RSA out the window?

ShadowStriker


This admission puts paid to RSA's initial claims that the hack would not allow any "direct attack" on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.

As a result, SecurID offered no defense against the hackers that broke into RSA in March. For those hackers, SecurID was rendered equivalent to basic password authentication, with all the vulnerability to keyloggers and password reuse that entails.
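The point the quoted article makes, that a leaked seed plus a public algorithm lets anyone compute the same codes the token shows, can be seen concretely with the public HOTP/TOTP construction (RFC 4226 / RFC 6238). This is an added illustration, not code from the thread or from RSA: SecurID uses its own time-and-seed algorithm, not HOTP/TOTP, so only the security argument carries over, not the arithmetic. The seed record, the PIN and the timestamp are constructed values, and the function names are my own.

```python
"""
Added example: a seed-based one-time-password scheme collapses to a static
secret once the seed leaks.

HOTP/TOTP (RFC 4226 / RFC 6238) are used here as a stand-in for the SecurID
algorithm, which is a different construction. What carries over is that
whoever holds the seed can compute every code the token will ever show.
All seeds, PINs and times below are constructed for the example.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def verify_login(seed: bytes, pin: str, submitted_pin: str,
                 submitted_code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check of PIN + token code. The PIN is the knowledge
    factor; the code is supposed to prove possession of the token.
    `window` tolerates clock drift of +/- one 30-second step."""
    if not hmac.compare_digest(submitted_pin, pin):
        return False
    step = 30
    for drift in range(-window, window + 1):
        candidate = hotp(seed, unix_time // step + drift)
        if hmac.compare_digest(candidate, submitted_code):
            return True
    return False


def breach_scenario(now: int = 1_300_000_000) -> dict:
    """Model three parties: the server, the legitimate user's token, and an
    attacker who has (a) the user's PIN from a keylogger and (b) the seed
    record stolen from the token vendor. Returns which logins succeed."""
    seed = b"constructed-seed-record-for-token-0001"   # assumed leaked seed
    pin = "4271"                                         # assumed keylogged PIN
    user_code = totp(seed, now)                          # what the real token shows
    attacker_code = totp(seed, now)                      # same seed -> same code
    no_seed_code = totp(b"some-other-guess", now)        # attacker lacking the seed
    return {
        "user_login": verify_login(seed, pin, pin, user_code, now),
        "attacker_with_seed": verify_login(seed, pin, pin, attacker_code, now),
        "attacker_without_seed": verify_login(seed, pin, pin, no_seed_code, now),
        "codes_match": user_code == attacker_code,
    }


if __name__ == "__main__":
    for party, ok in breach_scenario().items():
        print(f"{party}: {ok}")
```

With the seed in hand the attacker needs nothing from the physical token; the only remaining barrier is the PIN, which is exactly the "basic password authentication" the article describes. Re-seeding (or replacing) the tokens is the only way to restore the possession factor, which is why the replacement programme is the tell.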
 
It's not quite as simple as that because of security requirements that basically force you to use RSA products in the gov't space.

With lots of remote workers that support multiple remote sites, since no one wants to foot the bill for dedicated on-site staff anymore, this type of problem was inevitable. I know we can't simply cease using two-factor authentication because quite literally, other than the networks team, no one that supports our datacenter is even located in the same part of the country.

RSA should be more forthcoming (maybe they are with affected corporations and we just don't know about it though).
 
Yup, that's a great strategy if you're an RSA customer that wasn't affected yet: wait till you get hacked, then we'll tell you how they did it...

But two-factor auth is here to stay because there wasn't anything wrong with tokens as such (afaik). Tokens will get replaced and security-wise it'll be the same as it was. Not for RSA though, with their rep down, it's perfect time for competition to step up. Which I think was missing here.
 
/Dumped RSA right after they didn't fess up after the break-in
 
This is one of the reasons I like soft-tokens like Google's two-factor for gmail. In the event of any kind of breach (while still very bad), a new patch is all it takes to fix versus redistributing a bunch of keys.
 

I use a smart card for my work laptop to log in over VPN... pain in the arse though!
 
That's what was so good about RSA tokens; easy to use and hard to mess up.
 
We now use the MobilePASS app on a smartphone to generate a token code
 