
Duplicate RSA Keys Enable Lockheed Martin Network Intrusion 138

Posted by timothy
from the nobody's-perfect dept.
An anonymous reader writes "Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other US military contractors, a source with direct knowledge of the attacks told Reuters. They breached security systems designed to keep out intruders by creating duplicates to 'SecurID' electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter." There's also coverage at PC Magazine.
  • The Security Dance (Score:4, Interesting)

    by Frosty Piss (770223) * on Saturday May 28, 2011 @04:51PM (#36275580)

    …said the person who was not authorized to publicly discuss the matter

    I love it how these companies and even our own government can't keep people from talking about secrets, like it's so fucking juicy that everyone just has to spill it out to the press.

    Yes, I'm not a moron, I know these "not authorized" folks are probably explicitly authorized... It's just the whole security "dance" is so fucking silly.

    • …said the person who was not authorized to publicly discuss the matter

      I love it how these companies and even our own government can't keep people from talking about secrets, like it's so fucking juicy that everyone just has to spill it out to the press.

      Yes, I'm not a moron, I know these "not authorized" folks are probably explicitly authorized... It's just the whole security "dance" is so fucking silly.

      Except if it's a conspiracy, of course. Everyone knows that the government manages to keep its conspiracies completely secret.

    • by Jaktar (975138)

      The usual way that press inquiries are handled is to have all personnel direct any inquiries to the PR officer or group. It is usually someone who has no real knowledge of what happened and only gives scripted responses to inquiries.

      Since they have real information on how the breach occurred, I'd bet it really was someone who was unauthorized to speak spilling the beans.

      • by yuhong (1378501)

        Yea, legacy PR based on control of the message is fundamentally flawed.

      • Since they have real information on how the breach occurred, I'd bet it really was someone who was unauthorized to speak spilling the beans.

        That's the way it works for most businesses, but not the way it works for government agencies.

        As Lockmart is the largest corporate member of the military industrial complex, things are a little bit different in this case. There are national security implications to both Lockheed being hacked and to RSA tokens being duplicable. That makes for all kinds of motives for a "controlled" leak like this; for all we know it is 100% spin designed to cover some other worse(?) scenario.

        • by _Sprocket_ (42527)

          That's the way it works for most businesses, but not the way it works for government agencies.

          As Lockmart is the largest corporate member of the military industrial complex, things are a little bit different in this case. There are national security implications to both Lockheed being hacked and to RSA tokens being duplicable. That makes for all kinds of motives for a "controlled" leak like this; for all we know it is 100% spin designed to cover some other worse(?) scenario.

          Ahhh - the language of conspiracy. We know we're in for some really good non-information as soon as "Lockmart" and "military industrial complex" are uttered. Yes - serious implications for Lockheed's compromise (psst - not the first time). Serious implications for RSA tokens being duplicated - definitely. Then we'll just play "I've got a secret" and end it with vague mention of "all kinds" of spin and unnamed scenarios. That should be enough to get lots of head-nodding from the anti-military political

          • WTF? Everything I wrote is pretty much self-evident.

            Getting their unclass network breached is a freaking obvious problem.

            It is no secret that the military uses RSA tokens all over the place either. It is also no secret that RSA guards the source code at the heart of their authentication system pretty jealously - not even including it in their SDK. And the idea that RSA tokens may now be duplicable due to the prior theft of that source was in the goddamn HEADLINE of the story here.

            On the nature of the una

            • by _Sprocket_ (42527)

              WTF? Everything I wrote is pretty much self-evident.

              Getting their unclass network breached is a freaking obvious problem.

              Well, yes. Everything is pretty much self-evident except for the part that goes:

              That makes for all kinds of motives for a "controlled" leak like this; for all we know it is 100% spin designed to cover some other worse(?) scenario.

              What's the motive for a controlled leak? What possible worst-case scenarios? If you're going to invoke conspiracy, at least entertain us with one.

              It is no secret that the military uses RSA tokens all over the place either. It is also no secret that RSA guards the source code at the heart of their authentication system pretty jealously - not even including it in their SDK. And the idea that RSA tokens may now be duplicable due to the prior theft of that source was in the goddamn HEADLINE of the story here.

              I agree for the most part. Although the big question is exactly what RSA's intrusion meant. We don't know how this intrusion enda

              • What's the motive for a controlled leak? What possible worst-case scenarios? If you're going to invoke conspiracy, at least entertain us with one.

                If RSA isn't at fault but everyone thinks they are, then that does a lot of things. Like political cover for Lockheed management doing something stupid that actually enabled the breach - say poor protection against spear-phishing attacks. Or security through misdirection - maybe the real vulnerability is present in other systems and they are hoping that other bad guys won't figure it out in time to take advantage of it if everybody thinks RSA is compromised instead.

    • by Xtifr (1323)

      I love it how these companies and even our own government can't keep people from talking about secrets

      Sure they can! It's just that they're only good at it when it concerns UFOs and JFK's assassination and Bigfoots and the faked moon landing and the Illuminati and the herds of Invisible Pink Unicorns thundering across the Great Plains, and things like that.

    • by OpenLegs (2203438)
      Agreed, more FUD to support renewal of the Patriot Act.
      • by milkmage (795746)

        WTF Patriot Act? Hacking was illegal prior to 9/11

        • If hacking were illegal, then some pretty famous people would still be locked up. Bill Gates, Steve Jobs, and Linus Torvalds come readily to mind. Microsoft employees by the hundreds. Apple employees by the score. Probably all of the anti-malware companies would lose their most valuable people.

          Had you said that "espionage" and "theft by wire" were illegal before 9/11, your post would have made more sense. "Hacking" is not, nor has it ever been illegal - TOS's and EULA's notwithstanding.

    • by erroneus (253617)

      Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said had potential to compromise most, if not all, SecureID devices out there.

      I recall when this story came out, I asked "Should we be concerned about this?" We use SecureIDs to get into the company network...

      • by _Sprocket_ (42527)

        Not necessarily. I seem to recall about a month or two ago a story came out about a serious compromise in RSA's systems which was said had potential to compromise most, if not all, SecureID devices out there.

        Potential - yes. Insofar as RSA wasn't really being too frank about what was involved. So since the compromise involved the SecurID product in some way, who's to know exactly what's going on? The potential is there.

        I recall when this story came out, I asked "Should we be concerned about this?" We use SecureIDs to get into the company network...

        To which RSA assured everyone that they should be following "best practices" and maybe paying a lot more attention to failed authentication attempts. Yeah - thanks.

        The possible implication here is that RSA has been far, far less forthcoming than they should have been about this incident. W

    • What exactly is your problem with people revealing information that organizations would rather keep hidden?

      Yes, I'm not a moron

      And what exactly is your evidence that you're not a moron?

      • by dbraden (214956)

        What exactly is your problem with people revealing information that organizations would rather keep hidden?

        Not all information should be "free", nor do you have a right to know everything. An organization, or an individual, wanting to keep something secret is not, in and of itself, evil.

        • Not all information should be "free", nor do you have a right to know everything. An organization, or an individual, wanting to keep something secret is not, in and of itself, evil.

          When did I say that all information should be free? Care to quote me?
          When did I say that I have a right to know everything? Care to quote me?
          When did I say that an organization or an individual wanting to keep something secret is in and of itself evil? Care to quote me?

          That's quite a lot of inferring you did there, and none of it's remotely accurate. Excellent job, champ.

          But please tell me how it's beneficial for people not to know that Lockheed was broken into through an RSA vulnerability? Please

    • by melikamp (631205)
      I thought you are just talking out of your ass, but then I read your nick... and dude, wow. How could we be so blind? Preach on, brother.
  • All these security breaches remind me of the game Uplink.
    • Every time I played it I found it hilarious that I could time and again hack the same "high security" servers with the same approach, every time resulting in a story about a "yet again" security breach at some important database, and I was sitting there snickering, thinking something like this would just be unthinkable in reality since they'd of course analyze how I got in and seal that security hole.

      • thinking something like this would just be unthinkable in reality since they'd of course analyze how I got in and seal that security hole.

        Yeh, that's a nice fantasy. Unfortunately that's not how things go. Look at Sony, they still haven't fixed their security problems and it's been over a month.

        • So you're saying the sony network is back up and anyone can use the same hole?
        • All this time, I've been thinking that Sony IS the security problem. Visa, Mastercard, and Bank of America didn't leak all those users' credentials - Sony did. Sony doesn't "have" security problems, they are the problem!

      • by Tridus (79566)

        If they really got in by duplicating an RSA token, sealing the hole requires figuring out how they managed to do that. Not as simple as it sounds.

      • by milkmage (795746)

        "something like this would just be unthinkable in reality since they'd of course analyze how I got in and seal that security hole"

        putting the cap back on the toothpaste prevents more from coming out, but it doesn't clean up the mess on the counter.

    • All these security breaches remind me of the game Uplink.

      All these security breaches remind me that the world has changed in an irrevocable manner and that it's only a matter of time before anything and everything falls victim to these types of attacks. Nothing is really safe anymore.

      • by Blackbrain (94923)
        All these security breaches remind me that the world has changed in an irrevocable manner and that it's only a matter of time before anything and everything falls victim to these types of attacks. Nothing is really safe anymore.

        Nothing ever was. The only difference now is that this one made the news.
  • by wiedzmin (1269816) on Saturday May 28, 2011 @04:59PM (#36275622)
    So this is what they hacked RSA for! I was waiting to find out who the end-target was... makes sense.
    • I bet they used the d-wave they just bought.
    • Re:Aha! (Score:4, Funny)

      by fuzzyfuzzyfungus (1223518) on Saturday May 28, 2011 @05:47PM (#36275916) Journal
      I, for one, am shocked, shocked, that RSA's assertion that the breach was minor and totally, not, y'know, a real world issue was less than 100% truthful...
    • They chose an excellent target, imagine the technological goodies you'd find at Lockheed Martin, a company elbow-deep in every corner of the US military's black projects, the company that built the A-12, basically a slightly smaller and slightly less refined SR-71, in the '50s. Imagine what they're doing today.

    • Although it's possible that Lockheed was the end target of the RSA crackers, it's also possible that the fruits of the RSA hack were simply sold to the people who then used it to do the Lockheed break in.

  • China, Iran, India, or someone planning to sell it (Russia, Organized Crime, etc...)?

    I suppose Israel could do it too. (They'd risk a bit if they got caught, but we know they have the capability.)

    • China, Iran, India, or someone planning to sell it (Russia, Organized Crime, etc...)?

      China has the most to gain.

    • by Angostura (703910)

      So you're excluding Boeing?

      • Re: (Score:2, Troll)

        So you're excluding Boeing?

        Let's not exclude the US government either. Nothing points the finger elsewhere like attacking one of your own major contractors. The NSA, CIA, etc aren't above stealing the RSA keys. /tinfoilhat

    • by Dasher42 (514179)

      It was the Cylons.

  • by Zakabog (603757) <johnNO@SPAMjmaug.com> on Saturday May 28, 2011 @05:02PM (#36275652)

    and we remain confident in the integrity of our robust, multi-layered information systems security

    Translation: Our system's breached but maybe you won't realize that if I throw enough buzz words at you...

    • by betterunixthanunix (980855) on Saturday May 28, 2011 @05:09PM (#36275706)
      On the other hand, a robust security system should be able to keep your most important information secure even when a breach occurs at lower levels. So, perhaps a breach occurred that allows some expense reports to be copied but does not enable the attackers to obtain designs for stealth aircraft. A breach is not a good thing, but it does not have to be an all-or-nothing scenario.
      • by AmiMoJo (196126)

        Problem is that once your attacker has the private key they can impersonate the server and/or perform man-in-the-middle attacks. That could get them passwords and keys for everything else because things like SSH and RDP rely on the connection being secure enough to send raw key presses as the user logs in etc. Loss of private keys is pretty serious.

        • Assuming you only have one key for all security levels, which would be a pretty bad idea.
          • Multiple keys wouldn't have helped, since it appears the attackers identified all the seeds that were ordered by Lockheed from RSA. Whatever process they used to assign these seeds to unique individuals would have been robust enough to notice that the individual was using two.

            It was endgame. Everyone should have trashed all their tokens weeks ago.

            ~Sticky

      • by the_B0fh (208483)

        you forget one thing. Typically RSA tokens are used for the high value shit, the hardest to get to, most protected shit.

        so, this is RSA token being duplicated. Guess what. Major fault.

        • by Rich0 (548339)

          I still have no idea why RSA of all places would implement their tokens in this manner. If they just used an asymmetric cipher (like RSA!) it would be immune to this kind of attack.

          There is no reason that any device other than the keyfob itself needs to be able to generate the numbers. Other devices merely need to authenticate if a number is correct - which can be done separately just as with any other asymmetric system.

          However, I do see a weakness in this - the PINs that are generated need to be much long

        • Really? The last time I was issued one of those, I was not in a very high level position; I was just an intern on a development team. My access was limited; I had some access to business documents (mainly from company mailing lists), but I could not access all systems, particularly not the high security systems.
        • by schnell (163007)

          Typically RSA tokens are used for the high value shit, the hardest to get to, most protected shit.

          In parts of the corporate world? Maybe. (Debatable though since my company uses RSA tokens and every Joe Sixpack with a laptop has one.)

          In the US government? Not a chance. Information whose unauthorized release poses a threat to national security is "classified" and access restricted to networks which are 1.) logically airgapped from public networks and 2.) wouldn't let a RSA token get within spitting distance. This applies for defense contractors too... if it was a publicly accessible network they got into

      • by Fallen Kell (165468) on Saturday May 28, 2011 @11:09PM (#36277408)
        For anyone working at a place like this, they know that the real data is on a separate network which has no physical connection to the internet. The only data that could possibly have been compromised would be unclassified, business trade secrets, and/or proprietary information.

        As the one official said (which was almost completely ignored by the article's authors), there should be little risk to actual projects. Really, what they got was access to "TPS reports", and other such documents. Now, there may be an issue with "Export Control" as even if some documents are unclassified, they may not be allowed to be transmitted to certain countries. But all the real information is on that other network which you need physical access to hack, which is one of the easiest things to secure.
      • Nothing classified will even be on the compromised networks. Classified (US government) material is not placed on networks connected to networks connected to the internet... if so, they have worse problems than bad PR and compromised boxes. You do not want the US government up your ass for spilling classified data.

      • by EETech1 (1179269)

        Lockheed Martin confirms attack on its IT network
        (AFP)
        1 hour ago
        WASHINGTON — US defense contractor Lockheed Martin has confirmed that it had detected "a significant and tenacious" attack on its information systems network.
        "Lockheed Martin detected a significant and tenacious attack on its information systems network," said a company statement.
        The company's information security team detected the attack almost immediately and took what is described as "aggressive actions" to protect all s

    • It might have been "multi-layered", but clearly was not "robust".

      • Usually I just chalk this up to the morons they hire in the admin departments... but suffice to say, the worst the breach could've gotten, even from a Defense Contractor, is trade secrets... and possibly some unclassified designs and whatnot. (Classified systems are not facing the internet. Ever.) And of course a huge PR hit to Lockheed Martin's ability to claim they can keep anything "secret." :)

        They also might've gotten some foreign contract information... depending upon how far they snooped. :) It depen

        • Remember when the Presidential helicopters were redesigned to be better a few years ago? The security there failed and the plans were released on the Internet. Never say never!
          • The presidential helicopters themselves aren't the problem. The avionics and electronic warfare stuff inside is what really counted, and that wasn't leaked. There were several foreign contractors involved in that as well... sort of like the unclassified portions of the F-35 being siphoned off by a subcontractor out of Turkey (I believe.)

            I am not saying it's never going to happen. It just takes more than this to get to it. There is no way to get it via the internet. There is no classified anything connected

    • by Anonymous Coward

      Disclaimer: I work for Boeing in Information Security.

      Todd Kelley is communications and not incident detection and response. He most likely has no clue on the state of the network and probably did not have time to contact someone and find out when he gave that statement.

      That said, we do not rely on RSA SecurID's. As soon as the initial breach of RSA was reported, any SecurID's in use were basically force retired.

    • by hey! (33014)

      Except the spokesman, whether or not he is speaking truthfully, is describing the way things *should* be. Policies and procedures should not be built around the assumption that everything *works*. They should assume that at any given time something or things might not be working.

      Anyone familiar with MySQL's permissions systems knows that one of the niftier things about it is that you can differentiate between the rights you give a user depending on the IP address or network his session originates from. Yo

  • by solarium_rider (677164) on Saturday May 28, 2011 @05:07PM (#36275674)
    Can someone explain what was actually stolen from RSA that allowed them to break into the networks? From what I understand even if you had had a duplicate SecurID number generator, you would still need the username and securid password (fixed code + random 6 digit) associated with the account to get into the network. Once you are into the network you probably also need a username (same as above) and user password to access the machines. This sounds more like the attackers must have had significant insider knowledge to get in.
    • by Dunbal (464142) *
      Well see the people used the same password at work as they used for PSN...
    • I think they found a way to synchronize their copied SecurID tokens with the victims', thus reducing the attack to figuring out the victim's password.
    • by Spad (470073)

      Usernames and passwords are trivial to socially engineer; most people you ask will give you their password without you even asking for it if you claim to be "from IT".

    • Exactly. Even if the seed files for the token were stolen, RSA still has no information about what seed file information was associated with what user! A company like Lockheed Martin could have tens of thousands of Securid tokens. The permutations for users to tokens to guessing PINs is still astronomical unless an insider was involved that had access to the securid database.

      • by blincoln (592401)

        "The permutations for users to tokens to guessing PINs is still astronomical unless an insider was involved that had access to the securid database."

        Maybe. But if you think about it, there are approaches that would only require a lot of attempts, not an "astronomical" number. If you know the username of an employee and whatever Lockheed-Martin's helpdesk uses for verification (last four SSN digits or whatever), you can have their password and SecurID PIN reset. Then just try that PIN with every cloned token

        • by mikem170 (698970) on Saturday May 28, 2011 @07:31PM (#36276462) Homepage

          I always saw these RSA tokens as protecting against compromised end user installations.

          It you can log keystrokes on an end user's PC, then you can grab their user id and pin. That goes nicely with a compromised/duplicate token.

          Done deal!

        • by _Sprocket_ (42527)

          Trying different PINs with the same token will cause a lockout, but will trying each token once with the same PIN? I'm pretty sure that would go unnoticed, especially if the attempts were made from different proxy servers to mask the source IP all being the same.

          A combination of PIN and Token Code acts like a password. A bad auth attempt is a bad auth attempt no matter whether you used the wrong PIN or gave the wrong Token Code (although the SecurID system will log when it's noticed a correct token code and bad PIN or when the user might have transposed PIN and token code). So it doesn't much matter whether you're brute-forcing the token or the PIN - both will generate failed auth attempts and eventually bump up against any account lockout mechanism (which should b
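
An added illustration of the lockout point made in the comment above (not code from any poster, from Lockheed or from RSA): a toy two-factor verifier that keeps one failure counter per account, so a wrong PIN and a wrong tokencode count the same way toward lockout while the log still records which factor was wrong. The tokencode algorithm, seed, clock and the three-failure lockout policy are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Toy time-based tokencode for illustration only: HMAC-SHA256(seed, time step)
# truncated to six digits. This is a constructed stand-in, not RSA's algorithm.
STEP_SECONDS = 60


def tokencode(seed: bytes, now: int) -> str:
    msg = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


@dataclass
class Account:
    pin: str
    seed: bytes
    failures: int = 0
    locked: bool = False


class AuthServer:
    """Checks PIN + tokencode and keeps a single failure counter per account."""

    MAX_FAILURES = 3  # assumed lockout policy for the demo, not a vendor default

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.log = []

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            self.log.append(f"FAIL user={user} reason=unknown-user")
            return False
        if acct.locked:
            self.log.append(f"FAIL user={user} reason=account-locked")
            return False
        pin, code = passcode[:len(acct.pin)], passcode[len(acct.pin):]
        pin_ok = hmac.compare_digest(pin, acct.pin)
        code_ok = hmac.compare_digest(code, tokencode(acct.seed, now))
        if pin_ok and code_ok:
            acct.failures = 0
            self.log.append(f"OK user={user}")
            return True
        # Either wrong factor counts toward lockout; the log still says which one,
        # so a run of correct-tokencode/wrong-PIN failures stands out for review.
        acct.failures += 1
        if code_ok:
            reason = "wrong-pin-correct-tokencode"
        elif pin_ok:
            reason = "correct-pin-wrong-tokencode"
        else:
            reason = "wrong-pin-and-tokencode"
        if acct.failures >= self.MAX_FAILURES:
            acct.locked = True
            reason += ",locked"
        self.log.append(f"FAIL user={user} failures={acct.failures} reason={reason}")
        return False


# Constructed demo data: one account, a fixed seed and a fixed clock.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
DEMO_NOW = 1_306_622_400  # fixed timestamp so the tokencode is deterministic


def wrong_code(expected: str) -> str:
    """Return a six-digit code guaranteed to differ from the expected one."""
    return "000000" if expected != "000000" else "000001"


def run_demo() -> dict:
    server = AuthServer({"alice": Account(pin="1234", seed=DEMO_SEED)})
    good = tokencode(DEMO_SEED, DEMO_NOW)
    results = [
        server.authenticate("alice", "1234" + good, DEMO_NOW),              # valid login
        server.authenticate("alice", "9999" + good, DEMO_NOW),              # right code, wrong PIN
        server.authenticate("alice", "1234" + wrong_code(good), DEMO_NOW),  # right PIN, wrong code
        server.authenticate("alice", "9999" + wrong_code(good), DEMO_NOW),  # both wrong: third failure locks
        server.authenticate("alice", "1234" + good, DEMO_NOW),              # valid passcode, but locked
    ]
    return {"results": results, "locked": server.accounts["alice"].locked, "log": server.log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```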

    • by rahvin112 (446269)

      Some of the early places that jumped on the SecurID tokens only used the SecurID as the password (in other words there was no password in front of the 6 digit random code), thus it was trivial to compromise if you could compromise the RSA SecurID system. What I don't get is why these organizations didn't immediately upgrade security when word came down of the root compromise of RSA. Like one of the previous posters I always believed that breaking the SecurID system was a deliberate and planned attack to ga

    • by ebonum (830686)

      two words:
      keystroke logger

  • I think we need new English words to represent these concepts more concisely: an adjective for "not authorized to speak publicly on the matter", and a verb for "confirmed under condition of anonymity".
  • Wonder what relation, if any, this has to the quantum computer?
    • Probably none, since that computer only allows for a limited form of quantum computing (which, as far as I know, is not useful for factoring RSA numbers or solving the discrete logarithm problem or much that is likely to be of interest to the attackers). My guess is that the attackers were interested in Lockheed's software or weapons designs.
    • Re:Quantum (Score:5, Funny)

      by VortexCortex (1117377) <VortexCortex AT ... trograde DOT com> on Saturday May 28, 2011 @05:21PM (#36275786)

      Wonder what relation, if any, this has to the quantum computer?

      My guess is that their new quantum computer enables their security to exist as a superposition of itself -- both being very secure, and completely unsecured at the same time.

      However, now that the state of their security has been observed, it has collapsed into only one state (which is unfortunately: unsecured).

    • Well, given that Lockheed announced three days ago that they had "agreed to buy it", implying that they won't have it for several months (and it may not even physically exist yet), I'd say nada.
  • ... Lockheed what the true top speed of the SR-71 was?
  • According to PC Magazine: "Classified information is likely out of hackers' hands: Due to the volume of attacks that these kinds of systems on a daily basis, it's highly doubtful that Lockheed—or any security contractor—would keep top-secret information within reach, should one ever breach the remote access gates."

    Sounds like wishful thinking to me. Classified information has been breached in the past so why would you expect that it's magically safe now?
    • by tsotha (720379)

      Classified information has been breached in the past so why would you expect that it's magically safe now?

      Oh? Classified information has been stolen by hacking in from the internet? When?

  • by sjudd (162227)
    there are military or high security environments still using RSA?
  • by Technomancer (51963) on Saturday May 28, 2011 @06:56PM (#36276286)

    If they are using soft token apps in addition to hardware keys, they are trivial to duplicate if you can get ahold of the key string and password from an employee.

  • Aren't they the guys who did the UK census? I wonder if they'll offer every UK citizen Identity Protection. Even though I'm from the UK and hence was forced to participate in the census, I'd almost feel good about that information getting stolen, this is what us whiny people were going on about.
  • thought about getting Enterprise [lastpass.com] protection.

  • How come I no longer respect big government and corporations to adequately protect themselves and us as a country anymore? It couldn't be because a major security blunder is reported in the press about once a week is it?

    How can any large public corporation & defense contractors not have teams of people to constantly audit & oversee security procedures, penetration testing, network analysis, and systems analysis to keep up to date on a daily threat basis?

    These constant adverse events inspire dark cy

    • by sloth jr (88200)
      A few aspects of security as practiced in the military-industrial complex occur that you may be unaware of:
      - daily automated audits; these regularly flag new vulnerabilities;
      - entire teams dedicated to evaluation of controls and failure therein
      - segmentation of computing resources by sensitivity; if it's really sensitive, it's not on any network you can get to.
      - physical barriers (gates, armed guards, man traps)

      There are literally thousands of pages of controls concerning security just for non-classified re
  • Expect China to develop yet another military technology stolen from the US in the next 24 months, mark my words
