Security firm RSA has been the victim of an "extremely sophisticated" attack that has resulted in exfiltration of certain private information, announced Executive Chairman Art Coviello in an open letter published yesterday. The company also filed a note with the SEC, warning of possible risks due to the attack. Since 2006, RSA has been part of EMC.
Some of the information taken relates to the company's SecurID security token hardware and its smartphone-based software equivalent. SecurID tokens are used in two-factor authentication systems: to authenticate, a user supplies both a password and the number currently displayed by the SecurID token. Each token generates a sequence of six-digit pseudo-random numbers, with a new number produced every 60 seconds. The number entered by the user must match the number the authentication server expects the token to be showing at that moment, which lets the server confirm that the user not only knows the password but also possesses the token. Each token is initialized with a unique 128-bit seed value that determines its sequence of numbers, and every user account on the authentication server is associated with the seed of that user's token, so the server can compute the number it should expect. The seed is therefore the token's real secret: anyone holding a token's seed and knowing the current time can compute the same numbers the token does, which is why information about the seeds matters so much more than information about the token hardware itself.
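To make the shared-seed model concrete, here is an added example that is not from the article and is not RSA's proprietary SecurID algorithm (which the article does not describe): a simplified time-based one-time password in the style of RFC 6238 (HMAC-SHA1 over a 60-second time counter). The seeds, account names and password are constructed for the example. It shows the server recomputing the expected code from the stored seed, the usual clock-skew window, and the consequence of the seed leaking: with the password and the seed, no physical token is needed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed example (not the article's code and not the SecurID algorithm):
# a time-based OTP in the style of RFC 6238, HMAC-SHA1 over a 64-bit counter.
# It models only the property the article describes: token and server share
# a seed, and the expected code is a deterministic function of seed and time.

STEP_SECONDS = 60   # the article's 60-second rotation
DIGITS = 6          # six-digit codes

# Constructed 128-bit seeds; a real token's seed is never spelled out like this.
TOKEN_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")
OTHER_SEED = bytes.fromhex("ffffffffffffffffffffffffffffffff")


def generate_code(seed: bytes, unix_time: int,
                  step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code a token holding `seed` displays at `unix_time`."""
    counter = unix_time // step                       # which 60-second slot
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Stores a password and a token seed per account, as the article describes."""

    def __init__(self, skew_steps: int = 1):
        self.accounts: Dict[str, Tuple[str, bytes]] = {}
        self.skew_steps = skew_steps   # clock-drift tolerance, in 60 s slots

    def enroll(self, username: str, password: str, seed: bytes) -> None:
        self.accounts[username] = (password, seed)

    def verify(self, username: str, password: str, code: str, unix_time: int) -> bool:
        record = self.accounts.get(username)
        if record is None:
            return False
        stored_password, seed = record
        if not hmac.compare_digest(stored_password.encode(), password.encode()):
            return False
        # Recompute the expected code for the current slot and its neighbours.
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            expected = generate_code(seed, unix_time + delta * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False


def demo(now: int = 1_300_000_020) -> Dict[str, bool]:
    """Run the login scenarios at time `now`; returns accepted/rejected per scenario."""
    server = AuthServer()
    pw = "correct horse"                      # constructed password
    server.enroll("alice", pw, TOKEN_SEED)
    return {
        # Legitimate user: password plus the code the real token shows.
        "password_and_token": server.verify("alice", pw, generate_code(TOKEN_SEED, now), now),
        # Wrong password with a valid code.
        "wrong_password": server.verify("alice", "wrong", generate_code(TOKEN_SEED, now), now),
        # Code from the previous slot, accepted because of the skew window.
        "previous_slot": server.verify("alice", pw, generate_code(TOKEN_SEED, now - STEP_SECONDS), now),
        # Code five slots old, outside the window.
        "stale_code": server.verify("alice", pw, generate_code(TOKEN_SEED, now - 5 * STEP_SECONDS), now),
        # Attacker with the password but a different seed: the numbers do not match.
        "password_without_seed": server.verify("alice", pw, generate_code(OTHER_SEED, now), now),
        # Attacker with the password AND the user's seed needs no token at all.
        "password_with_leaked_seed": server.verify("alice", pw, generate_code(TOKEN_SEED, now), now),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} {'accepted' if accepted else 'rejected'}")
```

The last two scenarios are the point: the server cannot tell a real token from any other device that holds the same seed, so the security of the second factor rests entirely on the seed-to-account mapping staying secret, both on the server and wherever the seeds were generated and recorded.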
http://arstechnica.com/security/news/2011/03/rsa-says-hack-wont-allow-direct-attack-on-secureid-tokens.ars

Note: This is a big deal. RSA was on conference calls Thursday with customers.