Sunday, March 27, 2011

An Overdue Rant: The RSA Compromise

OK I haven't had a good rant in a while on the blog, so be warned, there may be some pent up rage in the paragraphs ahead. Read on at your risk.

I do not usually write posts on the latest compromise as I always feel there is enough coverage, speculation, and commentary from smarter people than I. There is a lot of speculation about the recently announced RSA breach both on the technical details of the compromise and on who may have been behind the attack. Yeah everyone is throwing three letter acronyms around again. The Digital Underground Podcast recently posted a great discussion on the technical side here and there as been some good posts on mitigation techniques.

The part I really have issue with is RSA's lack luster disclosure of this compromise. Some have suggested that they should be praised for publicly announcing the breach. I'm not sure when we set the bar so low. Since when is posting a written notification with vague details and little to no information on when and what was compromised and who is affected become acceptable?

A lot of organizations have paid a lot of money to increase the security of their information systems and data by purchasing the RSA SecureID solution. Don't forget even if your not a customer of RSA (Disclosure: I am not) it is still your family's data being protected by such solutions. In short, I find RSA's actions post compromise disgusting and inept.

While knowing the technical details of the compromise would benefit the security community by giving everyone an opportunity to learn where things went wrong, the reality is we will probably never know the details and this is OK with me. What needs to be done, on the part of RSA however, is to step up and fix where things went wrong, notify those clients affected, and offer them replacements or fixes for the technology they already purchased. Thus far the advice given by RSA is nothing more than best practice and common sense. I would like to think those implementing RSA's authentication solutions are probably already familiar with such administration controls.

To use a bad analogy. This is the equivalent of a new home owner hiring a Master Locksmith to replace all the locks in their new home with a more secure solution, only to have the locksmith keep a copy of the keys and tell the customer at a later date that the key has been stolen and the customer should go buy a bigger guard dog or better alarm system at their own expense. Would this be acceptable?

Not the greatest analogy but I did say their were more intelligent people than I posting about this didn't I?

The truth is, everyone gets owned at some time or another. It is the actions of the compromised organization during the aftermath that will distinguish it from other competitors. Asking other security solution providers to sign an NDA to learn more about the compromise is not looking out for the best interests of your customers.


Updated June 01, 2011

It appears that there may have been several attacks against U.S. defense contractor's that leveraged information from the RSA compromise. Last Friday, Reuters reported that there was a breach at Lockheed Martin Corporation. On Monday, Wired reported that L-3 Communications had also been targeted and leaked memo suggested the attackers were using inside information on their SecureID system gained by the RSA hack. Today, Fox news is reporting a possible attack against Northrop Grumman. With all these reports flooding the internet it is difficult to know how much is based on fact but I did want to share a gem of a quote from the Wired report.
Asked if the RSA intruders did gain the ability to clone SecurID keyfobs, RSA spokeswoman Helen Stefen said, “That’s not something we had commented on and probably never will.”
Updated June 7, 2011

It appears RSA has updated their Open Letter to RSA SecurID Customers. The update provides verification of the Lockheed Martin attack and offers long awaited replacements of SecurID tokens, although for what appears to be a limited subset of SecurID customers. Thanks to Wim Remes for the heads up on the updated post.

Thursday, March 24, 2011

Pauldotcom Security Weekly: I am Talking about What?

On Thursday March 24, 2011 I will be presenting the tech segment on Episode 236 of PaulDotCom Security Weekly. The segment will cover the use of NTFS MFT timeline forensics in the static analysis of malware. This is a geekier version of my NAISG BOS presentation back in January and will cover some additional tools and technique's. The podcast begins around 8:00 PM and a live feed is available at So if you are around, kick back with a beer, cigar, and listen live! I am looking forward to it.

Updated March 24, 2011 3:30 PM

As part of the tech segment this evening, Mark Mckinnon of RedWolf Computer Forensics has release the Windows beta of mft_parser which supports $MFT $SI and $FN bodyfile output from both the CLI and GUI. Big thanks to Mark from the Incident Response and Forensics community.