Security firm falls prey to breach
Attack considered "persistent threat"
By Hiawatha Bray Globe Staff / March 19, 2011
RSA, a Bedford security systems maker whose products guard vital computer networks worldwide, was scrambling yesterday to recover from a security breach that could expose its customers to hacker attacks.
The attack, revealed on Thursday, compromised products RSA sells under the SecurID brand name. RSA, a division of data storage giant EMC Corp. of Hopkinton, called the attack an "advanced persistent threat," industry jargon for a relentless campaign by criminals or foreign governments to break into a high-value computer system.
SecurID uses a technique called "two-factor authentication," requiring users to enter two different passwords to gain access to a network. The first password is memorized by the user. The second is a set of random numbers that appear on a SecurID "token," a small electronic device carried by the user.
The token's random numbers change roughly once a minute based on a unique digital "seed" assigned to each token. A SecurID computer with a copy of each token's seed generates the same random number as the token. A user gets into the network by typing this number.
SecurID is used by an estimated 40 million people at 30,000 organizations worldwide, including banking firm Wells Fargo & Co., Rolls Royce Motor Cars Ltd., the French Ministry of Education, Lockheed Martin Corp., and The New York Times Co., including The Boston Globe.
A successful breach of RSA's own network could allow a criminal to compromise customer networks. Gunter Ollmann, vice president of research at Atlanta network security firm Damballa Inc., said that RSA analysts were probably scouring their computers yesterday to make sure the intruders didn't tamper with the SecurID software. One threat: Hackers could have introduced "back doors" to the system that could grant them easy access to the token numbers, and then to customer networks. They might also have tried to steal the seeds for the SecurID tokens, which would let them generate their own passwords and break into networks.
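
The seed mechanism described above, and the reason the seeds are the secret worth guarding, sketched as an added example that is not from the article or from RSA. SecurID's own algorithm is not given here, so the code assumes the open HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1) with a 60-second step; the function names, the six-digit length and the sample seed and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article: the number changes roughly once a minute
DIGITS = 6         # assumed code length


def code_for_step(seed: bytes, step: int) -> str:
    """HMAC the time-step counter with the seed, then truncate (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def token_code(seed: bytes, unix_time: int) -> str:
    """What the token displays at unix_time."""
    return code_for_step(seed, unix_time // STEP_SECONDS)


def server_accepts(seed_copy: bytes, submitted: str, unix_time: int,
                   drift_steps: int = 1) -> bool:
    """Server side: recompute from its own seed copy, allowing clock drift."""
    current = unix_time // STEP_SECONDS
    ok = False
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        expected = code_for_step(seed_copy, step)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (RFC 4226 test key)
    now = 1300500000                # constructed timestamp
    shown = token_code(seed, now)
    print("token shows:       ", shown)
    print("server accepts:    ", server_accepts(seed, shown, now))
    # Any other holder of the seed derives the identical code, which is why
    # the seed records are the secret the whole scheme rests on.
    print("seed copy matches: ", token_code(bytes(seed), now) == shown)
    print("stale code (5 min):", server_accepts(seed, shown, now + 300))
```

Nothing in the computation depends on the physical token: the code is a function of the seed and the clock alone, so protecting the server's seed copies matters as much as protecting the tokens.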