RSA SecurID breach linked to hacker attack on Lockheed Martin; other US military contractors may be affected

[F-35 Lightning II, also known as the Joint Strike Fighter (JSF), planes built by Lockheed Martin arrive at Edwards Air Force Base in California in this May 2010 photo. REUTERS/Tom Reynolds/Lockheed Martin]

This week, Lockheed Martin—the largest U.S. military contractor—and several other defense contractors have reportedly experienced intrusions in their computer networks. Those intrusions may be connected to a hacking attack on RSA's SecurID security token division, disclosed back in March.

Hackers penetrating Sony's Playstation network or Google, affecting the data privacy of millions of users? Bad. Hackers penetrating the networks of the US military's largest weapons makers? Really, really, really bad.

Reuters was first tonight with the news of the intrusion at Lockheed, which the company is said to have first detected on Sunday.

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter. It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

A Lockheed press statement, reprinted in part in the Wall Street Journal, reads:

[T]o counter any threats, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. We have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multilayered information systems security.


John Markoff and Christopher Drew in the New York Times link the Lockheed hack to the March RSA breach. While Lockheed's problems may be the first publicly known damage from that attack, other firms may also be affected.

"The issue is whether all of the security controls are compromised," said James A. Lewis, a senior fellow and a specialist in computer security issues at the Center for Strategic and International Studies, a policy group in Washington. "That's the assumption people are making."

Neither RSA, which is based in Bedford, Mass., nor Lockheed would discuss the problems on Friday.

Officials in the military industry, who spoke only on the condition of anonymity given the sensitivity of the matter, said Lockheed had detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers, company employees said.

Raytheon published a statement today saying it took "immediate companywide actions" when the RSA breach became known back in March. General Dynamics denied experiencing problems related to the RSA breach; Northrop Grumman and Boeing declined to comment to the Times.

Related reading:
• SecurID Company Suffers a Breach of Data Security (NYT, March 17, 2011, John Markoff)
• Columbia University computer science professor Steve Bellovin's take on the RSA breach (March, 2011).
• And Ars Technica's counterpoint to RSA's characterization of the breach as "extremely sophisticated."


  1. So?

    What a surprise, the gummint and one of its largest contractors can’t keep their own stuff secret. Fuck them. They should build their own “internet”, you know string their own wires (or fiber optics) which no one else could possibly tap in to.

    To quote Red Foreman, if these military contractors don’t get their act together, they’re going to get my foot up their ass.

    I’m sick of this SHIT.

    1. Jake, you do realize that there are classified networks, right? These RSA things get you into the company intranets.

      1. Yep, I do realize. But guess what? Someone put some sensitive stuff whar it warent spoze to be. And it got hacked.

  2. Windows “wins” again–although not mentioned prominently, earlier reports indicated that the RSA breach was traced to a password-stealing Trojan that also allowed analysis of the SecurID algorithms. When will these folks learn that Microsoft Windows is unsuitable for any secure system? Iran and the Oak Ridge Labs sure found out the hard way!

    1. Xeni, it’s ‘SecurID’.

      ScienceMikey, the attack was imbedded in an Excel spreadsheet.

      Quoting ChannelInsider: “The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” [RSA’s Uri] Rivner explained. “It was a spreadsheet titled ‘2011 Recruitment plan.xls.’ The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability.”

      The Flash vuln, if you took the time to read the details, was exploitable on Mac OS X as well. It wasn’t a ‘Windows Exploit’.

      So there were two, no three, no FOUR culprits: 1) Microsoft, for a vulnerability in Excel that they didn’t know existed; 2) Adobe, for a known Flash vulnerability on ALL platforms using Adobe [See here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609]; 3) the low-level employee, who was taken in by a well-crafted spear-phishing attack; and, most importantly, 4) RSA, which, for some I’d-like-to-see-them-explain-this-one reason, had their SecurID database system’s computers non-firewalled, non-air-gapped, non-fraud-detecting.

      This is what RSA counsels and sells to its customers and it wasn’t using it itself.

      What was stolen was the SecurID’s private-key/serial number database, not the algorithms. Those are published and well-known.

      1. So, someone with security clearance didn’t know better than to NOT retrieve and open an excel spreadsheet?

        Winning!

    1. Vote for me and I’ll set you free!

      (Not really, just quoting the Temptations’ song “Ball of Confusion”): that’s what the world is today.

      Damn… now I’m going to go over to u tube and listen to it. I need sleep. ;P

  3. Wow, the people responsible for sorting the data from the latest UK Census… This isn’t bad, it’s inexcusable.

  4. It’s not that I’m gay, cos I’m not or anything, but gay is cool an all, it’s just, I can’t help noticing how muscle-y those planes are. They’re so RIPPED! The word ‘brawny’ comes to mind. Can’t you just see those planes in dago-tees and tight jeans? You’re already seeing the sunglasses, aren’t you?

    I’m sure putting muscles on a plane improves the aerodynamics.

  5. For reasons none of us understand, the UK census data collection was contracted out to Lockheed Martin as well.

    Brilliant. Cheers for that.

  6. If the data is that important (or, knowing the US, embarrassing) then what business has it got being placed on an internet?

    Still, if a contractor is so big that the client cannot go anywhere else, then why would the contractor care?

  7. Not aerodynamics, but radar cross section. And I don’t normally go for inanimate objects, but I’d like, totally do an F35. Just sayn’, ya know?

    Captcha: ehiedi happens… huh? Whiskey Tango Foxtrot, over?

  8. The best thing that could happen to US national security would be for the Chinese to steal the plans to the F35. It’s such a dog of an airplane – so utterly and fundamentally misconceived and poorly executed – that it would set the Chinese air force back decades if they decided to try to copy it.

  9. What a surprise, the gummint and one of its largest contractors can’t keep their own stuff secret. Fuck them. They should build their own “internet”, you know string their own wires (or fiber optics) which no one else could possibly tap in to.

    I assure you, they do this, and also make extensive use of local-only or completely non-networked computers. The word “sensitive” is being used either to exaggerate the severity of the problem (for legal or PR reasons) or by an uninformed journalist. At most they might have lost some proprietary information (bad for the company) or released some non-sensitive things that nonetheless aren’t cool to talk about (e.g. wikipedia-level descriptions of current and planned projects).

  10. Xeni and others,

    Playing Devil’s advocate: why is this really, really, really bad? Lockheed Martin is a nasty brutish servant of the empire that, as an institution, screws people over at home and abroad. So who cares if someone yanks LM’s pants down a little (or a lot)?

    (Note: not bashing on individual employees of Lockheed, but on its role within US and global society: they make weapons that kill many people really well.)

    1. This, this, this. I can see no reason why screwing with a company who plays such a large role in the wholesale slaughter of people everywhere in the world (except the US) is really, really, really bad.

  11. Wow… this IS really, really, really bad.

    Military technology is a big deal. Not only does it include technical information on present/future equipment, it also incorporates R&D, anti-circumvention, materials, manufacturing, etc.

    I know that these companies make things that kill people but that doesn’t mean we should want their information to be stolen. If it ends up in places we have tenuous relationships with, it could end up costing us a lot in dollars, lives, & war. Russia, China, and Venezuela are just the few I’m thinking of.

    1. When was the last time you saw China, Russia or Venezuela simultaneously invade other countries, engage in protracted occupation of same, prosecute domestic and foreign assassinations, arm brutal regimes with LM-produced anti-insurgent weapons, and spend more than the rest of the world’s nations combined on military infrastructure?

      I call shenanigans.

    2. I know that these companies make things that kill people but that doesn’t mean we should want their information to be stolen.

      The information wasn’t stolen, LM still has their copies. Now, if your real point is that it doesn’t mean their secrets should be revealed, then I’d like to see your logic there. Show your work, please.

  12. Umm… Tibet? Xinjiang? Chechnya? Georgia?

    OK, they don’t buy from LockMart, but that’s because they have their own cheaper suppliers. Their budgets are smaller, but Russia (according to SIPRI) spends more on its military as a percentage of its GDP than the US does, and the actual size of the Chinese military budget is very hard to determine. The only reason why their overall military budgets are smaller is because their economies are smaller, and they can pay their soldiers a lot less and give them much worse living conditions, due to the lower living standards of their civilians and (in Russia’s case) conscription.

  13. A common misconception I keep seeing is “why do they keep this stuff on the internet.” This stuff is not on the internet. What is being done is using the RSA tokens to gain remote access to the internal network of the company. Employees have to be able to work remotely, and have to have a method to log in using some sort of secure protocol.

    The better question is: knowing that RSA was compromised in March, why did these companies apparently take zero steps to prevent the RSA hack from being used on them? Other companies quickly turned off the RSA tokens and moved to another system until RSA can get their stuff fixed, why were these guys so damned lazy?

  14. A few things.

    First.

    “So, someone with security clearance didn’t know better than to NOT retrieve and open an excel spreadsheet?”

    There is no reason to believe that the person at RSA who opened the phish has security clearance. If they were involved with classified material from the DOD then maybe yes. Working for a security company doesn’t mean you have any more clearance than a guy on the street.

    Second.

    “4) RSA, which, for some I’d-like-to-see-them-explain-this-one reason, had their SecurID database system’s computers non-firewalled, non-air-gapped, non-fraud-detecting.”

    Probably the data had all of these in place. If you come up with a foolproof way of determining a valid data request from an invalid one coming from the same system using the same credentials you will be a millionaire.

    Third.

    “The better question is: knowing that RSA was compromised in March, why did these companies apparently take zero steps to prevent the RSA hack from being used on them? Other companies quickly turned off the RSA tokens and moved to another system until RSA can get their stuff fixed, why were these guys so damned lazy?”

    Do you have any concept of what it takes to just swap out a security system for a company with 126,000 employees? At this point a plan for that is still being developed. I have no view into their internal workings but I doubt they just ignored what was going on. My guess is they thought they still had time to mitigate the risk. The RSA hack still would have required PINs to use the duplicated keys. The bad guys either had them already or got them as part of this attack.

    My $.03.

    1. Probably the data had all of these in place. If you come up with a foolproof way of determining a valid data request from an invalid one coming from the same system using the same credentials you will be a millionaire.

      Well, to be fair, the R, S, and A of RSA are millionaires. And they DO sell systems which are intended to prevent this type of breach and, NO, they did not have them installed on the machine which held the database…read the reports.

      Here’s a ‘why didn’t they?’:
      1) encrypt the database;
      2) use a separate device to decrypt the data on the fly. This is SOP for sensitive data. Bonus: the device doesn’t work unless keys are inserted into the device.

      If the encrypted database was stolen, it couldn’t be decrypted without the external device. No problem.
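As an added illustration of the three points argued in this thread (comment 13's description of tokens as the remote-access factor, comment 14's note that a duplicated key still needs the PIN, and the reply's suggestion of encrypting the seed database under a separate device's key), here is a constructed toy model in Python. It is not RSA's SecurID algorithm nor any of these companies' code; `TokenServer`, `tokencode`, `hsm_key`, the XOR wrap and the 60-second window are all assumptions made for the example.

```python
import hashlib
import hmac
# Constructed toy model of a seed-based hardware token plus PIN; it is NOT RSA's
# SecurID algorithm. Token and server share a per-token secret seed and derive a
# short code from the current time window; the PIN is the factor the user knows.
STEP = 60  # seconds per tokencode window (assumption)

def tokencode(seed: bytes, t: float, step: int = STEP) -> str:
    """Derive the 6-digit code for the time window containing t."""
    window = int(t // step).to_bytes(8, "big")
    digest = hmac.new(seed, window, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class TokenServer:
    """Seeds are stored wrapped under a key held in a separate device (hsm_key
    stands in for it), so a copy of the seed table alone yields no tokencodes."""
    def __init__(self, hsm_key: bytes):
        self._hsm_key = hsm_key
        self._seeds = {}   # serial -> wrapped seed (the table an intruder could copy)
        self._users = {}   # user -> (serial, pin_hash)

    def _wrap(self, serial: str, seed: bytes) -> bytes:
        # Toy XOR wrap keyed per serial (applying it twice unwraps); a real system uses an authenticated cipher in the HSM.
        stream = hmac.new(self._hsm_key, serial.encode(), hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(seed, stream))

    def enroll(self, user: str, serial: str, seed: bytes, pin: str) -> None:
        self._seeds[serial] = self._wrap(serial, seed)
        self._users[user] = (serial, hashlib.sha256(pin.encode()).hexdigest())  # simplified PIN hash

    def verify(self, user: str, passcode: str, now: float) -> bool:
        """passcode is the PIN followed by the tokencode; both factors must match."""
        serial, pin_hash = self._users[user]
        pin, code = passcode[:4], passcode[4:]
        seed = self._wrap(serial, self._seeds[serial])  # unwrap with the device key
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), pin_hash)
        return pin_ok and hmac.compare_digest(tokencode(seed, now), code)

def demo(now: float = 1_306_000_000.0) -> tuple:
    """Three cases from the thread at one fixed time: a legitimate login, a cloned
    token (real seed) without the PIN, and a copied seed table without the key."""
    seed, hsm_key = bytes(range(32)), b"\x07" * 32   # constructed values
    srv = TokenServer(hsm_key)
    srv.enroll("alice", "000123456789", seed, "4711")
    legit = srv.verify("alice", "4711" + tokencode(seed, now), now)
    clone_without_pin = srv.verify("alice", "0000" + tokencode(seed, now), now)
    copied_row = srv._seeds["000123456789"]          # wrapped blob, not the seed
    copied_table_only = srv.verify("alice", "4711" + tokencode(copied_row, now), now)
    return legit, clone_without_pin, copied_table_only
```

Only the first case succeeds: the cloned token fails on the PIN, and the copied table fails because the blob it holds is not the seed until the separate device unwraps it.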
