

RSA has offered to replace customers' SecurIDs after they were compromised by a recent data breach. The breach is believed to be part of a foreign espionage attempt.  (Source: Michael Lu)

Spies used the information to penetrate the servers of the U.S.'s largest defense contractor, Lockheed Martin, last month.  (Source: Reuters/Mick Tsikas)
Old dongles likely have been compromised

Most people have never seen them, but little USB-like dongles called "SecurIDs" have played a crucial role in protecting some of our nation's most valuable information.  Designed by RSA Security, a subsidiary of EMC Corp. (EMC), the dongles generate a string of numbers every 30 to 60 seconds that acts as a one-time password.

Users must enter both their PIN (traditional password) and the number shown within a narrow time window in order to log in to a secure connection.  The approach is designed to protect both against keylogging attempts to steal passwords and against traditional brute force attacks that try to "guess" the password.
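As an added illustration, not code from the article or from RSA, the following models the server-side check described above: a PIN concatenated with a time-based code, accepted only within a narrow drift window, and a fresh seed issued when a token is replaced. It assumes a simplified HMAC-SHA1 construction over a 60-second counter and a 6-digit code; RSA's actual SecurID algorithm is proprietary and is not reproduced here.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60     # seconds per code; the article says 30 to 60, 60 is assumed here
WINDOW = 1    # accept codes from one interval either side of the server clock


def token_code(seed: bytes, now: int, digits: int = 6) -> str:
    """Code displayed on a token during the interval containing `now`.

    Simplified HMAC-SHA1 model (an assumption); the real SecurID algorithm
    differs, but the property that matters is the same: whoever holds the
    seed can compute the code, which is why a seed leak voids the token.
    """
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify(record: dict, submitted: str, now: int) -> bool:
    """Accept PIN + code if the code matches any interval within WINDOW."""
    pin = record["pin"]
    pin_part, code = submitted[:len(pin)], submitted[len(pin):]
    if not hmac.compare_digest(pin_part, pin):
        return False
    for drift in range(-WINDOW, WINDOW + 1):
        expected = token_code(record["seed"], now + drift * STEP)
        if hmac.compare_digest(code, expected):
            return True
    return False


def reissue(record: dict) -> dict:
    """Replacement token: same PIN, new random seed, old codes no longer verify."""
    return {"pin": record["pin"], "seed": secrets.token_bytes(16)}


# Constructed sample user record; the seed is a placeholder, not a real token seed.
alice = {"pin": "4821", "seed": bytes.fromhex("00112233445566778899aabbccddeeff")}

if __name__ == "__main__":
    now = 1_000_000
    code = token_code(alice["seed"], now)
    print("current code:", code, "verify:", verify(alice, alice["pin"] + code, now))
    print("two intervals late:", verify(alice, alice["pin"] + code, now + 2 * STEP))
```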

The scheme was sound -- until RSA Security's servers were breached in a hack that was believed to be an act of foreign espionage.

In the middle of last month, hackers used the stolen information to compromise the security codes and remotely enter servers belonging to Lockheed Martin Corp. (LMT), the U.S. government's top information technology services provider and a major supplier of heavy armaments.

The hack shocked the U.S. defense community.  Sources close to Lockheed Martin say that it is believed to have originated from a familiar source -- China -- though the U.S. State Department, U.S. Department of Defense, and Lockheed Martin itself have yet to officially comment.

China has been trying for years to steal information on the U.S. government's stealth jet program, according to some officials.  Most of these efforts consisted of buying the wreckage of crashed U.S. fighters, but some believe China is also looking to the internet for new intelligence on various U.S. weapons programs.

Fortunately, sources say that Lockheed Martin did not store critical stealth fighter information on its internet connected servers.  Nonetheless, foreign sources may have been able to obtain other information that was housed on Lockheed Martin's internet-accessible servers.

In a letter to its customers, RSA acknowledges that the information stolen from RSA's servers was likely used to compromise the keys and breach Lockheed Martin's security.  Writes the company:

Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related (intellectual property).

RSA has offered to replace customers' SecurIDs free of charge, to prevent similar intrusions.  The new dongles should be safe, as RSA believes the underlying algorithm remains sound and unbroken. 

Previously RSA would only say that customers might want to prepare for the ramifications of the breach.  Many observers expressed incredulity at first that the stolen information was used in the Lockheed Martin intrusion, given the encryption format's prestigious reputation.




Really?
By fic2 on 6/7/2011 7:39:23 PM , Rating: 4
quote:
Most people have never seen them, but little USB-like dongles called "SecurIDs" have played a crucial role in protecting some of our nation's most valuable information.


Most people in the world - yeah.
Most people reading this website - doubtful since every company I have worked for uses these for remote access.




RE: Really?
By amanojaku on 6/7/2011 9:17:47 PM , Rating: 2
I would have said "most people in the world have probably never seen them", but I agree with Jason. I used to sell security products that supported two-factor authentication and one-time passwords, and it was rare to see RSA SecurIDs anywhere outside of corporations of 5000 employees or more. In extreme cases only a portion of the company had SecurIDs for things like virtual desktops and file transfer, while the rest had restricted access to OWA and other web services.

These things are expensive, and complicated to configure when compared to AD/LDAP, traditional RADIUS, etc... Well, not really complicated as much as unfamiliar. Nearly everyone has AD, and by extension LDAP, knowledge. Few people outside of UNIX admins touch RADIUS, let alone attempt to implement an RSA version.

Long story short, for every professional I have met who uses a SecurID, there are 1,000 who don't have one, and 5,000 who don't even know what it is.</slight_exaggeration>


RE: Really?
By aegisofrime on 6/7/2011 11:55:18 PM , Rating: 2
Here in Singapore every bank uses them for authentication into their Internet Banking services. We also have One Time Passwords sent to our mobile phones for every transaction. So they aren't as rare as you think :)


RE: Really?
By AnnihilatorX on 6/8/2011 4:31:49 AM , Rating: 2
HSBC in the UK is beginning the transition now for Internet Banking of the general public. I knew they were used in high security company based transactions before.


RE: Really?
By jay401 on 6/8/2011 12:07:35 AM , Rating: 2
Heck even anyone with a family member who works for a major corporation has probably seen them. They've been around in a form factor that looks like the first article photo for over 10 years now.


RE: Really?
By Eldercat1 on 6/8/2011 10:39:29 AM , Rating: 2
Or you know, anyone who has an authenticator for World of Warcraft.


Layered Defense
By borismkv on 6/7/2011 7:27:03 PM , Rating: 1
Seriously...Is it *really* that hard to figure out?




RE: Layered Defense
By icanhascpu on 6/7/2011 10:02:20 PM , Rating: 2
Isn't this layered defense?


RE: Layered Defense
By borismkv on 6/10/2011 2:19:41 PM , Rating: 2
No it isn't. RSA tokens allow two factor authentication. That's *one* layer of defense. Utilizing real time monitoring and alerting, rights management systems, encryption, Intrusion Prevention systems, and proper ACL management are other layers. Having crappy internal security with a high powered authentication system is just negligence.


really?
By Murloc on 6/8/2011 6:59:30 AM , Rating: 2
I thought security dongles were widespread for e-banking operations for private customers. At least that's how it is here.



