Anyone using RSA SecurID two-factor authentication tokens for remote access to sensitive information should reconsider using them until RSA, which last week admitted to a major breach of its network, clarifies exactly what was compromised, says NSS Labs.
In its analysis, entitled "RSA breach," NSS Labs indicates "it expects a string of breaches stemming from this event" and says it believes the RSA breach disclosed by RSA Executive Chairman Art Coviello on March 17 was for the hackers "a strategic move to grab the virtual keys to RSA's customers -- who are the most security conscious in the world."
"Military, financial, governmental, and other organizations with critical intellectual property, plans and finances are at risk," NSS Labs states.
The public comments that Coviello made, along with the Form 8-K filing made with the SEC about the break-in, have been inadequate and leave questions unanswered, says NSS Labs. Coviello called it an "advanced persistent threat" attack that did result in "certain information" related to SecurID being taken. An APT is a stealthy, often long-running intrusion, sometimes carried out by foreign governments or corporate rivals, whose goal is to steal valuable information.
NSS Labs said it believes "the locksmith's secrets may have been stolen, and the integrity of RSA's 2-factor authentication compromised. This knowledge breaks the 2-factor model since the attacker can now create the string required for a successful authentication, obviating the need to know the password and PIN. It will allow an attacker to login as a trusted user with corresponding access privileges."
Some analysts do expect to see a fix coming for RSA SecurID. And Gartner has suggested potential customers of SecurID may want to hold off on any product procurements until RSA makes more information public.
Today, IronKey, whose product IronKey Trusted Access for Banking can be used in combination with RSA SecurID, said "the most likely scenario proposed by industry experts is that the secret codes, also known as seeds, used to generate one-time passcodes have been compromised or stolen, potentially allowing RSA SecurID authentication to be performed without a genuine token."
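To make concrete what the stolen "seeds" described above would buy an attacker, here is an added example that is not code from the article, NSS Labs, RSA or IronKey. It models a time-based one-time-password token and the server that checks it. SecurID's tokencode algorithm is proprietary, so the example uses the public HMAC-based construction (RFC 4226 HOTP and RFC 6238 TOTP) as a stand-in; the token serial number, seed, PIN, timestamp and the `AuthServer` class are all constructed for the demonstration. It keeps a PIN as the second factor so that the effect of seed theft is visible: with the seed record (the serial-to-seed mapping) an attacker reproduces the current tokencode without possessing the hardware token, and the login then stands or falls on the PIN alone.

```python
"""Added illustration of seed theft against an OTP token (HOTP/TOTP stand-in
for SecurID's proprietary algorithm). All names and values are constructed."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second
    intervals since the Unix epoch (a 60 s step mirrors SecurID tokens)."""
    return hotp(seed, unix_time // step, digits)


class AuthServer:
    """Relying party (hypothetical). Like an authentication server loaded with
    a seed record file, it holds one secret seed per token serial plus the
    user's PIN. The passcode the user types is PIN followed by tokencode."""

    def __init__(self, records: dict, step: int = 60, window: int = 1):
        self.records = records      # serial -> (seed bytes, pin string)
        self.step = step
        self.window = window        # tolerate +/- one step of clock drift

    def authenticate(self, serial: str, passcode: str, now: int) -> bool:
        if serial not in self.records:
            return False
        seed, pin = self.records[serial]
        if len(passcode) != len(pin) + 6:
            return False
        typed_pin, typed_code = passcode[:len(pin)], passcode[len(pin):]
        pin_ok = hmac.compare_digest(typed_pin, pin)
        counter = now // self.step
        # Any tokencode inside the drift window is accepted.
        code_ok = any(
            hmac.compare_digest(hotp(seed, c), typed_code)
            for c in range(counter - self.window, counter + self.window + 1)
        )
        return pin_ok and code_ok


def demo_seed_theft(now: int = 1300000000) -> dict:
    """Constructed scenario: one token enrolled at the server. The legitimate
    token holder and an attacker holding a copy of the seed record both try
    to log in. Returns the outcome of each attempt."""
    serial = "000123456789"                                   # constructed
    seed = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed
    pin = "4829"                                              # constructed
    server = AuthServer({serial: (seed, pin)})

    # Legitimate user: the hardware token derives the code from seed + clock.
    token_code = totp(seed, now)
    legit = server.authenticate(serial, pin + token_code, now)

    # Attacker with the stolen seed record reproduces the same code without
    # the token. The only remaining secret is the PIN.
    stolen_code = totp(seed, now)
    attacker_with_seed = server.authenticate(serial, pin + stolen_code, now)
    attacker_wrong_pin = server.authenticate(serial, "0000" + stolen_code, now)

    # Without a matching seed record there is nothing to derive a code from.
    unknown_serial = server.authenticate("000999999999", pin + stolen_code, now)

    return {
        "legitimate_token": legit,
        "attacker_with_seed_and_pin": attacker_with_seed,
        "attacker_with_seed_wrong_pin": attacker_wrong_pin,
        "attacker_unknown_serial": unknown_serial,
    }


if __name__ == "__main__":
    for attempt, ok in demo_seed_theft().items():
        print(f"{attempt:32s} {'ACCEPTED' if ok else 'rejected'}")
```

The attacker with the seed and the attacker with the genuine token are indistinguishable to the server, which is the sense in which the "something you have" factor is gone; what survives is only the PIN, and only for as long as it is not phished or guessed. Note that the HOTP/TOTP arithmetic here is the public RFC construction, not RSA's algorithm, so only the structural point (seed plus time yields the code) carries over to SecurID.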