Season 3 / Episode 116
In March 2011, RSA was facing a terrible dilemma. An attacker siphoned data relating to SecureID, the company's flagship product used by thousands of high-profile clients around the world - but it was unknown whether the attacker also stole the cryptographic key needed to decipher that data. Should the company disclose the breach, or keep it quiet in the hope that SecureID will remain safe?…
A special collaboration with Wired magazine, exposing - for the first time - the untold story behind one of the most dramatic hacks of all time.
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
- Episode 144
- Episode 145
- Episode 146
- Episode 147
- Episode 148
- Episode 149
- Episode 150
- Episode 151
- Episode 152
- Episode 153
- Episode 154
- Episode 155
- Episode 156
- Episode 157
- Episode 158
- Episode 159
- Episode 160
- Episode 161
- Episode 162
- Episode 163
- Episode 164
- Episode 165
- Episode 166
- Episode 167
- Episode 168
- Episode 169
- Episode 170
- Episode 171
- Episode 172
- Episode 173
- Episode 174
- Episode 175
- Episode 176
- Episode 177
- Episode 178
- Episode 179
- Episode 180
- Episode 181
- Episode 182
- Episode 183
- Episode 184
- Episode 185
- Episode 186
- Episode 187
- Episode 188
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
CSO at Cybereason
20 years' worth of experience as an entrepreneur, info sec expert and executive at companies like RSA, Arbor Networks, CA , McAfee, Cybereason, and more. Dedicated to empowering defenders in cyber conflict and fulfilling the promise of security, enabling a safe, reliable, connected world.
Chief Revenue Officer at Bugcrowd
Previously Chief Operating Officer at Blackberry Cylance, Chief Revenue Officer & Executive Vice President at Optiv Inc., and Senior Vice President at RSA.
Senior Writer at Wired
Andy Greenberg is a senior writer for WIRED, covering security, privacy, and information freedom. He’s the author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. The book and excerpts from it published in WIRED won a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, two Deadline Club Awards from the New York Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club.
RSA Breach: The Untold Story, Part 1
It’s the week of February 14th, 2011. We’re at the big, beautiful Moscone Center in San Francisco. Walking through a truly giant expo floor, hundreds or maybe thousands of people pass by, chatting and visiting presentation booths set up by big tech companies from around the world.
Nearby, in a giant conference hall, row after row of portable, semi-comfortable chairs are lined up with TV monitors above, so that people in the back can see what’s happening all the way up on stage. Among the speakers lined up for the week are computer expert and author Bruce Schneier, physicist Michio Kaku, Deputy Secretary of Defense William Lynn, and the 42nd President of the United States, Bill Clinton.
This is RSA Conference 2011–one of the biggest industry events of the year, the place to be if you’re in cybersecurity.
[Sam Curry] I’m Sam Curry. I’m the Chief Security Officer at Cybereason and a Visiting Fellow at the National Security Institute.
Sam Curry was at the 2011 conference, naturally: as a Sr. executive at RSA at the time, he was busy organizing and shaking hands–probably too busy to actually enjoy any of the speeches. Among the wheeling and dealing, the snack bars and chatting with other CTOs and CSOs and listening to talks about this and that, there was hardly any time to think about anything else.
It especially wasn’t a good time for bad news.
[Sam] The first time I got wind something was happening, I was at RSA conference [. . .] and we had an incident.
An incident. Inconvenient, for sure, but probably nothing serious.
[Sam] We have incidents all the time. And it was late night on the phone – being on the phone constantly with all the chaos of a show with some colleagues and we pretty much contained the incident
With the incident contained, Sam went back to his more important business.
The conference soon ended, and a couple weeks passed. But not everything was completely back to normal.
[Dave] We had missed some code delivery for a client that was very, very out of the ordinary.
Dave Castignola, today the CRO at Bugcrowd, was a VP at RSA in 2011.
[Dave] And then I had seen some network issues and some servers being taken offline and that just immediately sent alarm bells up.
Lots of employees started experiencing these same issues–issues accessing data, communicating on RSA’s network. It was more than your typical outage.
[Sam] You couldn’t get out if you were on a corporate network and the VPN wasn’t – probably wasn’t deliv w ering the content you were used to.
[Dave] And on the Friday night, the week before we announced, I had just had a terrible feeling all weekend long. And then I received the phone call Monday morning about what was happening.
That phone call was the beginning of the most chaotic month in Dave’s career.
Hey listeners, welcome to Malicious Life, in collaboration with Cybereason. I’m Ran Levi.
If you’re a regular listener of this podcast, or if you follow cybersecurity news, you’ll know the kinds of things that we typically focus on when a big hack occurs.
The first question, usually, is: what’s the damage? What machines were brought down, what data was taken, who’s affected and how?
After that, we ask two questions, in no particular order: who did it, and how’d they pull it off? Was it Russian cybercriminals, a phishing email and lateral movement in a corporate network, the Chinese military with a zero-day vulnerability, or Colonel Mustard in the hall with a knife?
Far less emphasis is usually given to another component every hack: the incident response. How the hacked entity deals once they realize what just happened to them.
It’s too bad, because incident response is just as important, just as dramatic as any other aspect of a hack. Think about Yahoo and Target, ignoring repeated red flags. Think Equifax which, after losing the largest trove of personal data in history, offered just one year of free credit monitoring to Americans, and put up a website which purported to tell you if you were affected but didn’t actually work. On the opposite end of the spectrum, think Maersk during NotPetya, or Saudi Aramco which, after 30,000 of their computers were destroyed by Shamoon, simply went out and bought 50,000 new hard drives on the spot. Nearly the entire world’s available supply at the time, right off the factory floor.
There are a lot of different ways an organization can respond to a hack but, when you’re in the war room, it’s hard to make the best, most logical decision. For the moment, you’re at the center of the world, with media attention and jobs and money and a lot else on the line. It’s this kind of pressure that can destroy the weak, or bring out sides of people they didn’t quite know were there.
In early 2011, Sam Curry and Dave Castignola had no clue that they’d be thrust into one of these situations. That the kind of security professionals, the kind of men they believed themselves to be would be put to the test..
3/14: FIGURING IT OUT
It all began on a Monday evening, when an employee noticed sensitive data exiting from RSA servers.
[Dave] He saw this thing in transmission. The profile of the data stream didn’t look right. It wasn’t what it should have been on that court. So he hit the big red button and shut down production, which was a brave move in itself.
The whole company was put on pause, just in case.
[Dave] And that happened three or four days prior.
The next day, there were lots of questions and few answers. Evidently something was wrong at RSA Security, but exactly what was still unclear. Unclear, until they discovered what data had left the system.
[Dave] We then hunted it down and we found an encrypted object. OK. We opened it up within one of our encrypted objects. We opened it up and we saw exactly what it was. It was a secret material related to SecurID.
SecurID, RSA’s flagship product. The exfiltration had been proactively interrupted partway through, but this was bad.
[Sam] We had three days to think about what if, what if, what if, and hopes rose and fell in those three days. [. . .] It was really the Wednesday morning that we determined yeah, beyond the shadow of a doubt that had happened. [. . .] It took us nearly three days to come to the conclusion that we had had a breach.
Sam and Dave, upon hearing the news, had the same thought.
[Sam] I believe we are going out of business.
BACKGROUND ON RSA
Sometimes, data breaches cause millions and millions of dollars in losses for a company. Usually, though, they don’t cause an otherwise solid business to go under.
RSA was not Yahoo, not Mt. Gox. They were a solidly-run company with a good reputation and steady revenue. Their breach threatened to take that all away–not because they’d lose money, or data, but because they’d lose trust. RSA were in the business of trust.
[Sam] RSA is a company that has been acquired twice in its history. It stands for Rivest, Shamir, and Adleman, the three people who came up with the RSA algorithm that really enabled internet commerce in the late ‘70s
RSA Security specialized in public key cryptography–algorithms that ensure the right machines are talking to each other on networks. Take, for instance, their most well known product: a little USB key fob with a screen called SecurID.
[Sam] I used to joke I was the, at one point, the CTO of the world’s largest keychain manufacturer.
SecurID was a hardware two-factor authentication device, with a screen that displayed numeric codes.
[Sam] The numbers on there changed synchronically with the server in the background because of a shared secret. And so, when you go to log in to something, you can enter something you know, something you are, a password for instance or a fingerprint or whatever. And then you could add this thing which represents I have the token, the unique piece of hardware in the world that has the same numbers that matched with the server on the backend it’s expecting.
And so, the machines and the systems can be reasonably sure it’s me. And that was a little over 50% of the business at the time.
SecurID was the heart of RSA’s business, but also a key component for the cybersecurity of organizations worldwide.
[Andy] Everybody who cared about multi-factor authentication had these RSA tokens. I mean, they were just totally ubiquitous.
That’s Andy Greenberg, journalist at Wired Magazine. This week, we’ve partnered with him and Wired to co-release the RSA story. He spoke with our Senior Producer, Nate Nelson.
[Andy] So if you’re a SecurID customer, you trust those little tokens. You believe that they offer a trusted… And I mean, you assume almost unhackable layer of protection. And yet, something that happens entirely outside of your view, off of your network, this hack of SecurID on RSA’s network, has totally compromised a really crucial layer of security on your network.
[Sam] And this breach said everyone using that from governments to financial institutions and secret organizations, everyone using that suddenly couldn’t trust who potentially was connecting to them.
MYSTERY OF THE KEY
There was just one bit of information to save them. A detail that wasn’t clear yet, and made all the difference in the world.
[Dave] The question was, did they have the key? Could they have decrypted it, that inner container?
[Sam] Because if you got something encrypted, no breach.
The attacker had stolen a safe, but needed the combination to crack it. If they had the combo, they had the safe. If they didn’t have the code, the safe was useless. As if no breach had occurred in the first place.
[Dave] A lot depended on whether or not they had that key.
To be clear, RSA didn’t have evidence that their attackers had stolen the encryption key. They didn’t actually know if they were compromised–and thousands of companies around the world were compromised along with them–or if nothing of consequence had actually happened at all.
It left them with an incredibly difficult choice to make, where each choice carried immense but completely different risks. As an analogy, consider our Malicious Life Senior Producer, Nate Nelson.
Nate is ugly.
[Nate] Wait, really?
It’s too bad. He’s just got the kind of face that makes you want to look away.
[Nate] Gosh…good thing I got a job in podcasts, then.
Is Nate better off now that I told him about his weird face? It probably made him sad, but maybe now he can address the problem: get plastic surgery, at least invest in some ski masks. Or was Nate better off before? He was probably much happier that way, going through life in blissful ignorance of why he can never get a girlfriend.
[Nate] All these years, I just assumed it was because of my terrible personality!
RSA Security may or may not have lost the keys to SecurID. It was Schrodinger’s Hack. Two, equally plausible alternate realities were ahead, and they didn’t know which was true. That meant they had a choice.
In timeline number one, they’d assume the worst. They’d disclose the breach, and face the consequences.
[Dave] let’s start with the media, the media is unforgiving, and rightly so in many cases. It was not going to go well. It was going to look extremely bad. That would have affected every deal, every renewal, every financial metric the company dependent on. But we were part of a bigger company. It was going to affect them too. So we were like a billion dollar entity, in fact, just shy of that in a larger over $20 billion company, EMC. This was ugly. This was really ugly.
It’d be a nightmare. And what if, a week after disclosing to the public, they discovered that the hackers hadn’t actually obtained the SecurID private key? All that for nothing.
On the other hand, if they didn’t disclose what’d happened…
[Dave] The risk associated with it though was potentially enormous because something like 80 million people who had highly sensitive and important positions used us to prove they were who they said they were in their own operations. The fear that it could cause and the genuine risk, that was terrifying.
3/16: DECIDING WHAT TO DO
It was a chilly, cloudy Wednesday morning in Bedford, Massachusetts, on March the 16th. In a conference room at RSA HQ, Sam Curry and the execs at RSA convened to consider the decision in front of them.
[Sam] Senior management were sitting around and the question, what do we do, came up. And I’m not going to out anybody. One person said, “We don’t have to say anything.” And it was because there were no contracts, no rules, no laws that said we have to.
Could RSA have ke pt the whole thing quiet? Most cybersecurity disclosure laws are pretty new, yes, but it’s difficult to imagine that working.
[Andy] It’s possible they could’ve gotten away with it. It’s clearly not the right thing to do.
[Andy] And I think also, not the right business thing to do. And they would have gotten slammed for it, sooner or later. [. . .] I think they would have been facing serious criticisms or possibly a big lawsuit.
It was at the suggestion of a cover-up that an older gentleman–parted grey hair, a little hunch in his shoulders, butted in. As CEO of the company, Art Coviello had the ultimate say as to how RSA was going to respond to this crisis. What kind of company they were going to be. Employees later referred to what he did next as an “Art Attack.”
[Sam] So he swore, he said, “We are going to do the right thing.” And we shifted gears.
The decision was final. Every individual in that room realized what the implications were. What they were about to do would initiate a chain of events that would very possibly cause the end of their company–a company that’d stood for 30 years.
Sam was as scared as anyone. But he understood what had to be done.
[Sam] I mean I have to share this. Twenty years prior, there were two brands I wanted to work for one and thought were unattainable, and one of them was RSA. And I spent 16 years trying to get there. And eventually, I came on board and ran the product organization and went through a few roles over my time there and ended with CTO. And I was incredibly proud to have made it there and to be among the best. Art used to say, “We stand on the shoulders of giants.” I felt like I was responsible for that. And I remember when we went to disclose, I felt, “OK, if we are going down, we are going down right.”
[Sam] I should tell you, Nate. It was 21 hours from the decision that we had had a – from the moment we knew we had a breach to decide and go public was 5 minutes. And it was 21 hours from that moment until we did. So we can tell you what it was like to suddenly rush people to the battlements but it was less than a day.
[Nate] And why did it need to be less than a day?
[Sam] There was a sense of urgency about this. There was – maybe the adrenaline and the energy we were just talking about, maybe the terror around it. It wasn’t like something that we felt – there was no rules that said we have to but it felt like you don’t dither over stuff like this.
[Nate] True. Although when you write a podcast about enough corporate hacks, this kind of thing stands out as a bit unusual. So was it by virtue of leadership of the company, the culture of the company?…
[Sam] The Art Attack helped. I think part of it was culture that we were a security company and there was nothing like this before and arguably, very little exactly like this after. Later I think we came up with a whole bunch of like how should you do this stuff but even now, I’m amazed that look, Dave got the call on Monday something was wrong. You were there, what, Wednesday, Dave?
3/17: DAVE’S FLIGHT
[Dave] I flew in Thursday morning, Sam.
[Sam] Thursday morning.
Dave Castignola, in all this, was half a country away.
[Dave] My phone call on Thursday morning, March 17th, which was, “We need you. We are announcing this today. Bring a big suitcase. You’re going to be here a while.” [. . .] You’re going to be involved in the response with us and we can talk more when you get here.” But I just remembered the words in my head, failure is not an option.
As head of the communications arm of the company, Dave flew to RSA HQ in Massachusetts from his home in Michigan.
[Dave] I knew that this was dire. In fact, I called my father-in-law up and said, “Richard, I need you to come to the house and you need to help the family. I’m going to be gone for a long time.” And I said to him, “When I come back, I’m not sure if my company is going to be in business.” It was – I could feel it to my core.
[. . .]
I didn’t even have a chance to say goodbye to my wife. I left and she was out someplace. I had to rush home, pack my bag, and I was off to the airport.
[. . .]
And in that time between getting to the airport on a plane from Detroit to Boston, I download and read three books on crisis management. I didn’t know what I was going to do but I knew this was a crisis beyond anything I had ever dealt with.
The flight was only a couple hours, the drive out to Bedford 30 minutes more. He arrived at the office late in the afternoon.
The energy in the building was unlike it had ever been before.
[Dave] My first meeting in a very – not very big conference room full of many people, we had to stop the meeting after a few minutes because there were a few people weeping and crying and they were shaken. And I said, “Hey, let’s pause real quick. Get some waters. We’re going to be in here for a while this evening.” I had people out in the hall just like grabbing me saying, “Are we going to survive this?” And I didn’t know if we were going to survive but of course, I told everybody, “We are going to get through this.” We had to keep the strong face for everybody but everybody was beyond rattled.
Employees made last-minute scrambles, but there was only so much they could do. The announcement was about to occur, in just a few minutes.
[Nate] You guys had all of these, very sad meetings and-…
[Sam] By the way Nate, I don’t think sad is the right word. I think terrified. It’s not sadness. When I think back not just how I felt afterwards but how I felt in the moment [. . .] it was terror.
THE BIG MOMENT
As the big hand passed ‘12’, and 4:00 pm became 4:01 pm, they released the news. The whole world would now know what happened at RSA. Everyone in the building braced themselves.
[Sam] There are a few times in your life when you realize you’re staring at a monster. It’s bigger than you, way bigger.
It was time.
Sam Curry: It went crazy.
[Dave] it was just mayhem.