InsecureID: No more secrets?
Update: Though I chose to keep secret the identity of the defense contractor to limit the damage, it was subsequently revealed by Reuters to be Lockheed Martin. There was one additional detail presented at the end of a story in Saturday’s New York Times.
Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”
Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.
Last weekend was bad for a very large U.S. defense contractor that uses SecurID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecurID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.
It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.
The good news here is that the contractor was able to detect an intrusion and then did the right things to deal with it. A breach like this is very subtle and not easy to spot. There will be many aftershocks in the IT world from this incident.
But is this the only such instance of a major corporate network break-in? The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably ISN’T the first such network penetration from the recent RSA hack… or the last.
What if every RSA token has been compromised, everywhere?
“I have not seen anyone abandoning their investment yet,” said my friend back in March. “Most networks exchange token values over an encrypted channel anyway so the facade of security is still there. Until an attack succeeds (and how would you know?) the lemmings are complacent.”
Well an attack has succeeded, laying open who knows what national secrets?
The lemmings are now upset, or would be if they knew what you know now.
I guess now they do.

[...] detected a network intrusion, according to the Reuters story, which cited technology blogger Robert Cringely. Cringely claimed the breach involved RSA SecurID tokens that Lockheed employees use to access the [...]
The old rules still apply from the dawn of the computing era (or from any other era), quite simply if you want to keep something secret don’t store it on a computer unless you have “one-time-pad” security in place and even then it’s only as safe as the “other person”.
So called security experts operating RSA type encryption are asking for trouble! And in fact this has been the case now for some time.
And those that store “delicate data” in any type of recent databases need their head examining, they’re all USA backdoor enabled under the “USA homeland security” debacle/legislation.
There is no such thing as a secure data transfer or password using computers.
Steve Gibson suggests PIE (pre-internet encryption).
Security=LAN. If you need to secure data keep it out of any noded network. Nothing is ever 100% secure but this off-line measure removes 95-98% of the issue. The rest is human hacking and more advanced technologies. It’s impossible to do this remotely.
[...] quoted technology blogger Robert Cringely as saying the intrusion may have involved the use of RSA’s SecurID tokens, which Lockheed Martin employees use when logging into their network from outside the [...]
The only secure network is a standalone network which is in an electromagnetic shielded environment. But even then it’s only as secure as the people using it.
Yeah. I saw “Enemy of the People”, too.
Tokens, not the encryption, were compromised. Smart cards are a better solution for strong authentication.
The APT attacked RSA specifically to get into Northrop. This is an act of war.
Wow, I see a LOT of “assumptions” and guesswork, but no real information or confirmation from LM. For example: “It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company.”
Really? Based on what information? It may simply be that they’re concerned about the RSA hack and have shut down remote access as a precautionary measure while they issue new tokens. Is there REALLY a story here?
[...] Robert X. Cringely reported on the attack early on, without naming the specific company, and wrote that countermeasures were taken, namely in requiring another level of authentication: It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network. [...]
You seem to be missing the point of a forum. You are supposed to state your opinion about something, not just randomly quote passages from the original article.
We got rid of our RSA Keys three years ago and went to a different two factor authentication process that also includes a challenge authentication.
[...] The break-in at Lockheed Martin, maker of the F-22 aircraft among others, is being linked to the earlier break-in at RSA. Recall that as a result of the attack on RSA, still-unknown intruders most likely stole the database of seeds for SecurID tokens. With the seed and the token number, one can create a clone of a given employee's token and bypass two-factor authentication mechanisms. This attack scenario against Lockheed Martin is considered the most likely. [...]
How’s the weather in Warsaw?
At least one good thing will come of this, the end of the critics of privacy concerns. For some time I’ve gotten flak about my hesitation to just go with the flow and put my personal info (and my family’s) out onto the digital domain. Being called anti-technology simply because one doesn’t buy into the line that the debate about security is over will now be a tougher sell with the RSA incursion.
[...] InsecureID: No more secrets? (Cringely broke the Lockheed story) [...]
[...] fallout from the March attack on RSA has arrived. Per the news agencies—and the excellent blog post by Bob Cringely—several large defense contractors (Lockheed Martin, L-3, and potentially Northrop [...]
[...] back in March. The manufacturer of F-22 and F-35 fighter planes confirmed the attempted hack, first reported by tech blogger Robert Cringely, which took place on or around the weekend on 21 May. In a [...]
[...] was detected. The first details, although the target was not immediately revealed, were given few days after, on May, the [...]
[...] blogger Robert Cringely said the network disruption at Lockheed began Sunday and that the SecurID tokens were at the center of [...]
Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks.
http://www.bbc.co.uk/news/technology-13681566
[...] day hackers demonstrate how weak the security of our corporate and government resources are. Stealing millions of credit cards occurs on a [...]
I’m pleased that I am not a News Corp shareholder! With all the ongoing problems it is facing in the UK with the now shut down News of the World, Rupert Murdoch’s News Corp, based in Delaware, is also facing a legal challenge from its shareholders. Shareholders, as well as investment funds, labor and municipal pension funds are accusing Murdoch of misusing News Corp. assets, by treating the company like a family candy jar, which he raids whenever his appetite strikes. It looks like the troubles are just starting!
[...] consultant Robert Cringely says that a major defence contractor is issuing new RSA SecurID to all employees using them for remote [...]