RSA has big problems

When you boil all the security hype away what you are left with is one thing. Trust. Security is all about trust and when that trust is gone so is the security. RSA revealed they got hacked last Thursday, so now they’ve got some big trust headaches. What we really know is very limited because the company hasn’t exactly been a fountain of detailed information. There’s nothing in the press release area of their web site, for example. The PR spin is here in an open letter from the chairman, thick on verbal assurance and thin on the actual detail needed to make an informed risk assessment. Important questions remain unanswered.
How long did the attacks go on and how much has been lost?
What exactly has been stolen?
Could this mean tokens could be reverse engineered?
Are all tokens affected or only some?
What is absolutely certain is that trust has been broken. What was known and trusted is now unknown and questionable. Not a foundation to build a trustworthy security model on.
What concerns me most about this attack is that it was targeted and sophisticated. One would assume it is not a cakewalk to steal anything meaningful from someone like RSA. And what a target to steal from - phrases like “keys to the kingdom” spring to mind. When you start asking yourself who has that kind of skill set and those resources, the answers aren’t very comforting.
What matters to me is what happens next. If this turns into nothing more than a company PR issue, where the only trust issue at stake is the ability of RSA to convince customers they are safe to buy more product, then security is the loser. Without specific details it is impossible to make any meaningful risk assessment. Lawyers may judge that the best outcome for RSA is for the story to slip off the media screen and be forgotten, but for anyone concerned with security that would be the real disaster.