Forgot your password?
typodupeerror
Security IT

RSA Chief: Last Year's Breach Has Silver Lining 49

Posted by Soulskill
from the learn-the-lesson-in-advance-next-time dept.
alphadogg writes "Last year's industry-shaking RSA Security breach has resulted in customers' CEOs and CIOs engaging much more closely with the vendor to improve their organizations' security, according to the head of RSA. Discussing the details of the attack that compromised its SecurID tokens has made RSA sought after by companies that want to prevent something similar from happening to them, Executive Chairman Art Coviello said in an interview with Network World. 'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been engaged with customers at a strategic level as never before,' Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used, what was effective and what was not.'"
This discussion has been archived. No new comments can be posted.

RSA Chief: Last Year's Breach Has Silver Lining

Comments Filter:
  • The good news is that you're now engaging more closely with the fire department and your insurance agent.

    • And since the fire department burned to the ground, more home owners are contacting the fire department to help with their home fire defense.

      What the? Does that make any sense to anyone?

      ... Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used,

      Ah, that makes sense now.

      Not "dude, u r teh awesome!!! How can I get some of that awesome for myself?"

      More like "dude, where were your fire extinguishers? Smoke detectors? What model were they? Did they give ANY alarm? HOW THE HELL DID YOU LET YOUR FIRE DEPARTMENT BURN DOWN? And is there any way to tell if I am in danger?"

      • And in a unrelated news event, The farmer has started communicating to neighboring farm's about closing the barn doors after the live stock in the barn had left.
    • by hedwards (940851)

      I was just thinking something along those lines. The silver lining in being mugged is knowing how to report a mugging. Doesn't really sound particularly helpful and definitely not helpful enough to justify being mugged. And unless you're new to the country you should already know how to report the crime.

      Likewise, all those RSA officers ought to be terminated for incompetence. It doesn't take somebody with credentials to realize that it was going to happen eventually. Making somebody physically take a disc o

  • And did they answer? (Score:5, Interesting)

    by marcosdumay (620877) <marcosdumayNO@SPAMgmail.com> on Monday January 16, 2012 @06:42PM (#38719008) Homepage Journal

    Everybody knows that their customers want to know such things because they asked in a quite vocal maner just after the troubles, and werre simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not teling if they gave any answer. Quite funny what some spin can create.

    Anyway, why should anybody buy a product from RSA anymore?

    • Is it spin? Or smoke?
      • Changing "people are mad at us, and won't trust us unless we evidence that we changed" into "see? People care about us" well... Could get any name you want :)

    • Everybody knows that their customers want to know such things because they asked in a quite vocal maner just after the troubles, and werre simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not teling if they gave any answer. Quite funny what some spin can create.

      Anyway, why should anybody buy a product from RSA anymore?

      It's not so much if they are secure, but how did they detect the breach, etc. That is some very important information for a lot of people - even people that don't use RSA products - as it can help detect or prevent security issues elsewhere. It's kind of like saying, "Your system had a Monkey B virus; what did you do to detect and remove it?"

    • by Juser (825174)
      They blew us off. We had been (what we thought as) high profile customers ever since it was Security Dynamics (15 years?) and RSA took FOREVER to tell us if soft tokens were impacted. After reading Coviello's response. I'm glad we moved to another solution.
  • by v1 (525388) on Monday January 16, 2012 @06:43PM (#38719018) Homepage Journal

    you can get out of a bit of damage control

    Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes. You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.

    This is just their P.R. people clawing for some way to put a little positive spin on their blunder.

    • by vlm (69642) on Monday January 16, 2012 @06:49PM (#38719072)

      You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.

      Actually you pay them because its faster / better / cheaper than doing it yourself, not because they are perfect. If 50% of the population is below the median, they only have to achieve a 50% median solution to capture about 50% of the market. The actual percentages are probably much higher, regardless they certainly don't have to be 100% perfect to make money.

      The other reason you pay money is to have someone else to blame for the inevitable headaches. As long as your boss yells at them for an outsourced solution instead of you for an insourced solution, that was money well spent.

      • by vlm (69642)

        Whoops third reason is lemming like behavior. If your biggest competitor gets his complete stored credit card and customer list posted on the pirate bay as a torrent, or maybe on wikileaks, you can guarantee your boss is going to want a detailed explanation of why your data is not posted there too, isn't our company at least as good as the competitions?

        So it doesn't matter, if you're lemming like boss wants to be just like X and X buys secureid, well guess what you're doing next week?

    • by swillden (191260)

      Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes.

      Especially when the "unrefined" processes were mind-bogglingly stupid and betrayed such utter incompetence.

      There's no way the RSA token master keys should have been stored in anything other than a FIPS 140-2 level 4 (or 3, but that would be mildly lame) host security module, with tight logical and physical access controls.

  • We had our technology stolen, because we can't secure our own network, our customers suffered intrusions as a result... and this is a good thing!

    This guy should be the White House Press Secretary!

    • by Chibi Merrow (226057) * <mrmerrowNO@SPAMmonkeyinfinity.net> on Monday January 16, 2012 @07:15PM (#38719292) Homepage Journal

      Is that the worthless corporate scumbags who own the company I work for (and force us to use RSA keyfobs) thought very hard about what to do about this spectacular failure on RSA's part, and came up with this solution: Get new keyfobs from RSA!

      RSA's only job was to be trustworthy. None of their technology is a trade secret, and once they produce the fobs there's no need to interact with RSA whatsoever. There IS NO technology to steal on their networks.

      And yet they kept the keys. The only purpose served by keeping those keys is allowing someone to decrypt their customers encrypted traffic. The keys are completely unnecessary for any other reason once the fobs have been made. If they're doing their job right, it wouldn't matter if terrorists came in and held a gun to the CEO's head, nevermind if their network was secure. The key fobs do not depend on them in any way to function once they're produced.

      Their only job was to be trustworthy, and they have failed spectacularly.

      So I'm expecting raises and bonuses all around for the execs, while a couple worker drones (who probably questioned keeping the keys in the first place) get axed. SNAFU.

      • by hedwards (940851)

        Well, better than changing companies that new company might not be trustworthy.

      • The only purpose served by keeping those keys is allowing someone to decrypt their customers encrypted traffic

        Ahem, don't know how to burst your buble, but RSA Tokens do not "encrypt" your traffic, it is a form of Two Factor Authentication(2FA). There is a big difference between the two.

        Also if you are using the tokens properly, you will not just be using what is on display on the token, but also PIN number that is combined with whats on display.

        As for why they kept the seeds, I don't know, but if you have your network properly secure, the compromise of the seeds does not instantly make your 2FA redundant. Ye

        • Ahem, don't know how to burst your buble, but RSA Tokens do not "encrypt" your traffic, it is a form of Two Factor Authentication(2FA).

          You're not bursting my bubble. I'm well aware that they're for two-factor authentication. However, we happened to use that for a VPN login. :)

      • Funny how people gravitate to sinister motives and conspiracy theories. Has any stopped and thought about all the companies that don't even have a process to backup seed records? What happens when they lose that CDROM or whatever the records are held on? I bet they call RSA to give them a copy of the records. If RSA tossed the records, then anytime a customer loses the records they end up with a useless pile of fobs.
        • Yes, because it would be much worse to KNOW you had a bunch of useless fobs as opposed to NOT knowing you had a bunch of useless fobs because the company kept the keys without telling you and someone stole them. :)

    • by AngryNick (891056)
      RSA is now an EMC company...the kings of spin and purveyors of BS.
  • FTFY (Score:5, Funny)

    by CanHasDIY (1672858) on Monday January 16, 2012 @06:52PM (#38719106) Homepage Journal

    'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been getting phone-raped by customers... as never before,' Coviello says, 'and they want to know in detail what the fuck happened, how we fucked up so badly, how the fuck we're going to fix it, and why the fuck they should still be our 'customers'."

  • by snero3 (610114)
    That's BS. We tried on a number of different occasions to speak to them and they weren't having a bar of it. This story is just marketing spin
  • by DaMattster (977781) on Monday January 16, 2012 @07:53PM (#38719600)
    This is a load of crap. If anything, I think the entire RSA incident should serve as an impetus to look for open source, community supported solutions. Security through obscurity works only in government, CIA stuff.
  • ...why they should continue doing business with RSA.

  • RSA seeds the tokens. They keep the database of token seeds. You can't seed your tokens yourself.

    This means you put your trust in RSA, not only that they won't give you defective tokens, but also that they will never have a security breach that compromises your keys.

    This is why I use Yubikey [yubico.com]. I still have to trust the manufacturers' QA team and technology, but I also get to run my own authentication servers, and SEED MY OWN DAMN KEYS. Such that WE control our security; There is no single central po

    • Funny how the mindset is that if we simply controlled/hosted the software/authenticator, we'd be secure. Keep in mind the average company is not very secure, and whether they use Yubikey or whatever, the attacker just has to hack the authentication server and they can generate however many Yubikey passwords they want. So there is still a single point of failure, and now it's the complete responsibility of the customer's IT dept.

      Some people use a safe deposit box at the bank because they trust that the

  • It's great that the RSAremote hack helped, but there's more work to do. For instance, SELinux developer Dan Walsh is struggling with RSA's PAM module for SecurID: http://danwalsh.livejournal.com/48571.html/ [livejournal.com] RSA recommends turning off enforcing mode, instead of fixing whatever the underlying problem is--not exactly the excellence you might expect from a prominent computer security outfit.

    Read the blog---Walsh suspects there's more shenanigans lurking in their code.

Never test for an error condition you don't know how to handle. -- Steinbach

Working...