RSA SecurID
== March 2011 system compromise ==

On 17 March 2011, RSA announced that they had been victims of "an extremely sophisticated cyber attack".<ref>{{cite web | url=https://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex991.htm | title=Open Letter to RSA Customers | access-date=2020-04-15 | archive-date=2022-05-23 | archive-url=https://web.archive.org/web/20220523080319/https://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex991.htm | url-status=live }} Originally online at [http://www.rsa.com/node.aspx?id=3872 RSA site] {{Webarchive|url=https://web.archive.org/web/20110319214522/http://www.rsa.com/node.aspx?id=3872 |date=2011-03-19 }}.</ref> Concerns were raised specifically in reference to the SecurID system, saying that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation". However, their formal [[Form 8-K]] submission<ref>{{cite web |url=https://www.sec.gov/Archives/edgar/data/790070/000119312511070159/d8k.htm |title=EMC / RSA 8K filing |publisher=The United States Securities and Exchange Commission |work=Form 8-K |date=17 March 2011 |access-date=10 September 2017 |archive-date=18 September 2016 |archive-url=https://web.archive.org/web/20160918110616/https://www.sec.gov/Archives/edgar/data/790070/000119312511070159/d8k.htm |url-status=live }}</ref> indicated that they did not believe the breach would have a "material impact on its financial results".

The breach cost EMC, the parent company of RSA, $66.3 million, which was taken as a charge against second quarter earnings.
It covered costs to investigate the attack, harden its IT systems and monitor transactions of corporate customers, according to EMC Executive Vice President and Chief Financial Officer David Goulden, in a conference call with analysts.<ref>{{cite web|url=http://www.govinfosecurity.com/articles.php?art_id=3913|title=RSA Breach Costs Parent EMC $66.3 Million|last=Chabrow|first=Eric|date=1 August 2011|work=GovInfoSecurity}}</ref>

The breach into RSA's network was carried out by hackers who sent [[phishing]] emails to two targeted, small groups of employees of RSA.<ref>{{cite web|last=Rivner|first=Uri|title=Anatomy of an Attack|url=http://blogs.rsa.com/rivner/anatomy-of-an-attack/|work=Speaking of Security - The RSA Blog and Podcast|date=1 April 2011|url-status=dead|archive-url=https://web.archive.org/web/20110720202026/http://blogs.rsa.com/rivner/anatomy-of-an-attack|archive-date=20 July 2011}}</ref> Attached to the email was a [[Microsoft Excel]] file containing [[malware]]. When an RSA employee opened the Excel file, the malware exploited a vulnerability in [[Adobe Flash]]. The [[Exploit (computer security)|exploit]] allowed the hackers to use the [[PoisonIvy (Trojan)|Poison Ivy]] [[remote access trojan|RAT]] to gain control of machines and access servers in RSA's network.<ref>{{cite web|last=Mills|first=Elinor|date=5 April 2011|title=Attack on RSA used zero-day Flash exploit in Excel|url=http://news.cnet.com/8301-27080_3-20051071-245.html|work=CNET|url-status=dead|archive-url=https://web.archive.org/web/20110717172902/http://news.cnet.com/8301-27080_3-20051071-245.html|archive-date=17 July 2011}}</ref>

There are some hints that the breach involved the theft of RSA's database mapping token serial numbers to the secret token "seeds" that were injected to make each one unique.<ref>{{cite web |title=RSA won't talk? Assume SecurID is broken |first=Dan |last=Goodin |publisher=The Register |date=24 May 2011 |url=https://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/ |access-date=10 August 2017 |archive-date=10 August 2017 |archive-url=https://web.archive.org/web/20170810170755/https://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/ |url-status=live }}</ref> Reports of RSA executives telling customers to "ensure that they protect the serial numbers on their tokens"<ref>{{cite web |title=Did hackers nab RSA SecurID's secret sauce? |first=Ellen |last=Messmer |publisher=Network World |date=18 March 2011 |url=http://www.networkworld.com/news/2011/031811-rsa-breach-reassure.html |url-status=dead |archive-url=https://web.archive.org/web/20121015005548/http://www.networkworld.com/news/2011/031811-rsa-breach-reassure.html |archive-date=15 October 2012 }}</ref> lend credibility to this hypothesis. RSA stated it did not release details about the extent of the attack so as to not give potential attackers information they could use in figuring out how to attack the system.<ref>{{cite web |last=Bright |first=Peter |title=RSA finally comes clean: SecurID is compromised |publisher=Ars Technica |date=6 June 2011 |url=https://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars |access-date=14 June 2017 |archive-date=8 May 2012 |archive-url=https://web.archive.org/web/20120508020926/http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars |url-status=live }}</ref>

On 6 June 2011, RSA offered token replacements or free security monitoring services to any of its more than 30,000 SecurID customers, following an attempted cyber breach on defense customer [[Lockheed Martin]] that appeared to be related to the SecurID information stolen from RSA.<ref>{{cite news |title=Security 'Tokens' Take Hit |publisher=Wall Street Journal |date=7 June 2011
|url=https://www.wsj.com/articles/SB10001424052702304906004576369990616694366 |first1=Siobhan |last1=Gorman |first2=Shara |last2=Tibken |archive-date=29 October 2017 |access-date=8 August 2017 |archive-url=https://web.archive.org/web/20171029170750/https://www.wsj.com/articles/SB10001424052702304906004576369990616694366 |url-status=live }}</ref> In spite of the resulting attack on one of its defense customers, company chairman Art Coviello said that "We believe and still believe that the customers are protected".<ref>{{cite news |title=RSA forced to replace nearly all of its millions of tokens after security breach |publisher=News Limited |date=7 June 2011 |url=http://www.theaustralian.com.au/business/rsa-forced-to-replace-nearly-all-of-its-millions-of-tokens-after-security-breach/story-e6frgak6-1226071087832 |first1=Siobhan |last1=Gorman |first2=Shara |last2=Tibken |archive-date=9 October 2016 |access-date=7 June 2011 |archive-url=https://web.archive.org/web/20161009013500/http://www.theaustralian.com.au/business/rsa-forced-to-replace-nearly-all-of-its-millions-of-tokens-after-security-breach/story-e6frgak6-1226071087832 |url-status=live }}</ref>

=== Resulting attacks ===

In April 2011, unconfirmed rumors cited [[L-3 Communications]] as having been attacked as a result of the RSA compromise.<ref>{{cite news |last=Mills |first=Elinor |title=China linked to new breaches tied to RSA |publisher=CNet |date=6 June 2011 |url=http://news.cnet.com/8301-27080_3-20068836-245/china-linked-to-new-breaches-tied-to-rsa/ |archive-date=6 June 2011 |access-date=7 June 2011 |archive-url=https://web.archive.org/web/20110606124241/http://news.cnet.com/8301-27080_3-20068836-245/china-linked-to-new-breaches-tied-to-rsa/ |url-status=live }}</ref> In May 2011, this information was used to attack [[Lockheed Martin]] systems.<ref>{{cite news |last=Leyden |first=John |title=Lockheed Martin suspends remote access after network 'intrusion' |publisher=The Register |date=27 May 2011 |url=http://www.channelregister.co.uk/2011/05/27/lockheed_securid_hack_flap/ |archive-date=9 November 2011 |access-date=28 May 2011 |archive-url=https://web.archive.org/web/20111109101854/http://www.channelregister.co.uk/2011/05/27/lockheed_securid_hack_flap/ |url-status=live }}</ref><ref>{{cite news |title=Stolen Data Is Tracked to Hacking at Lockheed |work=New York Times |date=3 June 2011 |url=https://www.nytimes.com/2011/06/04/technology/04security.html |first=Christopher |last=Drew}}</ref> However, Lockheed Martin claims that, due to "aggressive actions" by the company's [[information security]] team, "No customer, program or employee personal data" was compromised by this "significant and tenacious attack".<ref>{{cite news |url=https://www.google.com/hostednews/afp/article/ALeqM5hO0TYWRsxt1CKUUEXKd04BQwsdGQ?docId=CNG.377fe057126251044306fe73e1e5ae83.401 |archive-url=https://archive.today/20120907074904/http://www.google.com/hostednews/afp/article/ALeqM5hO0TYWRsxt1CKUUEXKd04BQwsdGQ?docId=CNG.377fe057126251044306fe73e1e5ae83.401 |url-status=dead |archive-date=September 7, 2012 |title=Lockheed Martin confirms attack on its IT network |publisher=AFP |date=28 May 2011}}</ref> The [[Department of Homeland Security]] and the [[US Defense Department]] offered help to determine the scope of the attack.<ref>{{cite news |last=Wolf |first=Jim |url=http://uk.reuters.com/article/2011/05/28/us-usa-defense-hackers-idUKTRE74Q6VY20110528 |archive-url=https://web.archive.org/web/20120613194007/http://uk.reuters.com/article/2011/05/28/us-usa-defense-hackers-idUKTRE74Q6VY20110528 |url-status=dead |archive-date=13 June 2012 |title=Lockheed Martin hit by cyber incident, U.S. says |publisher=Reuters |date=28 May 2011}}</ref>