RSA SecurID Breach Leads To Intrusion At Lockheed Martin


It looks like Lockheed Martin is the latest victim in what seems to be an endless string of security breaches. This time however, it does not look like a lack of security measures led to the breach. In fact, it seems that Lockheed’s implementation of a widely-trusted security tool was the attack vector this time around.

Last month we reported on the apparent compromise of RSA’s SecurID product, and while many speculated that this intrusion could lead to subsequent attacks, the firm downplayed the breach. They stated that the stolen data was unlikely to affect their customers, but as usual, the problem appears to be far larger than originally estimated.

The breadth of the intrusion is currently unknown, and with both RSA and Lockheed officials keeping mum, it may be some time before anyone knows how serious it is. When military secrets are in question however, you know it can’t be good!

45 thoughts on “RSA SecurID Breach Leads To Intrusion At Lockheed Martin”

  1. F22 anti-radar technology anyone?

    That makes national power grid, top weapons manufacturer, what else?

    Also what’s funny is if you go into any of these places it’s mostly contractors from other countries ^^

  2. The next time a company like RSA gets hacked, I bet the same people will be saying how the information taken couldn’t possibly be useful. The rest of us will know the truth.

  3. @thelackey3326:

    Those “few more walls” are not just a concept for Military stuff.

    If someone exploited the machine you are reading this on – what could happen to your life?

    Arguably the basic concepts of layered access plus nested encryption levels “might” lower risks at an acceptable cost/effort expense. But only if the risk of data loss or other exploits does not warrant true Offline/Air Gap handling of the data. We’ve developed all these elaborate policies up to and including Thermite-enhanced computers etc., and all it takes is someone ignoring the rules.

    I worry more about the risks of ignored rules than all external exploits combined.

  4. SecurID is supposed to be a factor of authentication… something you have… but once it was hacked, it’s just something you know. That is no longer an additional security method.

  5. Just a thought.. what about more `offensive` methods, like perhaps when a breach takes place, the system automatically sends a bug back to the intruding machine. A bug capable of first retrieving all data from the attacking computer for use in later legal matters, then basically frying the system. A castle doctrine for the internet world.. you break into my computer, I destroy yours. Here in Ohio, if someone breaks through my front door, I dump a few loads of buckshot at them, and wait for the authorities to come and clean up my kitchen. Why can’t the same be done for our PCs?

  6. This really pisses me off for a number of reasons.

    Those of you who claim that any government secrets are protected by the RSA tokens need to shut up. That’s illegal.

    Also, those of you who claim that these contractors are not US Citizens also need to shut up. Department of Defense contractors are not able to hire foreign nationals for work on anything that is DoD classified, or on any software coding. That is also illegal.

    If you don’t know the laws, regulations, and policies, shut your yaps.

  7. There are going to be more details before one can find out what went wrong. Did these computers have a trojan already on them to track their pin codes and user logins at a specific time? If so, then the only thing you can do is to protect your PC in the first place. RSA keys can only go so far to protect stupidity…

  8. I’d assume that one user’s machine was compromised; as a result the attackers were able to log what token he was using at what time and what their PIN was as well.
    With that data you can (like you used to be able to for the old tokens with Cain and Abel) determine at which point in ‘time’ the token is at (you need two naturally) and then log in whenever since the PIN is static..

    Increasing the PIN length just makes it less likely to guess. Doesn’t matter if the box gets key-logged.
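The point made in comments 4 and 8 (a leaked seed turns “something you have” into “something you know”, and a longer static PIN does not help once the PIN has been keylogged) can be shown with a small time-based token simulation. This is an added example, not code from the post or from RSA: SecurID’s token algorithm is proprietary, so the open RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter, RFC 4226 truncation) stands in for it, and the seed bytes, PIN and timestamps below are constructed test values (the seed is the RFC 4226 test secret).

```python
"""Added example: a time-based token is a deterministic function of (seed, clock).
Whoever holds the seed bytes produces exactly the code the server expects, so the
seed IS the possession factor; a static PIN in front of it is only knowledge.
Assumption: RFC 6238 TOTP is used as a stand-in for the proprietary SecurID algorithm.
"""
import hashlib
import hmac
import struct

STEP = 30  # seconds per one-time code (RFC 6238 default)

# Constructed demo seed: the RFC 4226 test secret, not a real token's seed.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // STEP, digits)


def verify_passcode(seed: bytes, pin: str, passcode: str,
                    unix_time: int, window: int = 1) -> bool:
    """Server-side check of a passcode of the form PIN + token code.
    Accepts +/- `window` time steps of clock drift and compares in constant
    time so the verifier itself does not leak the expected value."""
    counter = unix_time // STEP
    for c in range(counter - window, counter + window + 1):
        expected = pin + hotp(seed, c)
        if hmac.compare_digest(expected, passcode):
            return True
    return False


def replay_of_observed_passcode_fails(seed: bytes, pin: str,
                                      observed_at: int, replayed_at: int) -> bool:
    """What a one-time code buys you: a passcode captured at `observed_at`
    is rejected when replayed outside the drift window."""
    observed = pin + totp(seed, observed_at)
    return not verify_passcode(seed, pin, observed, replayed_at)


def seed_holder_passes_at_any_time(seed: bytes, pin: str, unix_time: int) -> bool:
    """What a leaked seed costs you: a fresh copy of the seed bytes (here,
    literally bytes(seed)) regenerates a valid code for any later time, and
    the server cannot tell it from the genuine token. Making `pin` longer
    changes nothing here, because the verifier treats it as a static prefix."""
    regenerated = pin + totp(bytes(seed), unix_time)
    return verify_passcode(seed, pin, regenerated, unix_time)


if __name__ == "__main__":
    pin = "1234"
    print("code at t=59:", totp(SEED, 59))
    print("replay 2 minutes later rejected:",
          replay_of_observed_passcode_fails(SEED, pin, 59, 59 + 120))
    print("seed copy accepted a day later:",
          seed_holder_passes_at_any_time(SEED, pin, 59 + 86400))
```

The two demonstration functions are the defender's summary of the thread: the one-time property defeats replay of a captured passcode, but it offers nothing against an adversary who has the seed, which is why a seed compromise is remediated by replacing the tokens, not by lengthening PINs.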

  9. @Chuckt:

    Partial agreement.

    I’d word it with a few qualifiers.

    It’s sub-moronic to EVER have anything of security risk potentials UNENCRYPTED on any NETWORKED media.

    Access to anything of a security risk needs to be kept at a “only with clear NEED to access” ruleset. EX: Sales reps have no access need to process chemistry details or CNC files of internal parts etc! Same with an accountant having no need to take home an insecure laptop with the whole fracking projects database including program codebases…

    And even after the rules of having NEED to even log in on a secured network+ AUDIT TRAIL compliant methods have been 100% baked into the process, ALL even remotely risky info needs to be handled as encrypted folders. Transmitted in an encrypted transport “whatever” methodology.

    Perhaps up to and including schemes of user-targeted keypairs totally air gap detached from all the other layers?

    Compromise the RSA factor+PIN and still have to get past robust Audit Trail methods like reverse path logging to “really” gain entry. Let’s say you’ve suborned the human and have their complicity in that basic access layer penetration if spy movie stuff is thinkable here.

    The end game is over when there’s a few additional steps like a private key needed to decrypt the “jacket” and then generate a challenge/response session to the time sensitive jacket’s inner keypair. Hassle factor multiplication to the hilt, it’s barely “good enough” for some commercial espionage risks, let alone government wrecking secrets.

    The concept of uh- Disinfo seeding for one case, seems often way underused.. Some of us may seem tinfoil hat paranoids but others of us are too aware of how common crappy security is unremarkable.

  10. If a DoD Contractor has anything classified on a network that is exposed to the outside world, then they won’t likely be a DoD Contractor much longer.

    So that which was allegedly exposed should only have been company proprietary information. It’s a tragic loss, and is likely to contain For Official Use Only information.

  11. KLIK

    “SAM system active”
    “Target acquired”
    “F35-B detected, programming missile, jamming F35-B communications.”

    KLIK
    “Firing”

    “F35-B destroyed”

  12. @Tuttomenui: China, Russia, Korea, and some other countries were all suspected to be in on the national power grid control center infiltration..

    The algo for these dongles was obviously sold on the black market.. Lockheed data is worth even more.

    What’s funny is it was likely a contracted US based researcher or one of the many many foreign contractors there who got them in ^^

  13. “may be connected” is already a big assumption. Where’s the proof? IP-address match or something.
    Replacing those SecurID tokens is just a precautionary action. And there’s a whole lot more than just those tokens that might render the network vulnerable.

  14. WTF, when are people going to realize that not EVERY computer needs to be connected to the interwebs. TWO networks are needed people, one in which you face out towards the real world to take care of day to day business. One that is internal and has no connection (I mean fucking none) to the former.

  15. The problem here in the security compromise wasn’t the RSA keys by themselves. Having the seed # by itself is pretty damn useless without knowing where it goes or the PIN to go with it.

    The big breach here was the phishing and malware attack vectors used to match the seed#’s to users and gain their PINs. Both of these vectors shouldn’t have worked… unless their IT department is inept or their users are idiots. Mostly the latter…

    Fire those who were phished… even if they were the ceo or board members. They’ve proven they can’t use technology and shouldn’t be anywhere near classified information or weapons technology.

  16. @GottaBeThatGuy
    They do that already. Where I work, we have the company network, the contractor network, and secure facilities without outside access. Can’t even bring a cell phone in, especially one with a camera (what cell phone doesn’t have one now). You also have three security tasks to perform to gain entry.

  17. @EvilEngineer: Engineers and technical people don’t lead major companies..if they did no millionaires would invest..

    Also fortune 500 companies and governments hire by credentials not talent..you think Geohot or some guy who does security frameworks or exceptional RCE could get a permanent job at MS, Apple, or RSA without credentials (which they don’t and don’t)? No.

    What will happen: Some other yuppies will do threat analyses around PR and you’ll see some patch to the server that socially mitigates the threat but in no way solves the problem…

    But hey look at these comments..everyone has it figured out..

  18. @Wolfton Actually they could hire contractors to work on classified materials; it would just require the written permission of the Dept of State and DoD. I would imagine it currently is happening on the JSF since a certain amount of work for every contract has to go offshore. It was part of the deal struck with allies in order to get them to help foot the bill for development (hence the JOINT Strike Fighter).

    @GottaBeThatGuy Actually, they do have separate networks. I don’t work for LM, however I do work for a company that has many subcontracts with them and in fact used to be a part of LM. I personally have worked with LM Engineers on site. Per DoD requirements, all classified materials must be kept on a separate network. This network is NOT connected to the internet. In fact, the cables are run in an entirely separate conduit. Lockheed computer security is no joke. They have all computers and connections very locked down… it’s almost too tight to get stuff done sometimes. I won’t go into any more detail as giving detailed information about their network would constitute a security risk, however I will say that it is one of the most tightly run networks I’ve ever seen.

  19. All the secure networks I know of are air-gapped. Air-gapped networks do work; it’s very hard to hack when you have no remote access. BUT as IRAN found out, that doesn’t help if you’re a target and the attacker is persistent and has inside knowledge. RSA was breached for a reason, now we know. Only a state sponsored program goes this far. And you can be sure this is not the end of it, nor will you hear just how BAD it is; RSA would lose more business. A security company that gets hacked, has the keys to the kingdom taken, its proprietary data used to attack its clients. I can see more of this on the horizon.

  20. Really sad to report speculation as fact, but the public facts so far are:

    * Lockheed has announced that the penetration was unsuccessful – they detected it and prevented it
    * Lockheed HAS NOT announced what was breached, and it’s pure speculation this has anything to do with SecurID

    Don’t elevate the speculation of “impartial” security consultants seeking free PR as fact.

  21. LM advertised for some talent after the breach. Very entertaining job description:

    “Just two weeks ago, Lockheed advertised for a “lead computer forensic examiner” for the center, saying it needed someone who could work in a fast paced environment, understood “attack signatures, tactics, techniques and procedures associated with advanced threats,” and was able to “reverse engineer attacker encoding protocols.”

    Maybe they were just trolling for a hacker seeking recognition.

  22. Meh,
    most government secrets are pretty boring, even at lockheed. Besides, maybe leaking lockheed data to the chinese will put *their* projects behind schedule and overbudget.

  23. Some stealth aircraft data is known for 12 years, from this incident: http://en.wikipedia.org/wiki/F-117_Nighthawk#Combat_loss

    I guess you must expect some losses when you attack other countries. Oops, my bad, it was in USA self defense. Somehow on a wrong continent though ;/

    China can do no better than to make sure that they can defend themselves against another American “self-defense on another continent” error. As soon as invader has to pay a price, it won’t invade anymore.

  24. Yeah, because America is the only country that defends itself outside its borders. What a bunch of assholes we are huh?

    ooo jets! *looks outside* i love living next to Wright Patterson AFB

  25. Solution: unplug the Ethernet cable!

    It amazes me that we allow servers with sensitive data to even be connected to the internet in some way. As long as the servers are connected they will be hacked. You would think that people could start using their brains again instead of the constant “bow down to the almighty internet” mentality.

  26. @caleb: Americans are a great nation that I admire greatly for: idea of real liberty and democracy, technical ability, science, space exploration and other things. Unfortunately, your nation seems to go deeper and deeper into a morass. Old ideals have been abandoned, and you are pulled into conflict with everyone for profits of few. Plutocracy? Military-industrial complex? I don’t know. But things seem to get worse at fast pace.

    I hope that America will recover to its old ideals sooner rather than later. Space exploration, science innovation, and all the good things you are admired for the world over. Not wars.
