More cyberattacks reported; RSA tokens likely involved

Two more defense companies reported targeted on heels of Lockheed Martin breach

Has someone declared a cyber war against government contractors?

Two more cyberattacks, this time against Northrop Grumman Corp. and L-3 Communications Inc., have been reported, barely a week after an attack on Lockheed Martin Corp. caused the shutdown of some of its systems.

The attacks apparently are the fallout from a breach at EMC Corp.’s RSA Security division earlier this year, where information is believed to have been taken and used to attack Lockheed Martin Corp. and L-3.

The L-3 attack was reported May 27 by Reuters, which said attackers reportedly were able to spoof the passcode from an RSA SecurID token.

Fox News is reporting the attack on Northrop Grumman, but the company has declined to confirm the breach.

Similar data is believed to have been used in a May 21 attempt to access Lockheed Martin, which the company described as a “significant and tenacious attack on its information systems network.”


Related stories:

'Significant' attack shuts down Lockheed network

Hackers gain access to RSA's SecurID security tokens


The RSA breach, reported in March, was described by the company as an Advanced Persistent Threat that targeted information related to the SecurID two-factor authentication product. Although details of that attack still have not been released, it is believed that information about the seed numbers used by an algorithm to generate one-time passcodes on the token was taken.

In a letter to customers, RSA Executive Chairman Art Coviello said that, although “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

The broader attack appears to be what has happened at Lockheed Martin and L-3, according to observers in the industry.

Harry Sverdlove, CTO at Bit9, an end-point security company, said the Lockheed Martin attack apparently began with the compromise and installation of keylogger malware on a computer that remotely connected to the corporation’s network. That would let the attacker collect a log-in password and probably several one-time SecurID passcodes.

The passcodes cannot be reused and by themselves are useless. Likewise, the algorithm used to generate them is well-known, but is useless without a seed number that is used to determine what codes are generated. But if the attacker had access to several passcodes, it would be a trivial task to work through a database of seed numbers to determine which value was used to create the codes, Sverdlove said. The attacker could then use that value to generate viable passcodes that could be used with the password to log into the system.

“Whoever attacked Lockheed Martin was the same as who attacked RSA or had access to information from the RSA breach,” Sverdlove said.

He said the exploit that delivered the keylogger to the remote computer likely came through a targeted phishing e-mail, the same technique that was used in the initial RSA attack and that also was used to break into systems at the Oak Ridge National Laboratory in April. The series of attacks illustrates how vulnerable the most sophisticated defenses can be to a well-engineered phishing attack.

“It only took one infiltration vector to steal everything needed to defeat two-factor authentication,” Sverdlove said.

The attackers are not “one-trick ponies,” Sverdlove said. “They are raising the bar,” by building on initial successes to develop additional attacks.

Sverdlove said that “hardening” passwords used with two-factor authentication or using additional passwords provides no additional security in a system that has been compromised, because attackers are able to collect password data.

Ronald Rivest, professor of computer science at the Massachusetts Institute of Technology and originally the “R” in RSA, said there is no end in sight in the battle between attackers and defenders.

“It is not a problem you can solve,” Rivest said. “We will continue to see attacks and we will continue to see successful attacks.”

He compared cybersecurity to health care, in which new drugs and treatments are continually developed to improve health, although new germs and diseases continue to appear. Success is not determined by the ability to completely eliminate problems.

“There is no silver bullet,” Rivest said. “We must aim for steady progress, not perfection.”

 

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Jun 2, 2011 Ron LaPedis

Perhaps it's time for PKI tokens? Since the private keys are off in a smart card, it should be near impossible to capture them, even with possession of the card. Add mutual authentication to the mix and you probably have a more secure solution than static passwords or OTP.

Thu, Jun 2, 2011

I find it very interesting that two headlines in this are: "More Cyberattacks reported: RSA tokens likely involved" and "Making Cloud Achievable: To Cloud or Not to Cloud". Does anyone really think that trusting others to keep valuable data for you just because it's cheaper is a good idea in the long run? The only data that belongs in the cloud is the data that you don't care about. But then, why keep it at all?

Thu, Jun 2, 2011

My company is proud we haven't been attacked because we have accpeted significant degradation in capability. Looks like none of that would have mattered in these cases. Maybe we are next after all. The time comes when we have to accept risk and fight back. We all do that when we get in our cars. But we also reap the reward. Perfect security means shut down. That time was last year.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
 Top 100 Slideshow
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts