DailyTech - RSA Offers New SecurIDs in the Wake of Lockheed Martin Cyberattack

Submit News

Science RSA Offers New SecurIDs in the Wake of Lockheed Martin Cyberattack
Jason Mick (Blog) - June 7, 2011 6:36 PM

10 comment(s) - last by borismkv.. on Jun 10 at 2:19 PM

RSA has offered to replace customers' SecurIDs after they were compromised by a recent data breach. The breach is believed to be part of a foreign espionage attempt. (Source: Michael Lu)

Spies used the information to penetrate the servers of the U.S.'s largest defense contractor, Lockheed Martin, last month. (Source: Reuters/Mick Tsikas)

Old dongles likely have been compromised

Most people have never seen them, but little USB-like dongles called "SecurIDs" have played a crucial role in protecting some of our nation's most valuable information. Designed by RSA Security, a subsidiary of EMC Corp. (EMC), the dongles generate a string of numbers ever 30 to 60 seconds that acts a one-time password.

Users must enter both their pin (traditional password) and the number shown within a narrow time window in order to log in to a secure connection. The approach is designed to protect both against keylogging attempts to steal passwords and against traditional brute force attacks that try to "guess" at the password.

The scheme was sound -- until RSA Security's servers were breached in a hack that was believed to be an act of foreign espionage.

Mid last month, hackers used the stolen information to compromise the security codes and remotely enter servers belonging to Lockheed Martin Corp. (LMT), the U.S. government's top information technology services provider, and major supplier of heavy armaments

The hack shocked the U.S. defense community. Sources close to the Lockheed Martin say that it is believed to have originated from a familiar source -- China -- though the U.S. State Department, U.S. Department of Defense, and Lockheed Martin itself have yet to officially comment.

China has been trying for years to steal information on the U.S. government's stealth jet program, according to some officials. Most of these efforts consisted of buying the wreckage of crashed U.S. fighters, but some believe China is also looking to the internet for new intelligence on various U.S. weapons programs.

Fortunately, sources say that Lockheed Martin did not store critical stealth fighter information on its internet connected servers. Nonetheless, foreign sources may have been able to obtain other information that was housed on Lockheed Martin's internet-accessible servers.

In a letter to its customers, RSA acknowledges that the information stolen from RSA's servers was likely used to compromise the keys breach Lockheed Martin's security. Writes the company:

Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related (intellectual property).

RSA has offered to replace customers' SecurIDs free of charge, to prevent similar intrusions. The new dongles should be safe, as RSA believes the underlying algorithm remains sound and unbroken.

Previously RSA would only say that customers might want to prepare for the ramifications of the breach. Many observers expressed credulity at first that the stolen information was used in the Lockheed Martin intrusion, given the encryption format's prestigious reputation.

Comments

Threshold

Username
Password
remember me

This article is over a month old, voting and posting comments is disabled

RE: Really?

By amanojaku on 6/7/2011 9:17:47 PM , Rating: 2

I would have said "most people in the world have probably never seen them", but I agree with Jason. I used to sell security products that supported two-factor authentication and one-time passwords, and it was rare to see RSA SecurIDs anywhere outside of corporations of 5000 employees or more. In extreme cases only a portion of the company had SecurIDs for things like virtual desktops and file transfer, while the rest had restricted access to OWA and other web services.

These things are expensive, and complicated to configure when compared to AD/LDAP, traditional RADIUS, etc... Well, not really complicated as much as unfamiliar. Nearly everyone has AD, and by extension LDAP, knowledge. Few people outside of UNIX admins touch RADIUS, let alone attempt to implement an RSA version.

Long story short, for every professional I have met who uses a SecurID, there 1,000 who don't have one, and 5,000 who don't even know what it is.</slight_exaggeration>

Parent

"If you look at the last five years, if you look at what major innovations have occurred in computing technology, every single one of them came from AMD. Not a single innovation came from Intel." -- AMD CEO Hector Ruiz in 2007