Geek Post Alert! RSA
I have held it in as long as I can.
REALLY? RSA? REALLY?
Of course, I don’t know the details; I’m just an infosec geek reading along with everyone else, but this is huge.
I am not an alarmist and do happen to agree with Stephen Northcutt that the breach is not a game-changer, in the broad sense of the word, but could it be a game-changer for RSA? Many say no; I wish I were as sure.
RSA is one of the preeminent security companies in the world; they have a lot of positive karma out there, and I hope it is enough.
I have been doing this long enough to know that yes, if someone wants to hack you, with enough patience and horsepower, they will. RSA has now fallen victim to that.
The disturbing part to me is the speculation about what they got. In the best case they got the list of take-out menus someone centrally stored on the servers; in the worst case, information detrimental to their two-factor authentication business. Again, there are degrees of bad here: just the private seeds with no client information is recoverable. Client information without seeds is also recoverable. Even seeds and client information together is fixable (keep in mind that all two-factor requires a password you know plus the numbers provided by the token). The bad guys don’t know your password – yet.
The scary part there is how easy it has been for malware and phishing emails to trick folks into giving up their two-factor authentication passwords.
I want to reiterate that I don’t have any insight into what was taken other than the standard press everyone else has read. In true security-world form, there will be limited groups who know the extent of the breach, but they will be wrapped in so many NDAs that the rest of the world will never know, and unfortunately it has to be that way. I used to work for radio stations as a journalist, reporting the news. Now I am in information security and realize that sometimes disclosure can be more detrimental than helpful.
While it would be easy to condemn and point fingers, this really can happen to anyone. It is just disappointing for it to happen to such a respected security provider.
Most may never register a direct impact between this breach and their normal everyday life, but many of us in the security field will hold our breath, anxiously waiting for the other shoe to drop and hoping we aren’t under it.
http://www.rsa.com/node.aspx?id=3872
http://www.insecureaboutsecurity.com/2011/03/18/the-emcrsa-breach-what-it-means/