A product many federal employees use to log on to computers and networks should be regarded as compromised, due to the infiltration of key information about the application during a cyberattack against manufacturer RSA, some security experts said.
The Homeland Security Department -- the civilian agency that oversees commercial and government cybersecurity -- has relayed mitigation procedures to federal agencies that have installed RSA's SecurID tools, the department announced on Friday. A DHS official on Monday said the government is not recommending that agencies replace their SecurID products. The department is helping RSA and clients who control critical infrastructure deal with the threat to the devices, which are a single point of failure in the computer security ecosystem, according to some industry observers.
Agencies "should consider [the ID tools] breached," said Tom Kellermann, a former World Bank computer specialist and now an executive at Core Security Technologies, a firm that lawfully penetrates its clients' systems to identify network weaknesses.
SecurID, which verifies the identities of authorized users, consists of a token -- a portable physical object such as a smart card or USB drive that controls access to a system. The device displays a continuously changing code that the user enters, in conjunction with a personal identification number, or PIN, to log into a network through a process known as two-factor authentication.
RSA officials said agencies should not stop using the SecurID products because the information the culprit gleaned is insufficient to launch an attack by itself. "To the best of our knowledge, whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers," an RSA spokesman said in an e-mail.
Federal SecurID clients include the Pentagon, Transportation Security Administration, State Department, Environmental Protection Agency, Census Bureau and a large agency the firm's website describes as "the government department responsible for tax."
Kellermann said departments should deem any assets authenticated through SecurID with caution: "At this point you already have an insider in your house."
A letter to customers that RSA posted Friday on its website does not disclose whether the hacker stole information about the formula that produces the constantly changing codes or other secret information. RSA Executive Chairman Art Coviello, who sent the message, did note that no personal information was evidently compromised.
The so-called advanced persistent threat that RSA discovered is a breach designed to linger invisibly inside a network. The most specific details in the letter about the extent of the damage stated, "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
Some cyber specialists suspect the "broad attack" would not take the form of a nationwide assault against critical systems that wreaks instant havoc on the economy or human lives. Rather, the perpetrator could create problems for system operators over time. SecurID is used by about 40 million people across more than 30,000 organizations worldwide, according to RSA.
"The long-term financial impact of this attack has yet to be seen -- but it will be larger than what we've seen before," Kellermann said. "Imagine 30 percent of the people in your building losing their key fobs."
The large government tax department that RSA services, according to a company case study, deployed SecurID on 10,000 employee laptops to protect sensitive data. EPA, in February, bought 800 SecurID authenticators, a notice on the government's procurement site FedBizOpps states. Recently, Census solicited maintenance support for about 10,000 SecurID users, according to another notice.
The breach "undermines one of the most successful authentication systems out there," Kellermann said. "You have to assume that [the enemy is] playing a game of chess with you that is 12 steps ahead."
Rear Adm. Edward Masso, a former commander of the Navy Personnel Command who now researches cybersecurity issues at the Potomac Institute for Policy Studies, agreed that a strike on a computer services provider, such as RSA's parent company EMC Corp., represents a breakdown of network security.
"When iconic institutions such as EMC and their RSA SecurID products become compromised, it affects all critical infrastructures and consumer confidence," he said. "Companies and agencies depend on network security to allow for capabilities such as teleworking, collaborative working environments from divergent locations and to ensure network services such as banking, energy, health and retail."
Masso recommended RSA clients use strong passwords and change them frequently, as well as protect personal data on social networks. "For companies and for our government, it is imperative that they create a very secure architecture around a secure tunnel type solution that protects network infrastructure from a remote workstation, to the Internet, back to the workplace," he said.
The company is offering customers new guidance on bolstering security to supplement instructions RSA published online Friday. "The online bulletin that we issued today is the latest element of our customer communication program, in this case, to provide more specific best practices and help customers prioritize the remediation steps," the spokesman said. "Customers should have confidence that the remediation steps we are providing are identical to those we have implemented across RSA's and EMC's business, with respect to our own RSA SecurID authentication system."
This story was updated to clarify the headline and two quotes.