Friday, March 18, 2011

The words "Oh SHIT" really just don't cover it...

Uhhh... this is double plus ungood:

"RSA, the security division of Hopkinton-based EMC Corp., issued an “urgent message” to customers that its systems were hit by “an extremely sophisticated cyber attack.”

The message from RSA Executive Chairman Arthur Coviello was posted this afternoon on the company’s Web site and disclosed by EMC in a filing with the U.S. Securities and Exchange Commission.

“We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure,” Coviello wrote. “We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.”

He added that the hack “resulted in certain information being extracted” from RSA’s systems, relating to the company’s SecurID “two-factor authentication” products, which businesses and governments use to protect sensitive data on their computer networks.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello said. “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”"

And then this...

http://securosis.com/blog/rsa-breached-secureid-affected

You've gotta understand, SecurID is THE authentication solution for probably 80% of all high-security remote access systems out there.

If SecurID is compromised, even in a way that's technically easy to fix (like replacing the token seed records, which RSA ships on physical media rather than distributing electronically, for security reasons), you're talking about literally hundreds of thousands of man-hours to fix it, plus the couple of days of vulnerability before the media can be shipped and the seeds updated, plus all the lost work hours and productivity spent fixing and debugging the access issues that are sure to show up.

Many companies (including mine... and almost every other company I know of, for that matter) depend on SecurID for remote access, which is how a large percentage of their workforces get their jobs done.

I literally could not work without my SecurID token working, and it would take weeks to get an alternate solution in place, other than having to piggyback a terminal in a local office.

Any kind of systemic SecurID hiccup is a HUGE deal. Even minor problems in one company can often cost that company millions of dollars in lost productivity.

If it's a worse compromise than that... if, for example, it requires a trade-in of all SecurID authentication devices... and that's millions of tokens (I've got one, and I'd wager a large fraction of my readers do too), the issue could take months to resolve. The cost, loss of productivity, and loss of reputation may put the RSA division of EMC out of business.

And of course, those are the BEST case scenarios...

While it would be nice to think that every organization security-minded enough to use SecurID would be security-minded enough to keep up with security patching and compromise notices, and would have a procedure in place to disable remote access... reality says otherwise. There would likely be thousands and thousands of organizations running vulnerable for months, or even "forever". That could be billions in damage and lost privacy... tens of billions...

Let's hope the nature and extent of the compromise can be ABSOLUTELY PROVEN (to a standard of auditability by the NSA, which is even harder than you think it is) to be minor, non-systemic, and to present no end-user risk. Otherwise, this is a Chinese fire drill of epic proportions.