RSA, the Security Division of EMC, announced that its SecurID two-factor authentication products may be at risk following a recently identified, sophisticated cyber attack.
There is evidence that certain information was maliciously stolen from RSA and that it could potentially affect the effectiveness of the authentication process.
In an open letter to RSA customers, RSA’s Executive Chairman, Arthur Coviello, stated: “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”
RSA SecurID products are used by tens of millions of people in tens of thousands of organizations worldwide on phones, key fobs, USB devices and PCs.
RSA’s revelation may cause quite a wave of concern.
The 3rd Generation Partnership Project (3GPP), which has the mandate of producing globally applicable third generation (3G) and fourth generation (4G) mobile phone system specifications, has recently revised the specifications of two security algorithms: 128-EEA3 and 128-EIA3. The updated version is v1.5.
The 128-EEA3 and 128-EIA3 confidentiality and integrity algorithms are targeted at the LTE-Advanced (LTE-A) wireless networks acceptable for Asian markets. They are based on the key stream generator ZUC and are expected to be ratified late this year as part of LTE-A Release 11.
Elliptic’s family of hardware and software 3GPP/LTE-A solutions has been updated to support the latest version (v1.5) of the ZUC-based modes.
Firesheep is a recently released free program that makes it easy to snoop on what users of unsecured Wi-Fi networks are doing and, even more, to assume their identity.
Firesheep is able to steal the user’s web browser cookie, which is often unencrypted and which contains computer and other sensitive information like account passwords (Facebook, Twitter, Flickr, etc.). With this information at hand, malicious users can easily go on the site and gain full account access. All this is possible because of the lack of end-to-end encryption.
Many web sites don’t encrypt all communication because of the cost and speed impact, but the good news is that more and more popular sites are beginning to offer encryption support via the TLS/SSL cryptographic protocol (the web address starts with “https”). This way, users are protected from prying eyes. The bad news is that many of the sites that support encryption don’t have it set as a default feature, and therefore it is rarely used. In an effort to improve Internet security for users, the Electronic Frontier Foundation, in collaboration with the Tor Project, has released “HTTPS Everywhere”, a Firefox extension that enables “https” for the sites that offer support for it but don’t have it turned on.