Healthy Passwords



RSA to Replace SecurID Tokens

Date: 2011-06-07 06:50:06

Ken S. Klein
June 7, 2011 11:47AM EDT

An open letter to customers from RSA announced that RSA will replace tokens because of the security breach it suffered in March. (See Healthy Passwords News - Hackers Steal Secure Token Data - 2011-03-18.)

If you are a normal, non-technical user, you only need to pay attention to this story if:

  1. You use an RSA branded secure token.

  2. You are a citizen of a country that uses RSA security and are highly concerned with national security matters.

If you use RSA tokens, the best advice is to ensure you are working on a clean system and then get a new token issued. The breach at Lockheed Martin was only possible because the attackers were able to install a key logger on a machine. Once they had the key logger, they only needed a user to authenticate using their token on the compromised machine. This gave them the user's password information, which let them reuse the same credential with their own security key based on the stolen algorithms. If you're running anything older than Windows 7, upgrade to Windows 7. The likelihood of getting a keylogger on Windows 7 is much lower than on any previous Windows version.

If your company's corporate infrastructure group has not yet approved Windows 7, chances are good that they have already locked down your account in a manner to deter keyloggers. You can help them by only using your work machine for work and avoiding personal surfing or social networking. The last thing any employee wants to be is the one who caused a network breach. Don't play where you work!

The RSA open letter from June 6th confirms the May Lockheed Martin breach as a direct result of the March RSA breach. This possibility was reported by Network World on May 26th, citing Robert Cringely who learned of an RSA security token replacement at Lockheed Martin.

If RSA were a large provider of consumer-based tokens, a ten-day delay would be disturbing. Considering that RSA is a provider of large government, government contractor, and corporate tokens, withholding this fact makes sense. It gave RSA time to redistribute new hardware to its most sensitive customers.

Regardless of this breach, we still advise the use of multi-factor authentication as the most secure form of authentication. Hopefully the multi-factor key-masters will do a better job of guarding their keys in the future.

Category: Authentication

Subcategory: Tokens


Copyright © 2011, Sustainable Alternatives, LLC | Ligonier, PA 15658 | 724-238-9560 | All Rights Reserved.
