United States military contractors hacked, SecurID to blame

Have we reached a tipping point on the Internet where companies that are not breached are the exception rather than the norm? Reading the headlines every day, it sure seems like it, with companies like Sony, Honda, and Apple falling victim. Another company, EMC, was also attacked in March, but instead of losing customer data they lost the keys to their RSA SecurID tokens. For those who are unaware, most corporations use these tokens, combined with a password, to allow their employees to connect to the corporate network from their homes.

Now Reuters is reporting that unknown attackers have used data gained from the SecurID breach to successfully break into Lockheed Martin, a defense contractor for the United States government. At this time nobody knows whether any data was actually taken or not. It’s interesting to note that while most attacks have been attempting to gather personal information about users, this is one of the few published attacks targeting a company that does not deal directly with the public. It also appears that the attacks on EMC/RSA and Lockheed Martin have been more advanced than simple SQL injection attacks.

What does this mean for the future of the “always on” Internet? It seems like it’s too late to go back, but how can we better protect our sensitive data? Although there are no easy answers to these questions, with the advent of “cloud computing” we are seeing more and more sensitive data being put online, so solutions need to be identified and implemented.


21 Comments


I can't believe they were using SecurID

Chinese hackers steal hundreds of Warcraft accounts each day from people that are using the IDs. Why would a Gov contractor think it would be any safer than a gaming account by using it as well?

*tinfoil hat.
Anyone else wonder if these are fabricated in order for the government to get more fuel to have power over the internet? Just a thought...

presence06 said,
*tinfoil hat.
Anyone else wonder if these are fabricated in order for the government to get more fuel to have power over the internet? Just a thought...

If it were the government saying they were attacked, then maybe. But no company, especially not one that is publicly traded, wants this kind of attention as it can easily affect their share prices.

Fezmid said,

If it were the government saying they were attacked, then maybe. But no company, especially not one that is publicly traded, wants this kind of attention as it can easily affect their share prices.


I was just curious. Seems a lot of this is going on. Sony, Honda, This.. just thinking it might all be tied to their push to tighten the internet.

Why don't the bigger companies send in a private satellite, that connects their servers/companies to each other, and then some update server with server updates/internet connection, etc.

Geranium_Z__NL said,
Why don't the bigger companies send in a private satellite, that connects their servers/companies to each other, and then some update server with server updates/internet connection, etc.

Because it's very very *costly* to use non-standard authentication - worse, most government contracts won't let you.

Even if RSA doesn't supply the cryptokeys being used, their protocols DO underlie just about all the competing key standards (including the two most commonly used alternatives - Diffie/Hellman and Blowfish). Also, there are folks out there that don't like ANY platform-neutral standards, and want to undermine RSA for that reason alone.

We were going to implement two factor authentication via RSA. After this breach back in March, we opted to go with a different vendor for precisely this reason. This validates our choice.

We're actually in the process of removing external access from all of our servers unless it's needed because of all this ****.

Ryoken said,
The simple fact is, once it's connected to the net, security is a myth. There is ALWAYS a way..
Which is why 90% of the classified things that companies like Lockheed have are stored on local servers that have no connection whatsoever to the internet.

As someone who has worked at Lockheed in the past, unless there is an internal breach of security, nothing highly sensitive will be obtained from hacking in from the outside.

It really makes you wonder who was actually behind the RSA attack. Foreign state? Sounds more likely if they're going after government contractors.

Did you just join the internetz? Companies were always hacked. It's nothing new

About cloud computing and securing your 'sensitive data', do what people always tell you to do:
Use different password for every registration and always encrypt the data yourself before giving them to the cloud

SecurID compromised?
HAH, well done RSA, that's now all advanced bank security (those that bothered to implement it anyway) defeated, great.

Why bother to identify and implement if we can just apologize to people, write a few reports and forget about it. Because an apology always fixes everything. /s

Unknown attackers? Pssht, must be some evil aliens. And nobody knows if any data was taken. Because, you know, nobody knows anything there to avoid someone knowing too much. Everyone's simply an expert on the field.

cralias said,
Why bother to identify and implement if we can just apologize to people, write a few reports and forget about it. Because an apology always fixes everything. /s

Unknown attackers? Pssht, must be some evil aliens. And nobody knows if any data was taken. Because, you know, nobody knows anything there to avoid someone knowing too much. Everyone's simply an expert on the field.

What are you talking about?! It's even stated on the article Lockheed Martin (god dammit, those defense contractors have the coolest names ><) doesn't deal with the public, who are they going to apologize to? This is no oil spill or gaming network shortage, a PR in this case probably doesn't even exist.

Also, are you implying any link between all the attacks? As far as we know every single one of them is a different person/group. This one in particular has a completely different focus and execution so I really don't know where you are coming from. Even if we were to start making connections between all of them and try to put some sort of political agenda behind the whole thing it would be a flimsy argument at best.

And what about "Everyone's simply an expert on the field."? You might be damn sure that every single person on their pay list has a ton of background on the area, their higher ups MIGHT undermine their productivity with low budget and small work force but this doesn't undermine their resume (not so much the case on the Sony breach I give you that... but then again, they were targeted by semi automatic scripts so what can you expect from them ¬¬).

*711 said,
What are you talking about?!

Just like the last paragraph in the article, I'm talking about the security of online data in general. I could care less about EMC, Lockheed or any individual attack in particular.

The link between the attacks is that something is wrong here. I know, I know... I'm ranting. I'm still an idealistic bast*rd, I'll admit that. Things don't work that way x_x

*711 said,

What are you talking about?! It's even stated on the article Lockheed Martin (god dammit, those defense contractors have the coolest names ><) doesn't deal with the public, who are they going to apologize to? This is no oil spill or gaming network shortage, a PR in this case probably doesn't even exist.

Also, are you implying any link between all the attacks? As far as we know every single one of them is a different person/group. This one in particular has a completely different focus and execution so I really don't know where you are coming from. Even if we were to start making connections between all of them and try to put some sort of political agenda behind the whole thing it would be a flimsy argument at best.

And what about "Everyone's simply an expert on the field."? You might be damn sure that every single person on their pay list has a ton of background on the area, their higher ups MIGHT undermine their productivity with low budget and small work force but this doesn't undermine their resume (not so much the case on the Sony breach I give you that... but then again, they were targeted by semi automatic scripts so what can you expect from them ¬¬).

While Lockheed Martin is known primarily for their military contract work, they do a lot more than just weapons - heck, their IT contracts alone cover darn near every government agency that *isn't* connected to either the grunts or the spooks (including the courts and the taxers) and a crapton of state and even municipal-government contracts as well.

RSA got targeted because they are the first private and *accepted* standard for security tokening that is operating-system-neutral, and they have been that standard for two decades now. However, the very fact that they are OS-neutral means that they are only as strong as the least-secure operating system that uses their keying. (Surprise - it's NOT Windows.) The groups that would want to do that sort of cracking are as varied as there are opinions - and it may not necessarily be state-related cyberterror.

What truly scares me are the anarchist/nihilist fringe of terror groups. Anarchists seek to tear down *all* governments, regardless of stripe. (Some offshoots of al-Qaeda fall into this category.) The nihilistic fringe not only is even scarier, but far more focussed - they seek to destroy for the sake of destruction. (Think homicide bombing with backpack nukes.) The nihilistic fringe, unfortunately, can cloak itself inside the more mainstream terror groups very well.