Skip to main content

APT, open source and asymmetric encryption

RSA just announced that they have been hacked:

Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

Rich Mogul (who has a nice write up here) pointed out on Twitter that RSA is probably not the only security company breached by ATP.  Which made me think:  Well, the same attackers may have already downloaded our software from sourceforge.  Because there are a few main concerns:  1.  The attackers got the seed files or some portion thereof. 2.  They got some private key that would allow them to create a fake RSA server or 3. They got some source code that would show a vulnerability in the auth server allowing fake credentials to be accepted. Rich is right, we don't know much about the attack and this is all speculation.  But here is what I know about us:

1.  Anyone is free to review the WiKID code.  The only parts that are not released as open source are third party commercial plugins we use.

2.  We use asymmetric keys that are generated on the device. 

I know that if someone wanted to get into our systems, they probably could.  All we can do it try our best to make sure it doesn't matter.


Current rating: 1

Recent Posts

Archive

2024
2022
2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom