RSA compromise: Impacts on SecurID
By: Counter Threat Unit Research Team
On March 17, 2011, RSA announced that a cyberattack that they attributed to an "Advanced Persistent Threat" resulted in the compromise and disclosure of information specifically related to RSA's SecurID two-factor authentication products. RSA is the security division of EMC software, best known for the popular SecurID two-factor authentication tokens used in high-security environments. The full extent of the breach remains publicly unknown. RSA states that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." Organizations that make use of SecurID should be alert for attempts at circumventing their authentication infrastructure, though no specific attacks are known to be occurring at the time of this publication.
According to Threatpost.com, RSA is withholding further details due to an ongoing criminal investigation. Until additional information becomes available regarding the specific information that was compromised, a good deal of assumption and speculation is involved in preparing an appropriate response. However, certain information would be of interest to threat actors and fit RSA's criteria that the information "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation" while not facilitating "a successful direct attack on any of our RSA SecurID customers." This in turn allows for a reasonable response plan to be formulated.
As part of our Intelligence Services, the Dell SecureWorks Counter Threat Unit (CTU)™ research team has prepared a Threat Analysis discussing the breach, its possible impacts on RSA's clients, and recommendations on steps to take in response to the issue. We've decided to share that report publicly, in the interests of helping those who may be at risk.