EMC's anti-hacking division hacked

Mar 18, 2011
Art Coviello, Executive Chairman of RSA, speaks at a conference in 2007. US computer security titan RSA said Thursday that hackers broke into its computers and swiped data that could be used to breach defenses of some systems guarded with its technology.

The world's biggest maker of data storage computers on Thursday said that its security division has been hacked, and that the intruders compromised a widely used technology for preventing computer break-ins.

The breach is an embarrassment for EMC, also a premier security vendor, and potentially threatens highly sensitive computer systems.

The incident is a rare public acknowledgement by a security company that its internal anti-hacking technologies have been hacked. It is especially troubling because the technology sold by EMC's security division, RSA, plays an important role in making sure unauthorized people aren't allowed to log into heavily guarded networks.

The scope of the attack wasn't immediately known, but the potential fallout could be widespread. RSA's customers include the military, governments, various banks and medical facilities and health insurance outfits. EMC, which is based in Hopkinton, Mass., itself is an RSA customer.

EMC said in a filing with the SEC that RSA was the victim of what is known as an "advanced persistent threat," industry jargon for a sophisticated . The term is often associated with corporate espionage, nation-state attacks, or high-level cybercriminal gangs.

EMC didn't offer clues about the suspected origin of the attack. It said it recently discovered an "extremely sophisticated" attack in progress against its networks and discovered that the infiltrators had made off with information on RSA's SecurID products. The technology underpins the ubiquitous RSA-branded keychain "dongles" and other products that blanket important computer networks with an additional layer of protection.

The products make it harder for someone to break into a computer even if a password is stolen, for example. The RSA device, working in concert with back-end software, generates an additional password that only the holder of the device would know. But if a criminal can figure out how those additional passwords are generated, the system is at risk.

RSA is one of the best-known names for this type of "two-factor authentication" technology.

RSA declined to comment on what type, or how much, information was stolen.

Richard Stiennon, a security analyst with the IT-Harvest firm, said there would be "tremendous repercussions" if the criminals were able to silently tap into critical systems using the stolen information.

"You'd never have a sign that you've been breached," he said.

In its SEC filing, RSA said that it is "confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers." However, it warned that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

"We have no evidence that customer security related to other RSA products has been similarly impacted," said the company's executive chairman, Art Coviello. "We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident."

The company said it is providing "immediate remediation steps" for customers. It didn't specify what those are. It outlined some generic security tips that offer clues about how its customers might be targeted with the information stolen from RSA, such as closely monitoring the use of social networking websites by people with access to critical networks and the need to educate employees on the danger of clicking on links or attachments in suspicious e-mails.

EMC said it doesn't expect the breach to have a meaningful impact on its financial results.

Its shares slipped 8 cents to $25.58 in extended trading Thursday. They ended the regular session up 25 cents at $25.56.


User comments : 14


TheGhostofOtto1923
1.7 / 5 (11) Mar 18, 2011
So... in keeping with the approaching Apocalypse, and with all these quasi-governmental super-hackers lurking about, how long before they attack financial institutions and drain all our accounts? Can't you just feel the tension mounting?
Skeptic_Heretic
4.7 / 5 (6) Mar 18, 2011
> So... in keeping with the approaching Apocalypse, and with all these quasi-governmental super-hackers lurking about, how long before they attack financial institutions and drain all our accounts? Can't you just feel the tension mounting?

For every cracker with ill intent there are 10 hackers with good intentions.
TheGhostofOtto1923
1.7 / 5 (12) Mar 18, 2011
>> So... in keeping with the approaching Apocalypse, and with all these quasi-governmental super-hackers lurking about, how long before they attack financial institutions and drain all our accounts? Can't you just feel the tension mounting?

> For every cracker with ill intent there are 10 hackers with good intentions.
Perhaps... but that didn't protect the big deal security firm above, yes? Or the Iranian centrifuges. Is Anonymous with us or against us? And who out there with their skills, is against us?

In war, your side is always the good side.
Shaffer
3 / 5 (1) Mar 18, 2011

> For every cracker with ill intent there are 10 hackers with good intentions.


Maybe, maybe not...I would venture to bet that most of the network security guys with jobs are stressed out from being overworked and underpaid with the current economic situation. Those 10 good guys you talk about can easily turn into 7 or 8 bad guys real quick if unrest develops.

Our networks are not even close to secure. I work with them every day, and it surprises me how easy it is to gain physical access to some of the major network infrastructure. It seems that 'hiding it in plain sight' is working for now...
Skeptic_Heretic
5 / 5 (5) Mar 18, 2011
> Our networks are not even close to secure. I work with them every day, and it surprises me how easy it is to gain physical access to some of the major network infrastructure
Security is an illusion. You cannot secure electrical transmission. It is simple obfuscation no matter how you look at it.
> Perhaps... but that didn't protect the big deal security firm above, yes? Or the Iranian centrifuges. Is Anonymous with us or against us? And who out there with their skills, is against us?
Anonymous isn't for or against anyone. They're about freedom of information. That's their only goal. If you align yourself with that goal then you would see them as 'good'. If you are opposed to that goal, you would see them as 'evil'.
TheGhostofOtto1923
1.4 / 5 (11) Mar 18, 2011
> Anonymous isn't for or against anyone. They're about freedom of information.
Then why don't they tell everyone who they are? Ah, selective freedom. They are certainly for themselves at least, aren't they? Rhetorical question anyways. I guess they're the good guys until they get someone you care about killed.

But they probably had nothing to do with the attack mentioned above, and definitely not the centrifuge attack, nor the ones which will steal all our money from banks and investment accounts at the proper Time. I would bet Anonymous couldn't hold a candle to those People, and would be powerless to stop Them, or to secure themselves against Them.

Another rhetorical question: is it morally proper to invade Libyan airspace to keep Cuddaffy from killing 'his own' people? You know, the same kinds of revolutionaries who have risen up against their own govts throughout history, and have been slaughtered even as they have slaughtered? Is this a reason to invade? Frajo or anybody?
TheGhostofOtto1923
1.4 / 5 (11) Mar 18, 2011
Is it a crime for a ruler to suppress rebellion, and is it proper to invade his country to stop him? What about collateral damage? What about unavoidable innocent civilian casualties? Does Cuddaffy care? Does France or Egypt?

I bet that Muamor (Muhameer?) is thinking exactly what saddaam was thinking when he invaded Kuwait; when asked why he did it, Hussienn said 'Well my army was getting to be a problem.' So he sent it far out into the desert where the B52s could carpetbomb it into mush. The Taliban conveniently did the same thing in northern Iraq with their forces, to the exact same effect. Win-win.

I bet that cruddaffy is thinking, that the more on either side that are killed, the better for everybody. And I bet the allies delayed the no-fly zone just long enough to give the rebels a reason to hope and to fight on, without the possibility of saving very many of them.

Because, above a certain level, Everybody in these engineered conflicts are on the SAME SIDE, don't you see?
TheGhostofOtto1923
1.4 / 5 (10) Mar 18, 2011
Alexander did exactly the same thing with his forces when they wanted to return to Greece, and for the exact same Reasons, by leading them back through the Arabian desert where 90% of them died.

This has been going on for a very, very long time.
TheGhostofOtto1923
1.7 / 5 (11) Mar 18, 2011
Hey, maybe Anonymous is like the Symbionese Liberation Army, and they will need to rob banks and steal our money so they can keep up the Good Fight? Maybe they will kidnap Paris Hilton?
trekgeek1
5 / 5 (3) Mar 18, 2011
Good for them for coming out and announcing that their system has been compromised. It's refreshing to have a company admit they've been beaten by an adversary and take the most mature and responsible route.
PinkElephant
not rated yet Mar 18, 2011
If their security solution relies on secrecy rather than computationally hard algorithmic foundations, then it isn't much of a security solution. Security by obscurity only works for as long as obscurity can be maintained. I'm surprised that RSA would resort to such amateur tactics.
sirachman
not rated yet Mar 19, 2011
Eventually people will realize the simple fact that no networked node can be made 100% secure from any other.
sirachman
not rated yet Mar 19, 2011
'Anonymous' isn't a 'they'. Anonymous is simply comprised of anyone who takes an action or supports an idea without revealing their identity. You cannot put all those who perform an anonymous action into a group and expect it to have some sort of organized leadership based on a hierarchy. Anyone who is 'anonymous' and reveals their identity immediately is no longer anonymous. The idea of some greater group called 'anonymous' simply comes from the human habit of grouping similar things together and labeling them. Anonymous is not a label but simply a description of those involved in an action as being unidentified. Just because the majority of actions is related to freedom of information doesn't make it an official 'group' ideal for some sort of secret 'anonymous' group, it simply means that the majority of people who choose to take action to support their beliefs on the internet happen to believe in that ideal.
Shaffer
not rated yet Apr 04, 2011
> 'Anonymous' isn't a 'they'.


'They' just sent me an e-mail...

From: Anonymous
Sent: Monday, April 04, 2011 11:08 AM
To: Shaffer
Cc: The World
Subject: RE: All your base...

...are belong to us.
