Tuesday, June 7, 2011

RSA (In) SecurID Pulls A Sony

RSA had issued a vaguely worded blogpost on the breach of SecurID and who knows what else. Today, after numerous disclosed RSA SecurID related breaches, they have come clean... Or have they? They have promised to finally replace InSecurIDs with (drum roll please) more StrongerSecurIDs. Or have they? (More on that later, stay with us, now.)

The key problem that they have not approached was that they had a cash cow and maintained a central repository of ALL their customers' seeds and had an outdated approach to stronger security. That has not been addressed. We only know that it took a military contractor or two or three RSA SecurID-related breaches and a new, Pentagon-issued military doctrine for them to finally admit what most in the security world already knew.

Apparently this is the security equivalent of Ralph Nader's expose of the automobile industry.* RSA (In)SecurID still does not address any of the new emerging cyber attack vectors, and companies that replace old breached RSA tokens will still be left flapping in the breeze. So it begs the question: Do companies go along with the party line and continue with RSA even after it has let them down? After all, it was RSA that said:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

There is one caveat that we might have overlooked, as Uri Rivner had posted that on the official EMC RSA Blog on none other than April Fool's Day. Obviously, all RSA SecurID customers should have known that that was a big joke.

Unfortunately for them, the joke is stuck in a time-continuum lapse. If one is to read between the lines (it is RSA, after all, that's stuck in Pravda-speak), not all RSA SecurID customers are created equal. Their metric makes no sense and anyone who can decipher it (pun intended) is worthy of cracking an egg that has already been smashed on RSA customers. RSA's generosity for those worthy of an upgrade:
  • An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
  • An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
So what constitutes a customer with a concentrated user base, typically focused on protecting IP and corporate networks? Does that not include a consumer goods company with a VPN? And what about web-based companies that do not include financial transactions? We tried Google Translate and it blew up.

*The 1965 publication Unsafe at Any Speed: The Designed-In Dangers of the American Automobile

No comments:

Post a Comment