Comment: Cyberattack leads to crypto token recall

It had to happen: three months after the computer security company RSA realised its computer systems had been invaded in a data-scavenging cyberattack, the company today announced that it will replace many of the pseudo-random number generators that are its signature cybersecurity product.

RSA makes the 'SecurID' keyfob tokens that use a secret algorithm to generate a different-but-predictable six-digit number every 30 seconds or so. Starting with a "seed" number known only to RSA, the algorithm generates numbers from activation time onwards. Used alongside a personal PIN, the fobs provide a convenient way of allowing corporate, government and military employees working remotely to log onto office servers securely. Some 40 million people use them worldwide

But on 17 March, RSA revealed in a letter to customers that its computer network had been attacked by an "advanced persistent threat" or APT. The data extracted by what it dubbed a "sophisticated" attacker included information related to the RSA SecurID product - and presumably this included the seed.

Little more was heard of the data theft until last week, when stealth fighter maker Lockheed Martin revealed publicly that its systems had been attacked and that stolen RSA SecurID data had played a part in the hacking attempts. Then a leaked email from military contractor L-3 Communications said the firm had suffered similarly thanks to the SecurID breach - and Fox News reported that Northrop Grumman had too.

The big question the affair raises is this: why did RSA store its critical security data on a networked computer? It makes no sense.

Whatever the reason, RSA executive chairman Art Coviello said in the 17 March letter that while the data that had been taken could not be used in a "direct attack", it might be used to "reduce the effectiveness of two-factor authentication". In other words, users should strengthen their PINs.

But following the Lockheed attack, RSA's latest missive says it has been running an accelerated token replacement program for government and military users. And it has offered to replace tokens - presumably with ones running a smarter algorithm - for companies "with concentrated user bases typically focussed on protecting intellectual property and corporate networks".