Hacked security firm leaves Aussies vulnerable

der linken...

My understanding is that the algorithms used are mathematically guaranteed such that knowning the salt, knowing previous results, none of these things allow someone to predict future results. I also thought the algorithm was based on open, mathemtically proofed algoriothms.

Vulnerability in the RSA implementation, or some out-of-band attack on the authentication service?

IACSecurity, to paraphrase Kenny Rogers, there'll be time enough for the disclosin', when the mitigatin's done. I'm guessing you've got a busy day or two ahead you.

.

 

vulnerable to what exactly?

 

They would be loathe to publicly say I would suggest.

I suppose the concern is more, if it appeared to be a detailed sophisticated attack in deference to an opportunistic one, then the implication is that they are more likely to have been looking for something specifically.

And because of that 'risk' - certain actions will need to be taken to mitigate it. As unfortunately vague as that risk is.

 

Basically the tokens are now worthless. To anyone who is serious about hacking RSA-ID protected stuff, they just need your private pin/password now (assuming they have your seed).

The article on the age mentions that every company with RSA tokens should demand new ones, for nothing. Somehow i don't think RSA is going to be very keen on that, more to the point - is it enough?

 

Thats my point. RSA need to build new algorithm's and replace the whole lot.

When in doubt, assume everything is compromised.

 

Quick thread hijack - recommendations for (non RSA lol) 2 factor token solution for 50 users?

 

I'm presuming the penetration was a web or email attack - otherwise the attackers would have had to overcome the RSA 2 factor authentication used by the company.... they would use thier own product right ?

lolz...

 

Retinal scanners.

 

a cheap solution is just smart cards,
most laptops have secure smart card slots now

 

Fixed.

Seriously though, all the security in the world doesn't protect against dumb users or social engineering. It is easy as pie to compromise a secure system such that you can abuse it even with 10 layers of authentication. Look at the movie Airforce One for a perfect example.

 

Alternative devices people can try:
http://www.yubico.com/yubikey
http://www.goldkey.com/

Different concept to RSA Keys, but they still offer a decent dual-factor auth system. And they're shitloads cheaper to boot.

 

Doesnt look they intergrate in to router auth challengers

 

They integrate just fine into OpenVPN. But then again, I prefer to use security software that's open, flexible and customisable, rather than something provided by a restrictive vendor who is stuck in the mud, and sees updating their product as a chance to gouge the customer for more money.

 

Yea but i dont see how you would integrate it in to tacacs

 

Your argument is that it doesn't support a legacy, proprietary protocol? Sounds like you got everything you deserve by buying that.

You've heard of RADIUS, right? (Yubikey and Goldkey both support RADIUS, FYI).

Seriously - stop buying proprietary security gear. When it all goes wrong (emphasis on "when", not "if"), you're left holding the baby. At least with open source and standards you've got the power to switch to something else quickly.

 

The proprietary equipment is from the company that has 60% market share and do 9 times our of 10 make the best gear for the job


I honestly dont give a shit what we use, our customers do.... but they also pay for it

 

You're stats are not only subjective, they also don't mean squat when one of the devices you're relying on is rendered useless by a well executed hack.

I honestly couldn't give a toss about market share. All I care about is making sure that when things go bad (once again, emphasis on "when", because eventually ALL security products are broken) I've got a fast way to switch to a different technology at minimal pain.

Your 60% market share, 9 out of 10 product is currently about as useful in securing your business as hiding the front door key under the mat. And all the corporate bonehead arguments about market share don't mean squat right now.

People who banked on RSA banked on the vendor being impenetrable. Once again, it was a case of "when" they were broken in to, not "if".

 

the voices of people are getting more concerned at the lack of disclosure
article

 

Much obliged. I'll check them out.

 

You both make good arguments, but unfortunately in the real world it tends to go more towards "whatever is cheapest and still reliable and still mostly conforms to standards". There is just no way to have 0 risk, so it is all about mitigation.

If you have to spend double on an open source solution to only reduce the risk by 0.1%, even a nuclear technician will decide to bite the risk. As you've seen just recently in Japan.