Hacked security firm leaves Aussies vulnerable

Discussion in 'Business & Enterprise Computing' started by j3ll0, Mar 21, 2011.

  1. j3ll0

    j3ll0 Member

    Joined:
    Jul 13, 2005
    Messages:
    4,674
    der linken...

    My understanding is that the algorithms used are mathematically guaranteed such that knowing the salt, knowing previous results, none of these things allow someone to predict future results. I also thought the algorithm was based on open, mathematically proven algorithms.

    Vulnerability in the RSA implementation, or some out-of-band attack on the authentication service?

    IACSecurity, to paraphrase Kenny Rogers, there'll be time enough for the disclosin', when the mitigatin's done. I'm guessing you've got a busy day or two ahead of you.

     
  2. underskore

    underskore Member

    Joined:
    Nov 5, 2002
    Messages:
    4,187
    Location:
    3147
    vulnerable to what exactly?
     
  3. Tekin

    Tekin Member

    Joined:
    Nov 16, 2002
    Messages:
    4,039
    Location:
    Elsewhere.
    They would be loath to publicly say, I would suggest.

    I suppose the concern is more, if it appeared to be a detailed sophisticated attack in deference to an opportunistic one, then the implication is that they are more likely to have been looking for something specifically.

    And because of that 'risk' - certain actions will need to be taken to mitigate it. As unfortunately vague as that risk is.
     
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,431
    Location:
    Canberra
    Basically the tokens are now worthless. To anyone who is serious about hacking RSA-ID protected stuff, they just need your private pin/password now (assuming they have your seed).

    The article in The Age mentions that every company with RSA tokens should demand new ones, for nothing. Somehow I don't think RSA is going to be very keen on that; more to the point - is it enough?
     
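    An added illustration (not from any poster in this thread) of why a leaked seed is what matters: a one-time code is a deterministic function of the seed and a counter, so anyone holding a copy of the seed computes the same codes and only the PIN is left as a secret. It uses RFC 4226 HOTP with its public test vector as a stand-in, since the SecurID algorithm itself is proprietary and not described here; the TokenServer class, the PIN and the replacement seed are constructed for the example.

```python
import hashlib
import hmac
import struct

# Public RFC 4226 test vector secret, not a real token seed.
RFC4226_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Constructed verifier: holds one user's seed and PIN hash, accepts PIN + code."""

    def __init__(self, seed: bytes, pin: str, window: int = 3):
        self.seed, self.counter, self.window = seed, 0, window
        self.pin_hash = hashlib.sha256(pin.encode()).digest()

    def verify(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # advance so this and earlier codes cannot be replayed
                return True
        return False

    def reseed(self, new_seed: bytes) -> None:
        """Mitigation once the seed store is assumed leaked: issue a fresh seed."""
        self.seed, self.counter = new_seed, 0


def demo() -> dict:
    server = TokenServer(RFC4226_TEST_SEED, pin="1234")
    stolen = hotp(RFC4226_TEST_SEED, 1)  # a copy of the seed yields the user's next code
    no_pin = server.verify("0000", stolen)  # rejected: the PIN is the only remaining secret
    with_pin = server.verify("1234", stolen)  # accepted: seed + PIN is the whole secret
    server.reseed(b"constructed replacement seed")  # mitigation: rotate the seed
    after = server.verify("1234", hotp(RFC4226_TEST_SEED, 2))  # leaked seed now useless
    return {"no_pin": no_pin, "with_pin": with_pin, "after_reseed": after}
```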
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,431
    Location:
    Canberra
    That's my point. RSA need to build new algorithms and replace the whole lot.

    When in doubt, assume everything is compromised.
     
  6. Gargamel

    Gargamel Member

    Joined:
    Dec 25, 2001
    Messages:
    190
    Location:
    Brisbane -> Berlin
    Quick thread hijack - recommendations for a (non-RSA, lol) 2-factor token solution for 50 users?
     
  7. eyeLikeCarrots

    eyeLikeCarrots Member

    Joined:
    Jan 1, 2002
    Messages:
    4,325
    Location:
    Canberra Is Shit Sex: Yes
    I'm presuming the penetration was a web or email attack - otherwise the attackers would have had to overcome the RSA 2-factor authentication used by the company... they would use their own product, right?

    lolz...
     
  8. alch

    alch Member

    Joined:
    Oct 9, 2006
    Messages:
    1,539
    Location:
    Perth
    Retinal scanners.
     
  9. Trinity9

    Trinity9 Member

    Joined:
    Apr 16, 2005
    Messages:
    334
    Location:
    Mackay QLD
    A cheap solution is just smart cards;
    most laptops have secure smart card slots now :)
     
  10. Thelen

    Thelen Member

    Joined:
    Nov 5, 2010
    Messages:
    1,120
    Location:
    Sydney
    Fixed.

    Seriously though, all the security in the world doesn't protect against dumb users or social engineering. It is easy as pie to compromise a secure system such that you can abuse it even with 10 layers of authentication. Look at the movie Airforce One for a perfect example.
     
  11. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    35,069
    Location:
    Brisbane
  12. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Doesn't look like they integrate into router auth challenges.
     
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    35,069
    Location:
    Brisbane
    They integrate just fine into OpenVPN. But then again, I prefer to use security software that's open, flexible and customisable, rather than something provided by a restrictive vendor who is stuck in the mud, and sees updating their product as a chance to gouge the customer for more money.
     
  14. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Yeah, but I don't see how you would integrate it into TACACS.
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    35,069
    Location:
    Brisbane
    Your argument is that it doesn't support a legacy, proprietary protocol? Sounds like you got everything you deserve by buying that.

    You've heard of RADIUS, right? (Yubikey and Goldkey both support RADIUS, FYI).

    Seriously - stop buying proprietary security gear. When it all goes wrong (emphasis on "when", not "if"), you're left holding the baby. At least with open source and standards you've got the power to switch to something else quickly.
     
    Last edited: Mar 24, 2011
  16. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    The proprietary equipment is from the company that has 60% market share and 9 times out of 10 makes the best gear for the job :)


    I honestly don't give a shit what we use; our customers do.... but they also pay for it :)
     
  17. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    35,069
    Location:
    Brisbane
    Your stats are not only subjective, they also don't mean squat when one of the devices you're relying on is rendered useless by a well-executed hack.

    I honestly couldn't give a toss about market share. All I care about is making sure that when things go bad (once again, emphasis on "when", because eventually ALL security products are broken) I've got a fast way to switch to a different technology at minimal pain.

    Your 60% market share, 9 out of 10 product is currently about as useful in securing your business as hiding the front door key under the mat. And all the corporate bonehead arguments about market share don't mean squat right now.

    People who banked on RSA banked on the vendor being impenetrable. Once again, it was a case of "when" they were broken into, not "if".
     
  18. underskore

    underskore Member

    Joined:
    Nov 5, 2002
    Messages:
    4,187
    Location:
    3147
    The voices of people are getting more concerned at the lack of disclosure.
    article
     
  19. Gargamel

    Gargamel Member

    Joined:
    Dec 25, 2001
    Messages:
    190
    Location:
    Brisbane -> Berlin
    Much obliged. I'll check them out.
     
  20. Thelen

    Thelen Member

    Joined:
    Nov 5, 2010
    Messages:
    1,120
    Location:
    Sydney
    You both make good arguments, but unfortunately in the real world it tends to go more towards "whatever is cheapest and still reliable and still mostly conforms to standards". There is just no way to have 0 risk, so it is all about mitigation.

    If you have to spend double on an open source solution to only reduce the risk by 0.1%, even a nuclear technician will decide to bite the risk. As you've seen just recently in Japan.
     