So I’ve called the Help Desk before. I’ve been that person on the other end who becomes a statistic, a cost point in the never-ending battle to keep costs low and stay more efficient. The reasons I’ve had to call the Help Desk are myriad, but more often than not it’s because I’ve locked myself out of something. It’s a pain point for all of us. If you ask organizations which common user issue their Help Desk staff is plagued with the most, it is password resets. In a recent research study we conducted with the SANS Institute, 42% of organizations stated that password reset requests were the number one reason users called – so at least I’m not alone.
Contrary to some comments we have seen, RSA is not “walking around” the Project Team Prosecco research, as is asserted in a recent Root Labs blog; in fact we have repeatedly stated to bloggers and the press that we support this specific research (as I did here, yesterday) as well as other cryptanalysis. Our problem is with the reporting on the research and its relationship to RSA. Much of this reporting is misleading and inaccurate, leading to unwarranted fear among customers. Reports have been published that claim the cracking of RSA SecurID 800 devices, the stealing of private keys and the possible cloning of smart cards; none of which, of course, is true. In addition, other reports link this attack against smartcards to the RSA SecurID One Time Passcode technology, which is strictly false.
Guest Blog Post by Dan Schiappa, Senior Vice President, Identity & Data Protection
As researchers from SensePost have recently demonstrated in their attack simulations on one type of RSA SecurID authenticator – the RSA SecurID Software Token for Windows – scrutiny of security methods, processes, and operating environments is a valuable exercise. It can deliver benefit to the software industry and its ecosystem of vendors, security practitioners, and the users they protect in their organizations. Ultimately it helps ensure better and safer products.
With the increase in the effectiveness of attackers and the corresponding decrease in the effectiveness of more traditional defense techniques, IT and Security staff are looking for “game changing” components to bring the battlefield back under their control, or at least make it more favorable. What Sun Tzu might have referred to as choosing your terrain and, when that doesn’t work, cheating!
RSA announced the availability of Authentication Manager Express. This is a breakthrough for SMBs for simplicity, affordability and efficiency. Get the results with an optimal use of resources and little to no overkill*.
Let’s start with Authentication “pre-history”: username/password was king, and they weren’t particularly sophisticated in their size or complexity. If security (as I’ve suggested) is best reflected in “cost to break,” the cost was cheap and rapidly became cheaper still. As ease of access and exposure grew, especially with the rise in distributed computing, something new was needed: it had to increase the complexity (and therefore the cost to break) sufficiently to have business impact where it counted – secrets would stay secret!
The focus of a strong authentication strategy should not be on the actual authenticator; instead it should be on the tool that allows you to manage the authentication process. This is the authentication manager.
The news: there is a smartcard / symmetric key vulnerability that potentially affects the RSA SecurID® 800 Authenticator. This was first discovered by a group of third-party security researchers, and to be clear, it only affects symmetric keys (not digital certificates) and only a specific type of symmetric key. To date, there are no known instances of breach or loss of data (and no other RSA authenticators are affected), and there is a non-disruptive fix (software only – no hardware / firmware changes) available through RSA SecurCare Online.