Thursday, the RSA Security division of EMC Corporation reported a security breach, potentially leaving many corporations and governments vulnerable who rely on its products.
In an open letter, the company revealed that the “advanced persistent threat” had managed to pull information from the company. According to CNET, these types of attacks often target source code and useful information. The hacker often knows some knowledge of the company’s inner processes.
It is not known where the threat originated from, and the company has refused to comment on the situation beyond an open letter posted yesterday.
RSA sells security measures that go beyond the multi-character password: users have to carry around a device that has a number. The numbers change at set intervals, and users type it in along with a password.
According to the New York Times, in 2009, 40 million customers were using the SecurID system. It was also being used to guard the identities and assets of 250 million people. (Disclosure: It should be noted that TIME uses the same security system for its employees.)
The executive chairman of the division, Arthur W. Coviello, Jr., posted on the company website that:
While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
Coviello assured that a number of measures were being taken to protect its customers. Given the large number of people that depend on the software, it is a major source of concern. There is no information whether RSA’s customer base has been affected.
According to a computer security expert secured by the Times, the absolute worst case scenario would revolve around the hacker producing the same type of technology, and being able to gain access to systems that rely on it. The expert, Whitfield Diffie, says that a “master key,” a fundamental part of the encryption, could have been stolen.
Of course, because it’s not known what type of information was stolen, experts can only speculate about the extent of the damage. CNET chimed in on the matter, saying that:
While details [are] scarce, hints about the breach could be gleaned from a message to customers filed with the SEC. It recommended that customers increase focus on security for social-media applications and Web sites accessed by anyone with access to their critical networks; enforce strong password and PIN policies; as well as remind employees to avoid opening suspicious e-mails and providing usernames or other credentials to people without verifying the person’s identity as well as avoid complying with e-mail or phone-based requests for such information.
(via New York Times)
More on TIME.com:
Twitter Boosts Security with Permanent HTTPS Support