Caution urged in wake of RSA security breach


Pescatore dismissed RSA's claim that it was the victim of a sophisticated attack, a kind of low, slow, highly targeted attack most commonly associated with Chinese hackers.

RSA's claim is "disingenuous," Pescatore said. "It is trying to deflect attention from RSA's failure to protect their systems. Any security company with any threat experience has been dealing with targeted threats for several years."

SecurID is a proprietary algorithm designed to produce a sequence of numbers that appears random but is fixed in advance, according to a description of the technology by the Intrepidus Group. An RSA authentication server uses that sequence to validate that the person logging in actually has the token in their possession, Intrepidus said.

Each token contains a "seed" that determines the sequence of 6-digit numbers generated by that token, so the sequence is unique to each token. The SecurID algorithm ensures that there are literally an infinite number of potential sequences a token can generate, making them almost impossible to crack, says Intrepidus.

Even so, there are circumstances under which this assurance can be weakened, Intrepidus noted. One is where an attacker somehow obtains a list of all seeds and their associated token serial numbers. Another is where attackers obtain a list of seeds and the corporations to which they have been assigned.
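To make the seed-dependency concrete, here is an added, simplified model of a seeded token and its authentication server. It is not RSA's proprietary SecurID algorithm and not code from the article: the code derivation is an HMAC-SHA1 stand-in, and the 60-second step, the serial numbers and the seeds are constructed for illustration. It shows that the server's only evidence of possession is a code derived from the seed, which is why a seed list tied to serials or customers must be treated as a credential leak and the affected serials revoked until re-seeded.

```python
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 60  # assumed time step for the model, not RSA's actual value


def token_code(seed: bytes, counter: int) -> str:
    """Derive one 6-digit code from a token seed and a time counter.

    HMAC-SHA1 with dynamic truncation is used here only as a stand-in for the
    proprietary SecurID function; the point is that seed + time fully determine
    the code, so anyone holding the seed can reproduce the sequence.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Holds the serial -> seed mapping and validates submitted codes."""

    def __init__(self, seed_records: dict):
        self.seeds = dict(seed_records)  # constructed serial -> seed records
        self.revoked = set()

    def revoke(self, serial: str) -> None:
        """Defensive response to a seed-list compromise: stop trusting the
        serial until the token is replaced or re-seeded."""
        self.revoked.add(serial)

    def verify(self, serial: str, code: str, now: int, drift: int = 1) -> bool:
        """Accept the code if it matches the seed's sequence within +/- drift steps."""
        if serial in self.revoked or serial not in self.seeds:
            return False
        seed = self.seeds[serial]
        counter = now // STEP_SECONDS
        return any(
            hmac.compare_digest(token_code(seed, counter + d), code)
            for d in range(-drift, drift + 1)
        )


# Constructed sample data: two tokens with different seeds.
SEED_A = b"constructed-seed-token-A"
SEED_B = b"constructed-seed-token-B"
SERVER = AuthServer({"000123456789": SEED_A, "000123456790": SEED_B})
```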