
RSA finally comes clean: SecurID is compromised

posted on Jun, 7 2011 @ 10:24 PM



arstechnica.com

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password,
(visit the link for the full news article)



posted on Jun, 7 2011 @ 10:24 PM
So I was partially right. Hackers did compromise RSA key security.

Now the question is how in the world did they get access to the seeds in the first place.
I can only assume that they entered via a compromised machine on the network and got hold of the keys and the algorithm in order to render the whole SecurID security system worthless.

And how did they get hold of everyone's passwords? That's another question.

This just goes to show you: you need to have moderately complex to complex passwords, with at least 1 capital letter, 1 number, 1 special character, nothing that's a dictionary word, and at least 8 to 10 characters in length. Plus change it every 3 months.




posted on Jun, 7 2011 @ 10:41 PM
reply to post by grey580


How about a fresh perspective. Why the sudden wave of hacker attacks on high profile targets right after the pres himself started blabbing about internet security and needing to clamp down on our "freedoms" of speech and expression even more. Methinks most of them were "professional" jobs. Any takers?
edit on 7/6/2011 by xXxinfidelxXx because: (no reason given)



posted on Jun, 7 2011 @ 11:02 PM
reply to post by xXxinfidelxXx


I'll take that, every time they warn of some new potential threat, that threat manifests itself.

"we need to do 'this' in case 'this' happens"
"oh look, what did I tell you, 'it's' happening, now do you see why we need...etc...?"

That seems the most obvious answer, methinks. I agree with you 100%.



posted on Jun, 7 2011 @ 11:30 PM
RSA is secure, they just implemented it incorrectly with the SecurID probably. The only purported ways to crack RSA are via quantum cryptography. Unless hackers have quantum cryptography, all that has happened here is that the company designed a weak system really and it got leaked.

original discussion if interested:
www.abovetopsecret.com...
edit on 7-6-2011 by THE_PROFESSIONAL because: (no reason given)



posted on Jun, 7 2011 @ 11:35 PM
reply to post by THE_PROFESSIONAL


Read the article. This is new news on the attack methodology.
The hackers got hold of the seed for the code. They were able to then use the algorithm and generate RSA keys.
They didn't have to use quantum computing to crack the keys.
They did an end run around the security.
edit on 7-6-2011 by grey580 because: (no reason given)



posted on Jun, 7 2011 @ 11:41 PM
reply to post by grey580




The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token


Yes I understand it but the implementation is not right. Why generate a seed at all? A secret algorithm is not a secure one. An algorithm's strength relies on its ability to have strong keys.



posted on Jun, 8 2011 @ 02:30 AM
reply to post by grey580

I'm not an expert in this area but my brother uses one of these tokens so I'm familiar with them.
Why wasn't RSA more forthcoming to begin with? It's nice they finally came clean, but if they had done this earlier, they might have more credibility, right? On the other hand, I don't know how many realistic competitors RSA has for this type of thing, maybe they can get away with not being honest with their customers without losing them if there aren't many good alternative security suppliers comparable to RSA?


Originally posted by THE_PROFESSIONAL
Yes I understand it but the implementation is not right. Why generate a seed at all? A secret algorithm is not a secure one. An algorithm's strength relies on its ability to have strong keys.
No matter how strong the keys are, if a hacker finds out what the keys are, then they don't provide any security.

A seed was used because that's the way pseudo-random number generators work.

Let's say they didn't use a seed, but some other method to create keys. Those keys have to reside somewhere in order to be useful, both at the server and the remote user location. In that case, instead of finding the algorithm and the seed as happened with RSA, they would just try to find whatever alternative was used. No method is secure if the hackers can break into where the information about the keys is stored.

If the hackers weren't able to get in and uncover the seeds and algorithms, the RSA stuff would still be secure.
If RSA had used a different method, and the hackers got in, I don't see how the outcome would be any different, they would just know the secrets of the different method. You have to keep the hackers out.

Regarding passwords, they are supposed to be encrypted at the server, but I'm not entirely convinced you can't unencrypt them if you know the encryption algorithm, as a simple search shows things like this:
"Steps to retrieve and decrypt stored passwords:"...I won't post the details or link and that's for passwords stored in Firefox, but I'm not convinced RSA is immune from similar methods, and obviously now they admitted their vulnerability.

I would use Firefox to store my password to something that can't harm me like my ATS account, but I wouldn't let it store my password to my banking account or anything I considered sensitive. Encrypted passwords can be unencrypted.


edit on 8-6-2011 by Arbitrageur because: clarification
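The shared-seed property that grey580 and Arbitrageur describe above, as an added example that is not part of the thread or of RSA's product: SecurID's real algorithm is proprietary, so the HMAC-based TOTP construction of RFC 6238 is assumed here as a stand-in to show how token and server derive the same code from one seed, and why replacing the token (re-seeding) is the remedy once the seed store has been breached.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID-style 60-second code rotation


def totp_code(seed, unix_time, step=STEP_SECONDS, digits=6):
    """Code for the time step containing unix_time, derived from the shared seed (RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthServer:
    """Server side: the per-user seed database is the asset the thread says was stolen."""

    def __init__(self):
        self.seeds = {}

    def enroll(self, user, seed):
        self.seeds[user] = seed

    def reseed(self, user, new_seed):
        """Token replacement: anything derived from the old seed stops verifying."""
        self.seeds[user] = new_seed

    def verify(self, user, code, unix_time, window=1):
        """Accept neighbouring steps so clock drift between token and server does not lock users out."""
        seed = self.seeds.get(user)
        if seed is None:
            return False
        for delta in range(-window, window + 1):
            expected = totp_code(seed, unix_time + delta * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False


def token_demo():
    server = AuthServer()
    old_seed = b"constructed-seed-token-0001"     # constructed sample, not a real seed
    server.enroll("alice", old_seed)
    now = 1307500000                               # fixed timestamp (June 2011) for repeatability
    code = totp_code(old_seed, now)                # what the hardware token would display
    ok_before = server.verify("alice", code, now)
    ok_drift = server.verify("alice", code, now + STEP_SECONDS)   # one step of clock skew
    server.reseed("alice", b"constructed-seed-token-0002")
    ok_after = server.verify("alice", code, now)
    return ok_before, ok_drift, ok_after
```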



posted on Jun, 8 2011 @ 05:56 AM
Actually they aren't unencrypting passwords. AFAIK you can't unencrypt the hashed password.
What people usually do is guess what a password is and try to match it to the password hash.

In this case they found out the seed used to create the password and the code used to then generate the RSA key. It's very interesting that they also found out user passwords.

Very sophisticated hacking.
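Added example (not from the thread) of what grey580 describes above: a server never needs to "unencrypt" a stored password, it recomputes a salted, slow hash from the candidate and compares; the per-user salt and iteration count (PBKDF2-SHA256 is assumed here) are what make the guess-and-match approach expensive.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # deliberately slow: every guess an attacker tries costs this many rounds


def hash_password(password, salt=None):
    """Store only (salt, digest); the password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)                      # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """There is no decryption step: recompute from the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


def password_demo():
    """Correct password verifies, a one-character change does not, and the same password
    hashed under a fresh salt gives a different digest (one cracked hash does not expose
    every user who chose that password)."""
    salt, stored = hash_password("constructed-passphrase")   # constructed sample value
    return {
        "digest_len": len(stored),
        "correct": verify_password("constructed-passphrase", salt, stored),
        "wrong": verify_password("constructed-passphrase!", salt, stored),
        "resalted_differs": hash_password("constructed-passphrase")[1] != stored,
    }
```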



posted on Jun, 8 2011 @ 01:02 PM
I think I read where hackers were using GPUs to find hashed passwords in a few seconds to minutes. Don't remember how, but the GPUs run rings around CPUs in computational power by many orders of magnitude.



posted on Jun, 8 2011 @ 04:05 PM

Originally posted by Bramble Iceshimmer
I think I read where hackers were using GPUs to find hashed passwords in a few seconds to minutes. Don't remember how, but the GPUs run rings around CPUs in computational power by many orders of magnitude.
Yes, China claims to have the world's fastest supercomputer which uses lots of GPUs, they can do an incredible number of FLOPS. en.wikipedia.org...

Tianhe-1A is ranked on the TOP500 list as the fastest supercomputer at 2.6 petaFLOPS. It consists of 14,336 Intel Xeon CPUs and 7,168 Nvidia Tesla M2050 GPUs...



Originally posted by grey580
Actually they aren't unencrypting passwords. AFAIK you can't unencrypt the hashed password.
I don't know where you got that idea, maybe from RSA marketing material, back when they said they had an uncrackable system which has now been cracked?

ATS terms and conditions forbid us from discussing any details or posting any links about this stuff, but a single google search on the topic turned up exactly what Bramble Iceshimmer was talking about. RSA may still know more than they have released; they may know that someone figured out a way to get passwords from the hash but history is repeating itself and they won't admit it just like they didn't admit their tokens were compromised at first.

As wikipedia says:

en.wikipedia.org...

The most secure computers are those not connected to the Internet...
Once it's connected, it's apparently hard to make security impossible to compromise, as this incident has shown. I once read that Microsoft source code had been hacked from the internet. The first question I had was, why was that computer at Microsoft even connected to the internet? I see no reason for that. If they wanted to keep the source code secure, not connecting the computer with that information to the internet would be a good place to start.


