Stolen information from RSA Security may have been used to hack into Lockheed Martin's secure servers, say sources.  (Source: RSA Security)

Lockheed claims information on its fighter projects and government-contracted IT storage was NOT stolen. The company says it quickly countered the "sophisticated" attack.
Company claims fighter project schematics and hosted government information were not leaked

Over a week has passed since Lockheed Martin Corp. (LMT), the U.S. government's top information technology services provider, was hacked. The attack has been characterized as a "fairly subtle", yet "significant and tenacious" attack on servers at its massive Gaithersburg, Maryland data center, located not far from the company headquarters in Bethesda.

As details emerge, the attack is appearing more and more like it was lifted out of a spy movie or Tom Clancy novel. The hackers appear to have gained entry using information stolen in a separate, even more audacious attack on one of the world's highest profile security firms.

I. RSA Sec. Breach -- Prelude to the Lockheed Martin Attack?

Back in March hackers gained access to RSA Security's servers.  RSA Sec. takes its name from the last initials of founders Ron Rivest, Adi Shamir, and Leonard Adleman, three top cryptographers.  The trio's popular public-key cryptography algorithm shares the same name -- RSA.

At the time of the RSA Sec. intrusion, the company commented that although it believed information was stolen, it did not believe customer information or the security of its software products were compromised. Yet it did advise clients to follow online advice to safeguard themselves against possible fallout from the data loss.

The attack on RSA was described as "extremely sophisticated".

Sources close to Lockheed point to compromised RSA SecurID tokens -- USB keychain dongles that generate strings of numbers for cryptography purposes -- as playing a pivotal role in the Lockheed Martin hack.

II. Damage Control

Hackers are believed to have entered Lockheed Martin's servers by gaining illegitimate access to the company's virtual private network (VPN).  The VPN allowed employees to connect over virtually any public network to the company's primary servers, using information streams secured by cryptography.

With the RSA tokens hacked, though, those supposedly secure VPN connections were compromised.

Lockheed says that it detected the attack "almost immediately" and warded it off quickly. The company has since brought the VPN back online, but not before making "upgrades" to the RSA tokens and adding new layers of security to the remote login procedure.

III. What Was Lost?

At this point the question on everyone's mind likely is "What was lost?"

Lockheed has cause for concern -- the company is not only safeguarding a wealth of U.S. government military information from external sources, it's also protecting its own valuable projects -- the F-16, F-22 and F-35 fighter aircraft; the Aegis naval combat system; and the THAAD missile defense.

A U.S. Defense Department spokeswoman, Air Force Lieutenant Colonel April Cunningham told Reuters Saturday night that the risk from the breach was "minimal and we [the USAF] don't expect any adverse effect."

Lockheed Martin claims that no compromise of customer, program or employees' personal data occurred.  The company has made similar claims about past breaches.  

Now that the Pentagon is involved, if anything was stolen, it should be identified shortly.

IV. Who Attacked Lockheed Martin?

After the pressing issue of what was lost, perhaps the second most compelling question is who was behind the breach. Military officials and security staff at Lockheed are looking for clues in local time-stamped information stored on the server and IP logs, trying to find out who accessed the compromised systems from where and when.

The problem is not easy, as hackers commonly reroute their malicious traffic through multiple proxies, disguising their location. That said, given the nature of the attack -- take down one of the world's top security firms and then use that information to compromise a top defense contractor -- involvement by a foreign government is suspected.

Lockheed posted a job listing last week requesting the services of a "lead computer forensic examiner".  Requirements included someone who could "attack signatures, tactics, techniques and procedures associated with advanced threats" and "reverse engineer attacker encoding protocols."  The cyber forensics expert's first task will likely be to try to pinpoint the identity of the attacker.

The most likely suspect is obviously China, with whom the U.S. government has been waging a "cyberwar" for a decade now. China hires freelance hackers and maintains a large military force of official hackers as well. It uses this force to infiltrate international utilities, businesses, government servers, and defense contractors, looking for valuable information.

China has recently been testing a stealth jet, the J-20, which contains features curiously similar to those found on past Lockheed Martin designs.  China insists, though, that it did not use stolen information to build its new weapon.

V. One Million Threats

Lockheed Martin's IT staff say they encounter 1 million "incidents" a day.  They have to filter through these, distinguishing "white noise" from serious threats.

The Maryland data center from which information was taken is a state-of-the-art facility, built in 2008. It covers 25,000 square feet and cost $17M USD to build. But even with relatively modern systems and protections, defenses were still not strong enough to hold off the sophisticated and savvy attacker.

The company has a separate back-up data center in Denver, Colorado, which shares some of the company's contract workload.  That center is not believed to have been breached in the intrusion.

Going ahead, Lockheed Martin will invariably face pressure from the U.S. Military and Congress to do a better job in making its systems breach-proof.  But given the company's budget versus China's virtually blank check given to cyber security efforts, one has to wonder how much the company will be able to do with so little.

Sondra Barbour, the company's chief information officer, reminded employees in an email, "The fact is, in this new reality, we are a frequent target of adversaries around the world."

Comments

Authenticator keys compromised?
By rabbitslayer21 on 5/30/2011 10:34:28 AM , Rating: 3
I hope I'm not the only one here worried for the safety of his/her WoW account...

RE: Authenticator keys compromised?
By MrTeal on 5/30/2011 10:57:36 AM , Rating: 4
Possibly a foreign government breaks into the system of a security firm defending many high profile companies, and then uses that to gain access to the network of one of the US's most important defense contractors, one that is responsible for the next generation of air power.

Sigh... No, you're probably not the only one worried about your WoW account.

RE: Authenticator keys compromised?
By wranglerangler on 5/31/2011 9:56:57 AM , Rating: 2
If I recall correctly, shortly after the WoW authenticators came out there were hackers who defeated them. I believe there was malware involved that intercepted the login credentials then displayed a logon error to the user. In the meantime, it sent the login data to a remote system that would attempt to access the account during the window in which the authenticator key was still valid.

RE: Authenticator keys compromised?
By vapore0n on 5/31/2011 11:35:09 AM , Rating: 2
"during the window in which the authenticator key was still valid."

You mean they used a key logger coupled with a phishing site? They didn't defeat the RSA system, they defeated the user's intelligence.

RE: Authenticator keys compromised?
By wranglerangler on 5/31/2011 12:58:19 PM , Rating: 2
"You mean they used a key logger coupled with a phishing site? They didn't defeat the RSA system, they defeated the user's intelligence."

No, I meant exactly what I said. The hackers found a hole in the system and exploited it using a modified version of the same sort of tactics (malware w/ keyloggers, etc.) they had been using successfully for quite some time. Just because people fell for it doesn't make them dumb. Smart people get bamboozled every day (look how many intelligent people were fooled then financially ruined by Madoff).

Most people are not security experts and there was a general perception among many WoW players that the authenticator made an account 100% secure. If the attackers preyed on anything related to users, it was users' ignorance (as per usual) in conjunction with a vulnerability.

After all, I'm sure Blizzard was aware that this sort of man-in-the-middle attack was still an issue, but they didn't go out of their way to advertise that when they were pushing authenticators. They knew another security layer with a high rate of adoption would make their system more secure and would reduce the number of compromised accounts.

RE: Authenticator keys compromised?
By borismkv on 5/31/2011 4:50:12 PM , Rating: 2
Blizzard needs to step up their security anyway. They don't even accept special characters in passwords, which basically means that if someone is able to get a hold of some password hashing info, they can just rainbow table your password pretty easily. The fact that Blizzard *only* has RSA tokens as an advanced form of security shows how little they give a crap. Despite the fact that their poor security is costing them probably hundreds of thousands of dollars a year in Customer Support costs and lost subscriptions due to hacking.

By wranglerangler on 5/31/2011 5:39:41 PM , Rating: 2
You are right to an extent, but a company like Blizzard must walk a very thin line when it comes to security and usability. I'm sure there has been a lot of hand wringing going on at their HQ over the constant flood of compromised accounts, but at the same time the solutions they implement need to be carefully thought out so as not to drive away customers by making the game less fun or inconvenient.

No one on Blizzard's security team wants to be the person who killed the goose that was laying golden eggs. They don't want to lose customers because they can't secure their accounts, but at the same time they don't want to implement strong yet unpopular security measures that could drive away even more customers. I have a feeling they know exactly where the break even point is for several solutions they could implement and are just waiting to get there to start rolling out new security features.

RE: Authenticator keys compromised?
By spamreader1 on 5/31/2011 11:56:32 AM , Rating: 2
I've had my account hacked once a few months ago, and several in my guild have also been hacked in the past. We all have authenticators, it cuts down on the hacked accounts, but doesn't stop it completely.

By Smartless on 5/31/2011 11:18:56 PM , Rating: 2
Yeah I think they got me through some kind of in-game hack. I had scanned my machine with several anti-malware and virus scanners. Bought an authenticator, 2 months later somehow I got booted and my stuff sold.

Doesn't help when you hear stories like these,
Not that I ever purchased gold, thought this article was funny and shows how determined they are.

Oh Really.
By karielash on 5/30/2011 11:18:01 AM , Rating: 5

According to every other news source I can find nothing was lost (according to the government and Lockheed ;) ), and the breach was from a phishing style attack which delivered a key logging trojan which seems to have been attempting to grab the pins and user names, without which the RSA information is useless.

The RSA hack does not mean the VPN security was useless, you would still need the additional account information to use the token. Whilst replacing all the tokens and forcing password changes maybe could have been made as soon as the RSA breach was discovered (easy to be wise after the fact) without the full details of what the hackers took from RSA and the limited guidance provided by them it probably wasn't considered necessary.

You could now surmise that at the very least the RSA seed files were compromised, the change of tokens should resolve that issue. Combined with a change of password/PIN the issue probably looks better as speculation and supposition plastered all over the press than fact in the hacking history books.

RE: Oh Really.
By theapparition on 5/31/2011 10:38:54 AM , Rating: 3

We have contracts that require my company to use the RSA tokens for certain access. All of my employees have the tokens to access the VPN.

We were notified by RSA months ago that they had a security violation and they replaced every token with a new one.

As you stated, still need the user and pin number, so even the compromised token gets them nothing.

By themaster08 on 5/30/2011 4:32:30 PM , Rating: 5

By spamreader1 on 5/31/2011 11:57:29 AM , Rating: 2
You sit on it, but can't take it with you.

By MrTeal on 5/30/2011 10:27:26 AM , Rating: 2
"The Maryland data center from which information was taken is a state of the art facility, built in 2008. It covers 25,000 square-feet and cost $17M USD to build. But even with relatively modern systems and protections, defenses were still not strong enough to hold off the sophisticated and savvy attacker."

Is this a typo? That just seems way too cheap.

RE: $17M?
By peterlws08 on 5/30/2011 11:21:50 AM , Rating: 4
A standard looking 25,000 sq ft warehouse in Dubai was about $3.5m so maybe the $17m was just for the building and facilities/security. IT hardware may be extra.

Countering China's hackers
By Cullinaire on 5/30/2011 12:34:24 PM , Rating: 2
Nothing beats a good rebel ambush, but if they are smart and keep them spread out, pathfinders tend to do wonders.

I think it's safe to say that stealth raptors are out of the question now :/

UK Census
By parsley on 5/30/2011 1:47:12 PM , Rating: 2
AFAIK Lockheed Martin are involved in the 2011 UK census. Hopefully our (non-classified?) data is safe too.

Quantum Computer
By dominieks on 6/19/2011 3:54:38 PM , Rating: 2
It might be worth mentioning that Lockheed Martin is one of the first companies that bought a commercially ready Quantum Computer a few weeks ago.

Access to such a device is the heroin of any crypto-man...

Is this a joke???
By slyck on 5/30/2011 8:37:20 PM , Rating: 1
"But given the company's budget versus China's virtually blank check given to cyber security efforts, one has to wonder how much the company will be able to do with so little."

from Wikipedia "received $36 billion in government contracts in 2008 alone, more than any company in history"

Yeah, Lockheed Martin's budget is "so little". They obviously can't be expected to afford security with the few dollars they have. /S

Copyright 2016 DailyTech LLC.