RSA detailing SecurID hack to customers sworn to secrecy


Tales have been told over the years about poor implementation of SecurID, where lax security practices were followed, Nelson notes. "They're addressing poor implementations of their products," he says.

Sources close to RSA say not all RSA SecurID customers are being approached to sign an NDA, which means they would not be offered privileged information.

Under the NDA, RSA is sharing far more detail regarding a "worst-case scenario" about how the RSA SecurID token system can be undermined by an attack, and offering more clarity about remediation. There's cause to believe RSA is itself remediating SecurID, with a source close to RSA saying the security issues brought to the fore should not impact future RSA SecurID customers.

RSA is starting to speak a bit more about what happened during the break-in.

For one thing, RSA employees were tricked by a targeted phishing attack using a spreadsheet containing an exploit for an Adobe Flash zero-day vulnerability (CVE-2011-0609), said Uri Rivner, head of new technology for identity protection and verification, in a recent RSA blog post. The subject-line lure, he says, was "2011 recruitment plan.xls," which was apparently so enticing that one RSA employee even retrieved it from a spam filter, where it had been caught. Opening it allowed the attacker to take over the machine.