RSA, whose SecurID tokens have been linked to the recent hacks of both the company itself and Lockheed Martin, is offering to replace the tokens of many of its customers.
In an open letter to customers, executive chairman Art Coviello confirmed that the Lockheed Martin attack was indeed carried out using information taken from RSA during the March attack on the company’s systems.
“Certain characteristics of the attack on RSA indicated that the perpetrator’s most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment,” he says.
Coviello says that the company will replace SecurID tokens for ‘customers with concentrated user bases typically focused on protecting intellectual property and corporate networks’. For those with a large, dispersed user base, it is also offering to implement authentication strategies based on companies’ individual risks, with the aim of protecting financial transactions.
“We will continue to work with all customers to assess their unique risk profiles and user populations and help them understand which options may be most effective and least disruptive to their business and their users,” he says.
But Paul Ducklin, of rival firm Sophos, queries whether RSA is going far enough.
“Those sound rather like weasel-words to me. What is a ‘concentrated user base’? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?” he says.
“And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don’t have the same flaws as the old ones?”