Comodo and RSA: Who Shall Guard the Guardians?

When two key Internet security firms are hacked, who's safe?


Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”

It’s certainly been a banner year for the Luddites. Over a million customers had their personal details accessed when blackmailers broke into the financial systems of Hyundai Capital. Millions of e-mail addresses were stolen in a security breach at the marketing firm Epsilon. Thirty million customers of a South Korean bank had trouble accessing their accounts because of a cyberintrusion. And a hundred million user accounts on the Sony PlayStation Network were compromised.

But that’s nothing. A famous saying by a Roman poet asks: Who shall guard the guardians?

In this case, the guardians are two security vendors, Comodo and RSA. Comodo was tricked into issuing counterfeit SSL certificates to some of the world’s largest websites, including Google and Microsoft. Remember those letters of transit in the movie Casablanca? These are far more valuable.

But even that pales by comparison to what happened at RSA Security, where a powerful authentication system used by tens of thousands of organizations was compromised, and because of it, the security of a number of major U.S. defense contractors has been under continual assault.

My guest today has been on the other side of this microphone a number of times now. Robert Charette is a management consultant with 30 years of experience in software analysis, risk management, and large-scale development. He’s a member of the IEEE, has a Ph.D. in computer systems engineering, and runs our highly active and respected blog, The Risk Factor.

Bob, whenever you come onto the show, it means things are not going well in the world, but nevertheless, welcome to the podcast.

Bob Charette: Thank you, Steve. Good to be here again, I think.

Steven Cherry: Bob, let’s start with the smaller breach. Tell us what SSL certificates are and why they’re even better than those mythical letters of transit signed by Charles de Gaulle himself.

Bob Charette: Those certificates, Steve, are basically the passports to the Internet. What they do is they show whether or not a company is actually the company that you’re looking at on the Web, so that when you do a log-in, you’re feeling very secure that in fact if you’re logging into Amazon, if you’re logging into Microsoft, you’re logging in to Google, that in fact those are the companies that are being represented on your display. The trouble is if somebody’s able to get ahold of these certificates, then they can become impostors, and you can sign in thinking that you’re signing into, say, Google, when in fact you’re signing into a bogus site, and what they’ve done is they’ve just stolen your user name, your password, all your credentials, and they can run wild throughout whatever your accounts are. So these are very, very important items to make sure that the Web is secure. And if these things get compromised, then basically you don’t know who you’re talking to when you’re typing in your log-ins or you’re searching on a website.

Steven Cherry: So these certificates are involved when your browser goes from “http” to “https,” right, for security? And in some browsers now, even like the company name, like PayPal or whatever actually shows up in the browser line.

Bob Charette: Right, and what you do—and it’s a very important thing to take a look at that “s” to see whether or not it’s there. These certificates are basically sold by the different vendors who manage the Web domains, and they’re not very expensive, but they’re very important to have. And again, if somebody’s able to get ahold of these in a bogus fashion—again, you might as well just open the vaults and watch your money disappear.

Steven Cherry: Very good. So let’s move on to the other problem here, Bob. The R, S, and A of RSA Security were Ron Rivest, Adi Shamir, and Leonard Adleman. These were the guys who invented public key cryptography, upon which much of the world’s electronic security is based. I mean, hacking into RSA is like wiretapping the NSA itself; it’s beating Tiger Woods at golf; it’s like fooling Houdini with your magic and beating Rambo in hand-to-hand combat all at once. What happened and how could it possibly have happened?

Bob Charette: Well, that’s an interesting question, because RSA hasn’t been overly detailed in telling what happened. Their argument is that if they tell you how it happened then it’ll encourage others to try it as well. The speculation—and again, it is speculation, because I don’t have any direct knowledge into what’s going on—is that someone was able to use a phishing e-mail to get someone in RSA or an affiliate to disclose information that allowed the hackers to get into the databases at RSA and get some of the seeds or other secure items that allowed them to compromise at least part of the SecurID approach, the two-factor authentication. So it isn’t a full compromise, but they got enough of the information that it allowed them to then move to another type of attack—another phishing attack against companies that use RSA’s technology, which again, folks like Lockheed Martin, supposedly Northrop Grumman, L3 Communications, some very large defense contractors have been fighting off attacks that look directly linked to this RSA breach. This has caused a tremendous amount of consternation, because although RSA is claiming that everything is secure—especially if you take some of their added security advice—people are very, very nervous about this, because you’re talking about not only major defense contractors but governments, you’re talking about banks, you’re talking about anyone who really thinks they need to secure something is now thinking that they may be at risk.

Steven Cherry: So what happened with the defense contractors?

Bob Charette: Well, Lockheed Martin—it was disclosed that they were replacing their RSA SecurID tokens, and that kind of got out in the news. And what’s interesting is how it got out in the news is that there was a story by Reuters on this about a week and a half ago, and it quoted defense sources, U.S. defense officials who went unnamed talking about it. It looks like what happened is that again, there was a partial compromise within the Lockheed system. Lockheed claims that nothing was taken, but it must have penetrated at least a few layers of its layered security, which caused it to basically shut down its network and require everyone to get new security tokens. This is really very worrying, because Lockheed Martin is well known for having extremely good security, because it’s the largest defense contractor in the world, and the fact that others like L3 and Northrop may have been attacked in similar fashion just puts everyone on notice that this is a very, very serious attack, and that it’s also probably done by people who have a lot of sophistication behind them.

Steven Cherry: So what exactly are these tokens? Are they like those certificates we were talking about?

Bob Charette: They’re similar. Basically, the tokens—you can think of it like an ATM card where you have an ATM and a PIN. These tokens—which you can either get as a software token or actually a physical key fob—basically generate a pass number, a code for you to put in with your PIN, which identifies you as being the person you say you are. Now this two-factor authentication—what happens is these fobs get seeded with an algorithm, which is linked to you, and they change every 30 to 60 seconds, so that it’s always looking to try to make sure that when you sign in with this number—which is generated, which is known back at RSA and in the security system of the company it’s assigned to—tries to make it extremely difficult for somebody to break in. But if somebody gets ahold of this fob and gets ahold of your password, that can open the door into the system. There’s a lot of different ways to make sure that even when that happens, that people are monitoring the system to see if people are going with this particular security access and trying to access things they’re not supposed to get to. But what it’s done is, RSA has had to come out and say they’re going to replace 30 to 40 million of these fobs, which is going to cost a lot of money, and basically there’s a lot of fear out there.

Steven Cherry: So these tokens are kind of a clue as to what’s going on with RSA. And I guess you saw just last night another story that mentioned these tokens that kind of raised your antenna.

Bob Charette: Yeah, well, the Financial Times of London reported that Citigroup had been hacked in May, and that somewhere in the neighborhood of a couple hundred thousand credit card account holders had seen their account information compromised, not all of it but enough that it looks like those credit cards are going to have to be reissued. Now what’s interesting is that Citigroup did not voluntarily disclose this publicly until the Financial Times of London asked it. And there was a story about the SecurID about RSA on Tuesday in The New York Times, which said that Citigroup was one of the folks that was asking for new security tokens. So again, I’m making a large speculative leap, but I’m very curious as to whether or not the hack in May against Citigroup was related to this SecurID issue. So as you mentioned at the start of the program, there are just a huge number of major hacking incidents over the last two months that really make you wonder what’s going on out there.

Steven Cherry: Yeah, so there’s a lot of natural disasters every year, but it takes a Katrina or a Japanese nuclear meltdown to get the world’s attention. What’s it going to take to get the world’s attention in computer and Internet security? And if the RSA breach isn’t it, maybe nothing can be.

Bob Charette: Well, I don’t know. I think the cyberattacks are getting much more sophisticated and the impacts are getting greater. I think something like Epsilon actually has a greater impact than maybe some of these others, because if you have like I had five e-mails in one week apologizing for your account information being compromised, and you have that repeated millions of times to individuals, then I think the people start to take notice. What’s happened is that there’s been legislation introduced one more time by Senator Patrick Leahy from Vermont, which is moving to basically make it a federal criminal offense with prison time and a fine if companies don’t disclose their attacks, because right now a large number of attacks are never publicly disclosed by companies. In fact, in one study recently somewhere in the neighborhood of 90 percent of the attacks against utilities are not publicly disclosed. So I think as this starts to come about, as people really start to feel the impact personally, then disclosure laws will come into play, and companies are going to be held liable for this.

Steven Cherry: Very good. Well, Bob, whether it’s Toyota cars spinning out of control or boondoggle software projects wasting hundreds of millions of dollars or defense contractors getting cyberassaulted, you know you’re just one piece of bad news after another.

Bob Charette: Yeah, I’m always a great hit at parties.

Steven Cherry: But you’re always welcome here to tell our listeners about it. Thanks for joining us, and I guess we’ll see you when the next digital train wreck occurs.

Bob Charette: Right, well, hopefully that won’t be tomorrow.

Steven Cherry: We’ve been speaking with security consultant and Spectrum Risk Factor blogger Bob Charette about two of the biggest security breaches in the history of the Internet, at Comodo and RSA Security. For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.

This interview was recorded 9 June 2011.
Audio engineer: Francesco Ferorelli


NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum's audio programming is the audio version.