Mar 172011

RSA just announced that they were cracked. It is unclear what exactly has been put at risk.

Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

So, it looks like RSA’s SecurID is immediately at risk. Who knows what else the crackers got. This crack is more significant the crack against HBGary that happened several months ago. This shows how difficult information security is when even the experts are having trouble keeping their doors locked.


  2 Responses to “Uh oh… Someone is in trouble”

Comments (2)
  1. I noticed Schneier pointing out recently that it’s much easier to attack than defend. Given that the highest-profile targets will attract the highest-skill attackers, it seems like the current state of security means that the defenders will almost always lose…eventually.

    • Well, attackers have nothing to lose. It is the defenders who lose. IMHO there is no such thing as perfectly secure. What there is is a knowledge of your risk posture.

      I also liken it to the old two guys and a bear story. Two hikers come across a bear and anger it causing it to chase them. One guy stops to put on his running shoes. The other one looks at him like he is crazy and says, “What are you doing? You can’t outrun the bear!” The first guy responds, “I don’t have to outrun the bear, I have to out run you.” Don’t be the low hanging fruit. Now, obviously this does not apply in this case. It appears that RSA was specifically targeted.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>