
RSA has offered to replace customers' SecurIDs after they were compromised by a recent data breach. The breach is believed to be part of a foreign espionage attempt.  (Source: Michael Lu)

Spies used the information to penetrate the servers of the U.S.'s largest defense contractor, Lockheed Martin, last month.  (Source: Reuters/Mick Tsikas)
Old dongles likely have been compromised

Most people have never seen them, but small key-fob-style dongles called "SecurIDs" have played a crucial role in protecting some of our nation's most valuable information.  Designed by RSA Security, a subsidiary of EMC Corp. (EMC), the dongles display a string of digits that changes every 30 to 60 seconds and acts as a one-time password; each code is derived from the current time and a secret seed unique to that token.  

Users must enter both their PIN (a conventional memorized secret) and the number currently shown, within a narrow time window, in order to log in to a secure connection.  The approach limits the value of a keylogged credential to the few seconds before the code expires, and it defeats traditional brute force attacks that try to "guess" the password, because the code the attacker has to match keeps changing.

The scheme was sound -- until RSA Security's own servers were breached in March in a hack that was believed to be an act of foreign espionage.  A token's codes are only as secret as its seed: an attacker who obtains the seed records can compute the same codes the token displays, leaving the PIN as the only secret still protecting the account.

In the middle of last month, hackers used the stolen information to compromise the security codes and remotely enter servers belonging to Lockheed Martin Corp. (LMT), the U.S. government's top information technology services provider and a major supplier of heavy armaments.

The hack shocked the U.S. defense community.  Sources close to Lockheed Martin say that it is believed to have originated from a familiar source -- China -- though the U.S. State Department, U.S. Department of Defense, and Lockheed Martin itself have yet to officially comment.

China has been trying for years to steal information on the U.S. government's stealth jet program, according to some officials.  Most of these efforts consisted of buying the wreckage of crashed U.S. fighters, but some believe China is also looking to the internet for new intelligence on various U.S. weapons programs.

Fortunately, sources say that Lockheed Martin did not store critical stealth fighter information on its internet-connected servers.  Nonetheless, foreign sources may have been able to obtain other information that was housed on Lockheed Martin's internet-accessible servers.

In a letter to its customers, RSA acknowledges that the information stolen from RSA's servers was likely used to breach Lockheed Martin's security.  Writes the company:

Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related (intellectual property).

RSA has offered to replace customers' SecurIDs free of charge, to prevent similar intrusions.  The new dongles should be safe: a replacement token carries a new secret that the attacker does not hold, and RSA believes the underlying algorithm itself remains sound and unbroken. 

Previously RSA would only say that customers might want to prepare for the ramifications of the breach.  Many observers were at first incredulous that the stolen information had been used in the Lockheed Martin intrusion, given the scheme's prestigious reputation.


Really?
By fic2 on 6/7/2011 7:39:23 PM , Rating: 4
Most people have never seen them, but little USB-like dongles called "SecurIDs" have played a crucial role in protecting some of our nation's most valuable information.

Most people in the world - yeah.
Most people reading this website - doubtful since every company I have worked for uses these for remote access.

RE: Really?
By amanojaku on 6/7/2011 9:17:47 PM , Rating: 2
I would have said "most people in the world have probably never seen them", but I agree with Jason. I used to sell security products that supported two-factor authentication and one-time passwords, and it was rare to see RSA SecurIDs anywhere outside of corporations of 5000 employees or more. In extreme cases only a portion of the company had SecurIDs for things like virtual desktops and file transfer, while the rest had restricted access to OWA and other web services.

These things are expensive, and complicated to configure when compared to AD/LDAP, traditional RADIUS, etc... Well, not really complicated as much as unfamiliar. Nearly everyone has AD, and by extension LDAP, knowledge. Few people outside of UNIX admins touch RADIUS, let alone attempt to implement an RSA version.

Long story short, for every professional I have met who uses a SecurID, there are 1,000 who don't have one, and 5,000 who don't even know what it is.</slight_exaggeration>

RE: Really?
By aegisofrime on 6/7/2011 11:55:18 PM , Rating: 2
Here in Singapore every bank uses them for authentication into their Internet Banking services. We also have One Time Passwords sent to our mobile phones for every transaction. So they aren't as rare as you think :)

RE: Really?
By AnnihilatorX on 6/8/2011 4:31:49 AM , Rating: 2
HSBC in the UK is beginning the transition now for Internet Banking of general public. I knew they were used in high security company based transactions before

RE: Really?
By jay401 on 6/8/2011 12:07:35 AM , Rating: 2
Heck even anyone with a family member who works for a major corporation has probably seen them. They've been around in a form factor that looks like the first article photo for over 10 years now.

RE: Really?
By Eldercat1 on 6/8/2011 10:39:29 AM , Rating: 2
Or you know, anyone who has an authenticator for World of Warcraft.


Copyright 2016 DailyTech LLC.