Tuesday 7 June 2011

RSA mocking hype

And so RSA has finally acknowledged that the March hack can in fact result in risks. It took some while, and perhaps because of this the tweetosphere exploded with experts mocking RSA: SecurID is unsafe now. And the fact that RSA said it would replace insecure SecurIDs for only a few 'high risk' customers made things even worse.

And alas, for RSA things will not get better soon. Being vague about what exactly was stolen does not help win back the trust that was lost today.

But there is another problem. Media report that SecurID is corrupted, but as long as we don't know what the real problem is, no objective problem analysis is possible, and I have not yet seen one. What is the real risk for a regular RSA customer? Is everybody just repeating (RT'ing) others without thinking for themselves?

Fact: trust in RSA is low. No fact: SecurID is corrupted.

Let's just think of an attack scenario like this:
An attacker can calculate the security code, based on knowledge of the algorithm, using a seed from the stolen dataset. But which seed belongs to the token that is being used for authentication? Which token is used at all? A web login form does not contain this information. Besides, one would need a valid user ID (for a Windows domain), a valid password and the PIN code of the device, which is needed to prove legitimate use of the token.

Unless an attacker has all this information, he cannot authenticate. Even if an attacker could fool the RSA authentication server, that alone is not enough to gain access. More is required. That makes me think that the documented attacks must be inside jobs, and that the insiders had to steal the RSA data as well to make further remote access possible.
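To make the argument of the two paragraphs above concrete, here is an added toy model of the authentication chain (my own constructed example, not RSA's code; the real SecurID code function is not public, so a time-based HMAC stands in for it, and the serials, seeds, users and PIN length are made up). It shows that a seed file keyed by token serial, without the user-to-serial binding, password and PIN, does not get anyone through the server's checks.

```python
import hmac
import hashlib

# Constructed model: a time-based HMAC stands in for the undisclosed
# SecurID code function. Seeds, serials and user data are made up.
WINDOW = 60  # seconds per token code


def token_code(seed: bytes, now: int, window: int = WINDOW) -> str:
    """Six-digit code derived from the per-token seed and the time slot."""
    slot = (now // window).to_bytes(8, "big")
    digest = hmac.new(seed, slot, hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class AuthServer:
    """Seed database (what was reportedly stolen) plus the user bindings
    and credentials that a seed file alone does not contain."""

    def __init__(self, seeds, users):
        self.seeds = seeds  # serial -> seed
        self.users = users  # userid -> {"password", "serial", "pin"}

    def authenticate(self, userid, password, passcode, now) -> bool:
        user = self.users.get(userid)
        if user is None or not hmac.compare_digest(user["password"], password):
            return False
        pin, code = passcode[:4], passcode[4:]  # passcode = PIN + token code
        if not hmac.compare_digest(user["pin"], pin):
            return False
        expected = token_code(self.seeds[user["serial"]], now)
        return hmac.compare_digest(expected, code)


# Constructed sample data.
SEEDS = {"000123456789": b"seed-of-token-A", "000987654321": b"seed-of-token-B"}
USERS = {"alice": {"password": "correct horse", "serial": "000987654321", "pin": "4321"}}
SERVER = AuthServer(SEEDS, USERS)


def legit_login(now: int) -> bool:
    """The token holder: knows user ID, password, PIN and has the token."""
    code = token_code(SEEDS["000987654321"], now)
    return SERVER.authenticate("alice", "correct horse", "4321" + code, now)


def seed_only_guess(now: int) -> bool:
    """Holder of the seed file only: no user->serial binding, password or PIN.
    Trying every stolen seed still fails on the other factors."""
    return any(SERVER.authenticate("alice", "", "0000" + token_code(s, now), now)
               for s in SEEDS.values())
```

The model also makes visible what the seed leak does change: once the seed is known, the token code no longer adds secrecy, so the account is left protected by the password, the PIN and the user-to-serial binding only.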

I may be wrong; it must be because of all the fuss in the security community, but I really don't see SecurID compromised. I don't trust it now, because of the strange moves by RSA, but as far as I can see, SecurID can still be used as a means of strong authentication. But we need to know more about the data loss and we need to know more about the (obscure) security model.

And no, besides being a SecurID user I have no relationship whatsoever with RSA.
