The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the “some advantages section” represents different approaches, which in and of themselves may also be inventions, and various problems, which may have been first recognized by the inventor.
In many applications a password is required to grant access to a system or to authorize a transaction. Today many users have so many different passwords that it is difficult to remember them all. A password can also be stolen by a thief, which makes password-based systems susceptible to fraud.
Limitations and Weaknesses of Prior Art
In March 2011, EMC Corp's RSA Security division announced a breach of its computer systems in which information related to its SecurID products was stolen. On Mar. 19, 2011, the Wall Street Journal stated the following.
A security company that provides computer-access keys used by thousands of businesses around the world disclosed a serious break-in, but left many customers scrambling to figure out what was taken and how they might be affected.
EMC Corp's RSA Security division Thursday said it has experienced an “extremely sophisticated cyber attack” on its computer systems, resulting in the theft of information related to its SecurID products.
Those products include tokens, which can be the size of a credit card or key-chain fob, that are used by employees to access corporate computer networks. The token generates every minute a new six-digit number that is synchronized with central security servers.
RSA held a conference call with customers Friday to discuss the intrusion, but didn't specify what information was taken by the attackers and declined additional comment. RSA says SecurID system is used by more than 25,000 corporations, and more than 40 million users around the world.
“RSA is distributing a set of best practices that they say will protect you,” said Bruce Jones, head of global information-technology security at Eastman Kodak Co. Beyond that, he said, RSA isn't telling customers much more about the incident.
“We are getting very little information, primarily because it is an open criminal investigation and the law-enforcement agencies are limiting RSA to what they can share,” Mr. Jones said.
Security experts interpreted the statements that RSA issued Thursday to indicate the attackers may have obtained so-called “seed” keys, which include a number associated with each token.
RSA said Thursday it is confident that the stolen information “does not enable a successful direct attack” on any SecurID users, but added that the information “could potentially be used to reduce the effectiveness” of the security scheme as part of a broader attack. Hackers have already demonstrated the ability to decrypt other authentication factors used to make networks safe, and “this just exacerbates the situation,” said Avivah Litan, an analyst with research firm Gartner.
Art Coviello, RSA's executive chairman, described the attack in an open letter Thursday as an “advanced persistent threat”—a category of computer crime often associated with efforts to steal specific sorts of information over a considerable period of time. Such attacks typically are associated with criminal groups, which in recent years have often operated out of Eastern Europe, analysts said. Mr. Coviello didn't discuss any suspects for the attack, but said the company is working with law-enforcement agencies.
Friday's conference call mainly focused on what customers should do to beef up their own security, such as making sure no rogue programs had been installed on servers running RSA software and suggesting that users increase the length of PIN numbers from four to eight digits, according to one person who participated.
“RSA's limited disclosures may have been driven by the desire to avoid creating a panic among its customers,” said Jonathan Penn, an analyst at Forrester Research. He anticipates that RSA will reach out to customers through its sales force and support staff in the coming days.
Paul Kocher, president of security-technology firm Cryptography Research, said the incident raises questions about the viability of RSA's model of serving as a central repository for seed keys. Some rivals have created systems that use software at customer sites to generate such keys. “It's a big problem” for RSA, Mr. Kocher said. “They are going to have a hard time convincing their customers that they should hold their keys.”
Despite RSA's original statement that the loss of seed information from its network did not enable a direct attack, in June 2011 the adversary phished PINs from employees of U.S. defense contractors with offices in Washington, D.C., and penetrated the corporate networks of those contractors. According to KrebsOnSecurity, over 700 institutions worldwide had their networks compromised as a consequence of the SecurID breach.
The backend server that authenticates SecurID passcodes must hold the same seed as the token in order to compute the passcode it expects. Once the seed records were stolen from RSA's network, the adversary could compute each token's passcodes itself; the only secret that remained was the user's PIN, and that was obtained by phishing. In summary, THE ADVERSARY WAS ABLE TO REMOTELY ACCESS CORPORATE NETWORKS OF U.S. DEFENSE CONTRACTORS WITHOUT HAVING AN RSA SecurID TOKEN IN THEIR PHYSICAL POSSESSION. At least part of SecurID's vulnerability, and of the resulting breach, stems from the fact that the seed inside a particular token is identical to the seed stored for that token on the backend server. In other words, the prior art uses the same shared secret on the physical token device and on the backend server that performs the authentication and administers access to a network or other resource. This is variously referred to as symmetric seeds, symmetric keys, or a shared symmetric secret. A consequence of this design is that any copy of the seed database, whether held by the vendor or by the customer's own authentication server, is as sensitive as the tokens themselves: whoever obtains it can impersonate every token it covers.
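As an added illustration, not part of the patent text, the following Python models the symmetric-seed design discussed above. RSA's SecurID algorithm is proprietary, so RFC 6238 TOTP (one six-digit code per minute derived from a per-token seed) is used as a stand-in; the serial number, seed, user name and PIN are constructed for the example. It shows that the customer's authentication server and an attacker holding the vendor's seed records compute exactly the same codes as the physical token, so that after the seed theft only the PIN remained as a secret.

```python
"""Added example (not from the patent): a shared symmetric seed on token and
server lets whoever steals the seed impersonate the token holder.

RFC 6238 TOTP stands in for the proprietary SecurID algorithm.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # one new code per minute, as the article describes
DIGITS = 6


def tokencode(seed: bytes, unix_time: int) -> str:
    """Six-digit code for the current minute, derived only from the seed (HOTP/TOTP)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


# Constructed sample of a vendor-side seed database: token serial -> seed.
# The seed value is the RFC 4226 test secret "12345678901234567890".
VENDOR_SEED_RECORDS = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
}

# Constructed: the identical seed is burned into the user's token and provisioned
# into the customer's authentication server. This is the shared symmetric secret.
TOKEN_SEED = VENDOR_SEED_RECORDS["000123456789"]
SERVER_SEED_DB = {
    "alice": {"serial": "000123456789", "seed": TOKEN_SEED, "pin": "4821"},
}


def server_verify(user: str, passcode: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server check: passcode = PIN + tokencode, tolerating +-1 minute of clock drift.

    The server can only do this because it holds the same seed as the token.
    """
    rec = SERVER_SEED_DB.get(user)
    if rec is None:
        return False
    pin, code = passcode[:len(rec["pin"])], passcode[len(rec["pin"]):]
    if not hmac.compare_digest(pin, rec["pin"]):
        return False
    for k in range(-skew_steps, skew_steps + 1):
        expected = tokencode(rec["seed"], unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(code, expected):
            return True
    return False


def legitimate_login(unix_time: int) -> bool:
    """Alice types her PIN followed by the code currently shown on her token."""
    return server_verify("alice", "4821" + tokencode(TOKEN_SEED, unix_time), unix_time)


def attacker_without_token(stolen_records: dict, serial: str, phished_pin: str,
                           unix_time: int) -> bool:
    """Attacker holds the vendor's stolen seed records and a phished PIN, no token.

    Because the server verifies with the identical seed, the attacker computes
    exactly the code the physical token would display at this minute.
    """
    forged_code = tokencode(stolen_records[serial], serial and unix_time)
    return server_verify("alice", phished_pin + forged_code, unix_time)


def pin_guesses_remaining(pin_digits: int) -> int:
    """Once the seed is known, the PIN is the only secret left: 10**digits candidates.

    This is the keyspace the article's advice (4 -> 8 PIN digits) tries to enlarge.
    """
    return 10 ** pin_digits


if __name__ == "__main__":
    now = 1_300_000_000  # constructed timestamp, March 2011
    print("legitimate login:", legitimate_login(now))
    print("attacker with stolen seed + phished PIN, no token:",
          attacker_without_token(VENDOR_SEED_RECORDS, "000123456789", "4821", now))
    print("PIN candidates left, 4 vs 8 digits:",
          pin_guesses_remaining(4), pin_guesses_remaining(8))
```

The seed is the RFC 4226 test secret, so `tokencode(TOKEN_SEED, 0)` yields the published counter-0 value 755224 and the next minute yields 287082, which lets the stand-in be checked against the RFC. The point of the model is in `server_verify`: the server cannot verify a code without holding material from which that code can be produced, so a compromise of the seed store, at the vendor or on the customer's own server, is equivalent to cloning every token it contains.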