
Dept. of Defense and Homeland Security confirm Lockheed Martin hacker breach

Xeni Jardin at 6:17 pm Sat, May 28, 2011


Reuters has a follow-up to their scoop yesterday about an unspecified hacker attack involving Lockheed Martin, the world's biggest aerospace firm and the top US military supplier by sales: the DoD and the DHS are now involved, and confirm that a breach took place.

As reported yesterday, the Lockheed intrusion may be linked to the RSA SecurID breach disclosed two months ago. Reuters reports today:

The Department of Homeland Security said it and the Defense Department had offered to help gauge the scope of a "cyber incident impacting LMCO," as the maker of fighter jets, ships and other major weapons systems is known. The U.S. government also has offered to help analyze "available data in order to provide recommendations to mitigate further risk," Chris Ortman, a Homeland Security official, said in an e-mailed reply to a query from Reuters.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But military contractors' networks contain sensitive data on arms that are under development as well as technology used by U.S. forces in Iraq and Afghanistan.

No word yet on whether other military contractors that also use RSA's SecurID system have experienced similar problems.

 
  • RSA SecurID breach linked to hacker attack on Lockheed Martin

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.


  • thebelgianpanda

    Considering the lack of clarity on what data was stolen and details on how the breach was accomplished, it is gonna be pretty difficult for us arm-chair analysts to figure out what actually happened. Even with detailed logs and forensics, as an experienced security handler I shudder at the thought of analyzing this type of case.

    If this really gets back to SecurID being compromised by disclosure of implementation or implementation flaws, then I don’t think it is hyperbole to say the security community will be shaken to its core.

  • murrayhenson

    I wonder if it is starting to dawn on corporate IT nerds that relying on closed-source code and vendors to quickly fix holes doesn’t work very well.

    The answer, BTW, is that they all know this but it’s impossible to explain it to people higher up the chain (if it can’t fit on a PowerPoint slide or grossly simplified Excel spreadsheet then (1) they don’t know about it and (2) it can’t possibly matter or be relevant) so they just do what’s safe.

    • thebelgianpanda

      Back when I was dealing with RSA, RSA made more money selling tokens than software. And the RSA sales folk talked directly with the exec/vp/buyers. Architecture would be involved, but in multi-million dollar deals the lowest risk choice is often taken (no-one has ever lost their job from going with RSA, for example).

      Open source isn’t a panacea, though I am actually on your side. Vigilance is your most important defense, and that can be done with both open and closed source software. The main problem with this kind of incident is the implied lack of needed vigilance that tokens needed (or so it seems from the article).

    • rebdav

      It is like the compromised Indigo codes during WW-II. The culture in Imperial Japan wouldn’t permit admitting that the codes were broken so they kept using them to the end.
      This is how giants stumble and fall.

      • Ugly Canuck

        I don’t buy that, unless you give a cite pointing to evidence that they KNEW, or ought reasonably to have known, that their code had been broken, but that the Japanese yet continued to use it, regardless.

        Can you point to anything in the historical record which indicates that they suspected at the time of the War that their codes had been compromised?

        AFAIK, the Allies – perhaps even just the US, as only they may have known at that time about their code-breaking successes – were very, very careful not to conduct any operations in a way which would unquestionably demonstrate to the enemy that the US had in fact broken their codes, and read their dispatches.

        The Japanese and Germans did not know, nor suspect, that most of their codes had been broken during WW 2, until the US told them about it in 1960.

        • Ugly Canuck

          In fact, IIRC, the Germans and Japanese reacted to the 1960 American revelations of successfully having broken their codes at the outset of WW 2 with outright disbelief and great skepticism.

          So in a limited sense, you are correct as to the blind arrogance and over-confidence present in their essential nature: for they remained arrogant and over-confident in their abilities – even years after their actual defeat.

          OTOH, such arrogance, or unfounded confidence in themselves, appears from history to be a common failing in powerful people.

        • turn_self_off

          IIRC, Churchill chose to not intercept an attack to hide the fact that the British were reading the German transmissions.

  • jackbird

    I’ve done some on-site contract work for LMCO, and their IT is extremely tightly locked-down (and this is for non-clearance-requiring stuff).

    So much so that employees have trouble doing things like provisioning servers.

    So they end up running test servers off their home internet connections and other foolishness.

  • Anonymous

    I am surprised that you would say the officials confirm a breach, since I don’t see that in the story. The officials confirm that they offered to help, but that could easily have been in response to the rumors.

    Still no breach confirmed. (Though it may have happened).

  • D.R.W.

    i worked for a bank & for a bit i worked from home for the bank.
    we used the SecurID tags to log into the corporate network.

    the key fob that is pictured spits out a numeric key. i think it is once a minute it produces a new key.
    our company said they would charge us for replacement. i could be wrong but i think the charge was 20$ i am probably wrong on the price & i have no idea how much they charge the company for bulk.

    the hackers needed a lot more than just a SecurID key to get into a network. they would need to match up the rest of the log in credentials that match a generated key

  • Anonymous

    The irony is that hackers usually say they’re doing it to preserve internet freedoms. But all these hacks just give politicians more ammo to try to lock the thing down. It’s slowly ruining it for everyone.

    Britain and America already seem to have a hard on for ruining the internet. This just speeds up the inevitable. Someday we’ll tell our kids how amazing and free the internet used to be…

    • EH

      Strawman much? Do you know that these hackers are doing it for the freedom rather than the lulz?

      No, the only thing we will know is that society will have to be locked down in response due to “freedom,” that which is also invoked in order to start wars.

      The irony is in this happening just as the US Government is saying that SIPRNET will be locked down in response to Wikileaks problems, moving from their current Post-It Note-based security model to one much more secure. Current ETA is sometime 2013, so might as well save your bile.

      • Finnagain

        “No, the only thing we will know is that society will have to be locked down in response”

        Who died and made you autocrat?

    • CastanhasDoPara

      You’re pulling out the wrong buzzword to describe the perpetrators here. The word you were looking for was criminals not hackers.

      Hackers are people with deep curiosity about the way things work, computer systems are a prime example but not the only one.

      Criminals are people with a deep curiosity about how they can abuse the way things work for personal gain or to harm others.

      Now that that is cleared up, it does suck that incidents like this will lead to less freedom and more knee-jerk reactions. Also the proposed solutions will invariably be flawed and vulnerable to criminals as well. The main problem is that security needs to be perfect and criminals only need to be lucky or persistent. One of those conditions will never be met and the other will always be present.

  • Jake0748

    To continue my rant from the previous thread.

    Foot —-> Ass.

    (or collective asses)

  • Anonymous

    lockheed martin are the contractor running the UK 2011 census. glad our data is nice and safe.

  • Sam125

    The irony is that hackers usually say they’re doing it to preserve internet freedoms.

    That may be true but if I were to speculate for a moment, I’m pretty sure most hackers do it because they can which is I’m guessing more of them exercising their freedom than doing it in the name of freedom. Unfortunately the people in power are painfully bad at using or even understanding technology and would likely use a security breach at a national defense contractor as an excuse to step up internet monitoring which yeah will ruin the internet we all know and love.

  • SeattlePete

    “So they end up running test servers off their home internet connections and other foolishness.”

    This. Although it may not have anything to do with the issue at hand. I’d like to take the opportunity to point out the inherent insecurity of a system that encourages insecure practices. I get that 3 key encryption is a safe way to transmit data in a vacuum, but someone at RSA should really take note of how real people act in the real world. Humans are sloppy, and it’s the human proclivities that result in security breaches.

  • WeightedCompanionCube

    Ouch.

    Chances are the RSA hackers stole token seed data. If you know the seed you can emulate the token in software. There’s open-source code out there to do it. You basically run the same code the SecurID auth servers use to know what value the token will be displaying right now.

    Once you have that, it’s simply a matter of mapping the token to a username and guessing a PIN or password. And we all know people use the kinda thing an idiot would have on his luggage.

    One thing that might give everyone some comfort is that the really sensitive (as in classified) data wouldn’t have been affected by this breach. Nothing of that nature is ever put on a network that connects to the Internet. Things like Wikileaks, etc. happen because someone with physical access sneakernets it out.

  • Anonymous

    I warned them that 202 in Palo Alto wasn’t safe. It’s dangerous between them.

  • Cochituate

    All our fobs were turned off at the start of the week. Still waiting on my new one…

  • Anonymous

    Negligence at work: it was known that RSA had been broken into and it had been assumed (correctly, as we know now) that the seeds for security tokens could have been compromised.

    So why then did so many companies continue to rely on these SecurID tokens?

  • Anonymous

    If someone published how to compromise these security measures, you’d be talking about white-hat hackers, who might very well claim that their interests are in net neutrality and ‘internet freedoms’. It should be noted, they usually only do this after the concerned party refuses to rectify problems.

    Considering no-one has said that for this, it’s safe to assume that this isn’t an act by your ‘internet freedoms’ hackers.