Another major defense contractor hacked; RSA tokens likely involved

L-3 Communications attacked on heels of Lockheed Martin breach

Fallout from a breach at EMC Corp.’s RSA Security division earlier this year continues to cascade through the defense industry, as information taken in that breach is believed to have been used against major contractor L-3 Communications Holdings Inc. The report follows a similar attack against contracting giant Lockheed Martin.

The L-3 attack was reported May 27 by Reuters, which said attackers were able to spoof the passcode from an RSA SecurID token.

Similar data is believed to have been used in a May 21 attempt to access Lockheed Martin, which the company described as a “significant and tenacious attack on its information systems network.” A third defense contractor, Northrop Grumman, may also have been attacked. Fox News reported that the company shut down remote access to its network May 26. Northrop hasn't commented on the report.


L-3 was formed out of 10 business units from Lockheed that were spun off during Lockheed’s acquisition of Martin Marietta.

The RSA breach, reported in March, was described by the company as an Advanced Persistent Threat that targeted information related to the SecurID two-factor authentication product. Although details of that attack still have not been released, it is believed that information about the seed numbers used by an algorithm to generate one-time passcodes on the token was taken.

In a letter to customers, RSA Executive Chairman Art Coviello said that, although “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

The broader attack appears to be what has happened at Lockheed Martin and L-3, according to observers in the industry.

Harry Sverdlove, CTO at Bit9, an end-point security company, said the Lockheed Martin attack apparently began with the compromise and installation of keylogger malware on a computer that remotely connected to the corporation’s network. That would let the attacker collect a log-in password and probably several one-time SecurID passcodes.

The passcodes cannot be reused and by themselves are useless. Likewise, the algorithm used to generate them is well-known, but is useless without a seed number that is used to determine what codes are generated. But if the attacker had access to several passcodes, it would be a trivial task to work through a database of seed numbers to determine which value was used to create the codes, Sverdlove said. The attacker could then use that value to generate viable passcodes that could be used with the password to log into the system.
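To make the point in Sverdlove's explanation concrete from the defender's side, here is an added illustration (not code from the article, from RSA, or from any of the companies named). It uses the public RFC 6238 TOTP construction as a stand-in for the proprietary SecurID algorithm, a constructed database of 2,000 token seeds, and a constructed set of "captured" passcodes; the serial numbers, seeds and timestamps are all invented. It shows why a single passcode is nearly worthless on its own, why a handful of them pin down one seed record out of many, and therefore why a leaked seed store has to be treated as a set of cloned tokens that must be reissued.

```python
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 60  # assumption: a SecurID-style 60-second code window


def totp(seed: bytes, t: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, a public stand-in for the proprietary
    SecurID algorithm. The seed is the only secret input; the rest is well known."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seeds_consistent_with(observations, seed_db):
    """Serial numbers whose seed reproduces every observed (time, code) pair.
    Each additional observation shrinks the survivors by about 10**DIGITS."""
    return [serial for serial, seed in seed_db.items()
            if all(totp(seed, t) == code for t, code in observations)]


def expected_false_matches(db_size: int, n_codes: int, digits: int = DIGITS) -> float:
    """Expected number of wrong seeds still consistent with n_codes observations."""
    return db_size / 10 ** (digits * n_codes)


# Constructed seed database: 2,000 deterministic demo seeds keyed by token serial.
SEED_DB = {f"TOKEN-{i:06d}": hashlib.sha256(b"demo-seed-" + str(i).encode()).digest()
           for i in range(2000)}
VICTIM = "TOKEN-001337"  # hypothetical token whose codes a keylogger captured


def captured_codes(n: int, start: int = 1_700_000_000):
    """Constructed keylogger capture: n consecutive passcodes from VICTIM's token."""
    return [(start + k * STEP, totp(SEED_DB[VICTIM], start + k * STEP)) for k in range(n)]


if __name__ == "__main__":
    obs = captured_codes(3)
    for k in range(1, 4):
        survivors = seeds_consistent_with(obs[:k], SEED_DB)
        print(f"{k} code(s) observed: {len(survivors)} seed(s) still consistent")
    print("expected wrong matches after 1 code:", expected_false_matches(len(SEED_DB), 1))
```

The ratio in expected_false_matches is the whole story: a seed store with tens of millions of records against 6-digit codes leaves a few dozen candidates after one passcode and essentially none after two, so once the seed records are gone the only durable fix is to rotate every seed.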

“Whoever attacked Lockheed Martin was the same as attacked RSA or had access to information from the RSA breach,” Sverdlove said.

He said the exploit that delivered the keylogger to the remote computer likely came through a targeted phishing e-mail, the same technique that was used in the initial RSA attack and that also was used to break into systems at the Oak Ridge National Laboratory in April. The series of attacks illustrates how vulnerable even the most sophisticated defenses can be to a well-engineered phishing attack.

“It only took one infiltration vector to steal everything needed to defeat two-factor authentication,” Sverdlove said.

The attackers are not “one-trick ponies,” Sverdlove said. “They are raising the bar,” by building on initial successes to develop additional attacks.

Sverdlove said that “hardening” passwords used with two-factor authentication or using additional passwords provides no additional security in a system that has been compromised, because attackers are able to collect password data.

Ronald Rivest, professor of computer science at the Massachusetts Institute of Technology and originally the “R” in RSA, said there is no end in sight in the battle between attackers and defenders.

“It is not a problem you can solve,” Rivest said. “We will continue to see attacks and we will continue to see successful attacks.”

He compared cybersecurity to health care, in which new drugs and treatments are continually developed to improve health, although new germs and diseases continue to appear. Success is not determined by the ability to completely eliminate problems.

“There is no silver bullet,” Rivest said. “We must aim for steady progress, not perfection.”

Reader Comments

Wed, Jun 22, 2011 JC

There will be more attacks on gov't contractors. DHS does not yet have the power to stop/investigate the attacks.

Sun, Jun 5, 2011 ibsteve2u Commonwealth of Pennsylvania

“There is no silver bullet,” Rivest said. “We must aim for steady progress, not perfection.”

Makes you hope everybody who collects - publicly, or privately - data on the attack vectors used and the preventative measures taken is on the "up-and-up".

As opposed, say, to collecting that data with the sole intent of creating an exploit that a) cycles through all known security holes while simultaneously b) attempting improved variations of each attack and c) exploiting holes introduced by security patches themselves before d) launching its own unique exploits.

And to pontificate: Something went screwy with our government's approach to information security since I was familiar with it. Where once we took extreme measures such as using optoelectric isolation to ensure we didn't leak anything we didn't want out there, now the government - and privileged contractors - have hooked all of that information up to the web...transforming the access paths to that information from game trails replete with ambushes into unimaginably multi-laned superhighways with no speed limits.

And with only illusory unmanned electronic doors between that information and a breach.

We still (I wager) use armed humans to secure sensitive areas...but when it comes to e-security, we not only don't want to pay for round-the-clock monitoring of each electronic door, we keep adding new doors.

Which is strange, to me, as I know there is no substitute for physical access restriction to ensure information security. There is no essential difference between providing unmonitored access to a mechanical door AND its keys and providing unmonitored access to an e-door AND its e-keys.

You want to keep something secure, you ISOLATE it...both physically and electronically.

I give you Dick Cheney's safe as an example: While I would hesitate to posit that its contents were ever intended to benefit the American people as a whole, one thing I can state for a fact: Specialist Bradley Manning didn't - couldn't - leak its contents.

(Speaking of Cheney: Anybody ever validate the communications wiring after that fire in the Executive Office Building, POST-Bush Administration?

It isn't any of my business, of course...but it is always good practice to make sure nobody made a...mistake. Fresh eyes...and all that.)

Wed, Jun 1, 2011 Boston, MA

The US is being cyber bullied by China. With research and development programs frequently tallying over $3B it is no wonder government contractors are targeted. Instead of investing in research, invest in cyber espionage for a fraction of the cost yielding the same results. Plans on how to build an F35 Fighter jet. And to think, a majority of these breaches are starting with a phishing attack targeting an individual. If we are only as strong as our weakest link, then a default-deny strategy of application whitelisting certainly provides the most effective protection against modern cyber threats ... including phishing.
