Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/6/2011
05:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

RSA Offers SecurID Token Replacement For Customers In Wake Of Lockheed Hack

Lockheed Martin, RSA link Defense contractor's breach to hack of RSA's SecurID

Lockheed Martin and RSA today each separately confirmed that the breach that compromised RSA's SecurID authentication technology helped lead to the recent targeted attack aimed at the defense contractor. And RSA late today said it will offer to replace its customers' SecurID tokens.

RSA executive chairman Art Coviello said in an open letter on EMC RSA's website that the company would offer to replace SecurID tokens for "customers with concentrated user bases typically focused on protecting intellectual property and corporate networks" and provide "risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions."

In an interview with The Wall Street Journal Coviello elaborated on the token recall, saying that RSA will offer token replacements "for virtually every customer we have" and offer transaction monitoring and intrusion detection for its customers—namely financial institutions, according to the article.

Coviello says in his post that the attackers who hit RSA back in March were after security information in order to target Defense intelligence and intellectual property, not for monetary purposes or for pilfering personal information. "For this reason, we worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure. We will continue these efforts," he says.

On June 2, RSA confirmed that data stolen from the company back in March was "used as an element of an attempted broader attack on Lockheed Martin," he says -- an attack that Lockheed Martin says it stopped in its tracks.

"It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker," he says.

Lockheed Martin first confirmed the RSA connection earlier today. "Our investigation into the attack on our system concluded that the RSA breach was a direct contributing factor," a Lockheed spokesperson said in a statement today. "Based on our early actions to replace all RSA SecurID tokens and add new layers of security to our remote access processes, we remain confident in the integrity of our robust, multi-layered information systems security."

RSA's and Lockheed's revelations came on the heels of much speculation over whether an apparent wave of targeted attacks leveled against U.S. defense contractors this past few weeks was in any way tied to the breach of RSA's SecurID token database earlier this year. The company is in the process of giving 45,000 of its employees' brand-new SecurID tokens to replace the potentially compromised ones.

L-3 Communications reportedly was also among the victimized contractors whose networks were compromised using stolen SecurID token information, as well as Northrop Grumman, according to post today on Fox News. An unnamed source said to be from inside Northrop Grumman said the company reset passwords and suddenly shut down remote access to its corporate network on May 26. That was about five days after Lockheed detected its breach.

"We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions. As a leader in cybersecurity, Northrop Grumman continuously monitors and proactively strengthens the security of our networks, and is vigilant to protect our employee, customer and program data and systems," a Northrop Grumman spokesperson said in response to inquiries about the reported breach.

Lockheed Martin late last month revealed that it had detected a "significant and tenacious attack" on its network, but that no customer, employee, or program data was compromised.

But even with Lockheed's latest comment, the devil's still in the details, security experts say. Marcus Carey, community manager at Rapid7, says the big question is just how the attackers were able to acquire the passwords, user names, PINS, and even certificate files. "They are saying the RSA breach was just one factor. What were the other factors?" Carey says. "We don't know what other techniques" were used to get inside Lockheed, he says.

To get VPN access, you need a PIN, a certificate with your VPN client, and the IP address that the VPN concentrator is connected to, Carey says. "The main thing I want to emphasize is that this was a multi-factor attack … people are emphasizing the RSA token piece, but what's a lot more interesting to me is … the other techniques" that were used, he says.

Carey says even if Lockheed's statement means that stolen SecurID tokens were used to hack it, that doesn't necessarily mean all RSA SecurID customers will also automatically be hacked that way as well. "And being able to synchronize RSA tokens is nothing new—it's been available for a long time," he says, with tools such as Cain and Abel.

Richard Stiennon, chief research analyst at IT-Harvest, earlier today predicted that RSA would perform "a massive recall" of SecurID tokens to protect its customers and restore confidence in the multi-factor authentication technology. "That would be the biggest [recall] in the security industry ever," he says.

Stiennon says RSA also must offer a new model where Defense contractors can generate their own seeds. "In the meantime, one-time password tokens have lost a lot of luster and companies are going to start the search for better solutions that are out-of-band," for instance, he says.

Next page: RSA's miscalculation? Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.