
SANS ISC InfoSec Handlers Diary Blog



Lockheed Martin and RSA Tokens

Published: 2011-05-30
Last Updated: 2011-05-30 14:30:51 UTC
by Johannes Ullrich (Version: 1)

Just about a month ago, RSA notified its customers about a major breach of its systems. One of the big questions was if the breach leaked sufficient information to emulate RSA tokens.

RSA tokens are not random. They can't be random because the RSA authentication server has to know what number is displayed on the token. Based on the release from Lockheed Martin, suggesting that the RSA token was successfully emulated, one can only assume that the breach of RSA leaked sufficient data to predict the number displayed by a particular token. It may also have leaked which token was handed to what company (or even user).
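To make the "not random" point concrete, here is an added example (not from the original diary, and not RSA's code: the SecurID algorithm is proprietary and is not reproduced here). It uses the public RFC 4226/6238 HOTP/TOTP construction as an analogue: the token and the server share a per-token seed, both derive the displayed code from that seed plus a counter or time step, and the server checks a submitted code by recomputing it. The seed below is the RFC 6238 test value, used only so the output can be checked; it is a constructed sample, not a real token seed.

```python
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 6238 SHA-1 test vector "12345678901234567890").
# In a deployed system this per-token secret lives in the token and in the
# authentication server's seed records; whoever holds it can compute the codes.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(seed, unix_time // step, digits)


def server_verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """What the server side does: recompute the code for the current time step
    (plus a small clock-drift window) and compare in constant time."""
    counter = unix_time // 30
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + drift), submitted):
            return True
    return False


def seed_dependency_demo(unix_time: int = 59) -> dict:
    """Show that the code is a pure function of (seed, time): the server's copy of
    the seed reproduces what the token displays, and a different seed does not."""
    displayed = totp(SAMPLE_SEED, unix_time)
    other_seed = b"this-is-a-different-constructed-seed"
    return {
        "displayed": displayed,
        "server_accepts": server_verify(SAMPLE_SEED, displayed, unix_time),
        "other_seed_accepts": server_verify(other_seed, displayed, unix_time),
    }


if __name__ == "__main__":
    print(seed_dependency_demo())
```

The second factor's security therefore rests entirely on the seed records staying secret; once they leak, the PIN or password is what remains, which is why the steps below matter.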

However, remember that not all is lost. There are simple steps that you can and should take to protect your RSA token users:

- use a strong PIN or password. RSA tokens are just one factor of a two factor authentication scheme. You will have to enter a PIN or a password in addition to the token ID.

- monitor for brute forcing attempts. If your PIN is not trivial, an attacker will need a few attempts to guess it. Monitor for brute force attempts and lock accounts if someone attempts to brute force them. To prevent the associated denial of service attack, be ready to mass-unlock accounts and block access by IP address or other parameters.

- monitor your systems for access from odd IP addresses. Geo-location can help identify these outliers. Keep logs indicating who logged in from what IP address in the past.
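The second and third steps can be turned into a small detection pass over authentication logs. The following is an added example, not part of the original diary: it parses constructed sample log lines (the format and IP addresses are invented for the example), locks accounts that exceed a failure threshold inside a time window, flags source addresses that fail against several different accounts (the candidates for an IP block rather than per-account lockouts, which limits the denial-of-service side effect), and reports successful logins from an address the user has never been seen from before, against a constructed table of previously seen IPs. Geo-location lookup is left out so the example runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 203.0.113.9 hammers bob, then tries carol and dave;
# alice logs in once from her usual address and once from a new one.
SAMPLE_LOG = """\
2011-05-30T10:00:01Z user=alice src=198.51.100.7 result=OK
2011-05-30T10:05:10Z user=bob src=203.0.113.9 result=FAIL
2011-05-30T10:05:14Z user=bob src=203.0.113.9 result=FAIL
2011-05-30T10:05:19Z user=bob src=203.0.113.9 result=FAIL
2011-05-30T10:05:23Z user=bob src=203.0.113.9 result=FAIL
2011-05-30T10:05:27Z user=bob src=203.0.113.9 result=FAIL
2011-05-30T10:06:02Z user=carol src=203.0.113.9 result=FAIL
2011-05-30T10:06:05Z user=dave src=203.0.113.9 result=FAIL
2011-05-30T10:30:00Z user=alice src=192.0.2.55 result=OK
"""

# Constructed baseline of addresses each user has logged in from before.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.20"}}


def parse(text: str) -> list:
    """Turn log lines into (timestamp, user, src, result) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def analyse(events, known_ips, fail_threshold=5, window=timedelta(minutes=10),
            spray_threshold=3) -> dict:
    """Produce three lists: accounts to lock, source IPs to block, and successful
    logins from an address not previously associated with that user."""
    locks, block_ips, new_ip_logins = set(), set(), []
    fails = defaultdict(list)     # user -> timestamps of recent failures
    targeted = defaultdict(set)   # src -> set of users it has failed against
    for ts, user, src, result in sorted(events):
        if result == "FAIL":
            # keep only failures inside the sliding window, then add this one
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            targeted[src].add(user)
            if len(fails[user]) >= fail_threshold:
                locks.add(user)
            # one source failing against many accounts is better handled by an
            # IP block than by locking every targeted account
            if len(targeted[src]) >= spray_threshold:
                block_ips.add(src)
        elif src not in known_ips.get(user, set()):
            new_ip_logins.append((user, src, ts.isoformat()))
    return {"lock": sorted(locks), "block": sorted(block_ips), "new_ip": new_ip_logins}


if __name__ == "__main__":
    for key, value in analyse(parse(SAMPLE_LOG), KNOWN_IPS).items():
        print(key, value)
```

Thresholds and the window are parameters because the right values depend on how strong your PIN policy is: with a weak PIN, a handful of guesses may be enough, so the failure threshold has to be correspondingly low and the alert has to reach someone who can act on it.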

Also see:

http://isc.sans.org/diary.html?storyid=10609
http://isc.sans.org/diary.html?storyid=10618


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Allied Telesis Passwords Leaked

Published: 2011-05-30
Last Updated: 2011-05-30 01:51:17 UTC
by Johannes Ullrich (Version: 1)

A list of default "backdoor" passwords for network gear vendor Allied Telesis leaked and was available for download on Friday. 

Some gear sold by Allied Telesis uses static default passwords for system recovery. Other equipment uses passwords derived from the MAC address. An application to calculate these MAC address specific passwords was leaked as well.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
