Update — Though I chose to keep secret the identity of the defense contractor to limit the damage it was subsequently revealed by Reuters to be Lockheed-Martin. There was one additional detail presented at the end of a story in Saturday’s New York Times.
Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”
Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.
Last weekend was bad for a very large U. S. defense contractor that uses SecureID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecureID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.
It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.
The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it. A breach like this is very subtle and not easy to spot. There will be many aftershocks in the IT world from this incident.
But is this the only such instance of a major corporate network break-in? The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably ISN’T the first such network penetration from the recent RSA hack… or the last.
What if every RSA token has been compromised, everywhere?
“I have not seen anyone abandoning their investment yet,” said my friend back in March. “Most networks exchange token values over an encrypted channel anyway so the facade of security is still there. Until an attack succeeds (and how would you know?) the lemmings are complacent.”
Well an attack has succeeded, laying open who knows what national secrets?
The lemmings are now upset, or would be if they knew what you know now.
I guess now they do.