Replacing RSA SecurID Tokens Not So Simple

Published: 22/11/2024   Category: security




There are plenty of in-house logistics -- and no guarantees that the new tokens won't be eventually compromised, security experts say



Should all RSA SecurID customers take the company up on its new offer to swap out their authentication tokens as a precaution?
Not so fast, security experts warn. While RSA says it will provide replacements for SecurID tokens to allay security concerns in the wake of its breach and the subsequent related breach at Defense contractor Lockheed Martin, the move might be only a temporary fix if the attackers who compromised RSA's SecurID servers indeed got the seed files. And replacing tokens takes more than a hardware swap: There are logistics, such as enrollment and getting the help desk involved, and the tokens then must be redeployed with Active Directory so that the back-end VPN system recognizes them, for example.
But some RSA customers say they still don't have enough information from RSA to determine whether they are actually at risk. RSA still hasn't come clean with all of the details on what the bad guys stole. If the seeds were compromised, for instance, then SecurID customers who replace their tokens might have to do so again at another time.
Customers need to ask RSA why new tokens matter. "Does getting a new token mean I'm more secure? That's the question that needs to be asked," says Marcus Carey, a security researcher with Rapid7. Companies need to know that this isn't a token gesture.
RSA late yesterday confirmed that a breach last month at its customer Lockheed Martin was tied to an attack in March on its own systems. RSA chairman Art Coviello said in a blog post that on June 2 his firm determined that SecurID data stolen from RSA was used as an element of an attempted broader attack on Lockheed Martin.
Coviello said the attack on Lockheed appears to be part of a targeted attack on Defense contractors, that it doesn't reflect a new threat or vulnerability in RSA SecurID technology, and that the remediation steps it had recommended for customers would help to deliver the highest levels of customer protection.
Security experts say Coviello's latest post appears to confirm that some of the SecurID seeds were compromised in the attack against RSA. "There's no mention of why it's not going to happen again or what has been done to make the seeds more secure," says Max Caceres, a security expert. "It's unclear what you are getting out of taking [on] that cost [of replacing tokens]," he says.
Token replacements aren't for every organization, he says. "Every company is different. They should be cautious about how they go about doing that. They need to talk a little more with RSA to understand what has changed now if they do the replacements, and get more assurances around what the security benefits by replacing tokens," Caceres says.
"It's unclear if six months down the road you'll have to replace them again," he says.
Marcus Ranum, CTO at Tenable Security, says that if you're not a big Defense contractor, then you probably don't need to get new SecurID tokens. A bigger problem is protecting your firm from social-engineering attacks to grab user credentials, he says. "You need to make sure your IT staff is particularly careful about social engineering," he says.
Even so, RSA's offer to replace the tokens is good timing for a refresh for customers' keyfobs, he says. "That will reset the clock for another five years," he says.
Other experts say replacing the tokens is better than doing nothing now that the cat is out of the bag. "There's a good chance you lost the reason you moved to two-factor authentication in the first place. You could now be left with one-factor," says Tsion Gonen, corporate vice president of products and marketing at SafeNet. "Our view is you have to do something about it … otherwise, you're back to [just] a username and password."
Gonen suggests that at a minimum, RSA customers should have replaced their tokens and changed passwords months ago when RSA admitted it had been hacked. Still, it's no surprise that Lockheed Martin and others did not. "People are change-averse," Gonen says.
And there's always risk associated with relying on an outsourced seed model, like RSA's for SecurID. SafeNet's Gonen says this refresh is also a chance to take seeds in-house. "Make sure you program the token yourself," says Gonen, whose firm offers such a product.
"Maybe RSA will offer the option for users to own the seeds themselves and program their own tokens at some point as well," he says.
Meanwhile, RSA's Coviello did say in his post that the company will add extra factors for strong authentication to SecurID. "We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions," he wrote.