It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

RSA finally comes clean: SecurID is compromise

page: 1
3

log in

join
share:

posted on Jun, 7 2011 @ 10:24 PM
link   

RSA finally comes clean: SecurID is compromise


arstechnica.com

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password,
(visit the link for the full news article)




posted on Jun, 7 2011 @ 10:24 PM
link   
So I was partially right. Hackers did compromise RSA key security.

Now the question is how in the world did they get access to the seeds in the first place.
I can only assumed that they entered via a compromised machine on the network and got hold of the keys and the algorithm in order to render the whole SecureID security system worthless.

And how did they get hold of everyones passwords? That's another question.

This just goes to show you. You need to have moderately complex to complex passwords. With at least 1 capital letter, 1 number, 1 special character, nothing that's a dictionary word and at least 8 to 10 characters in length. Plus change it every 3 months.

arstechnica.com
(visit the link for the full news article)



posted on Jun, 7 2011 @ 10:41 PM
link   
reply to post by grey580
 


How about a fresh perspective. Why the sudden wave of hacker attacks on high profile targets right after the pres himself started blabbing about internet security and needing to clamp down on our "freedoms" of speech and expression even more. Methinks most of them were "professional" jobs. Any takers?
edit on 7/6/2011 by xXxinfidelxXx because: (no reason given)



posted on Jun, 7 2011 @ 11:02 PM
link   
reply to post by xXxinfidelxXx
 


I'll take that, every time they warn of some new potential threat, that threat manifests itself.

"we need to do 'this' in case 'this' happens"
"oh look, what did I tell you, 'it's' happening, now do you see why we need...etc...?"

That seems the most obvious answer me thinks, I agree with you 100%



posted on Jun, 7 2011 @ 11:30 PM
link   
RSA is secure, they just implemented it incorrectly with the SecureID probably. They only purported ways to crack RSA is via quantum cryptography. Unless hackers have quantum cryptography all that has happened here is that the company designed a weak system really and it got leaked.

original discussion if interested:
www.abovetopsecret.com...
edit on 7-6-2011 by THE_PROFESSIONAL because: (no reason given)



posted on Jun, 7 2011 @ 11:35 PM
link   
reply to post by THE_PROFESSIONAL
 


Read the article. This is new news on the attack methodology.
The hackers got hold of the seed for the code. They were able to then use the algorithm and generate rsa keys.
They didn't have to use quantum computing to crack the keys.
They did an end run around the security.
edit on 7-6-2011 by grey580 because: (no reason given)



posted on Jun, 7 2011 @ 11:41 PM
link   
reply to post by grey580
 




The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token


Yes I understand it but the implementation is not right. Why generate a seed at all. A secret algorithm is not a secure one. An algorithm's strength relies in its ability to have strong keys.



posted on Jun, 8 2011 @ 02:30 AM
link   
reply to post by grey580
 

I'm not an expert in this area but my brother uses one of these tokens so I'm familiar with them.
Why wasn't RSA more forthcoming to begin with? It's nice they finally came clean, but if they had done this earlier, they might have more credibility, right? On the other hand, I don't know how many realistic competitors RSA has for this type of thing, maybe they can get away with not being honest with their customers without losing them if there aren't many good alternative security suppliers comparable to RSA?


Originally posted by THE_PROFESSIONAL
Yes I understand it but the implementation is not right. Why generate a seed at all. A secret algorithm is not a secure one. An algorithm's strength relies in its ability to have strong keys.
No matter how strong the keys are, if a hacker finds out what the keys are, then they don't provide any security.

A seed was used because that's the way pseudo-random number generators work.

Let's say they didn't use a seed, but some other method to create keys. Those keys have to reside somewhere in order to be useful, both at the server and the remote user location. In that case, instead of finding the algorithm and the seed as happened with RSA, they would just try to find whatever alternative was used. No method is secure if the hackers can break into where the information about the keys is stored.

If the hackers weren't able to get in and uncover the seeds and algorithms, the RSA stuff would still be secure.
If RSA had used a different method, and the hackers got in, I don't see how the outcome would be any different, they would just know the secrets of the different method. You have to keep the hackers out.

Regarding passwords, they are supposed to be encrypted at the server, but I'm not entirely convinced you can't unencrypt them if you know the encryption algorithm, as a simple search shows things like this:
"Steps to retrieve and decrypt stored passwords:"...I won't post the details or link and that's for passwords stored in Firefox, but I'm not convinced RSA is immune from similar methods, and obviously now they admitted their vulnerability.

I would use Firefox to store my password to something that can't harm me like my ATS account, but I wouldn't let it store my password to my banking account or anything I considered sensitive. Encrypted passwords can be unencrypted.


edit on 8-6-2011 by Arbitrageur because: clarification



posted on Jun, 8 2011 @ 05:56 AM
link   
Actually they aren't unencrypting passwords. AFAIK you can't unencrypt the hashed password.
What people usually do is guess what a password is and try to match it to the password hash.

In this case they found out the seed used to create the password and the code used to then generate the rsa key. It's very interesting that they also found out user passwords.

Very sophisticated hacking.



posted on Jun, 8 2011 @ 01:02 PM
link   
I think I read where hackers were using GPUs to find hashed passwords in a few seconds to minutes. Don't remember how but the GPUs run rings around CPUs in computational power in many orders of magnitude.



posted on Jun, 8 2011 @ 04:05 PM
link   

Originally posted by Bramble Iceshimmer
I think I read where hackers were using GPUs to find hashed passwords in a few seconds to minutes. Don't remember how but the GPUs run rings around CPUs in computational power in many orders of magnitude.
Yes, China claims to have the world's fastest supercomputer which uses lots of GPUs, they can do an incredible number of FLOPS. en.wikipedia.org...

Tianhe-1A is ranked on the TOP500 list as the fastest supercomputer at 2.6 petaFLOPS. It consists of 14,336 Intel Xeon CPUs and 7,168 Nvidia Tesla M2050 GPUs...



Originally posted by grey580
Actually they aren't unencrypting passwords. AFAIK you can't unencrypt the hashed password.
I don't know where you got that idea, maybe from RSA marketing material, back when they said they had an uncrackable system which has now been cracked?

ATS terms and conditions forbid us from discussing any details or posting any links about this stuff, but a single google search on the topic turned up exactly what Bramble Iceshimmer was talking about. RSA may still know more than they have released; they may know that someone figured out a way to get passwords from the hash but history is repeating itself and they won't admit it just like they didn't admit their tokens were compromised at first.

As wikipedia says:

en.wikipedia.org...

The most secure computers are those not connected to the Internet...
Once it's connected, it's apparently hard to make security impossible to compromise, as this incident has shown. I once read that microsoft source code had been hacked from the internet. The first question I had was, why was that computer at Microsoft even connected to the internet? I see no reason for that. If they wanted to keep the source code secure, not connecting the computer with that information to the internet would be a good place to start.



new topics

top topics



 
3

log in

join