Lockheed Martin hacked using RSA keys

Flashback (Enthusiast; joined Oct 29, 2006; 13,269 posts)
Lockheed Martin hacked using RSA keys - Security - Technology - News - iTnews.com.au

Data breach at the Pentagon's largest supplier.


Lockheed Martin, the world's biggest aerospace company and the Pentagon's No. one supplier, has been hit by an unspecified cyber incident, the U.S. government said on Saturday.
The Department of Homeland Security said it and the Defense Department had offered to help gauge the scope of a "cyber incident impacting LMCO," as the maker of fighter jets, ships and other major weapons systems is known.
The U.S. government also has offered to help analyse "available data in order to provide recommendations to mitigate further risk," Chris Ortman, a Homeland Security official, said in an e-mailed reply to a query from Reuters.
 
I actually believe the following statement in the article is false:

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC's RSA security division, said the person, who was not authorised to discuss the matter publicly.

But, I don't work for RSA - just something I heard recently.
 
Why does "China" immediately come to mind in these sorts of incidents...
 
Why does "China" immediately come to mind in these sorts of incidents...

For understandable reasons. I was given an unclassified report at work a year or so ago that makes for very interesting reading. It was prepared by Northrop Grumman for the US-China Economic and Security Review Commission in 2009. I've since found it in the commission's archives -
http://www.uscc.gov/researchpapers/...ber_Paper_FINAL_Approved Report_16Oct2009.pdf.

Lots of detailed information - all from publicly available sources - on the various sections of the PLA and their capability for cyber warfare and computer network exploitation. Even Kevin Rudd gets a mention. There is also an anonymous case study of a data exfiltration incident.

Richard.
 
Why does "China" immediately come to mind in these sorts of incidents...

Because stealing and copying is much easier than developing your own systems. And China is well known for the theft of intellectual property.
 
I actually believe the following statement in the article is false:

But, I don't work for RSA - just something I heard recently.

So you are saying that they didn't use RSA tokens to hack LMCO? They hacked them some other way?
 
So you are saying that they didn't use RSA tokens to hack LMCO? They hacked them some other way?

I believe it was an attack based on more than what has been released. I've seen various information, some indicating a phish attack, some suggesting a keylog, some suggesting that the RSA algorithms are in the wild, etc. I've used RSA for many years and doubt that it was possible using the method indicated.
 
I actually believe the following statement in the article is false:



But, I don't work for RSA - just something I heard recently.
Why do you believe it to be false? There was significant media coverage of the initial breach which has led to many organisations re-issuing tokens or changing technology. It would seem that this organisation had not completed either action and remained exposed to the vulnerability post the RSA breach. Interested to know why you believe the statement to be false?

RSA SecurID Breach Shows Why Everybody Must Stay Vigilant - Security - News & Reviews - eWeek.com
RSA's SecurID security breach: What should you do?
After RSA Breach, Are SecurID Tokens in Jeopardy? | PCWorld Business Center
RSA SecurID breach is cause for caution, say analysts - Techworld.com
RSA’s SecurID targeted in data breach - Security
 
Why do you believe it to be false? There was significant media coverage of the initial breach which has led to many organisations re-issuing tokens or changing technology. It would seem that this organisation had not completed either action and remained exposed to the vulnerability post the RSA breach. Interested to know why you believe the statement to be false?

Some RSA customers have replaced their SecurID cards because they were not happy with the level of information provided by RSA about the hack. If I was RSA and a customer says "Replace our cards, or we will walk"... I know what my response would be...

Because Lockheed Martin has claimed that they were not hacked - only that they were attacked:
AFP: Lockheed Martin confirms attack on its IT network
The company's information security team detected the attack almost immediately and took what is described as "aggressive actions" to protect all systems and data, the statement added.

"As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure," Lockheed Martin said.

"No customer, program or employee personal data has been compromised."

Because the SecurID implementation is based on several levels of security, and no attacker will know them all unless they are obtained by social engineering or similar (usually an RSA implementation will involve a username, a PIN, and the pseudo-random number on the card). Even if the seed values were stolen (and assuming they were matched to a customer by the hackers), they are useless without the SecurID serial number to tie it back to, the username of the user and their PIN.

Because the media contains other incorrect reports about the "hack" - eg, that RSA has reissued 100,000 tokens at LM... this is not currently true.
 
Because the SecurID implementation is based on several levels of security, and no attacker will know them all unless they are obtained by social engineering or similar (usually an RSA implementation will involve a username, a PIN, and the pseudo-random number on the card). Even if the seed values were stolen (and assuming they were matched to a customer by the hackers), they are useless without the SecurID serial number to tie it back to, the username of the user and their PIN.

I thought that in this case they had created the ability to create their own SecurID token codes and had back engineered the key that RSA used to create LM's token series.

The RSA token patent has expired in 2001 (?) so there is a growing number of people creating similar technologies (ie Google Authenticator) BUT it still comes down to having the computer power to generate and work with large prime numbers.
 
I thought that in this case they had created the ability to create their own SecurID token codes and had back engineered the key that RSA used to create LM's token series.

The RSA system is a multiple factor authentication process.

On most (normal) implementations you require three things:
- A username
- A PIN
- the code from the token.

On most implementations, the account gets locked if you enter three/four or a similar number of incorrect PINs / incorrect codes from the token.

In some implementations you also need to know your Windows domain password.

There is much more to this story than what has been told. I haven't lost faith in the RSA SecurID system at all, and can't see the RSA compromise being the sole reason for this LM issue.
 

The RSA system is a multiple factor authentication process.

On most (normal) implementations you require three things:
- A username
- A PIN
- the code from the token.

Agreed, the beauty of the system is the two-factor ID. The protection is that the physical device has to be replicated. Now that there are software implementations of the hardware devices, it is one step closer.

However, there still has to be a social factor involved. Always the easiest method!
 