RSA Chief: Last Year's Breach Has Silver Lining 49
alphadogg writes "Last year's industry-shaking RSA Security breach has resulted in customers' CEOs and CIOs engaging much more closely with the vendor to improve their organizations' security, according to the head of RSA. Discussing the details of the attack that compromised its SecurID tokens has made RSA sought after by companies that want to prevent something similar from happening to them, Executive Chairman Art Coviello said in an interview with Network World. 'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been engaged with customers at a strategic level as never before,' Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used, what was effective and what was not.'"
Re: (Score:2, Informative)
Tokens were replaced for free...but don't let the facts get in the way of a good story!
Re: (Score:2)
Paypal did not replace tokens for free. I'm still running with my old token as they have not responded with my question as to when they will be replacing it.
Re:Silver Lininig for their Bottom Line (Score:4, Insightful)
And you know the fire that burned down your house? (Score:1)
The good news is that you're now engaging more closely with the fire department and your insurance agent.
Slight bit different. The fire dept burned down. (Score:4, Funny)
And since the fire department burned to the ground, more home owners are contacting the fire department to help with their home fire defense.
What the? Does that make any sense to anyone?
Ah, that makes sense now.
Not "dude, u r teh awesome!!! How can I get some of that awesome for myself?"
More like "dude, where were your fire extinguishers? Smoke detectors? What model were they? Did they give ANY alarm? HOW THE HELL DID YOU LET YOUR FIRE DEPARTMENT BURN DOWN? And is there any way to tell if I am in danger?"
Re: (Score:3)
Re: (Score:2)
I was just thinking something along those lines. The silver lining in being mugged is knowing how to report a mugging. Doesn't really sound particularly helpful and definitely not helpful enough to justify being mugged. And unless you're new to the country you should already know how to report the crime.
Likewise, all those RSA officers ought to be terminated for incompetence. It doesn't take somebody with credentials to realize that it was going to happen eventually. Making somebody physically take a disc o
Re: (Score:2)
And did they answer? (Score:5, Interesting)
Everybody knows that their customers want to know such things because they asked in a quite vocal maner just after the troubles, and werre simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not teling if they gave any answer. Quite funny what some spin can create.
Anyway, why should anybody buy a product from RSA anymore?
Re: (Score:3)
Re: (Score:2)
Changing "people are mad at us, and won't trust us unless we evidence that we changed" into "see? People care about us" well... Could get any name you want :)
Re: (Score:2)
Everybody knows that their customers want to know such things because they asked in a quite vocal maner just after the troubles, and werre simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not teling if they gave any answer. Quite funny what some spin can create.
Anyway, why should anybody buy a product from RSA anymore?
It's not so much if they are secure, but how did they detect the breach, etc. That is some very important information for a lot of people - even people that don't use RSA products - as it can help detect or prevent security issues elsewhere. It's kind of like saying, "Your system had a Monkey B virus; what did you do to detect and remove it?"
Re: (Score:1)
its amazing what publicity (Score:3, Informative)
you can get out of a bit of damage control
Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes. You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.
This is just their P.R. people clawing for some way to put a little positive spin on their blunder.
Re:its amazing what publicity (Score:5, Insightful)
You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.
Actually you pay them because its faster / better / cheaper than doing it yourself, not because they are perfect. If 50% of the population is below the median, they only have to achieve a 50% median solution to capture about 50% of the market. The actual percentages are probably much higher, regardless they certainly don't have to be 100% perfect to make money.
The other reason you pay money is to have someone else to blame for the inevitable headaches. As long as your boss yells at them for an outsourced solution instead of you for an insourced solution, that was money well spent.
Re: (Score:2)
Whoops third reason is lemming like behavior. If your biggest competitor gets his complete stored credit card and customer list posted on the pirate bay as a torrent, or maybe on wikileaks, you can guarantee your boss is going to want a detailed explanation of why your data is not posted there too, isn't our company at least as good as the competitions?
So it doesn't matter, if you're lemming like boss wants to be just like X and X buys secureid, well guess what you're doing next week?
Re: (Score:2)
Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes.
Especially when the "unrefined" processes were mind-bogglingly stupid and betrayed such utter incompetence.
There's no way the RSA token master keys should have been stored in anything other than a FIPS 140-2 level 4 (or 3, but that would be mildly lame) host security module, with tight logical and physical access controls.
Sounds like spin! (Score:2)
We had our technology stolen, because we can't secure our own network, our customers suffered intrusions as a result... and this is a good thing!
This guy should be the White House Press Secretary!
The really awesome part... (Score:5, Interesting)
Is that the worthless corporate scumbags who own the company I work for (and force us to use RSA keyfobs) thought very hard about what to do about this spectacular failure on RSA's part, and came up with this solution: Get new keyfobs from RSA!
RSA's only job was to be trustworthy. None of their technology is a trade secret, and once they produce the fobs there's no need to interact with RSA whatsoever. There IS NO technology to steal on their networks.
And yet they kept the keys. The only purpose served by keeping those keys is allowing someone to decrypt their customers encrypted traffic. The keys are completely unnecessary for any other reason once the fobs have been made. If they're doing their job right, it wouldn't matter if terrorists came in and held a gun to the CEO's head, nevermind if their network was secure. The key fobs do not depend on them in any way to function once they're produced.
Their only job was to be trustworthy, and they have failed spectacularly.
So I'm expecting raises and bonuses all around for the execs, while a couple worker drones (who probably questioned keeping the keys in the first place) get axed. SNAFU.
Re: (Score:2)
Well, better than changing companies that new company might not be trustworthy.
Re: (Score:2)
The only purpose served by keeping those keys is allowing someone to decrypt their customers encrypted traffic
Ahem, don't know how to burst your buble, but RSA Tokens do not "encrypt" your traffic, it is a form of Two Factor Authentication(2FA). There is a big difference between the two.
Also if you are using the tokens properly, you will not just be using what is on display on the token, but also PIN number that is combined with whats on display.
As for why they kept the seeds, I don't know, but if you have your network properly secure, the compromise of the seeds does not instantly make your 2FA redundant. Ye
Re: (Score:2)
You're not bursting my bubble. I'm well aware that they're for two-factor authentication. However, we happened to use that for a VPN login. :)
Re: (Score:1)
Re: (Score:2)
Yes, because it would be much worse to KNOW you had a bunch of useless fobs as opposed to NOT knowing you had a bunch of useless fobs because the company kept the keys without telling you and someone stole them. :)
Re: (Score:2)
FTFY (Score:5, Funny)
'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been getting phone-raped by customers... as never before,' Coviello says, 'and they want to know in detail what the fuck happened, how we fucked up so badly, how the fuck we're going to fix it, and why the fuck they should still be our 'customers'."
bs (Score:2)
I have to call it ... (Score:3)
"Coviello says they want to know..." (Score:2)
...why they should continue doing business with RSA.
Wait, not a lesson in Single Points of Failure?! (Score:2)
RSA seeds the tokens. They keep the database of token seeds. You can't seed your tokens yourself.
This means you put your trust in RSA, not only that they won't give you defective tokens, but also that they will never have a security breach that compromises your keys.
This is why I use Yubikey [yubico.com]. I still have to trust the manufacturers' QA team and technology, but I also get to run my own authentication servers, and SEED MY OWN DAMN KEYS. Such that WE control our security; There is no single central po
Re: (Score:1)
Some people use a safe deposit box at the bank because they trust that the
RSA security posture: work in progress (Score:1)
Read the blog---Walsh suspects there's more shenanigans lurking in their code.