The better question is: knowing that RSA was compromised in March, why did these companies apparently take zero steps to prevent the RSA hack from being used on them? Other companies quickly turned off the RSA tokens and moved to another system until RSA can get their stuff fixed, why were these guys so damned lazy?

Military technology is a big deal. Not only does it include technical information on present/future equipment, it also incorporates R&D, anti-circumvention, materials, manufacturing, etc.

I know that these companies make things that kill people but that doesn’t mean we should want their information to be stolen. If it ends up in places where we have tenuous relationships with, it could end up costing us a lot in dollars, lives, & war. Russia, China, and Venezuela are just the few I’m thinking of.

I call shenanigans.

The information wasn’t stolen, LM still has their copies. Now, if your real point is that it doesn’t mean their secrets should be revealed, then I’d like to see your logic there. Show your work, please.

Winning!

What a surprise, the gummint and one of its largest contractors can’t keep their own stuff secret. Fuck them. They should build their own “internet”, you know string their own wires (or fiber optics) which no one else could possibly tap in to.

To quote Red Foreman, if these military contractors don’t get their act together, they’re going to get my foot up their ass.

I’m sick of this SHIT.

First.

“So, someone with security clearance didn’t know better than to NOT retrieve and open an excel spreadsheet?”

There is no reason to believe that the person at RSA who opened the phish has security clearance. If they were involved with classified material from the DOD then maybe yes. Working for a security company doesn’t mean you have any more clearance than a guy on the street.

Second.

“4) RSA, which, for some I’d-like-to-see-them-explain-this-one reason, had their SecurID database system’s computers non-firewalled, non-air-gapped, non-fraud-detecting.”

Probably the data had all of these in place. If you come up with a foolproof way of determining a valid data request from an invalid one coming from the same system using the same credentials you will be a millionaire.

Third.

“The better question is: knowing that RSA was compromised in March, why did these companies apparently take zero steps to prevent the RSA hack from being used on them? Other companies quickly turned off the RSA tokens and moved to another system until RSA can get their stuff fixed, why were these guys so damned lazy?”

Do you have any concept of what it takes to just swap out a security system for a company with 126,000 employees? At this point a plan for that is still being developed. I have no view into their internal workings but I doubt they just ignored what was going. My guess is they thought they still had time to mitigate the risk. The RSA hack still would have required PINs to use the duplicated keys. The bad guys either had them already or got them as part of this attack.

My $.03.

(Not really, just quoting the Temptation’s song “Ball of Confusion”), that’s what the world is today.

Damn… now I’m going to go over to u tube and listen to it. I need sleep. ;P

I’m sure putting muscles on a plane improves the aerodynamics.

Well, to be fair, the R, S, and A of RSA are millionaires. And they DO sell systems which are intended to prevent this type of breach and, NO, they did not have them installed on the machine which held the database…read the reports.

Here’s a ‘why didn’t they?’:
1) encrypt the database;
2) use a separate device to decrypt the data on the fly. This is SOP for sensitive data. Bonus: the device doesn’t work unless keys are inserted into the device.

If the encrypted database was stolen, it couldn’t be decrypted without the external device. No problem.

Brilliant. Cheers for that.

Still, if a contractor is so big that the client cannot go anywhere else, then why would the contractor care?

ScienceMikey, the attack was imbedded in an Excel spreadsheet.

Quoting ChannelInsider: “The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” [RSA's Uri] Rivner explained. “It was a spreadsheet titled ’2011 Recruitment plan.xls.’ The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability.”

The Flash vuln, if you took the time to read the details, was exploitable on Mac OS X as well. It wasn’t a ‘Windows Exploit’.

So there were two, no three, no FOUR culprits: 1) Microsoft, for an vulnerability in Excel that they didn’t know existed; 2) Adobe, for a known Flash vulnerability on ALL platforms using Adobe [See here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609; 3) the low-level employee, who was taken in by a well-crafted spear-phishing attack; and most importantly; 4) RSA, which, for some I’d-like-to-see-them-explain-this-one reason, had their SecurID database system’s computers non-firewalled, non-air-gapped, non-fraud-detecting.

This is what RSA counsels and sells to its customers and it wasn’t using it itself.

What was stolen was the SecurID’s private-key/serial number database, not the algorithms. Those are published and well-known.

Captcha: ehiedi happens… huh? Whiskey Tango Foxtrot, over?

What a surprise, the gummint and one of its largest contractors can’t keep their own stuff secret. Fuck them. They should build their own “internet”, you know string their own wires (or fiber optics) which no one else could possibly tap in to.

I assure you, they do this, and also make extensive use of local-only or completely non-networked computers. The word “sensitive” is being used either to exaggerate the severity of the problem (for legal or PR reasons) or by an uninformed journalist. At most they might have lost some proprietary information (bad for the company) or released some non-sensitive things that none-the-less aren’t cool to talk about (e.g. wikipedia-level descriptions of current and planned projects).

Playing Devil’s advocate: why is this really, really, really bad? Lockheed Martin is a nasty brutish servant of of the empire that, as an institution, screws people over at home and abroad. So who cares if someone yanks LM’s pants down a little (or a lot)?

(Note: not bashing on individual employees of Lockheed, but on it’s role within US and global society: they make weapons that kill many people really well.)

http://en.wikipedia.org/wiki/JWICS
http://en.wikipedia.org/wiki/SIPRNET

and of course

http://en.wikipedia.org/wiki/ARPANET

enjoy!

OK, they don’t buy from LockMart, but that’s because they have their own cheaper suppliers. Their budgets are smaller, but Russia (according to SIPRI) spends more on its military as a percentage of its GDP than the US does, and the actual size of the Chinese military budget is very hard to determine. The only reason why their overall military budgets are smaller is because their economies are smaller, and they can pay their soldiers a lot less and give them much worse living conditions, due to the lower living standards of their civilians and (in Russia’s case) conscription.