RSA SecurID breach linked to hacker attack on Lockheed Martin; other US military contractors may be affected


31 Responses to “RSA SecurID breach linked to hacker attack on Lockheed Martin; other US military contractors may be affected”

  1. cepheus42 says:

    A common misconception I keep seeing is “why do they keep this stuff on the internet.” This stuff is not on the internet. What is being done is using the RSA tokens to gain remote access to the internal network of the company. Employees have to be able to work remotely, and have to have a method to log in using some sort of secure protocol.

    The better question is: knowing that RSA was compromised in March, why did these companies apparently take zero steps to prevent the RSA hack from being used on them? Other companies quickly turned off the RSA tokens and moved to another system until RSA can get their stuff fixed, why were these guys so damned lazy?

  2. So It's Come To This says:

    Wow… this IS really, really, really bad.

    Military technology is a big deal. Not only does it include technical information on present/future equipment, it also incorporates R&D, anti-circumvention, materials, manufacturing, etc.

    I know that these companies make things that kill people but that doesn’t mean we should want their information to be stolen. If it ends up in places that we have tenuous relationships with, it could end up costing us a lot in dollars, lives, & war. Russia, China, and Venezuela are just the few I’m thinking of.

    • Lexicat says:

      When was the last time you saw China, Russia or Venezuela simultaneously invade other countries, engage in protracted occupation of same, prosecute domestic and foreign assassinations, arm brutal regimes with LM-produced anti-insurgent weapons, and spend more than the rest of the world’s nations combined on military infrastructure?

      I call shenanigans.

    • EH says:

      “I know that these companies make things that kill people but that doesn’t mean we should want their information to be stolen.”

      The information wasn’t stolen, LM still has their copies. Now, if your real point is that it doesn’t mean their secrets should be revealed, then I’d like to see your logic there. Show your work, please.

  3. Jake0748 says:

    So?

    What a surprise, the gummint and one of its largest contractors can’t keep their own stuff secret. Fuck them. They should build their own “internet”, you know string their own wires (or fiber optics) which no one else could possibly tap in to.

    To quote Red Foreman, if these military contractors don’t get their act together, they’re going to get my foot up their ass.

    I’m sick of this SHIT.

  4. ScienceMikey says:

    Windows “wins” again–although not mentioned prominently, earlier reports indicated that the RSA breach was traced to a password-stealing Trojan that also allowed analysis of the SecurID algorithms. When will these folks learn that Microsoft Windows is unsuitable for any secure system? Iran and the Oak Ridge Labs sure found out the hard way!

    • PaulR says:

      Xeni, it’s ‘SecurID’.

      ScienceMikey, the attack was imbedded in an Excel spreadsheet.

      Quoting ChannelInsider: “The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” [RSA's Uri] Rivner explained. “It was a spreadsheet titled ’2011 Recruitment plan.xls.’ The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability.”

      The Flash vuln, if you took the time to read the details, was exploitable on Mac OS X as well. It wasn’t a ‘Windows Exploit’.

      So there were two, no three, no FOUR culprits: 1) Microsoft, for a vulnerability in Excel that they didn’t know existed; 2) Adobe, for a known Flash vulnerability on ALL platforms using Adobe [See here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609]; 3) the low-level employee, who was taken in by a well-crafted spear-phishing attack; and most importantly; 4) RSA, which, for some I’d-like-to-see-them-explain-this-one reason, had their SecurID database system’s computers non-firewalled, non-air-gapped, non-fraud-detecting.

      This is what RSA counsels and sells to its customers and it wasn’t using it itself.

      What was stolen was the SecurID’s private-key/serial number database, not the algorithms. Those are published and well-known.

  5. Tau'ma says:

    Dang it !

  6. querent says:

    vote Jake0748 in 2012.

    • Jake0748 says:

      Vote for me and I’ll set you free!

      (Not really, just quoting the Temptations’ song “Ball of Confusion”), that’s what the world is today.

      Damn… now I’m going to go over to u tube and listen to it. I need sleep. ;P

  7. Anonymous says:

    A few things.

    First.

    “So, someone with security clearance didn’t know better than to NOT retrieve and open an excel spreadsheet?”

    There is no reason to believe that the person at RSA who opened the phish has security clearance. If they were involved with classified material from the DOD then maybe yes. Working for a security company doesn’t mean you have any more clearance than a guy on the street.

    Second.

    “4) RSA, which, for some I’d-like-to-see-them-explain-this-one reason, had their SecurID database system’s computers non-firewalled, non-air-gapped, non-fraud-detecting.”

    Probably the data had all of these in place. If you come up with a foolproof way of determining a valid data request from an invalid one coming from the same system using the same credentials you will be a millionaire.

    Third.

    “The better question is: knowing that RSA was compromised in March, why did these companies apparently take zero steps to prevent the RSA hack from being used on them? Other companies quickly turned off the RSA tokens and moved to another system until RSA can get their stuff fixed, why were these guys so damned lazy?”

    Do you have any concept of what it takes to just swap out a security system for a company with 126,000 employees? At this point a plan for that is still being developed. I have no view into their internal workings but I doubt they just ignored what was going on. My guess is they thought they still had time to mitigate the risk. The RSA hack still would have required PINs to use the duplicated keys. The bad guys either had them already or got them as part of this attack.

    My $.03.

    • PaulR says:

      “Probably the data had all of these in place. If you come up with a foolproof way of determining a valid data request from an invalid one coming from the same system using the same credentials you will be a millionaire.”

      Well, to be fair, the R, S, and A of RSA are millionaires. And they DO sell systems which are intended to prevent this type of breach and, NO, they did not have them installed on the machine which held the database…read the reports.

      Here’s a ‘why didn’t they?’:
      1) encrypt the database;
      2) use a separate device to decrypt the data on the fly. This is SOP for sensitive data. Bonus: the device doesn’t work unless keys are inserted into the device.

      If the encrypted database was stolen, it couldn’t be decrypted without the external device. No problem.

  8. Anonymous says:

    It was only a little leak.
    Only one port was hacked.

  9. Anonymous says:

    Wow, the people responsible for sorting the data from the latest UK Census… This isn’t bad, it’s inexcusable.

  10. nil8r says:

    It’s not that I’m gay, cos I’m not or anything, but gay is cool an all, it’s just, I can’t help noticing how muscle-y those planes are. They’re so RIPPED! The word ‘brawny’ comes to mind. Can’t you just see those planes in dago-tees and tight jeans? You’re already seeing the sunglasses, aren’t you?

    I’m sure putting muscles on a plane improves the aerodynamics.

  11. BlackPanda says:

    For reasons none of us understand, the UK census data collection was contracted out to Lockheed Martin as well.

    Brilliant. Cheers for that.

  12. Anonymous says:

    If the data is that important (or, knowing the US, embarrassing) then what business has it got being placed on an internet?

    Still, if a contractor is so big that the client cannot go anywhere else, then why would the contractor care?

  13. Anonymous says:

    Not aerodynamics, but radar cross section. And I don’t normally go for inanimate objects, but I’d like, totally do an F35. Just sayn’, ya know?

    Captcha: ehiedi happens… huh? Whiskey Tango Foxtrot, over?

  14. Anonymous says:

    The best thing that could happen to US national security would be for the Chinese to steal the plans to the F35. It’s such a dog of an airplane – so utterly and fundamentally misconceived and poorly executed – that it would set the Chinese air force back decades if they decided to try to copy it.

  15. bkad says:

    “What a surprise, the gummint and one of its largest contractors can’t keep their own stuff secret. Fuck them. They should build their own “internet”, you know string their own wires (or fiber optics) which no one else could possibly tap in to.”

    I assure you, they do this, and also make extensive use of local-only or completely non-networked computers. The word “sensitive” is being used either to exaggerate the severity of the problem (for legal or PR reasons) or by an uninformed journalist. At most they might have lost some proprietary information (bad for the company) or released some non-sensitive things that nonetheless aren’t cool to talk about (e.g. Wikipedia-level descriptions of current and planned projects).

  16. Lexicat says:

    Xeni and others,

    Playing Devil’s advocate: why is this really, really, really bad? Lockheed Martin is a nasty brutish servant of the empire that, as an institution, screws people over at home and abroad. So who cares if someone yanks LM’s pants down a little (or a lot)?

    (Note: not bashing on individual employees of Lockheed, but on its role within US and global society: they make weapons that kill many people really well.)

    • ryxxui says:

      This, this, this. I can see no reason why screwing with a company who plays such a large role in the wholesale slaughter of people everywhere in the world (except the US) is really, really really bad.

    • Anonymous says:

      Lexicat, would you prefer that anyone could make such weapons?

  17. AlexG55 says:

    Umm… Tibet? Xinjiang? Chechnya? Georgia?

    OK, they don’t buy from LockMart, but that’s because they have their own cheaper suppliers. Their budgets are smaller, but Russia (according to SIPRI) spends more on its military as a percentage of its GDP than the US does, and the actual size of the Chinese military budget is very hard to determine. The only reason why their overall military budgets are smaller is because their economies are smaller, and they can pay their soldiers a lot less and give them much worse living conditions, due to the lower living standards of their civilians and (in Russia’s case) conscription.
