Letter to Compliance Week Editor Regarding the “Data Breach at Security Firm Could Make Others Vulnerable” Article
Blogmaster Note: This is a letter to the editor of Compliance Week in reference to its article titled “Data Breach at Security Firm Could Make Others Vulnerable” written for the site by Karen Kroll on June 21.
To the Editor:
Earlier this month, I was interviewed by your reporter, Karen Kroll, for the June 21 article titled “Data Breach at Security Firm Could Make Others Vulnerable.”
While I’m pleased that Compliance Week engaged a variety of industry voices to comment on the very real issues related to the recent security breach with RSA, I was somewhat troubled by the comments made by Ted Theisen, a director in the secure information services practice with Kroll Ontrack, regarding smartcard technology. In the article, Mr. Theisen is quoted as stating, “It (smartcards) can be compromised in the same way that RSA has been.”
It is important for Compliance Week readers to understand that it is a tremendous oversimplification to suggest that smartcards can be compromised in the same way RSA’s hard tokens are being repeatedly compromised. Your readers deserve better information and facts.
One-time passcode tokens (like those from the RSA division of EMC) and smartcards differ markedly both in their fundamental architecture and common implementation choices. The severity of the RSA incident results from the use of a master secret that, in the wrong hands, enables criminals to replicate any token of their choice. This can be done without having any physical access to that token, and that appears to be what happened.
In the attack on RSA, the perpetrators gained access to what is known as the seed files. Given a seed file and other readily-obtainable information, the attacker can simulate a physical hard token that was issued to an individual employee. Essentially, this negates the second factor of authentication. Smart-card solutions avoid this implementation choice, so that any single incident cannot compromise the entire inventory of cards. Even replicating a single card requires physical possession of that card. There are no known attacks against modern smart cards that put the private key in the hands of the attacker.
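The architectural difference described in the two paragraphs above, as an added example that is not part of the letter and not any vendor's code: a seed-based one-time-code generator next to a public-key challenge-response of the kind a smart card performs. The RFC 4226 HOTP routine stands in for the token algorithm (the letter does not say which algorithm RSA's tokens use), and the P-256 key pair, the `newCard` model and all sample values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hotp6: 6-digit RFC 4226 HOTP; seed + counter (i.e. the seed file) reproduces the token's code.
func hotp6(seed []byte, counter uint64) int {
	mac := hmac.New(sha1.New, seed)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	return int((binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000)
}

// newCard models a smart card: the key pair is generated on the card, only
// the public key leaves it for enrolment, and signing is a call into the card.
func newCard() (*ecdsa.PublicKey, func([]byte) ([]byte, error)) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &priv.PublicKey, func(msg []byte) ([]byte, error) {
		d := sha256.Sum256(msg)
		return ecdsa.SignASN1(rand.Reader, priv, d[:])
	}
}

// cardAuthenticates is the server side: a fresh challenge, verified with the enrolled public key only.
func cardAuthenticates(pub *ecdsa.PublicKey, sign func([]byte) ([]byte, error)) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, err := sign(challenge)
	d := sha256.Sum256(challenge)
	return err == nil && ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	seed := []byte("12345678901234567890") // constructed: the RFC 4226 test seed
	fmt.Println("token, seed-file clone:", hotp6(seed, 0), hotp6(seed, 0))
	pub, card := newCard()
	_, impostor := newCard() // holds the server's enrolment record, not the card
	fmt.Println("card, impostor:", cardAuthenticates(pub, card), cardAuthenticates(pub, impostor))
}
```

A copy of the seed yields the same code as the token, whereas a copy of the server's enrolment record (the public key) gives an impostor nothing to sign with.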
Further, smartcards have the flexibility to solve many more security issues beyond just that of simple user authentication, which accounts for their increasing popularity among organizations ranging from forward-thinking global corporations to INTERPOL to the U.S. Government, which has mandated the issuance of smartcards to all federal employees through HSPD-12. The future clearly favors smart cards over OTP tokens.
In today’s cyberworld, software tools are changing in days not years — and in many cases hours or even minutes. That makes fighting cybercrime a constant real-time battle. The good news is that technology, like smartcards, is available to address and thwart many potential attacks by today’s savvy criminals.
As digital security experts, we have a duty to clearly and accurately articulate the pros and cons of digital security solutions. The businesses and governments who depend on our expertise deserve nothing less than complete facts. Thank you for the opportunity to further educate your readers on this important topic.
President and CEO