Just about a month ago, RSA notified its customers about a major breach of its systems. One of the big questions was if the breach leaked sufficient information to emulate RSA tokens.
RSA tokens are not random. They can't be random because the RSA authentication server has to know what number is displayed on the token. Based on the release from Lockheed Martin, suggesting that the RSA token was successfully emulated, one can only assume that the breach of RSA leaked sufficient data to predict the number displayed by a particular token. It may also have leaked which token was handed to what company (or even user).
However, remember that not all is lost. There are simple steps that you can and should take to protect your RSA token users:
- use a strong PIN or password. RSA tokens are just one factor of a two-factor authentication scheme. You will have to enter a PIN or a password in addition to the number displayed by the token.
- monitor for brute forcing attempts. If your PIN is not trivial, an attacker will need a few attempts to guess it. Watch for brute force attempts and lock the accounts being targeted. To prevent the resulting denial of service, be ready to mass-unlock accounts and to block access by IP address or other parameters.
- monitor your systems for access from odd IP addresses. Geo-location can help identify these outliers. Keep logs indicating who logged in from what IP address in the past.
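As an added example (not part of this diary), the following Python implements the two monitoring steps above over a few constructed authentication log lines: a per-account lockout once consecutive failures reach a threshold, with the failing source IPs collected for blocking, and an alert when a user logs in from an IP not seen in that user's history (the logged history stands in for geo-location here). The log format, field order, threshold and sample values are all assumptions.

```python
"""Constructed detection logic for RSA token authentication logs (added example)."""
from collections import defaultdict

# Constructed sample log lines: timestamp, user, source IP, result (assumed format)
SAMPLE_LOG = """\
2011-05-01T10:00:01 alice 203.0.113.5 FAIL
2011-05-01T10:00:03 alice 203.0.113.5 FAIL
2011-05-01T10:00:05 alice 203.0.113.5 FAIL
2011-05-01T10:00:07 alice 203.0.113.5 FAIL
2011-05-01T10:00:09 alice 203.0.113.5 FAIL
2011-05-01T10:00:11 alice 203.0.113.5 FAIL
2011-05-01T10:01:00 bob 198.51.100.7 OK
2011-05-01T10:02:00 bob 198.51.100.7 OK
2011-05-01T10:03:00 bob 192.0.2.44 OK
"""

# Constructed history of past successful logins: user -> known source IPs
KNOWN_HISTORY = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.7"}}

LOCKOUT_THRESHOLD = 5  # consecutive failures before the account is locked (assumed)


def parse(log_text):
    """Split each log line into (timestamp, user, ip, result)."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]


def detect_bruteforce(events, threshold=LOCKOUT_THRESHOLD):
    """Return {user: (consecutive_failures, {source IPs})} for accounts to lock."""
    fails, sources = defaultdict(int), defaultdict(set)
    for _ts, user, ip, result in events:
        if result == "FAIL":
            fails[user] += 1
            sources[user].add(ip)  # candidate IPs for blocking
        else:
            fails[user] = 0  # a success resets the consecutive-failure counter
    return {u: (n, sources[u]) for u, n in fails.items() if n >= threshold}


def known_ips(history):
    """Copy the login history into a mutable per-user IP set."""
    return defaultdict(set, {u: set(ips) for u, ips in history.items()})


def detect_new_ips(events, known):
    """Flag successful logins from an IP the user has never logged in from; update history."""
    alerts = []
    for ts, user, ip, result in events:
        if result != "OK":
            continue
        if ip not in known[user]:
            alerts.append((ts, user, ip))
        known[user].add(ip)
    return alerts
```

Run `detect_bruteforce(parse(SAMPLE_LOG))` to get the accounts to lock and their source IPs, and `detect_new_ips(parse(SAMPLE_LOG), known_ips(KNOWN_HISTORY))` for the outlier logins.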
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.