RSA had a major breach this week. Attackers stole information for 40 million two-factor authentication accounts.

That’s a huge breach. And the ones affected most may be IT administrators, who, in turn, run the security for countless enterprise and cloud-based services in the public and private sector. The ramifications are considerable. This attack means that hundreds if not millions of people could be affected if IT administrator accounts now get hacked.

RSA is the security division of EMC Corporation. RSA is revealing little about the attack but the news does shine light on what has to be the greatest security hole the world has ever seen.

And that’s social media. People are very susceptible to these types of attacks when using services that allow them to share information.

Noted security blogger Scott Crawford summarized what RSA has revealed in its public disclosures and SEC filings.

The attackers exploited SecurID, which IT administrators and millions of others use because it requires two factors to authenticate a person’s identity. You may have seen it in the form of a pocket-sized token that generates a random-looking number used to identify the individual. The data taken from RSA may give attackers information that in turn would lower the bar for exploits against the two-factor technique.
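To make concrete why a leak of token data matters, here is an added illustration of how a time-based one-time-password token and its server-side check fit together. It is not RSA’s code and not the proprietary SecurID algorithm; it uses the public HOTP/TOTP constructions (RFC 4226 and RFC 6238, HMAC-SHA1) as a stand-in, and the seed, PIN, and timestamps are constructed for the example. The point it shows is that the tokencode is a pure function of the shared seed and the clock, so the seed store is the asset to protect, while the PIN remains as the second factor the seed alone does not reveal.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 4226/6238 test-vector secret, used here only as sample input.
SEED = b"12345678901234567890"
# Constructed PIN for the sample user.
PIN = "1357"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def passcode(seed: bytes, pin: str, unix_time: int) -> str:
    """What the legitimate user types: knowledge factor (PIN) + possession factor (tokencode)."""
    return pin + totp(seed, unix_time)


def verify_passcode(seed: bytes, pin: str, submitted: str, unix_time: int,
                    step: int = 30, window: int = 1) -> bool:
    """Server-side check. Both halves must match; the tokencode is accepted within
    +/- `window` time steps to tolerate token clock drift. Comparisons are constant-time
    so a failed check leaks nothing about where the mismatch was."""
    pin_ok = hmac.compare_digest(submitted[:len(pin)], pin)
    tokencode = submitted[len(pin):]
    counter = unix_time // step
    code_ok = any(
        hmac.compare_digest(hotp(seed, counter + drift, len(tokencode) or 1), tokencode)
        for drift in range(-window, window + 1)
    )
    # Note that nothing beyond `seed` and the clock was needed to reproduce the tokencode:
    # that is why the secrecy of the seed database is the crux, and why the PIN is the
    # only factor left standing if seeds are exposed.
    return pin_ok and code_ok


if __name__ == "__main__":
    t = 59  # constructed timestamp: one 30-second step after the epoch
    submitted = passcode(SEED, PIN, t)
    print("user submits:", submitted)
    print("accepted at t=59:", verify_passcode(SEED, PIN, submitted, t))
    print("accepted at t=89 (one step later, within drift window):",
          verify_passcode(SEED, PIN, submitted, 89))
    print("accepted at t=119 (two steps later, outside window):",
          verify_passcode(SEED, PIN, submitted, 119))
    print("accepted with wrong PIN:", verify_passcode(SEED, "0000", submitted, t))
```

The drift window is the operational knob a defender tunes: widening it eases clock skew but lengthens the interval during which a captured passcode can be replayed, and with the window at 1 a code is already stale two steps after it was issued.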


As with virtually any technology, it’s not as if two-factor or one-time password authentication techniques don’t already have their weaknesses – but gaining access to more detailed information about SecurID functionality could at a minimum “lower the bar” for exploits against the technique. How much lower, if at all, cannot be said at this point, unless and until more information about the specifics of what was exposed in the attack become available.

Now, how did this happen at RSA? Crawford writes that it looks like someone may have been fooled by a social media trap.

In the first bullet of the SecurCare advisory it issued yesterday, RSA recommends that “customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.” This is provocative in suggesting that a social media exploit may have played a role in this incident. While that cannot be said definitively until further information is made available, it clearly advises organizations to be more aware of the risks of social media. Individuals often reveal a great deal of personal information through social outlets. Social media can also be used to expose individuals to threats through links and “socially” delivered software such as games and apps. This incident may well turn up the heat on these concerns, and raise awareness of risks and countermeasures accordingly.

The scope of this attack is shrouded in the abstractions about online security. We simply do not take enough caution in how we treat the security threat. We use password systems that are easily exploited. We do not train people in the dangers to watch out for in social media environments.

I see this as due to the constant denial that the enterprise has about social media. It has been discounted for years as trivial. The Internet is not trivial. It is a cubed, multi-dimensional space. It consists of billions of experiences. It is everywhere. But, still, it does get discounted when it comes to how the organization functions. “Who cares what you are having for lunch?” is the type of exclamation that still surfaces when social media is discussed. That implies it is not taken seriously, which is a big problem. The state of our security environments deserves better.

Enterprise security experts should be working much more closely in places where the social immersion is exponentially deeper than in mainstream society. That will build relationships that can help the major security providers learn how to be better prepared for these types of exploits.

Until then, we face the spectre of just another rapid series of news items about worsening attacks on our most important information resources.

This is the kind of attack that should be a rallying cry. Unfortunately, the more probable result is attacks on more institutions that are looking away rather than focusing on the problem.