Tuesday, March 29, 2011

Comodo, RSA, and Security Priorities

More details are coming in on the Comodo digital certificate hack by an Iranian hacker. The young man apparently exploited the use of plaintext usernames and passwords in a generally vulnerable certificate issuing system.

Coming on the heels of the recent RSA SecurID breach, it has been a bad last couple of weeks for security vendors in general, and for both the SSL certificate and two-factor authentication hardware token businesses in particular. But RSA's pain is likely to be more acute. The SSL certificate business is unlikely to suffer in the long term. Websites need certificates, even if they don't guarantee security. Folks might move away from Comodo in the short term, but even that seems unlikely given the small-time nature of a certificate purchase. SSL certificates are mostly viewed as a commodity, and price is the main differentiator.

But the hardware token business could be in for some rough times ahead. SecurID is at the end of the day a discretionary purchase based on a desire to have the gold standard of security. It is the security equivalent of a luxury good. But you wouldn't buy a BMW if you thought it was just as prone to accidents as the Toyota down the street. If RSA SecurID doesn't provide a concrete measure of added, or at least perceived, security, CIOs will be reluctant to pay the premium that hardware solutions naturally command.

RSA's vague pronouncements about "Advanced Persistent Threats" might have done more harm than good. There may be some mitigating law enforcement issues we don't know about that are preventing RSA from really coming clean. But APT is all too often used as a code word for stuff-we-can't-really-do-anything-about. That is fair enough, of course: RSA can genuinely make the case that they've sold security products for a long time, but everything is breakable and stuff happens.

The security of RSA's SecurID system was always a combination of the strength of their underlying algorithms and the strength of their underlying operations and environment. Ditto with the Comodo situation - the security of SSL certs depends on many factors, and the difficulty of factoring the products of large prime numbers is way down the list. Comodo is a business, and in businesses significant numbers of people need access to significant amounts of sensitive data. Invariably there will be screw-ups in how those people handle those responsibilities. This time it seems like an Italian reseller was partially to blame.

But this raises the larger question of whether particularly sophisticated and expensive security products are justified when most organizations face threats that are far more basic. In other words, the recent Comodo and RSA hacks ironically underscore the point that SecurID tokens are something of a Maginot line for many organizations where other, much more immediate threats are present.

The way Comodo was hacked is particularly illustrative of this phenomenon. The reseller credentials were apparently sitting around in plaintext (or at least that's what the Iranian hacker taking responsibility for the attack claims). Most businesses, and especially businesses that live primarily in the cloud, have web front-ends to critical data that do not involve two-factor authentication. This might be a Salesforce account, Google Docs, an administrative console to a CMS like Drupal, or whatever. And many web 2.0 businesses live in shared hosting or VPS environments where the root credentials to their accounts actually live in plaintext on the host's servers, often visible to anyone in support. Using two-factor authentication in this kind of environment strictly to increase the general level of security rarely makes economic sense.

It's hard to say if RSA or Comodo will suffer any lasting damage from these attacks. For the vast majority of businesses, the ease of implementation and integration of a two-factor authentication solution trumps abstract concerns about the system's hackability. And SecurID's large library of clients and authentication agents is in itself a security feature; a competing product with a smaller number of clients introduces new threats, since you have to either cobble together your own code (almost always a bad idea) or you end up with some of your systems not covered.

The Rise and Fall of Hardware Tokens?

One primary beneficiary of SecurID's troubles could be competing vendors who offer two-factor solutions that do not rely on actual hardware tokens. CA has quickly gotten on the bandwagon and is offering to switch out SecurID tokens for its own ArcotID system. On the one hand it's easy to see how an actual physical hardware token is "more secure" than a software token installed on a mobile phone; a software token could theoretically be subject to all kinds of OS-related attacks and to other vulnerabilities in both its issuance and its maintenance. On the other hand, the actual overall environment in which hardware tokens live - the issuing, the recalling, and indeed the APT in the vendor's own environment - paints a much murkier picture.

SSL and two-factor are part of the longstanding conventional wisdom of the security industry. They have made their way into the requirement documents of countless RFPs and contracts. In fact, the use of SSL is often one of the only security requirements in specs for outsourced web applications. But the shortcomings of this checklist approach to security are clear when Comodo's certificates can be brought down by a sloppy reseller or RSA's own SecurID can be subverted.


  1. "SecurID tokens are somewhat of a Maginot line for many organizations where other much more immediate threats are present." Brings to mind the idea (written about by Schneier, if not others as well) that security vulnerabilities are found most often at the "seams", areas where security systems meet. This appears to be simply the nature of security in general. Two-factor authentication is still a sound principle, as long as security teams are consistently diligent to look for vulnerabilities at those seams.

  3. As I think, there are plenty of courses available that teach developers specific skills that help with building more secure applications or services. If a CIO is going to prioritise developing in a safe and secure way then it may be worth investing in a course for their developers.