Volume 11, Number 11 -- March 22, 2011

Security of SecurID In Question Following Hack of RSA

Corrected: March 30, 2011

by Alex Woodie

Following the disclosure by RSA Security over the weekend that its computers had been hacked and information relating to its two-factor authentication product, SecurID, had been compromised, customers who rely on RSA's products are wondering what steps they should take next.

In an open letter to RSA customers, RSA's executive chairman Art Coviello Jr. explained that RSA recently discovered it was the victim of an "extremely sophisticated cyber attack," which he characterized as an Advanced Persistent Threat (APT). The company's security team detected the attack while it was in progress and, he says, immediately took steps to further harden RSA's systems against a recurrence.

During the subsequent investigation, RSA discovered that the attack "resulted in certain information being extracted from RSA's systems," including information about SecurID, one of the most popular products of RSA, the security division of EMC.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello says.

While Coviello says there is no evidence that any SecurID customer has been compromised as a result of the attack, it is clear from RSA's statement that it believes the hack, and the sensitive data the attackers carried off, could conceivably play a supporting role in a later compromise of a customer's systems.

SecurID authenticates a user with two factors: a secret seed, programmed into a hardware or software token, from which the token derives a fresh tokencode every 60 seconds, and a PIN that lives in the user's head. The user types the PIN and the current tokencode together as a single passcode, and the authentication server, which holds its own copy of every token's seed, recomputes the expected tokencode and checks both halves. Even in the worst case, in which RSA's complete seed database was taken and the attackers can now compute any token's codes without ever holding the token, that does not automatically mean SecurID customers will soon become the subject of a "successful direct attack," as Coviello puts it. What still stands between an attacker and a login is the PIN, and knowledge of which seed belongs to which user at which customer, both of which would have to be obtained by other means--the "broader attack" the letter alludes to. Put differently, a seed leak does not break two-factor authentication outright; it degrades it toward one factor, and the remaining factor is a short PIN that phishing, keylogging or guessing can reach.
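To make the reasoning above concrete, here is an added illustration in Python; it is not RSA's code, and since SecurID's tokencode algorithm is proprietary the token is stood in for by RFC 6238 TOTP (HMAC-SHA1, 60-second step, six digits). Every seed, token serial, PIN and authentication-log record below is constructed for the example. It shows a legitimate PIN + tokencode login, what an attacker holding a copy of the seed record can and cannot do, and one log check a server operator can run: repeated attempts where the tokencode is right but the PIN is wrong, which is the footprint of someone who can compute codes but is still guessing the second factor.

```python
"""Two-factor login as SecurID-style PIN + tokencode, and what a leaked
token seed does to it.

Added illustration, not RSA's code. SecurID's real tokencode algorithm is
proprietary, so the token is stood in for by RFC 6238 TOTP (HMAC-SHA1,
60-second step, six digits). Every seed, serial, PIN and log record here
is constructed for the example.
"""

import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID tokens display a fresh code every 60 s
DIGITS = 6

# Constructed seed-record store: token serial -> secret seed. The
# authentication server holds this table; the same seed is programmed
# into the token with that serial, which is what makes the code checkable.
SEED_RECORDS = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
}

# Constructed user directory: user -> (assigned token serial, PIN).
USERS = {
    "alice": ("000123456789", "4471"),
}


def tokencode(seed, unix_time):
    """The code a token holding `seed` shows at `unix_time` (TOTP stand-in)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


def verify_passcode(user, passcode, unix_time, drift_steps=1):
    """Server-side check of passcode = PIN + tokencode.

    Returns (accepted, reason). The reason separates a wrong PIN from a
    wrong tokencode so the authentication log can be analysed; a real
    server must return the same generic failure to the client."""
    serial, pin = USERS[user]
    seed = SEED_RECORDS[serial]
    # Accept neighbouring windows so a token with a slow clock still works.
    valid = {tokencode(seed, unix_time + k * STEP_SECONDS)
             for k in range(-drift_steps, drift_steps + 1)}
    pin_ok = hmac.compare_digest(passcode[:len(pin)], pin)
    code_ok = passcode[len(pin):] in valid
    if pin_ok and code_ok:
        return True, "ok"
    if code_ok:
        return False, "bad-pin"        # right code, wrong PIN
    if pin_ok:
        return False, "bad-tokencode"  # right PIN, wrong or stale code
    return False, "bad-both"


def attacker_tokencode(serial, stolen_seeds, unix_time):
    """With a copy of the seed record, the code is computable without ever
    touching the token: the 'something you have' factor becomes a lookup."""
    return tokencode(stolen_seeds[serial], unix_time)


def suspicious_users(attempt_log, threshold=3):
    """Users with repeated right-code / wrong-PIN failures. A legitimate
    user who mistypes gets the code wrong about as often as the PIN;
    someone computing codes from a stolen seed produces only 'bad-pin'."""
    counts = {}
    for user, reason in attempt_log:
        if reason == "bad-pin":
            counts[user] = counts.get(user, 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


def demo(now=1_300_000_000):
    """Legitimate login, then the article's worst case: seeds in attacker hands."""
    serial, pin = USERS["alice"]
    legit_ok, _ = verify_passcode("alice", pin + tokencode(SEED_RECORDS[serial], now), now)

    stolen = dict(SEED_RECORDS)              # constructed: the attacker's copy
    log = []
    for guess in ("0000", "1234", "1111"):   # the PIN is still unknown
        _, reason = verify_passcode("alice", guess + attacker_tokencode(serial, stolen, now), now)
        log.append(("alice", reason))
    # Once the PIN is also obtained (phished, keylogged), the stolen seed suffices.
    with_pin, _ = verify_passcode("alice", pin + attacker_tokencode(serial, stolen, now), now)
    return legit_ok, log, suspicious_users(log), with_pin


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(True, [('alice', 'bad-pin'), ('alice', 'bad-pin'), ('alice', 'bad-pin')], {'alice'}, True)`: the genuine login succeeds, three seed-holder attempts fail on the PIN alone and trip the log check, and the same attacker succeeds the moment the PIN is known. The distinct failure reasons exist only for the server's own log; returning them to the client would hand an attacker an oracle for each factor separately.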

RSA isn't sharing a lot of specific information about the attack or what it means for SecurID customers. In a post to its SecurCare Online support system, the company states: "We strongly urge immediate customer attention to this advisory, and we are providing immediate remediation steps for customers to take to strengthen their RSA SecurID implementations."

Several IBM i security software companies are RSA partners and make products that let IBM i servers authenticate users with SecurID tokens, including Safestone, Townsend Security, and others.

This article has been corrected. Powertech's IBM i security software does not integrate with RSA's SecurID product. It previously sold a product that integrated with a different RSA encryption product. IT Jungle regrets the error.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed



Copyright © 1996-2011 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
