Another crucial episode in the RSA breach affair. In a letter published yesterday by Executive Chairman Art Coviello, a letter that will probably go into the annals of computer security, RSA confirmed that information taken in March had been used as an element of an attempted broader attack on Lockheed Martin. According to the company, this evidence was obtained on June 2nd, and so far the Lockheed Martin attack is the only one, among those (allegedly) aimed at other contractors, that has been confirmed as directly related to the use of compromised seeds.
Finally, this letter indirectly confirms that, given the stolen information, SecurID tokens have been compromised (but this was implicitly said in the original letters as well):
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”
and moreover, as was quite clear from the beginning, RSA believes that certain characteristics of the original attack indicated that the perpetrator’s most likely motive was to obtain an element of security information to be used to target defense secrets and related IP. For this reason, the Company worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure.
Another interesting (and agreeable) point of the letter is the fact that the unprecedented wave of cyber attacks against Epsilon, Sony, Google, PBS, and Nintendo has commanded widespread public attention. Although totally unrelated to the breach at RSA, these events, and this is a really important point, delineate a changing threat landscape and hence have heightened public awareness and customer concern: a landscape in which cybercrime and cyberwar dangerously overlap.
As a result, the Company is expanding its security remediation program, including two offers aimed at assuring SecurID users’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
Is this the dawn of a new age for two-factor authentication?