Breach of Trust: 3 Major Problems With RSA's Public Statements

When a high-profile attack occurs and becomes public knowledge, such as the one successfully mounted against EMC's RSA Security division, the company's preparation of its public statement(s) is a critical process. The goal is to start rebuilding customer and shareholder confidence in the company. If it's done right, it may work. If not, it can multiply the effect of the breach far beyond whatever harm the original attack caused. The reason is that when damage control is done right, product replacement is a relatively easy fix. However, when a company issues contradictory statements, or when essential facts are missing or obfuscated, customers may feel a breach of trust. And trust, once broken, can almost never be restored.
While I've recently been very critical of the RSA timeline, as soon as I read Art Coviello's second public statement (issued June 6, 2011), I decided to take a closer look at everything that the company has released on the attack, and it isn't pretty, especially as it relates to three essential questions:
  1. What was taken
  2. How much was taken
  3. Who was affected
RSA has produced 5 official statements:
What was taken?
Art Coviello wrote in his June 6 statement that "certain information related to the SecurID product had been extracted." Now compare that wording to what the SecurCare Online Note #2 says: "Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA systems. Some of that information is related to RSA SecurID authentication products", which is a direct quote from Coviello's March 17th letter.

Analysis: Both Coviello's letter #1 and SecurCare's note #2 specified two product sets from which data was extracted. The primary was termed "RSA systems", as in "certain information being extracted from RSA systems". The second was a subset of RSA systems: RSA SecurID authentication products. Coviello's letter #2 contradicts that statement by removing the primary product set altogether, without any clarification as to why. So which statement of Art Coviello's is true: the one from March 17th or the one from June 6th?

How much was taken?
How RSA defines "certain information" sheds light on how much of RSA's IP was taken. According to Coviello's letter and the SecurCare Online Note, "certain information" is defined as everything except what is in the customer's care. Here's the exact language in the Online note:
"To the best of our knowledge, whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers." FAQ question #7 is particularly telling. It asks, "Have my SecurID token records been taken?" Instead of providing a direct answer, the FAQ repeats that additional customer data not held by RSA is required to mount a successful attack.

RSA has defined how much data was extracted from its systems with the phrase "certain information not held by the customer" or, to put it in plain English, RSA's attackers took everything.

Who was affected?
None of the initial reports mentioned what Coviello referred to in letter #2 as "our view of the motive of this attacker", meaning the defense industry, and he only confirmed Lockheed Martin after Lockheed Martin had made the news public. More importantly, no mention was made of the attack on L-3 Communications, even though an internal company email reportedly said it involved duplicate SecurID tokens.

The presence of contradictory information in Coviello's two statements, and between his statements and the SecurCare Online Notes, paints a picture of a company that's trying unsuccessfully to hide the scale and scope of this breach from the public, from its shareholders, and from its own customers. Art Coviello confirmed in the most obscure language possible that everything RSA has pertaining to SecurID was breached; that the only parts not breached were the parts owned by the customer.

Furthermore, if the statement in both of RSA's SecurCare Online Notes is accurate, other RSA security products were compromised as well, although the extent is unknown. To give you an idea of the possible further scope, here is a product list from the RSA website:
The RSA Product Finder
The only other unanswered question at this point is how Coviello's mismanagement of this crisis will impact EMC's sales and stock price. His keynote at February's RSA Conference was "Proof, Not Promises". That's something that RSA's customers, including the U.S. government, need to be demanding right about now.
