Huge news recently when RSA announced that information relating to their RSA SecurID two-factor authentication was stolen by hackers in what they are calling an Advanced Persistent Threat (APT). The highly sophisticated attack has now put the use of their patented two-factor authentication technology in doubt. RSA are not releasing the specific type of information that was taken and are still conducting their investigation. Obviously right now they do not want to put their customers into panic mode, as this technology is used by companies globally, so they are withholding any information about the breach that might tell other hackers or attackers how to further break the technology and guess one-time passwords. The problem with this position is that the IT security media are assuming that, because RSA are not releasing information, the silence is an admission that the product is no longer secure. The media have a good point: the customers, and also the investors in RSA, should know the extent of the damage this breach has caused and its impact on the future of this solution.
Perhaps this is the end of two-factor authentication and there will be a move by the industry to deploy three-factor authentication products such as MXI Security. I have worked with this product, developing proof-of-concept bespoke solutions for clients, and it is an innovative enterprise solution. This technology is not yet mature or widely used, but I see it developing more in the near future, especially when this type of news from RSA proves that even the companies that provide security products can be hacked.
In fact, I find it very ironic that the companies that provide consultancy and technology to other clients also suffer the same problems as their clients. These companies are huge targets for attackers, with huge bragging rights.
At the end of the day this is the real challenge of IT security: you can keep patching holes and building layers to prevent an attack, but if hackers have the motivation, time and resources to penetrate a network, it is not a matter of IF it will happen, only WHEN.
RSA Open Letter — http://www.rsa.com/node.aspx?id=3872
Theregister.co.uk article — http://www.theregister.co.uk/2011/03/24/rsa_securid_news_blackout/