egregious. Companies like Lockheed Martin -- that’s our military. They’re protecting our soldiers,” said one East Coast security solution provider who asked to speak off the record. “They’re number one in two-factor authentication. They should have conducted even more full disclosure to their customers.”

“It’s not losing credit cards, you’re talking about missiles here,” the solution provider said.

Anitian Enterprise Security’s Plato said that while he “wasn’t ready to throw RSA under the bus quite yet,” he would take a “wait and see” approach regarding RSA’s response in the wake of the fallout from the SecurID breach and the subsequent cyber attacks.

“I think they have a problem and we need to see how they respond. I liken this to the McAfee DAT update disaster that happened about a year ago. That event, in my opinion, still remains the model for how to handle a major incident,” he said. “RSA has smart people and they have been around a long time. I think they can weather this. They have big EMC behind them who can and should be throwing resources at this issue. Perhaps they can even come out of this a little stronger.”