Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: RSA Offers to Replace Tokens - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
RSA Offers to Replace Tokens

RSA issued a press release, offering to replace all tokens if a customer asks for it. As an alternative, RSA also offers to implement additional authentication monitoring.

Aside from the press release, and an interview with the RSA CEO, there have not been any details about how this would work or how long it will take. However, RSA states that this will cover all customers, even if RSA considers them not at risk.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

 Johannes

4479 Posts
ISC Handler
Jun 7th 2011
Thread locked Subscribe Jun 7th 2011
1 decade ago
So after months of saying customers were still secure and there was no need to replace tokens, RSA finally admits they have been lying to their customers and the public all along.

And why should we now believe anything they have to say?
 Anonymous
Quote Jun 7th 2011
1 decade ago
Original link from RSA is here ==> rsa.com/…
 Rob VandenBrink

578 Posts
ISC Handler
Quote Jun 7th 2011
1 decade ago
My company immediately increased the pin length to help mitigate the risk.

It will be interesting to see if we accept the offer of new tokens, we have thousands of them.
 Rob VandenBrink
7 Posts
Quote Jun 7th 2011
1 decade ago
So they will replace Tokens for free?
Hopefully with replacement authentication server and brand new tokens produced, everything using key material generated after intruders were locked out, and a promise they haven't kept record of sufficient information for anyone to replicate the replacement tokens?


It would seem pointless if they're offering to replace potentially compromised tokens with (still potentially compromised) tokens from their warehouse,
but stranger things have happened.



 Mysid

146 Posts
Quote Jun 7th 2011
1 decade ago
I've always been suspicious of RSA's promises. Now with confirmation of not only their grossly-lax internal security, but also of their ongoing lies and deceptions, I have no choice but to strongly recommend against any possible future RSA implementation which requires any level of security higher than simple shared passwords.
 Anonymous
Quote Jun 8th 2011
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!