The following text is copyright 2011 by Network World. Permission is hereby given for reproduction, as long as attribution is given and this notice is included.

 

Ensuring mistrust - companies not coming clean on problems

 

By: Scott Bradner

 

It has been quite a month for companies mishandling bad situations. In all of these cases, delays in reporting the problem made the problem worse, and in one case the decision not to be forthcoming about what the actual risk is may cost a company most of its customers.

 

In early February an overhead light fixture fell in one of the Boston "Big Dig" tunnels, but it was more than a month before the public who drive through the tunnel were told.  On March 15th a registration authority account at security company Comodo was used to issue fraudulent certificates for a number of major US web sites, but Comodo did not tell the public for more than a week. (http://www.networkworld.com/news/2011/032611-in-iran-new-attack-escalates.html)  And, at some so-far-unknown point, RSA, the folks that bring you the SecurID tokens used by thousands of companies to protect their electronic assets, was hacked.  (http://www.networkworld.com/news/2011/031811-rsa-warns-securid-customers-after.html) As of this writing, RSA has still not said just what happened.

 

The decision to not tell the public about the Big Dig lighting problem has already cost one highway administrator his job and has become a daily reminder of the expensive mess that was the whole Big Dig project.

 

When Comodo did come clean about the breach they published a detailed incident report (http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html) and have posted some good blog entries on what happened and what they learned (http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/ and http://blogs.comodo.com/it-security/data-security/the-changing-threat-model/). But they have come under strong criticism for the delay, particularly because they said they found and revoked the bogus certificates "within hours."  At least one commentator said that the lives of Iranian dissidents were put in danger by the delay. Mozilla, one of the browser vendors involved in cleaning up after the breach, has concluded that the delay was a mistake. (http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/)

 

The RSA SecurID case is the most troubling and puzzling.  RSA is a company whose very existence depends on trust, but the way they have responded to the breach is almost perfectly designed to destroy trust.  So far RSA has posted one, very fuzzy, "Open letter to RSA customers." (http://www.rsa.com/node.aspx?id=3872)   The letter says nothing of any use to an RSA customer worried about the security of their SecurID-protected systems and information.   An RSA-led conference call, during which RSA did not take any questions, provided no additional information.

 

Because RSA is refusing to actually say what happened and what information was stolen, all RSA customers must assume that everything was compromised and that their assets are hanging out there for the picking.  I expect it is not that bad, but RSA seems to be trying very hard to ensure the maximum level of mistrust in RSA.  Their excuse seems to be that their customers would be at more risk if they knew how much risk they had; this is an argument that makes little sense to me.  Unlike some of its competitors, RSA keeps a copy of the per-token seed values from which each SecurID token's one-time codes are generated, the key information used to authenticate a SecurID user. Since RSA is not saying, we have to assume that this information was stolen.  It is almost as if RSA's decisions were being made by a mole working for a competitor.
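The paragraph above turns on one technical fact: a one-time-password token is nothing more than a shared secret plus arithmetic on a counter or clock, so anyone holding a copy of the seed database can compute exactly what the token will display. The example below is added here to make that concrete; it is not code from the column, from RSA or from Comodo. SecurID's own algorithm is proprietary, so the example uses the HMAC-based construction of RFC 4226 (HOTP) and RFC 6238 (TOTP) as a stand-in, with a 60-second step to mirror a hardware token. The token serials and seed bytes are constructed for the example.

```python
"""Why a stolen copy of an OTP seed database is a complete compromise of those tokens.

Stand-in only: SecurID uses a proprietary algorithm. This uses RFC 4226 HOTP and
RFC 6238 TOTP (HMAC-SHA1) to show the same point. Serials and seeds below are
constructed for the example, not real data.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


# Constructed example of the vendor's record of which seed shipped in which token.
# This is the kind of data the column says RSA retains for its customers' tokens.
SEED_DB = {
    "token-000123": bytes.fromhex("0c1d2e3f4a5b6c7d8e9f00112233445566778899"),
    "token-000124": bytes.fromhex("99887766554433221100ff9e8d7c6b5a4f3e2d1c"),
}

STEP_SECONDS = 60  # hardware tokens typically rotate once a minute


def token_display(seed: bytes, now: int) -> str:
    """What the physical token shows its owner at time `now`."""
    return totp(seed, now, step=STEP_SECONDS)


def server_verify(db: dict, serial: str, code: str, now: int, window: int = 1) -> bool:
    """Authentication server: accept the code for the current step or one step either side
    (clock drift tolerance), comparing in constant time."""
    seed = db.get(serial)
    if seed is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(seed, now + drift * STEP_SECONDS, step=STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def attacker_forge(stolen_db: dict, serial: str, now: int) -> str:
    """Whoever holds a copy of the seed database runs the same arithmetic as the token.
    No interaction with the victim or the token is needed, only the serial and the clock."""
    return totp(stolen_db[serial], now, step=STEP_SECONDS)


def demo(now: int = 1_300_000_000) -> dict:
    """Compare what the legitimate token shows with what a seed-database thief can forge."""
    legit = token_display(SEED_DB["token-000123"], now)
    forged = attacker_forge(dict(SEED_DB), "token-000123", now)  # attacker's stolen copy
    return {
        "legit_code": legit,
        "forged_code": forged,
        "legit_accepted": server_verify(SEED_DB, "token-000123", legit, now),
        "forged_accepted": server_verify(SEED_DB, "token-000123", forged, now),
        "codes_identical": legit == forged,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the column's argument: if the seed records were taken, the PIN a user types in front of the token code is the only secret the attacker still lacks, and only replacing the seeds (re-issuing tokens) restores the two-factor property. That is exactly the decision a customer cannot make without knowing what was stolen.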

 

You should take the above examples into account if you are in the decision path at a company that has a problem of some sort that will impact your customers.  Timely honesty may be painful, but the pain will likely be far less damaging to your company than the festering that comes from delay and dishonesty.

 

disclaimer: The above is my own observation of the results of not being prompt and honest, Harvard will make up its own mind if it needs to.