Hacking crisis costs EMC reputation in security

By Jim Finkle

BOSTON (Reuters) – A recent cyber breach at EMC Corp’s RSA security division and a related attack at defense contractor Lockheed Martin Corp have damaged RSA’s once-stellar reputation, according to industry experts.

That has given companies that sell alternatives to RSA’s SecurIDs, such as Symantec Corp and Vasco Data Security International, more room to try to win customers from EMC.

SecurIDs are widely used electronic keys to computer systems, designed to thwart hackers by requiring two passcodes: one that is fixed and another that is automatically generated every few seconds by the security system.

Symantec is paying new customers $5 for every SecurID they trade in for similar technology from Symantec.

RSA’s reputation took an initial hit in March when it disclosed that hackers had stolen information that could be used to reduce the effectiveness of SecurID devices in keeping intruders from accessing corporate networks.

That was particularly embarrassing as the hack came just a month after RSA published a paper advising companies on how to avoid the same kind of sophisticated attacks to which it fell victim.

RSA’s reputation took a second hit last month when hackers tried to breach defense contractor Lockheed Martin using technology stolen from RSA.

“You have this established position as a security vendor. You’re supposed to be protecting everybody else from the bad guys and you get hacked,” said Brian Freed, an analyst with brokerage Wunderlich Securities.

He said there was a general perception that RSA was “less than forthcoming” about what had happened.

Lockheed Martin on June 4 disclosed the links between the attacks on its network and RSA. RSA on Monday offered to replace the 30 million to 40 million SecurID tokens in use by its customers.


RSA is small in terms of EMC’s revenue, last year accounting for $730 million, or 4 percent, of its $17 billion in sales. Yet it is a high-profile asset whose technology EMC has used to secure the company’s other products, including its software and data storage equipment.

EMC’s shares have fallen 5 percent since the Lockheed news, in line with a 4 percent drop in the Standard & Poor’s 500 Index.

While Lockheed was investigating the attack, RSA Executive Chairman Art Coviello sold $1.44 million in EMC shares in a May 24 transaction. Coviello could not be reached for comment and EMC spokesman Michael Gallant declined comment on the timing of the stock sale.

Companies that replace their tokens should be safe from attack using information stolen from RSA, Gallant said in a statement. “We do not believe that the stolen information can be used as an element of an attack on any customer whose tokens were manufactured after the initial breach,” he said.

Rick Moy, CEO of security consulting firm NSS Labs, said that it is possible that hackers could have already used that information to break into other companies over the past few months without being detected.

“Resetting those tokens may be too late,” he said. “It’s hard to know. RSA hasn’t provided enough detail for folks to figure out on their own what their risk profile is.”

Gallant declined to say if he knew of other companies that had been attacked as a result of the breach at RSA.

Security experts who advise companies on which technologies to use to best protect their networks said that businesses should replace their SecurIDs as soon as possible with new ones. They also said that some big corporations have begun to look at alternatives to SecurIDs.

“Nobody I know of that’s a large company has completely moved off, but there are trials,” said Alex Stamos, an analyst with iSEC Partners.

Besides alternatives from Symantec and Vasco, companies are looking at a free, open-source alternative that is promoted by Google Inc, Stamos said.

Companies download the software onto their own servers, which means that no single third party like RSA controls the “keys” to all of the IDs using that standard, Stamos said.

Rather than working with physical tokens, the new open standard is designed to send passwords to mobile phones. Google offers a free version for securing access to its Gmail web email service.

Dell Inc’s SecureWorks security division has been advising customers to abandon SecurIDs, saying the technology has holes in it that hackers have long been able to exploit.

For example, a hacker can intercept a SecurID password when a user enters it into a computer and take control of a session, said Joe Stewart, director of malware research for Dell SecureWorks.

“These latest problems are just another nail in the coffin,” Stewart said.