Mike Fratto

Network Computing Editor

Upcoming Events

Where the Cloud Touches Down: Simplifying Data Center Infrastructure Management

Thursday, July 25, 2013
10:00 AM PT/1:00 PM ET

In most data centers, DCIM rests on a shaky foundation of manual record keeping and scattered documentation. OpManager replaces data center documentation with a single repository for data, QRCodes for asset tracking, accurate 3D mapping of asset locations, and a configuration management database (CMDB). In this webcast, sponsored by ManageEngine, you will see how a real-world datacenter mapping stored in racktables gets imported into OpManager, which then provides a 3D visualization of where assets actually are. You'll also see how the QR Code generator helps you make the link between real assets and the monitoring world, and how the layered CMDB provides a single point of view for all your configuration data.

Register Now!

A Network Computing Webinar:
SDN First Steps

Thursday, August 8, 2013
11:00 AM PT / 2:00 PM ET

This webinar will help attendees understand the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging. It will also help users decide whether SDN makes sense in their environment, and outline the first steps IT can take for testing SDN technologies.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

See more from this blogger

Dear RSA, Trust Is Earned Every Day--You're Not Earning It Today

Trust is earned every day, and in information security, your customers' trust is easy to lose and hard to earn back. RSA had a breach with unknown ramifications. RSA Chairman Art Coviello's cryptic notice, and RSA's relative silence since then, is not helping customers feel confident in SecurID as a product or RSA as a company. Just look at what's happening on Twitter  for gems like this: "Dear #RSA, open your pants and show us the problem, or we will never trust you again."

I don't think any reasonable information security or IT professional would expect any vendor to be 100 percent secure, and RSA is no exception. You do your level best (and RSA has some very good people working for it), but you can't stop every attack. Your customers understand. When a problem or breach occurs, however, you retain your customers' trust by being forthright about the problem and stating what you are doing about it. That is what Microsoft and VeriSign did when VeriSign erroneously issued two code signing certificates in 2001. The two companies owned up, came clean and moved on. Fact is, RSA has to come clean publicly about what was taken and when it was taken, and then issue a forthright assessment of the damage to customers. RSA is hiding, and its customers do not like it.

But let's assume the worst, like Steve Gibson does, and think about what would happen if the master seed database was stolen. The damage from the loss of that database entails knowing what it contains. Does it just map token serial numbers to seed values used to initialize the tokens, or does it also map which tokens were sent to customers? Is the random number part of the seed values truly randomly generated, or are they somehow tied to the token in some way? Are the random numbers that are part of the seed random, or can the next one be derived? Why are the serial-to-seed mappings retained, anyway? You and I could probably come up with dozens more questions about the impact of losing the seed database, and it is natural for us to tend toward the worst case.

Maybe the seed data base wasn't breached? Steve Bellovin is "worried about the source code to any of the myriad back-end administrative products necessary to use SecurID. ... An attacker who could penetrate these administrative systems doesn't have to worry about key generation or cryptanalysis; they could simply steal existing keys or insert new ones of their own." Getting the source code to the SecurID software would give attackers a clear advantage in targeting software vulnerabilities that could be exploited. Remember, every SecurID installation has a database that maps user names, tokens, seeds and pins together. Given that data set, now an attacker can impersonate specific users, and that is a significant threat. Exploiting servers and communications channels is an effective attack strategy.

The truth is, RSA customers don't know what was lost--RSA isn't saying--and they are getting an earful of wild speculation and hyperbole from news outlets, blog posts and other outlets. (I do not include Gibson or Bellovin in this group.) Customers are getting angry because not only have they made an investment in SecurID, they have made investments of time and money in all the other systems that are integrated and rely on SecurID. Add it up and the costs are enormous. And now there is a breach, and without any other information, these same customers have no idea about the risks to their SecurID systems. That's OK, though, because RSA sent a new support note to its customers yesterday that included a FAQ.

Page:  1 | 2  | Next Page »

Related Reading

More Insights

Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
Vendor Comparisons
Network Computing’s Vendor Comparisons provide extensive details on products and services, including downloadable feature matrices. Our categories include:

Research and Reports

Network Computing: April 2013

TechWeb Careers