Posts Tagged ‘national security’

InsecureID: No more secrets?

Posted on May 25th, 2011 by Robert X. Cringely

Update — Though I chose to keep secret the identity of the defense contractor to limit the damage, it was subsequently revealed by Reuters to be Lockheed-Martin. There was one additional detail presented at the end of a story in Saturday’s New York Times.

Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”

Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.

Last weekend was bad for a very large U. S. defense contractor that uses SecurID tokens from RSA to provide two-factor authentication for remote VPN access to its corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All the workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecurID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.
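To make concrete why a stolen seed database forces a token replacement rather than a password reset, here is an added example that is not part of the original post. RSA SecurID's actual algorithm is proprietary and is not reproduced; the public RFC 6238 TOTP construction stands in for it, since it shares the property the post relies on: the displayed code is a pure function of the token's secret seed and the current time. The seed, serial number, account name and time values below are all constructed.

```python
"""Time-based one-time code as a function of (seed, time).

Added example, not code from the post or from RSA. RFC 6238 TOTP is used
as a stand-in for the proprietary SecurID algorithm. The point it shows:
anyone holding a token's seed AND knowing which account that token was
issued to can compute the same codes the token displays. The seed alone
(without the serial-to-account mapping) is a key with no known lock.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, per RFC 6238


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the time-step counter."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed "seed database" (what a token vendor holds): serial -> seed.
# The seed bytes are the ASCII string "12345678901234567890", the RFC 6238
# test-vector secret, so the output can be checked against the RFC.
SEED_RECORDS = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
}

# Constructed "enrollment" (what the customer holds): account -> serial.
ENROLLMENT = {"alice": "000123456789"}


def code_for_account(account: str, unix_time: int) -> str:
    """Reproduces the code a user's token shows, given both databases.
    With only SEED_RECORDS and no ENROLLMENT there is no way to pick the
    right seed for a given login, which is the 'key without a lock' case."""
    serial = ENROLLMENT[account]
    return totp(SEED_RECORDS[serial], unix_time)


def verify(account: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step plus or minus
    `window` steps of clock drift, compared in constant time."""
    for drift in range(-window, window + 1):
        expected = code_for_account(account, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; real servers use int(time.time())
    print("token shows:", code_for_account("alice", now))
    print("login ok:", verify("alice", code_for_account("alice", now), now))
```

Because `verify` never needs anything the token does not also have, a leaked copy of `SEED_RECORDS` plus a keylogged password is a complete credential; rotating passwords alone leaves the second factor reproducible until the seeds are replaced.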

The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.

The good news here is that the contractor was able to detect an intrusion and then did the right things to deal with it. A breach like this is very subtle and not easy to spot. There will be many aftershocks in the IT world from this incident.

But is this the only such instance of a major corporate network break-in? The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably ISN’T the first such network penetration from the recent RSA hack… or the last.

What if every RSA token has been compromised, everywhere?

“I have not seen anyone abandoning their investment yet,” said my friend back in March. “Most networks exchange token values over an encrypted channel anyway so the facade of security is still there. Until an attack succeeds (and how would you know?) the lemmings are complacent.”

Well an attack has succeeded, laying open who knows what national secrets?

The lemmings are now upset, or would be if they knew what you know now.

I guess now they do.

Predict Me, I’m from the Government

Posted on January 8th, 2010 by Robert X. Cringely

This is my second predictions column for 2010 with more to come. This column is about homeland security, which is something our government isn’t very good at and I predict won’t get any better at this year because of a systemic inability to do correctly even the most basic things to protect our society, our privacy, and our way of life.

President Obama this week proposed some changes in how homeland security is managed following that Christmas Eve attempt to explode an airliner as it was landing in Detroit. These changes are minimal but I doubt they’ll even be implemented because this is a system that inevitably reverts to little fiefdoms run by idiots.

Can you tell I’m pissed-off?

I saw this coming. Here’s something I wrote in this space on September 13th, 2001, two days after the World Trade Center and Pentagon attacks:

“…. The most important reaction to terrorism that a free society can show is to not give in to it. But not giving in takes many forms, and I fear that some of the official reactions to the events of this week will take the form of effectively giving in if they also mean that we give up our freedom. “To a man with a hammer, everything looks like a nail,” wrote Mark Twain. In the current context this means that the organizations charged with reacting to this catastrophe will do so by doing what they have always done, only more of it. Congress, which controls the budget and passes laws, will want to pass laws and to allocate more money, lots of money, forgetting completely about any campaign promises. The military, which is the nation’s enforcer, will want to use force, if only they can find a foe. The intelligence community, which gathers information, will want to be even more energetic in that gathering, no matter what the cost to the privacy of the millions of us who aren’t thinking of terrorist acts. And agencies like the Federal Aviation Administration, which regulate, will want to create more stringent regulations. Now here is an important point to be remembered: All these parties will want to do these things whether they are warranted or useful or not…. ”

That was more than eight years ago, yet not much has changed since then except the names of the agencies and the length of the queues. The current crisis is one that should have been foreseen, officials from the President on down admit, and the fact that it wasn’t worse comes down to terrorist incompetence, citizen bravery, and nothing else. The government had all along the information to stop this guy but they didn’t do it.

Instead of just complaining, let’s take a look at the issue from another angle. Contrast these three situations: 1) you are sitting in a hotel bar in Mongolia and want to use your Visa card to buy a round of drinks for your friends; 2) your Mom is at the check-out counter at a Sears store when the clerk asks her if she wants to apply for a Sears credit card and save 10 percent on her order; and 3) a possible terrorist with a dubious travel record and suspected al-Qaeda connections is standing in line at a European airport waiting to board a flight to the U.S. that leaves in an hour. What happens in each of these cases?

In Mongolia the bartender takes your card and authorizes it in seconds across a 12,000-mile round-trip. At the Sears store the transaction is not only authorized in less than a minute, but a new account is created and both your Mom’s identity and her creditworthiness are established and calculated on the spot, along with her discount. Meanwhile the airline, airport, local security, European police, Interpol, Transportation Security Administration, Department of Homeland Security, Customs Service, FBI, CIA, and NSA can’t between them figure out in an hour whether this guy standing in line in Holland should be allowed on the plane or not.

How is it that we can run our credit card operations so well and our national security so poorly?

I’ll answer that in a moment but first another anecdote from my files.

I wrote a column a while back in which I explained that while the U. S. Government has little to no idea how many illegal aliens there are in America, the big credit reporting agencies know exactly how many:

“… The credit reporting agencies have a handle on total numbers and have a lot of information on specific individuals. So members of the gray economy are, for the most part, not invisible at all, just difficult to identify as individuals. But thanks to data mining down at the credit bureau, it is getting harder and harder to hide. A lot of this sleuthing comes down to a surprising artifact, the Social Security number. One would think that surprising for an economic class of people best known for not having Social Security numbers. Ah, but they do have Social Security numbers, just not their own. You need a Social Security number to sign up for utility services, for example. No Social Security number, no electricity, gas, phone, or satellite TV. So what’s a poor alien to do? They go down to some local hangout and buy a Social Security number to give to the utility. This has to be a legitimate number or it won’t fly with utility computer systems, but does it have to be the customer’s own number? Good question. Here’s where we have an interesting business ethics issue. Say you are the electric company and someone tries to set up service using a Social Security number that already exists in your database and is clearly borrowed, bought, or stolen. What do you do? Most utilities go ahead and set up the account, because to them what counts is whether the new customer will actually pay that bill and it turns out that people operating on such borrowed numbers are more reliable bill payers than the rest of us. They can’t afford to get in trouble with the electric company because that would draw attention to them. So there is a tacit agreement between the parties that a Social Security number must be provided because that’s the rule, but if it happens to be someone else’s Social Security number, well that’s okay. The funny thing about this is the impact it has to have on the person who was originally assigned that Social Security number by the U. S. government. Rather than hurt their credit it actually helps because there is so much evidence that they are good at paying their bills! Of course the credit bureau notices something and that’s why they are so able to estimate numbers in the first place. They know what Social Security numbers are being overused and can probably even trace the genealogy of that number as it makes its way across the country. Here’s an amazing fact: some individual Social Security numbers are in use right now by up to 3,000 people and it isn’t at all unusual for a borrowed number to be used by 200-1,000 people at the same time… ”
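The column describes two checks a utility or bureau can run on a submitted number: whether it is structurally a legitimate Social Security number at all, and whether the same number is already attached to other people's accounts. The following added example, which is not from the column and is not any bureau's or utility's code, shows both over a constructed set of account records; every identifier, name and city in it is made up.

```python
"""Structural validity and over-use detection for SSN-like identifiers.

Added example (constructed data; not code from the column). Two checks:
  1. is_plausible_ssn: the public SSA format rules (area not 000, 666 or
     900-999; group not 00; serial not 0000).
  2. overuse_report / overused: group account records by identifier and
     count how many distinct holders and places share each one.
"""
from collections import defaultdict
import re

_SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def is_plausible_ssn(value: str) -> bool:
    """Structural check only; does not prove the number was issued or belongs
    to the applicant. Rules are the publicly documented SSA format rules."""
    m = _SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


# Constructed utility-style account records: (identifier, account holder, city).
# "123-45-6789" is a placeholder value, used here by two different people.
RECORDS = [
    ("123-45-6789", "A. Garcia", "Fresno"),
    ("123-45-6789", "a. garcia", "Fresno"),    # same holder, different case
    ("123-45-6789", "B. Nguyen", "Tucson"),    # second person, second city
    ("234-56-7890", "C. Okafor", "Denver"),
    ("345-67-8901", "D. Reyes", "Boise"),
    ("000-11-2222", "E. Lund", "Fargo"),       # structurally invalid area
]


def overuse_report(records):
    """identifier -> (distinct holders, distinct cities). Holder names are
    normalised so the same person with two spellings counts once."""
    holders = defaultdict(set)
    cities = defaultdict(set)
    for ident, name, city in records:
        holders[ident].add(" ".join(name.lower().split()))
        cities[ident].add(city)
    return {i: (len(holders[i]), len(cities[i])) for i in holders}


def overused(records, max_holders: int = 1):
    """Identifiers attached to more distinct holders than max_holders."""
    report = overuse_report(records)
    return sorted(i for i, (h, _) in report.items() if h > max_holders)


def invalid_identifiers(records):
    """Identifiers that fail the structural check, in first-seen order."""
    seen, out = set(), []
    for ident, _, _ in records:
        if ident not in seen and not is_plausible_ssn(ident):
            seen.add(ident)
            out.append(ident)
    return out


if __name__ == "__main__":
    for ident, (h, c) in sorted(overuse_report(RECORDS).items()):
        print(f"{ident}: {h} holder(s) in {c} place(s)")
    print("over-used:", overused(RECORDS))
    print("invalid:  ", invalid_identifiers(RECORDS))
```

The threshold in `overused` is deliberately a parameter: the column's point is that a bureau sees the whole population of accounts and can set it from the observed distribution, whereas a single utility only sees its own customers and, by the column's account, rarely acts on the signal at all.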

Okay, that’s interesting and weird, but let me tell you about the phone call I got later about it from the U. S. Department of Homeland Security.

“The credit bureaus can really do that?” Mr. Homeland Security asked. “Do they really have that kind of data? Who can tell us more about this?”

I am not making this up.

That was in 2007 — six years after 9/11, and the people who had already spent billions of dollars making us safer by gathering information had no idea at all what kind of information was already being gathered.

I don’t know what happened after that but I can make a good guess. My guess is that the folks at Homeland Security, if they actually bothered to follow up on the contacts I gave them, probably decided they needed to spend more billions and build a similar information system for their own use — yet another fiefdom — and that system will be operational sometime this decade.

I have a better idea. Why not outsource the whole screening process to the credit agencies? Don’t build a new system, just throw a few extra fields in the existing records — fields like “terrorist associations” or “U. S. citizen” — fields that can be populated only by that long list of agencies I mentioned up the page. If there are security or privacy concerns then encrypt these new fields and limit access.

Of course credit agencies make mistakes, too. But it is a generally functional system, which is more than I can say for the way we’ve been running Homeland Security so far.

Sadly I can predict, too, that what I suggest here will never happen.