Slashdot Mirror


Duplicate RSA Keys Enable Lockheed Martin Network Intrusion

An anonymous reader writes "Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other US military contractors, a source with direct knowledge of the attacks told Reuters. They breached security systems designed to keep out intruders by creating duplicates to 'SecurID' electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter." There's also coverage at PC Magazine.

21 of 138 comments

  1. The Security Dance by Frosty Piss · · Score: 3, Interesting

    …said the person who was not authorized to publicly discuss the matter

    I love it how these companies and even our own government can't keep people from talking about secrets, like it's so fucking juicy that everyone just has to spill it out to the press.

    Yes, I'm not a moron, I know these "not authorized" folks are probably explicitly authorized... It's just the whole security "dance" is so fucking silly.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:The Security Dance by __aaqvdr516 · · Score: 2

      The usual way that press inquiries are handled is to have all personnel direct any inquiries to the PR officer or group. It is usually someone who has no real knowledge of what happened and only gives scripted responses to inquiries.

      Since they have real information on how the breach occurred, I'd bet it really was someone who was unauthorized to speak spilling the beans.

    2. Re:The Security Dance by OpenLegs · · Score: 2

      Agreed, more FUD to support renewal of the Patriot Act.

    3. Re:The Security Dance by erroneus · · Score: 2

      Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said had potential to compromise most, if not all, SecureID devices out there.

      I recall when this story came out, I asked "Should we be concerned about this?" We use SecureIDs to get into the company network...

    4. Re:The Security Dance by _Sprocket_ · · Score: 2

      Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said had potential to compromise most, if not all, SecureID devices out there.

      Potential - yes. In so far RSA wasn't really being too frank about what was involved. So since the compromise involved the SecurID product in some way, who's to know exactly what's going on? The potential is there.

      I recall when this story came out, I asked "Should we be concerned about this?" We use SecureIDs to get into the company network...

      To which RSA assured everyone that they should be following "best practices" and maybe paying a lot more attention to failed authentication attempts. Yeah - thanks.

      The possible implication here is that RSA has been far, far less forthcoming than they should have been about this incident. Which has me wondering if we really should be trusting their product in our own environment.

  2. Aha! by wiedzmin · · Score: 2

    So this is what they hacked RSA for! I was waiting to find out who the end-target was... makes sense.

    --
    Bow before me, for I am root.
    1. Re:Aha! by fuzzyfuzzyfungus · · Score: 3, Funny

      I, for one, am shocked, shocked, that RSA's assertion that the breach was minor and totally, not, y'know, a real world issue was less than 100% truthful...

  3. Spoken like a true spokesperson... by Zakabog · · Score: 4, Insightful

    and we remain confident in the integrity of our robust, multi-layered information systems security

    Translation: Our system's breached but maybe you won't realize that if I throw enough buzz words at you...

    1. Re:Spoken like a true spokesperson... by betterunixthanunix · · Score: 4, Insightful

      On the other hand, a robust security system should be able to keep your most important information secure even when a breach occurs at lower levels. So, perhaps a breach occurred that allows some expense reports to be copied but does not enable the attackers to obtain designs for stealth aircraft. A breach is not a good thing, but it does not have to be an all-or-nothing scenario.

      --
      Palm trees and 8
    2. Re:Spoken like a true spokesperson... by Jah-Wren Ryel · · Score: 2

      Indeed. At the defense contractor where I worked, all computers with classified documents were kept isolated in a locked room with no internet connection.

      However, that is not necessarily the case for information that individually is unclassified but in aggregate is classified. The government security folks have a name for that stuff, I just can't recall it at the moment. If an attacker were able to hoover up enough stuff from lockmart's unclassified networks it would be valuable intelligence to the government of some place like China or Israel.

      --
      When information is power, privacy is freedom.
    3. Re:Spoken like a true spokesperson... by Fallen Kell · · Score: 3, Insightful

      For anyone working at a place like this, they know that the real data is on a separate network which has no physical connection to the internet. The only data that could possibly have been compromised would be unclassified, business trade secrets, and/or proprietary information.

      As the one official said (which was almost completely ignored by the article's authors), there should be little risk to actual projects. Really, what they got was access to "TPS reports", and other such documents. Now, there may be an issue with "Export Control" as even if some documents are unclassified, they may not be allowed to be transmitted to certain countries. But all the real information is on that other network which you need physical access to hack, which is one of the easiest things to secure.

      --
      We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  4. Does RSA store usernames and pins? by solarium_rider · · Score: 3, Insightful

    Can someone explain what was actually stolen from RSA that allowed them to break into the networks? From what I understand even if you had had a duplicate SecurID number generator, you would still need the username and securid password (fixed code + random 6 digit) associated with the account to get into the network. Once you are into the network you probably also need a username (same as above) and user password to access the machines. This sounds more like the attackers must have had significant insider knowledge to get in.

    --
    -- How many sigs are as useless as this one?
    1. Re:Does RSA store usernames and pins? by Spad · · Score: 2

      Usernames and passwords are trivial to socially engineer; most people you ask will give you their password without you even asking for it if you claim to be "from IT".

    2. Re:Does RSA store usernames and pins? by blincoln · · Score: 2

      "The permutations for users to tokens to guessing PINs is still astronomical unless an insider was involved that had access to the securid database."

      Maybe. But if you think about it, there are approaches that would only require a lot of attempts, not an "astronomical" number. If you know the username of an employee and whatever Lockheed-Martin's helpdesk uses for verification (last four SSN digits or whatever), you can have their password and SecurID PIN reset. Then just try that PIN with every cloned token in your possession. Trying different PINs with the same token will cause a lockout, but will trying each token once with the same PIN? I'm pretty sure that would go unnoticed, especially if the attempts were made from different proxy servers to mask the source IP all being the same.

      It could also be that RSA had network captures or SecurID database backups or something along those lines *from* Lockheed-Martin that were sent in for troubleshooting purposes, and *those* were stolen as well.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
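The detection gap raised in the comment above (failed logins for one account spread thinly across many source addresses, so no single source trips a threshold) and the "pay more attention to failed authentication attempts" advice mentioned earlier in the thread can be made concrete. This is an added example, not part of the original thread and not RSA's or any vendor's code; the log format, field order, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, username, source IP, result.
SAMPLE_LOG = """\
2011-05-27T09:00:05 jdoe 198.51.100.7 FAIL
2011-05-27T09:00:40 jdoe 203.0.113.21 FAIL
2011-05-27T09:01:10 asmith 192.0.2.10 FAIL
2011-05-27T09:01:15 jdoe 198.51.100.99 FAIL
2011-05-27T09:02:02 jdoe 203.0.113.80 FAIL
2011-05-27T09:02:30 asmith 192.0.2.10 OK
2011-05-27T09:03:00 jdoe 192.0.2.55 FAIL
2011-05-27T09:30:00 bwong 192.0.2.77 FAIL
2011-05-27T09:55:00 bwong 192.0.2.77 FAIL
"""

def parse(log):
    """Yield (timestamp, user, source_ip, result) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            yield datetime.fromisoformat(ts), user, ip, result

def per_source_alerts(log, limit=3):
    """Naive control: alert only when one (user, source) pair fails `limit` times."""
    counts = defaultdict(int)
    for _, user, ip, result in parse(log):
        if result == "FAIL":
            counts[(user, ip)] += 1
    return {pair: n for pair, n in counts.items() if n >= limit}

def spread_failures(log, window=timedelta(minutes=10), min_sources=4):
    """Flag users whose failures inside one sliding window come from at least
    `min_sources` distinct addresses. Returns {user: sorted list of sources}."""
    recent = defaultdict(deque)          # user -> (timestamp, ip) of recent failures
    flagged = defaultdict(set)
    for ts, user, ip, result in parse(log):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        sources = {src for _, src in q}
        if len(sources) >= min_sources:
            flagged[user] |= sources
    return {user: sorted(ips) for user, ips in flagged.items()}
```

On the constructed log, the per-source counter raises nothing, while the per-account view flags `jdoe` with five distinct sources inside three minutes.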
    3. Re:Does RSA store usernames and pins? by rahvin112 · · Score: 2

      Some of the early places that jumped on the securID tokens only used the securID as the password (in other words there was no password in front of the 6 digit random code), thus it was trivial to compromise if you could compromise the RSA securID system. What I don't get is why these organizations didn't immediately upgrade security when word came down of the root compromise of RSA. Like one of the previous posters I always believed that breaking the securID system was a deliberate and planned attack to gain access to secondary systems that used the tokens, it's only a question of who did it because one party is responsible for both.

  5. Re:Quantum by VortexCortex · · Score: 4, Funny

    Wonder what relation, if any, this has to the quantum computer?

    My guess is that their new quantum computer enables their security to exist as a superposition of itself -- both being very secure, and completely unsecured at the same time.

    However, now that the state of their security has been observed, it has collapsed into only one state (which is unfortunately: unsecured).

  6. PC Magazine: Classified data secure. Wrong. by Relayman · · Score: 2

    According to PC Magazine: "Classified information is likely out of hackers' hands: Due to the volume of attacks that these kinds of systems on a daily basis, it's highly doubtful that Lockheed—or any security contractor—would keep top-secret information within reach, should one ever breach the remote access gates."

    Sounds like wishful thinking to me. Classified information has been breached in the past so why would you expect that it's magically safe now?

    --
    If I used a sig over again, would anyone notice?
    1. Re:PC Magazine: Classified data secure. Wrong. by tsotha · · Score: 2

      Oh, don't get me wrong. I think classified data is routinely stolen by other countries. I just don't think much (if any) is stolen by cyberspies hacking in from the outside. When I worked as a defense contractor the rules were pretty strict - we had a network with classified data on it, but that network was physically disconnected from the internet. The cables were even covered in thick pipes that were regularly inspected to discourage tapping from the inside.

      I'm not saying nobody has ever stolen classified data by hacking in. But for that to happen someone has to physically put classified data on an insecure network, something that's not easy to do on accident.

  7. Soft tokens? by Technomancer · · Score: 2

    If they are using soft token apps in addition to hardware keys they are trivial to duplicate if you can get ahold of the key string and password from an employee.

  8. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  9. Re:Surprise Intrusion? by sloth jr · · Score: 2

    A few aspects of security as practiced in the military-industrial complex occur that you may be unaware of:
    - daily automated audits; these regularly flag new vulnerabilities;
    - entire teams dedicated to evaluation of controls and failure therein
    - segmentation of computing resources by sensitivity; if it's really sensitive, it's not on any network you can get to.
    - physical barriers (gates, armed guards, man traps)

    There are literally thousands of pages of controls concerning security just for non-classified resources: http://iase.disa.mil/stigs/
    They all depend on the integrity of the persons entrusted to safeguard this data. Intentional violation of those controls as allegedly practiced by PFC Bradley Manning shows how these safeguards can break down. Ultimately, you need humans to be able to keep a secret if you have the notion of "classified". That's the real security mechanism right there. That's why security clearances are designed to identify whether or not an individual is "loyal" and not likely to be coerced into revealing state secrets. In any human endeavor, though - some human will conspire to fuck it up. The end-result is almost always massive and persistent headache for everyone else.