On 18 March 2011, RSA announced that its IT systems had been subjected to a very sophisticated attack. In this attack, certain data related to the SecurID products was extracted.
Onsight is an Affiliate Elite Partner of RSA, advising its clients about RSA products and also implementing them, including the SecurID products. Via this website, we keep our clients and other interested parties informed about developments regarding the RSA cyber attack.
Best practice guidelines
RSA is advising clients with SecurID products to follow the best practice guidelines. You can download these documents from the right-hand column on this page. There, you will also find other documents with more information.
Our business consultants can help you check your security environment and implement the best practices. They can also provide you with information about additional measures which you can take to raise the security level of your IT environment. Would you like further information about the support options? If so, please contact us to discuss your requirements.
Do you have any questions, or would you like further information about this subject? If so, please contact Peter Pronk, Onsight's technical director. You can call him on +31 26 352 01 00 or contact him by email: firstname.lastname@example.org.
How did this start?
On 18 March 2011, RSA Executive Chairman Art Coviello published a letter (http://www.rsa.com/node.aspx?id=3872) stating that RSA had been subjected to an Advanced Persistent Threat (APT) cyber attack. This extremely sophisticated attack led to the theft of information related to the RSA SecurID product. RSA disclosed that the algorithm for calculating the token codes was not stolen.
How did the attack happen?
You can read how the attack was carried out at http://blogs.rsa.com/rivner/anatomy-of-an-attack/.
What are the risks?
Assuming that the hacker has the seed records, theoretically there is a greater chance of a successful attack taking place. An attacker needs several pieces of information to hack into a business network successfully, such as the algorithm for calculating the token code, the user's login name, the PIN code, the serial number of the token, the associated seed record, the URL of the portal and the login name/password combination of the applications behind the portal. The best way to get hold of this information is by means of social engineering: workstations are infected with malicious code by enticing users or administrators into clicking on mail attachments or visiting certain websites. This can only be avoided if everyone becomes more aware of the dangers, i.e. more security aware. People must restrain their curiosity with regard to suspicious emails.
What is a seed record?
It is assumed that the so-called ‘seed records’ have been stolen. A seed record is a symmetric encryption key, a so-called shared secret between the authenticator (token) and the authentication server. A new token code is generated from the seed and the current time every 60 seconds in accordance with a specific algorithm. Together with a PIN code, this token code is used as a password. The server can check whether this password is correct by performing the same calculation.
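The shared-secret check described above, as an added example that is not from the original article or from RSA: it uses the public RFC 6238 (TOTP) construction as a stand-in, because the SecurID algorithm itself is not given on this page. The seed, PIN and timestamp are constructed sample values, and the one-window clock-drift tolerance is an assumption.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per token code, as stated in the article


def token_code(seed: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """Derive the code for the time window containing unix_time (RFC 6238 style)."""
    counter = struct.pack(">Q", unix_time // step)         # window number, big-endian
    mac = hmac.new(seed, counter, hashlib.sha1).digest()   # keyed with the shared seed
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed: bytes, pin: str, passcode: str, now: int, drift: int = 1) -> bool:
    """Server side: redo the token's calculation and compare PIN + code.

    Accepts the current window and `drift` windows either side to absorb
    clock skew between token and server (assumed tolerance).
    """
    for window in range(-drift, drift + 1):
        expected = pin + token_code(seed, now + window * STEP)
        if hmac.compare_digest(expected.encode(), passcode.encode()):
            return True
    return False


# Constructed sample values, not real SecurID data.
SEED = b"constructed-demo-seed-0001"
PIN = "4821"
NOW = 1300406400

if __name__ == "__main__":
    code = token_code(SEED, NOW)
    print("token displays      :", code)
    print("PIN + code accepted :", verify(SEED, PIN, PIN + code, NOW))
    # The code depends only on the seed and the time. The PIN is not derived
    # from the seed, so it is the factor that remains if seeds are exposed.
    print("code without PIN    :", verify(SEED, PIN, code, NOW))
```

Because the server stores the same seed as the token, the confidentiality of the seed records and of the PIN together carry the strength of the passcode.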
I am an RSA SecurID client, what should I do?
In an open letter (http://www.rsa.com/node.aspx?id=3891) published further to a number of attacks which appear to be related to the RSA cyber attack, Art Coviello announced that RSA is offering to provide its customers with replacement tokens. There are currently 40 million tokens in circulation all over the world. The exact conditions under which the replacement of the tokens would take place are not yet known. Clients who wish to be eligible for replacement must in any case assess whether the best practice documents have been followed and whether the users are security aware. It is possible that these guidelines, in combination with greater security awareness, could sufficiently reduce the chances of a successful attack.
What is the best way of setting up the RSA SecurID environment?
RSA has a number of best practice documents containing guidelines for setting up RSA SecurID environments. These can be downloaded from http://rsa.com/node.aspx?id=3876