RSA data breach revealed March 17, 2011
So, it was St. Patrick's Day and I was in sunny Florida enjoying a round of golf with family when my phone buzzed with a "data breach" story... I thought about blogging... but I like golfing more.
On Thursday, March 17th, RSA, a division of EMC Corp., announced to the world (my world) that their computer system had been breached. EMC Corp. is a Massachusetts corporation, and the Boston Globe followed up with an article by Hiawatha Bray stating that the company had not filed a report with the Massachusetts Attorney General under our data breach law.
Many other media outlets have run stories on this breach, but none have been able to say just what happened, what was taken, or who did it (at least none of the 100 or so that I reviewed).
When investigating a crime, one of the key focus points is usually motive. "Why" did the bad guy do such and such. Financial gain is common, as is revenge. Establishing a motive can help investigators narrow their search for suspects and evidence. Of course getting the motive wrong can be a real problem. The best investigators let the evidence lead them to the suspect and then establish a motive to bring the whole thing together.
So, I asked myself the question: why would someone breach RSA's computer system? This company is a serious security outfit, and the bad guys apparently pulled out all the stops, using what the company called an "advanced persistent threat", which apparently in layman's terms means "they did everything they could to get in".
OK, so someone used a lot of time and energy to breach a major security company's computer system but why?
For those who don't know, a common application of RSA's security business is SecurID: they provide little "tokens" with a small screen that shows a number, and the number changes constantly (every minute or so). If you have one, that probably means you have access to some significant, sensitive information. I knew a doctor who carried one so he could log in to his hospital's computer system to review patient records, make changes, etc. I read that our government is also a customer. The customer uses a computer to go to the place where the information is, enters a memorized password, and then enters the number currently showing on the "token". The server at that location holds a copy of the secret "seed" that was loaded into the token when it was made, runs the same calculation against the same clock, and so can confirm that the number is the one that token should be showing right now; if it matches, access is allowed. That is also why the seeds matter so much: anyone who holds a token's seed can compute the same numbers without holding the token, and the second factor then adds nothing beyond the memorized password.
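To make the "same calculation on the same clock" concrete, here is an added example (not code from this post, and not RSA's proprietary SecurID algorithm) using the open standard that works the same way: time-based one-time passwords per RFC 6238, built on HMAC-SHA1 per RFC 4226. The seed value is the RFC's published test-vector seed, not a real token's secret; the `OtpVerifier` class and its replay check are my own assumptions about how a careful verifier should behave. The point to watch is the last few lines: the "attacker" side needs nothing but the seed and a clock to produce a valid code.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is simply the number of `step`-second intervals since epoch."""
    return hotp(seed, int(unix_time) // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Stateless check: accept the code for the current interval or one on either side
    (clock drift tolerance). Constant-time compare avoids leaking digit-by-digit matches."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(seed, counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


class OtpVerifier:
    """Assumed server-side verifier (not RSA's): same as verify_totp, but remembers the
    last interval it accepted so a sniffed code cannot be replayed within the window."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_counter = -1  # highest counter value already consumed by a successful login

    def check(self, candidate: str, unix_time: int) -> bool:
        counter = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # already used (replay) or older than a code we accepted
            if hmac.compare_digest(hotp(self.seed, c, self.digits), candidate):
                self.last_counter = c
                return True
        return False


# RFC 6238 / RFC 4226 test-vector seed ("12345678901234567890"), used here so the
# output is checkable against the RFCs. A real token's seed is loaded at manufacture
# and must be known only to the token and to the authentication server.
DEMO_SEED = b"12345678901234567890"


def attacker_code_from_seed(stolen_seed: bytes, unix_time: int) -> str:
    """What someone holding the seed records can do: no token needed, just the seed and the time."""
    return totp(stolen_seed, unix_time)


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC 6238 vectors; use time.time() in practice
    server = OtpVerifier(DEMO_SEED)
    shown_on_token = totp(DEMO_SEED, now)
    print("token shows:", shown_on_token, "accepted:", server.check(shown_on_token, now))
    print("same code replayed:", server.check(shown_on_token, now))
    print("attacker with seed only:", attacker_code_from_seed(DEMO_SEED, now) == shown_on_token)
```

The verifier's window and replay bookkeeping are the two knobs a practitioner actually tunes: a wider window makes drifting token clocks less annoying but gives a sniffed code a longer useful life, and without the `last_counter` check a code captured over the shoulder is good for the whole window.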
Back to the question at hand, why... I have a few theories:
- Conspiracy. Whoever did this never intended to take anything; they just wanted to put the world on notice that even the largest security outfits are not safe, causing the government to over-legislate by passing a quick "overregulating" law, thus giving other security companies tons of business and tons of money.
- Foreign Government Action. Maybe the Chinese were just curious how the whole thing works and instead of creating one, they steal this one, reverse engineer it and now have their own version. Hey, just ask Google about that possibility.
- Corporate Espionage. If I was a major corporation, and I mean a world power corporation, and I needed to get inside a competitor's network that happens to use RSA's SecurID, wouldn't this be a great way to do that? If you were able to use real login credentials to access a competitor's network, that network would have no defenses, none.
- Criminal Organization. Even I think that this one is over their head. Sure, there are some smart criminals, but hacking into RSA? Really? I'd call that a stretch, but I have to include it until I eliminate it. (see generally Sherlock Holmes: "eliminate the impossible, and whatever remains, however implausible, must be the truth")
- It never happened. Remember when Coke changed their formula, only to change it right back? It was a boon for their business. Everyone tried the new one and then wished for the old one and went right out and bought it again. Maybe RSA can re-invent themselves and their product to prove to the world that they are NOW the best and strongest security since they improved on an arguably solid product. - No, I don't like this theory either.
The problem with my theories is that they are based on no evidence, zero. That is no way to run an investigation. Our Attorney General apparently has no information either. This is an interesting question, though: if what was taken was NOT PII (Personally Identifiable Information) but certain codes that in turn may give the holder access to information that IS PII, what is their responsibility, meaning RSA's responsibility? Are they required to tell the AG anything? I can't even suggest an answer without more evidence.
I wonder if RSA has a WISP (Written Information Security Program, the document Massachusetts requires under 201 CMR 17.00)? Probably the mother of all WISPs if you ask me... but I digress.
I guess we will have to stay tuned and see if EMC Corp., a Massachusetts corporation, feels like telling someone, anyone, what happened. In the meantime I will keep working on my "theories".